Non-active directory has forgotten itself

I inherited a Microsoft network with 2 AD hosts running on MS-Windows 2012 core. Until a week ago it was working fine, but since then there have been problems logging in and accessing network shares. While one AD host appears to be behaving normally, the other will not cooperate. Trying to access it via remote powershell:

enter-pssession : Connecting to remote server ad1 failed with the following error message : WinRM cannot
process the request. The following error occurred while using Kerberos authentication: Cannot find the computer 
ad1. Verify that the computer exists on the network and that the name provided is spelled correctly. For
more information, see the about_Remote_Troubleshooting Help topic.
  At line:1 char:1
  + enter-pssession -computername ad1
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo          : InvalidArgument: (ad1:String) [Enter-PSSession], PSRemotingTransportException
  + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

After some poking around, I was eventually able to access it via...

Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.1.0.64'
$cred = get-credential
enter-pssession -computername 10.1.0.64 -credential $cred

Despite this being a domain controller host, my session cannot access any AD-related functionality:

  [10.1.0.64]: PS C:\Users\symcbean\Documents> Test-ComputerSecureChannel
  Cannot verify the secure channel for the local computer. 
  Operation failed with the following exception: The specified domain either does not exist or could not be contacted.
     + CategoryInfo          : OperationStopped: (ad1:String) [Test-ComputerSecureChannel], InvalidOperation Exception
     + FullyQualifiedErrorId : FailToTestSecureChannel,Microsoft.PowerShell.Commands.TestComputerSecureChannelCommand

A DNS lookup of the _ldap._tcp.$DOMAIN SRV record returns both AD servers. Running get-AdDomain also gives an error:

 [10.1.0.64]: PS C:\Users\symcbean\Documents> get-addomain
 Attempting to perform the InitializeDefaultDrives operation on the 'ActiveDirectory' provider failed.
 Server instance not found on the given port.
 + CategoryInfo          : InvalidArgument: (NTSERVDOM:ADDomain) [Get-ADDomain], ArgumentException
 + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
 ands.GetADDomain

Running the same command on my desktop machine, I see a slightly different error:

 PS C:\Users\symcbean> get-addomain
 get-addomain : Unable to contact the server. This may be because this server does not exist, it is currently down, or
 it does not have the Active Directory Web Services running.
 At line:1 char:1
   + get-addomain
   + ~~~~~~~~~~~~
   + CategoryInfo          : ResourceUnavailable: (NTSERVDOM:ADDomain) [Get-ADDomain], ADServerDownException
   + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADDomain

The NtDs, NtFrs, Kdc, IsmServ and DNS services are all running on the host. I can complete a TCP handshake on ports 3128, 636 and 9389. What has gone wrong? What should I check next?
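The following is an added diagnostic script, not part of the original post. It runs, from the suspect DC itself, the checks a practitioner would reach for here: the service list the post gives omits ADWS (which is what Get-ADDomain talks to on port 9389, and is the service named in the "Active Directory Web Services" error) and Netlogon (which registers the DC's SRV records and answers secure-channel requests), so those are checked first, then TCP reachability of the AD ports, the DC locator, replication, and finally the ActiveDirectory cmdlets pointed explicitly at this server so that a failure can be isolated to ADWS rather than to default drive initialisation. The DC name 'ad1' and the domain DNS name 'ntservdom.example' are assumptions for illustration; substitute your own.

```powershell
# Added example, not code from the original post.
# Assumptions (hypothetical): DC name 'ad1', domain DNS name 'ntservdom.example'.
param(
    [string]$Dc     = 'ad1',
    [string]$Domain = 'ntservdom.example'
)

# 1. Services a 2012 DC needs for Get-ADDomain and a healthy secure channel.
#    ADWS listens on 9389 and is what the ActiveDirectory module talks to;
#    Netlogon maintains the SRV records and the secure channel.
$required = 'NTDS', 'ADWS', 'DNS', 'Kdc', 'Netlogon', 'NtFrs', 'DFSR'
Get-Service -Name $required -ErrorAction SilentlyContinue |
    Select-Object Name, Status |
    Format-Table -AutoSize

# 2. TCP reachability of the AD ports. A completed handshake only proves that
#    something is listening; a DC can accept the connection and still fail at
#    the LDAP or ADWS layer, which is why the later checks matter more.
$ports = @{ Kerberos = 88; LDAP = 389; LDAPS = 636; GC = 3268; ADWS = 9389 }
foreach ($name in $ports.Keys) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Dc, $ports[$name], $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne(2000)
        if ($ok) { $client.EndConnect($async) }
        "{0,-9} {1,5}  {2}" -f $name, $ports[$name], $(if ($ok) { 'open' } else { 'closed/filtered' })
    } catch {
        "{0,-9} {1,5}  refused: {2}" -f $name, $ports[$name], $_.Exception.Message
    } finally {
        $client.Close()
    }
}

# 3. Does DNS still advertise this host as a DC, and does the locator agree?
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV | Format-Table -AutoSize
nltest /dsgetdc:$Domain /force
nltest /dclist:$Domain

# 4. Replication and secure-channel health of the suspect DC.
repadmin /showrepl $Dc
repadmin /replsummary
nltest /sc_query:$Domain
dcdiag /s:$Dc /test:Connectivity /test:Advertising /test:Services /test:KnowsOfRoleHolders

# 5. Target ADWS on this DC explicitly instead of relying on the module's
#    default drive initialisation. If this fails with "Unable to contact the
#    server" while the port is open, the ADWS service itself is the problem.
try {
    Get-ADDomainController -Identity $Dc -Server $Dc | Select-Object Name, IsGlobalCatalog, OperationMasterRoles
    Get-ADDomain -Server $Dc | Select-Object DNSRoot, PDCEmulator, InfrastructureMaster
} catch {
    Write-Warning "ADWS on $Dc did not answer: $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell session on the DC (the ActiveDirectory module and repadmin/dcdiag are present once the AD DS role is installed). Compare the `nltest /dsgetdc` and `nltest /dclist` output with the SRV records: a DC that is reachable on its ports but not returned by the locator, or whose `repadmin /showrepl` shows long-failed inbound links, points at Netlogon or replication rather than at the network.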
