
I have a lab containing the ACME domain, with ACME-DC2 and ACME-DC3. It has a child domain called LAB containing LAB-DC1. I made some infrastructure changes in my environment that caused Active Directory DNS to be down for a while. Replication between my ACME domain and the LAB domain appears to be broken:
Starting test: Replications
[Replications Check,LAB-DC1] A recent replication attempt failed:
From ACME-DC2 to LAB-DC1
Naming Context: DC=ForestDnsZones,DC=ACME,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2022-01-14 13:54:35.
The last success occurred at 2019-05-03 19:45:51.
20747 failures have occurred since the last success.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source ACME-DC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
[Replications Check,LAB-DC1] A recent replication attempt failed:
From ACME-DC2 to LAB-DC1
Naming Context: CN=Schema,CN=Configuration,DC=ACME,DC=local
The replication generated an error (5):
Access is denied.
The failure occurred at 2022-01-14 13:54:35.
The last success occurred at 2019-05-03 19:45:51.
20738 failures have occurred since the last success.
[Replications Check,LAB-DC1] A recent replication attempt failed:
From ACME-DC2 to LAB-DC1
Naming Context: CN=Configuration,DC=ACME,DC=local
The replication generated an error (5):
Access is denied.
The failure occurred at 2022-01-14 13:54:34.
The last success occurred at 2019-05-03 19:45:51.
20771 failures have occurred since the last success.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source ACME-DC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
[Replications Check,LAB-DC1] A recent replication attempt failed:
From ACME-DC2 to LAB-DC1
Naming Context: DC=ACME,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2022-01-14 13:54:35.
The last success occurred at 2019-05-03 20:16:26.
39498 failures have occurred since the last success.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source ACME-DC2
Replication of new changes along this path will be delayed.
C:\Users\administrator.ACME> repadmin /replicate LAB-DC1 ACME-DC2 "DC=ForestDnsZones,DC=ACME,DC=local"
DsReplicaSync() failed with status 5 (0x5):
Access is denied.
dcdiag reports:
......................... ACME-DC2 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x8000001C
Time Generated: 01/22/2022 18:09:57
Event String:
When generating a cross realm referral from domain LAB.ACME.L
verify the ticket. The ticket key version in the request was 15 and the avai
this error is a delay in replicating the keys. In order to remove this probl
of keys to occur.
......................... ACME-DC2 passed test SystemLog
Starting test: VerifyReferences
......................... ACME-DC2 passed test VerifyReferences
I have tried various things to fix it. The outage definitely lasted more than 180 days, so I believe the LAB DC has been tombstoned, or vice versa. I have seen some errors about this before. To fix it, I set "Strict Replication Consistency" to 0 in the registry and re-ran replication. That seemed to fix some of the errors, but I cannot get past the "Access is denied" problem.
I also found several references to ACME-DC1 (a previous, now-dead DC) in LAB-DC1's DNS data. I went through all of it carefully and renamed those entries to ACME-DC2.
Any idea how to fix this "Access is denied" error?
The second problem is that the LAB domain has the old ACME-DC1 as the Schema Master and Domain Naming Master. That DC exists in Sites and Services. I tried to delete it there but could not. I had to remove it from the CN=Configuration partition using ADSIEdit.
C:\Users\administrator.ACME>netdom query fsmo
Schema master *** Warning: role owner is a deleted DC: CN=NTDS Settings\0ADEL:a1047a26-7404-43b1-8a6e-f260c2a73d14,CN=ACME-DC1\0ADEL:e307b4b3-3a49-4c03-a93f-9c0c8eb45c10,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ACME,DC=local
Domain naming master *** Warning: role owner is a deleted DC: CN=NTDS Settings\0ADEL:a1047a26-7404-43b1-8a6e-f260c2a73d14,CN=ACME-DC1\0ADEL:e307b4b3-3a49-4c03-a93f-9c0c8eb45c10,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ACME,DC=local
PDC lab-dc1.lab.ACME.local
RID pool manager lab-dc1.lab.ACME.local
Infrastructure master lab-dc1.lab.ACME.local
I tried to correct this with ADSIEdit by changing the fsmoRoleOwner (??) attribute, but got WILL_NOT_PERFORM. I am a bit hesitant to try seizing the roles.
I also tried adding a new domain controller to the LAB domain, but it errored out because of the invalid references to ACME-DC1.
It would not be the end of the world if I had to throw away the LAB domain, but I hope I won't have to.
I also tried fixfsmo.ps1. It identified the error and said it was fixed. When I try netdom query fsmo, it still shows the old entries.
EDIT
I was able to resolve this. But I ran into several other issues.
The sysvol share was missing on ACME-DC3. I was able to extend MaxOfflineTimeInDays past the number of days shown in the error in the DFS Replication event viewer, then restart the DFS Replication service. SYSVOL and NETLOGON reappeared on ACME-DC3. Afterwards I reset MaxOfflineTimeInDays back to 60.
I also found some odd entries in DNS from before the DCs were re-IPed. All of the odd entries were fixed.
I manually added an NTDS connection between LAB-DC1 and NETOPIA-DC3. Not sure whether it helped, but dcdiag complained that it was missing.
The secure channel between ACME-DC2 and ACME-DC3 was broken. I tried to repair it with netdom but kept getting errors. I was finally able to repair the trust using Active Directory Domains and Trusts. This was a key step in fixing the problem. I had previously tried to repair the secure channel with PowerShell and netdom or nltest, but that failed. In the end I just used this tool from each of the 3 DCs, in both directions (child to parent and parent to child), choosing Validate and Repair. Eventually I got it working.
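As an added example (not part of the original post or any Microsoft tool), here is a small Python parser for the dcdiag "Replications" block shown above: it reads each failed link, computes how long it has gone without a successful replication, and flags links past the default 180-day tombstone lifetime, which is the condition the post describes as the root of the Strict Replication Consistency trouble. The sample text is constructed from the post's own output.

```python
import re
from datetime import datetime

# Default AD tombstone lifetime in days; a partner silent for longer may hold
# lingering objects, which is what Strict Replication Consistency guards against.
TOMBSTONE_LIFETIME_DAYS = 180

# Constructed sample: two entries abridged from the dcdiag output in the post.
SAMPLE = """\
[Replications Check,LAB-DC1] A recent replication attempt failed:
  From ACME-DC2 to LAB-DC1
  Naming Context: DC=ForestDnsZones,DC=ACME,DC=local
  The replication generated an error (1256):
  The remote system is not available. For information about network troubleshooting, see Windows Help.
  The failure occurred at 2022-01-14 13:54:35.
  The last success occurred at 2019-05-03 19:45:51.
[Replications Check,LAB-DC1] A recent replication attempt failed:
  From ACME-DC2 to LAB-DC1
  Naming Context: CN=Schema,CN=Configuration,DC=ACME,DC=local
  The replication generated an error (5):
  Access is denied.
  The failure occurred at 2022-01-14 13:54:35.
  The last success occurred at 2019-05-03 19:45:51.
"""

# One failed link as dcdiag prints it; indentation is stripped before matching.
LINK_RE = re.compile(
    r"From (?P<src>\S+) to (?P<dst>\S+)\n"
    r"Naming Context: (?P<nc>.+)\n"
    r"The replication generated an error \((?P<code>\d+)\):\n"
    r"(?P<msg>.+)\n"
    r"The failure occurred at (?P<fail>[\d-]+ [\d:]+)\.\n"
    r"The last success occurred at (?P<ok>[\d-]+ [\d:]+)\.\n"
)

def parse_failures(text):
    """Return one dict per failed link with its outage length and tombstone status."""
    cleaned = "\n".join(line.strip() for line in text.splitlines()) + "\n"
    links = []
    for m in LINK_RE.finditer(cleaned):
        fail = datetime.strptime(m["fail"], "%Y-%m-%d %H:%M:%S")
        ok = datetime.strptime(m["ok"], "%Y-%m-%d %H:%M:%S")
        days = (fail - ok).days
        links.append({
            "source": m["src"], "dest": m["dst"], "nc": m["nc"],
            "code": int(m["code"]), "message": m["msg"],
            "days_since_success": days,
            "lingering_object_risk": days > TOMBSTONE_LIFETIME_DAYS,
        })
    return links
```

Run it over the saved output of `dcdiag /test:replications` from the affected DC; any link with `lingering_object_risk` set is a candidate for lingering-object cleanup before strict consistency is re-enabled.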