New DC - AD Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the required (SPN) f


I recently added a Windows Server 2019 DC to my domain, which already has three DCs across two sites. The three existing DCs are Server 2012 R2, and the domain and forest functional levels are 2008 R2. The new DC is in a different site from the primary DC.

When I run dcdiag /v on the primary DC, I see the following error in the output:

Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination directory server:
5BF411A7-E02F-419D-9B7E-FF82B1054046._msdcs.my_domain.local
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/5BF411A7-E02F-419D-9B7E-FF82B1054046/my_domain.local@my_domain.local
User Action
Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server's account data to replicate to the KDC before this directory server can be authenticated.

When I run repadmin /showrepl on the primary DC, I get the following for the new DC:

Source: site2\new_dc
******* 1 CONSECUTIVE FAILURES since 2023-08-31 15:45:49
Last error: 1396 (0x574):
           The target account name is incorrect.
Naming Context: CN=Configuration,DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=DomainDnsZones,DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=ForestDnsZones,DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.

I tried to add the SPN by running the following command on the primary DC:

   C:\Windows\system32>setspn -a E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bf411a7-e02f-419d-9b7e-ff82b1054046/new_dc.my_domain.local@my_domain.local new_dc

It returned the following:

Checking domain DC=my_domain,DC=local
Registering ServicePrincipalNames for CN=new_dc,OU=Domain Controllers,DC=my_domain,DC=local
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bf411a7-e02f-419d-9b7e-ff82b1054046/new_dc.my_domain.local@my_domain.local
Updated object 

However, when I run repadmin /showrepl and dcdiag /v on the primary DC again, I get the same errors as before.

When I run setspn -l new_dc on the primary DC, I get the following:

C:\Windows\system32>setspn -l new_dc
Registered ServicePrincipalNames for CN=new_dc,OU=Domain Controllers,DC=my_domain,DC=local:
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bf411a7-e02f-419d-9b7e-ff82b1054046/new_dc.my_domain.local@my_domain.local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/new_dc.my_domain.local
        WSMAN/new_dc
        WSMAN/new_dc.my_domain.local
        TERMSRV/new_dc
        TERMSRV/new_dc.my_domain.local
        RestrictedKrbHost/new_dc
        HOST/new_dc
        RestrictedKrbHost/new_dc.my_domain.local
        HOST/new_dc.my_domain.local

When I run the same command on the primary DC against another DC (Server 2012 R2) that is in the same site as my new DC, I get a lot more information, e.g.:

C:\Windows\system32>setspn -l other_dc
Registered ServicePrincipalNames for CN=other_dc,OU=Domain Controllers,DC=my_domain,DC=local:
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/other_dc.my_domain.local
        exchangeAB/other_dc.my_domain.local
        GC/other_dc.my_domain.local/my_domain.local
        HOST/other_dc.my_domain.local/my_domain
        HOST/other_dc/my_domain
        RPC/0933d3c4-faa2-41ee-bca2-618d2295b503._msdcs.my_domain.local
        DNS/other_dc.my_domain.local
        exchangeAB/other_dc
        HOST/other_dc.my_domain.local/my_domain.local
        ldap/0933d3c4-faa2-41ee-bca2-618d2295b503._msdcs.my_domain.local
        ldap/other_dc/my_domain
        ldap/other_dc.my_domain.local/my_domain.local
        ldap/other_dc.my_domain.local/ForestDnsZones.my_domain.local
        ldap/other_dc.my_domain.local/DomainDnsZones.my_domain.local
        ldap/other_dc.my_domain.local
        ldap/other_dc
        ldap/other_dc.my_domain.local/my_domain
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/0933d3c4-faa2-41ee-bca2-618d2295b503/my_domain.local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/other_dc.my_domain.local
        WSMAN/other_dc.my_domain.local
        WSMAN/other_dc
        TERMSRV/other_dc
        TERMSRV/other_dc.my_domain.local
        RestrictedKrbHost/other_dc
        HOST/other_dc
        RestrictedKrbHost/other_dc.my_domain.local
        HOST/other_dc.my_domain.local

Also, why does setspn -l show so much more detail for the other DC and so much less for my new DC? Why are all the ldap entries missing from the setspn -l output for the new DC?

Why am I getting the replication and dcdiag errors?

Thanks in advance, POR
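The following is an added example and is not part of the question above. It checks a DC's computer account for the SPNs that the healthy 2012 R2 DC in the post carries: the DRS replication SPN `E3514235-4B06-11D1-AB04-00C04FC2DCD2/<NTDS Settings objectGUID>/<domain DNS name>` (no `@realm` suffix in the stored attribute, and the domain name rather than the host name after the GUID) plus the `ldap/<guid>._msdcs.<domain>`, `ldap/<host>`, `ldap/<host>/<domain>`, `HOST/<host>/<domain>` and, for a global catalog, `GC/<host>/<domain>` forms. It derives the GUID from the DC's own NTDS Settings object instead of taking it from a pasted error message, and flags any registered SPN that mentions that GUID in a form other than the expected one. It assumes the RSAT ActiveDirectory module is available and uses the names from the post (`new_dc`, `my_domain.local`) as placeholders.

```powershell
# Added example, not from the original post: compare the SPNs a domain
# controller's computer account should carry (derived from its NTDS Settings
# objectGUID and host name) with the servicePrincipalName values actually set.
# Assumptions: RSAT ActiveDirectory module installed; names below are the
# post's placeholders and should be replaced for a real domain.
Import-Module ActiveDirectory

function Get-ExpectedDcSpn {
    param(
        [Parameter(Mandatory)] [string] $DcName,   # sAMAccountName without trailing $
        [Parameter(Mandatory)] [string] $Domain    # DNS name of the AD domain
    )
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    $guid = $ntds.objectGUID.ToString()      # GUID used in the replication SPNs
    $fqdn = $dc.HostName

    # Forms visible on the healthy 2012 R2 DC in the post; the first two are the
    # ones DRS replication and dcdiag resolve. Stored values carry no @realm.
    $expected = @(
        "E3514235-4B06-11D1-AB04-00C04FC2DCD2/$guid/$Domain"
        "ldap/$guid._msdcs.$Domain"
        "ldap/$fqdn"
        "ldap/$fqdn/$Domain"
        "HOST/$fqdn/$Domain"
    )
    if ($dc.IsGlobalCatalog) { $expected += "GC/$fqdn/$Domain" }

    [pscustomobject]@{ Guid = $guid; HostName = $fqdn; Expected = $expected }
}

function Test-DcSpn {
    param(
        [Parameter(Mandatory)] [string] $DcName,
        [Parameter(Mandatory)] [string] $Domain
    )
    $info    = Get-ExpectedDcSpn -DcName $DcName -Domain $Domain
    $account = Get-ADComputer -Identity $DcName -Properties servicePrincipalName
    $have    = @($account.servicePrincipalName)

    # Kerberos compares SPNs case-insensitively; PowerShell -contains does too.
    foreach ($spn in $info.Expected) {
        [pscustomobject]@{ SPN = $spn; Status = if ($have -contains $spn) { 'registered' } else { 'MISSING' } }
    }

    # Entries that mention the NTDS GUID but not in an expected form, e.g. one
    # typed by hand with a host name or an @realm suffix where they do not belong.
    $have |
        Where-Object { $_ -like "*$($info.Guid)*" -and $info.Expected -notcontains $_ } |
        ForEach-Object { [pscustomobject]@{ SPN = $_; Status = 'unexpected form' } }
}

# Usage: run from a domain-joined admin session with RSAT installed.
Test-DcSpn -DcName 'new_dc' -Domain 'my_domain.local' | Format-Table -AutoSize
```

Running this against each DC shows whether the replication SPN exists on the account in the exact form the KDC will look up. Because the other DC's KDC answers from its own replica, a row marked `registered` when queried against one DC but `MISSING` when the same query is pointed at another (`-Server`) indicates the account data has not replicated yet, which is the case the dcdiag text itself describes for a recently promoted DC.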
