WinRM - Remote sessions between old and new DCs don't work

We have a total of 6 domain controllers, 2 of which (dc03/04) were just created. I can PSRemote between all of the older DCs and between 03 and 04, but not between the older DCs and the newly created ones. I am able to log in over RDP to all DCs with my (domain admin) credentials.

PS C:\Windows\system32> Get-ADDomainController -Filter * -Server $DomainName |Select-Object Hostname,OperatingSystem

Hostname                   OperatingSystem
--------                   ---------------
dcsrv02.example.com    Windows Server 2016 Standard
DC01.example.com     Windows Server 2019 Datacenter
dcsrv01.example.com    Windows Server 2016 Standard
DC02.example.com     Windows Server 2019 Datacenter
dc03.example.com     Windows Server 2019 Standard
dc04.example.com     Windows Server 2019 Standard

I am specifically trying to go from dc01 to 03 or 04 to complete Add-DhcpServerv4Failover. All of the following was run "as Administrator" in a PowerShell session on dc01:

PS C:\Windows\system32> Enter-PSSession -ComputerName dcsrv01.example.com -Authentication Credssp -Credential $cred
[dcsrv01.example.com]: PS C:\Users\myUser\Documents> exit
PS C:\Windows\system32> Enter-PSSession -ComputerName dcsrv02.example.com -Authentication Credssp -Credential $cred
[dcsrv02.example.com]: PS C:\Users\myUser\Documents> exit
PS C:\Windows\system32> Enter-PSSession -ComputerName dc02.example.com -Authentication Credssp -Credential $cred
[dc02.example.com]: PS C:\Users\myUser\Documents> exit
PS C:\Windows\system32> Enter-PSSession -ComputerName dc03.example.com -Authentication Credssp -Credential $cred
Enter-PSSession : Connecting to remote server dc03.example.com failed with the following error message : WinRM cannot complete the operation. Verify
that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is
enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the
same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName dc03.example.com -Authentication  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (dc03.example.com:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS C:\Windows\system32> Enter-PSSession -ComputerName dc04.example.com -Authentication Credssp -Credential $cred
Enter-PSSession : Connecting to remote server dc04.example.com failed with the following error message : WinRM cannot complete the operation. Verify
that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is
enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the
same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName dc04.example.com -Authentication  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (dc04.example.com:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

The error generated in the Windows Remote Management Operational log is "WSMan operation CreateShell failed, error code 2150859046". The following was run "as Administrator" in a PowerShell session on dc03:

PS C:\Windows\system32> Enter-PSSession -ComputerName dc04.example.com -Authentication Credssp -Credential $cred
[dc04.example.com]: PS C:\Users\myUser\Documents> exit
PS C:\Windows\system32>  Enter-PSSession -ComputerName dc01.example.com -Authentication Credssp -Credential $cred
Enter-PSSession : Connecting to remote server dc01.example.com failed with the following error message : The client cannot
connect to the destination specified in the request. Verify that the service on the destination is running and is accepting
requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM.
If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service:
"winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:2
+  Enter-PSSession -ComputerName dc01.example.com -Authentication ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (dc01.example.com:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

The same thing is seen when running from 04. All dc0X servers are on the same subnet, while the dcsrv0X servers are on a different subnet. Domain policy has the firewall disabled for domain controllers (don't get me started), and no proxy is configured on any DC:

PS C:\Windows\system32> netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

Group policy is set to delegate client credentials to all computers in the domain (wsman/*.example.com). The same behavior is seen by simply running Enter-PSSession -ComputerName without specifying an authentication type or credentials.
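An added diagnostic script (not part of the original question) that reproduces the pair-wise checks above from one DC: it probes every other DC on TCP 5985, runs a Test-WSMan handshake with the same CredSSP authentication the question uses, and pulls recent client-side WinRM Operational errors. This separates a transport/path problem (intermittent TCP failure) from a WinRM configuration or delegation problem (TCP fine, WS-Man handshake fails); $cred is assumed to be a domain-admin credential and the hostnames come from Get-ADDomainController as in the question.

```powershell
# Added example, not from the original post. Run "as Administrator" on the
# source DC (e.g. dc01). Assumes $cred holds a domain-admin credential.
$cred = Get-Credential
$self = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$dcs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    if ($dc -ieq $self) { continue }   # skip ourselves

    # Layer 3/4 check: is the WinRM HTTP listener port reachable at all?
    $tcp = Test-NetConnection -ComputerName $dc -Port 5985 -WarningAction SilentlyContinue

    # WS-Man handshake with the same CredSSP auth the question uses.
    $wsman = $null; $err = $null
    try {
        $wsman = Test-WSMan -ComputerName $dc -Authentication Credssp -Credential $cred -ErrorAction Stop
    } catch {
        $err = $_.Exception.Message
    }

    [pscustomobject]@{
        Target  = $dc
        Ping    = $tcp.PingSucceeded
        Tcp5985 = $tcp.TcpTestSucceeded
        WSManOK = [bool]$wsman
        Error   = $err
    }
}
$results | Format-Table -AutoSize

# Client-side WinRM Operational log for the last hour. The code the question
# cites, 2150859046, is 0x80338126 in hex; match either spelling.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Level     = 2
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '2150859046|0x80338126' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it a few times in a row: a target whose Tcp5985 column flips between True and False while the older DCs stay True points at the network path to that host rather than at WinRM or CredSSP configuration.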

Answer 1

tl;dr - check your switch ports for errors.

It turned out this was caused by a bad port on the ESXi switch the host was connected to. The port eventually failed outright, taking the host and all of its VMs offline.

Since then we have moved the VMs to a different cluster/storage, and since the move communication between all DCs has been instant and error-free.