我们遇到一个问题,有些计算机似乎没有获取所有 GPO。在组策略管理编辑器中查看时,我们会看到很多“红色 x”、“文件未找到”GPO(并且没有指定它们是哪个 GPO)。
关于我们的环境,我们在 Server 2008 R2 功能级别有 4 个域控制器。2 个 DC 是本地 Server2k8R2,另外 2 个是运行 Server 2016 的异地 AWS EC2 实例。
运行“net share”显示 2 个 2K8R2 DC 与 2K16 DC 的 NETLOGON 和 SYSVOL 在不同的路径上共享(我不知道这是否是个问题)。
Server2016 DCs show these paths:
NETLOGON - C:\Windows\SYSVOL\sysvol\domain.local\SCRIPTS
SYSVOL - C:\Windows\SYSVOL\sysvol
Server 2008 R2 DCs show these paths:
NETLOGON - C:\Windows\SYSVOL_DFSR\sysvol\superior.local\SCRIPTS
SYSVOL - C:\Windows\SYSVOL_DFSR\sysvol
在所有情况下,除了 domain.local 文件夹之外,C:\Windows\SYSVOL\sysvol 都是空的。
运行“DCDIAG”显示所有四个“SystemLog”测试均失败,并且 DFSREvent 测试出现警告:
AWSDC01 & AWSDC02:
SystemLog test-
"The Netlogon service encountered a client using RPC signing instead of RPC sealing".
"The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.
DFSREvent test - "There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause problems with group policy"
"
OnSite-DC1:
DFRSEvent test - "There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause problems with group policy"
SystemLog test - "An error event occurred. Event ID 0xC2000001. Unexpected failure. Error code 490@01010004"
OnSite-DC2:
DFRSEvent test - "There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause problems with group policy"
and
"This computer could not authenticate with \\AWSDC01.domain.local, a Windows domain controller for domain DOMAINNAME, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized."
其他一些注意事项:
-Event viewer logs (on on-site DC1 and on-site DC2) under application and services > DFS replication show only information about replication between each other. No mention of replication between the AWS DC's.
- Every hour the on-prem DCs show a DFS error "the dfs replication service is stopping communication with partner {other on-prem DC} for replication group Domain System Volume due to an error. Error 9036.
AWS DC02 only shows error logs regarding DFS replication with on-prem DC02. Same error 9036 "replication service stopping due to an error".
AWS DC01, same thing - only shows logs regarding DFS replication with on-prem DC01. Error 9036 "replication service stopped due to an error".
知道这里可能发生什么事吗,或者下一步该看哪里?
答案1
这些错误确实表明存在身份验证问题,因此最近的 kerberos 更新(由 Greg Askew 引用)可能是原因,特别是如果您最近进行了更新并且问题从那时开始。如果您这么认为,请考虑暂时删除该更新,然后当一切恢复正常时,计划尽快将 2008 服务器 dcpromo 出去。
你可以尝试一下这个工具: https://www.microsoft.com/en-us/download/details.aspx?id=30005
我确信我以前也使用过 MS 的另一个复制监视工具,只是现在想不起它叫什么了。我记得它只是一个 MSI 安装!也许它只是 FRS diag,而不是 dfrs。
AD 复制高度依赖于 DNS 和同步时间,因此请务必仔细检查所有设置。您可以使用以下方法比较时间:
net time \\server
看看是否存在差异 - 如果它完全有效(即运行命令时服务器之间没有连接问题)。否则,请考虑从同一外部时间源(例如pool.ntp.org)同步它们。
要测试 DNS,请从其他所有服务器 ping 每个服务器 fqdn,将结果相互比较并与您的预期进行比较。我假设您在本地和 AWS 之间有一些 VPN 或类似的非 nat L3 路由?例如 192.168.1.10 可以 ping 10.0.0.2,或者本地和 AWS 上的“内部”IP(我只熟悉 Azure,所以可能不一样,如果 AWS 的工作方式有所不同,请原谅我)。
您可能还想检查 AD 站点和服务中的 AWS 和本地,深入到 NTDS 并查看复制关系。您可以右键单击并复制,看看它是否显示(解释)“确定”或“无法执行” - 这可能有助于缩小问题范围。