我遇到了 AD 林中树域的 PDC 问题。它无法复制到其他 DC,并且其客户端正在失去对域的信任,无法使用 Test-computersecurechannel -repair 进行重置,我无法将客户端加入/重新加入域。
这是 Server 2016 林,站点创建为树域。林是 xyz.den.lcl,其他树是 xyz.atl.lcl(损坏的)、xyz.sea.lcl、xyz.cle.lcl、xyz.qucy.lcl 和 xyz.sat.lcl。所有 DC 都是 Windows 2016 STD,大多数是 2016 数据中心 Hyper-V 群集上的 VM。CLEDC01 是一个例外,是一台物理服务器。
我在这里吐出了一堆信息,但我怀疑所有这些结果都是因为 SChannel/Machine 密码被破坏了。
我认为这个问题最初是由 AV 防火墙引起的,我后来卸载了它并尝试修复这个问题。在安装 A/V 之前一切都很好。我已经使用 Portqry 和 RPCping 验证了 RPC 服务正在监听并且可以从/到所有 DC 进行访问。
我还修复了域中缺失的一些 SRV 记录(xyz.atl.lcl _msdcs 目录中缺少 _kerberos 和 _Kpassword)。据我所知,DNS 很好。我可以通过它的所有服务器记录、通过它在林 _msdcs 区域中的 CNAME GUID 来解析 DC(ATLVMDC01),rDNS 解析正确,它的 SRV 记录具有正确的优先级。我检查了所有内容http://go.microsoft.com/fwlink/?linkid=5171
我还尝试在 DC 上使用 Netdom resetpwd 来重置机器 PW。
当我尝试使用 nltest 从任何域上的任何其他服务器/PC 获取 xyz.atl.lcl 的 DC 时,我会看到这种情况。
C:\Windows\system32>nltest /dsgetdc:xyz.atl.lcl
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
来自 ATLVMDC01
C:\Windows\system32>nltest /dsgetdc:xyz.atl.lcl
DC: \\ATLVMDC01.xyz.atl.lcl
Address: \\<server ip>
Dom Guid: <GUID>
Dom Name: xyz.atl.lcl
Forest Name: xyz.den.lcl
Dc Site Name: ATLANTA
Our Site Name: ATLANTA
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10
The command completed successfully
ATLVMDC01 的网络配置。所有其他 DC 的配置都接近此配置。它们的主 DNS 是它们自己的 IP,辅助 DNS 服务器与此处列出的 2 个相同。
Windows IP Configuration
Host Name . . . . . . . . . . . . : ATLVMDC01
Primary Dns Suffix . . . . . . . : xyz.atl.lcl
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xyz.atl.lcl
xyz.den.lcl
xyz.qucy.lcl
xyz.cle.lcl
xyz.sat.lcl
Ethernet adapter Ethernet 3:
Connection-specific DNS Suffix . : xyz.atl.lcl
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #3
Physical Address. . . . . . . . . : 00-15-5D-2C-6F-15
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a174:d654:693c:79c6%5(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.245(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 134223197
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-AB-58-66-00-15-5D-2C-6F-05
DNS Servers . . . . . . . . . . . : 192.168.1.245
172.18.32.165
172.18.32.166
NetBIOS over Tcpip. . . . . . . . : Enabled
管理/回复
关于问题DC“ATLVMDC01”
Source DSA largest delta fails/total %% error
ATLVMDC01 32d.00h:12m:06s 32 / 32 100 (1722) The RPC server is unavailable.
CLEDC01 12m:51s 0 / 32 0
DENVMDC01 25m:33s 0 / 26 0
DENVMDC02 32m:45s 0 / 42 0
QCYDC001 11m:51s 0 / 32 0
SATVMCAM01 25m:00s 0 / 42 0
SATVMDC01 32m:49s 0 / 10 0
来自任何其他 DC
Source DSA largest delta fails/total %% error
ATLVMDC01 32d.00h:12m:06s 32 / 32 100 (1722) The RPC server is unavailable.
CLEDC01 12m:51s 0 / 32 0
DENVMDC01 25m:33s 0 / 26 0
DENVMDC02 32m:45s 0 / 42 0
QCYDC001 11m:51s 0 / 32 0
SATVMCAM01 25m:00s 0 / 42 0
SATVMDC01 32m:49s 0 / 10 0
Experienced the following operational errors trying to retrieve replication information:
8341 - ATLVMDC01.xyz.atl.lcl
在问题 DC(ATLVMDC01)上,DCDIAG /TEST:DNS 和 DCDIAG /TEST:DNS /E 全部通过。
C:\Windows\system32>dcdiag /test:DNS
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = ATLVMDC01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: ATLANTA\ATLVMDC01
Starting test: Connectivity
......................... ATLVMDC01 passed test Connectivity
Doing primary tests
Testing server: ATLANTA\ATLVMDC01
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... ATLVMDC01 passed test DNS
Running partition tests on : DomainDnsZones
Running partition tests on : xyz
Running partition tests on : ForestDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running enterprise tests on : xyz.den.lcl
Starting test: DNS
......................... xyz.den.lcl passed test DNS
在所有其他 DC 上,我看到 DCDIAG /TEST:DNS /E
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DENVMDC01
* Identified AD Forest.
[ATLVMDC01] LDAP bind failed with error 8341,
A directory service error has occurred..
Got error while checking if the DC is using FRS or DFSR. Error: A directory service error has occurred.The
VerifyReferences, FrsEvent and DfsrEvent tests might fail because of this error.
Done gathering initial info.
Doing initial required tests
Testing server: DENVER\DENVMDC01
Starting test: Connectivity
......................... DENVMDC01 passed test Connectivity
Testing server: DENVER\DENVMDC02
Starting test: Connectivity
......................... DENVMDC02 passed test Connectivity
Testing server: QUINCY\QCYDC001
Starting test: Connectivity
......................... QCYDC001 passed test Connectivity
Testing server: ATLANTA\ATLVMDC01
Starting test: Connectivity
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... ATLVMDC01 failed test Connectivity
Testing server: CLEVELAND\CLEDC01
Starting test: Connectivity
......................... CLEDC01 passed test Connectivity
Testing server: SANANTONIO\SATVMDC01
Starting test: Connectivity
......................... SATVMDC01 passed test Connectivity
Testing server: SANANTONIO\SATVMCAM01
Starting test: Connectivity
......................... SATVMCAM01 passed test Connectivity
Doing primary tests
Testing server: DENVER\DENVMDC01
Testing server: DENVER\DENVMDC02
Testing server: QUINCY\QCYDC001
Testing server: ATLANTA\ATLVMDC01
Testing server: CLEVELAND\CLEDC01
Testing server: SANANTONIO\SATVMDC01
Testing server: SANANTONIO\SATVMCAM01
Starting test: DNS
Starting test: DNS
Starting test: DNS
Starting test: DNS
Starting test: DNS
Starting test: DNS
Starting test: DNS Starting test: DNS
DNS Tests are running and not hung. Please waita few minutes...
ATLVMDC01 failed test DNS
SATVMDC01 passed test DNS
DENVMDC01 passed test DNS
SATVMCAM01 passed test DNS
CLEDC01 passed test DNS
DENVMDC02 passed test DNS
QCYDC001 passed test DNS
Running partition tests on : DomainDnsZones
Running partition tests on : ForestDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : xyz
Running partition tests on : DomainDnsZones
Running partition tests on : xyz
Running partition tests on : DomainDnsZones
Running partition tests on : xyz
Running partition tests on : DomainDnsZones
Running partition tests on : xyz
Running partition tests on : DomainDnsZones
Running partition tests on : xyz
Running partition tests on : DomainDnsZones
Running partition tests on : xyz
Running enterprise tests on : xyz.den.lcl
Starting test: DNS
Test results for domain controllers:
DC: ATLVMDC01.xyz.atl.lcl
Domain: xyz.atl.lcl
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
TEST: Basic (Basc)
Error: No LDAP connectivity
Error: No WMI connectivity
No host records (A or AAAA) were found for this DC
DC: QCYDC001.xyz.qucy.lcl
Domain: xyz.qucy.lcl
TEST: Basic (Basc)
Warning: adapter [00000003] QLogic BCM57800 10 Gigabit Ethernet (NDIS VBD Client) has invalid DNS
server: <server ip> (<name unavailable>)
Warning: Adapter B0:83:FE:D2:39:FB has dynamic IP address (can be a misconfiguration)
Warning: Adapter B0:83:FE:D2:39:F9 has dynamic IP address (can be a misconfiguration)
DNS server: 8.8.8.8 (<name unavailable>)
3 test failure on this DNS server
Name resolution is not functional. _ldap._tcp.xyz.den.lcl. failed on the DNS server 8.8.8.8
DNS server: <server ip> (<name unavailable>)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server <server ip> Name resolution is not functional. _ldap._tcp.xyz.den.lcl. failed on the DNS server 192.168.130.3
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: xyz.den.lcl
ATLVMDC01 FAIL FAIL n/a n/a n/a n/a n/a
QCYDC001 PASS WARN PASS PASS PASS PASS n/a
......................... xyz.den.lcl failed test DNS
运行 DCDIAG /test:checksecurityerror 并收到以下内容。
C:\Windows\system32>dcdiag /test:checksecurityerror
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DENVMDC01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: DENVER\DENVMDC01
Starting test: Connectivity
......................... DENVMDC01 passed test Connectivity
Doing primary tests
Testing server: DENVER\DENVMDC01
Starting test: CheckSecurityError
Source DC ATLVMDC01 has possible security error (1722). Diagnosing...
No KDC found for domain xyz.atl.lcl in site ATLANTA (1355, NULL)
[ATLVMDC01] Unable to contact this DC. Cannot continue diagnosing errors with this DC.
......................... DENVMDC01 failed test CheckSecurityError
Running partition tests on : DomainDnsZones
Running partition tests on : ForestDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : xyz
Running enterprise tests on : xyz.den.lcl