I ran into a problem while installing our Exchange 2010 server: Client Access authentication does not work unless the server is configured as a domain controller / global catalogue.
Because of time pressure I put it into production like that, but I really need to fix it now. I don't know where the problem might be or how to identify it.
My question is:
What could be causing this? How do I test for it and fix it?
I'm not sure what information is relevant to this problem, but:
The server OS is Win 2008 R2, and all the DCs are the same. The Exchange server has the CAS, Hub Transport and Mailbox Server roles. External mail is received by another Exchange 2010 server running the Edge role in the DMZ. (That works fine, and the Edge server is not a DC... obviously ;) )
Please tell me what other information I can add to improve this question; I'll add it as soon as I can.
Here is the output from these commands:
dcdiag /v
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine DC2, is a Directory Server.
Home Server = DC2
* Connecting to directory service on server DC2.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=DC3,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=MX1,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Advertising
The DC DC2 is advertising itself as a DC and having a DS.
The DC DC2 is advertising as an LDAP server
The DC DC2 is advertising as having a writeable directory
The DC DC2 is advertising as a Key Distribution Center
The DC DC2 is advertising as a time server
The DS DC2 is advertising as a GC.
......................... DC2 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... DC2 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... DC2 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC2 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... DC2 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Domain Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role PDC Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Rid Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
......................... DC2 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC DC2 on DC DC2.
* SPN found :LDAP/DC2.corp.domain/corp.domain
* SPN found :LDAP/DC2.corp.domain
* SPN found :LDAP/DC2
* SPN found :LDAP/DC2.corp.domain/corpdomain
* SPN found :LDAP/ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ef6459ec-28d5-4ab4-85bc-778547782ce7/corp.domain
* SPN found :HOST/DC2.corp.domain/corp.domain
* SPN found :HOST/DC2.corp.domain
* SPN found :HOST/DC2
* SPN found :HOST/DC2.corp.domain/corpdomain
* SPN found :GC/DC2.corp.domain/corp.domain
......................... DC2 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC2.
* Security Permissions Check for
DC=ForestDnsZones,DC=corp,DC=domain
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=corp,DC=domain
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=corp,DC=domain
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=corp,DC=domain
(Configuration,Version 3)
* Security Permissions Check for
DC=corp,DC=domain
(Domain,Version 3)
......................... DC2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC2\netlogon
Verified share \\DC2\sysvol
......................... DC2 passed test NetLogons
Starting test: ObjectsReplicated
DC2 is in domain DC=corp,DC=domain
Checking for CN=DC2,OU=Domain Controllers,DC=corp,DC=domain in domain DC=corp,DC=domain on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain in domain CN=Configuration,DC=corp,DC=domain on 1 servers
Object is up-to-date on all servers.
......................... DC2 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... DC2 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 3102 to 1073741823
* DC2.corp.domain is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1602 to 2101
* rIDPreviousAllocationPool is 1602 to 2101
* rIDNextRID: 1818
......................... DC2 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC2 passed test Services
Starting test: SystemLog
* The System Event log test
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:15:51
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:15:51.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: [email protected]
Target Name: [email protected]@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:30:51
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:30:51.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: [email protected]
Target Name: [email protected]@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:45:52
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:45:52.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: [email protected]
Target Name: [email protected]@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:53:46
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:53:46.0000 3/19/2013 Z
Error Code: 0x29 KRB_AP_ERR_MODIFIED
Extended Error:
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$
Target Name:
Error Text:
File: 3
Line: 576
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 14:00:52
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 4:0:52.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: [email protected]
Target Name: [email protected]@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
......................... DC2 failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DC2,OU=Domain Controllers,DC=corp,DC=domain and
backlink on
CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
are correct.
The system object reference (serverReferenceBL)
CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain
and backlink on
CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain
and backlink on
CN=DC2,OU=Domain Controllers,DC=corp,DC=domain are
correct.
......................... DC2 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : corp
Starting test: CheckSDRefDom
......................... corp passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... corp passed test CrossRefValidation
Running enterprise tests on : corp.domain
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
PDC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
Time Server Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
Preferred Time Server Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
KDC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
......................... corp.domain passed test
LocatorCheck
Starting test: Intersite
Skipping site Brisbane, this site is outside the scope provided by the
command line arguments provided.
......................... corp.domain passed test Intersite
dcdiag /test:topology
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Topology
......................... DC2 passed test Topology
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : corp
Running enterprise tests on : corp.domain
dcdiag /test:replications
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Replications
......................... DC2 passed test Replications
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : corp
Running enterprise tests on : corp.domain
dnslint /ad 10.1.1.21 /s 10.1.1.21
DNSLint Report
System Date: Tue Mar 19 14:43:20 2013
Command run:
c:\dnslint\dnslint /ad 10.1.1.21 /s 10.1.1.21
Root of Active Directory Forest:
corp.domain
Active Directory Forest Replication GUIDs Found:
DC: DC2
GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7
DC: DC3
GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
DC: MX1
GUID: 579be28b-006e-4f1c-911a-780458c5d081
Total GUIDs found: 3
--------------------------------------------------------------------------------
The following 2 DNS servers were checked for records related to AD forest replication:
DNS server: dc2.corp.domain
IP Address: 10.1.1.21
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dc2.corp.domain
Hostmaster: hostmaster.corp.domain
Zone serial number: 150
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
dc2.corp.domain Unknown
dc3.corp.domain Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
Alias: dc2.corp.domain
Glue: 10.1.1.21
CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
Alias: dc3.corp.domain
Glue: 10.1.1.22
CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
Alias: mx1.corp.domain
Glue: 10.1.1.25
Total number of CNAME records found on this server: 3
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0
--------------------------------------------------------------------------------
DNS server: dc3.corp.domain
IP Address: 10.1.1.22
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dc3.corp.domain
Hostmaster: hostmaster.corp.domain
Zone serial number: 150
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
dc2.corp.domain Unknown
dc3.corp.domain Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
Alias: dc2.corp.domain
Glue: 10.1.1.21
CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
Alias: dc3.corp.domain
Glue: 10.1.1.22
CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
Alias: mx1.corp.domain
Glue: 10.1.1.25
Total number of CNAME records found on this server: 3
Total number of CNAME records missing on this server: 0
dnscmd /zoneinfo corp.domain
Zone query result:
Zone info:
ptr = 0000000000197AB0
zone name = corp.domain
zone type = 1
shutdown = 0
paused = 0
update = 2
DS integrated = 1
read only zone = 0
in DS loading queue = 0
currently DS loading = 0
data file = (null)
using WINS = 0
using Nbstat = 0
aging = 0
refresh interval = 168
no refresh = 168
scavenge available = 0
Zone Masters NULL IP Array.
Zone Secondaries NULL IP Array.
secure secs = 1
directory partition = AD-Domain flags 00000015
zone DN = DC=corp.domain,cn=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=domain
Command completed successfully.
repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Brisbane\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7
DSA invocationID: d2eb9fee-f5ee-458d-b37f-813d6cc41d9b
==== INBOUND NEIGHBORS ======================================
DC=corp,DC=domain
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:58:35 was successful.
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:59:08 was successful.
CN=Configuration,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:55:31 was successful.
CN=Schema,CN=Configuration,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:55:31 was successful.
DC=DomainDnsZones,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
DC=ForestDnsZones,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
repadmin /replsummary
Replication Summary Start Time: 2013-03-19 14:59:31
Beginning data collection for replication summary, this may take awhile:
......
Source DSA largest delta fails/total %% error
DC2 12m:51s 0 / 8 0
DC3 12m:51s 0 / 8 0
MX1 11m:11s 0 / 6 0
Destination DSA largest delta fails/total %% error
DC2 04m:00s 0 / 8 0
DC3 11m:11s 0 / 8 0
MX1 12m:51s 0 / 6 0
repadmin /kcc
Repadmin: running command /kcc against full DC localhost
Brisbane
Current Site Options: (none)
Consistency check on localhost successful.
netdom query fsmo
Schema master DC2.corp.domain
Domain naming master DC2.corp.domain
PDC DC2.corp.domain
RID pool manager DC2.corp.domain
Infrastructure master DC2.corp.domain
The command completed successfully.
Answer 1
An Exchange 2010 server requires a domain controller that is a GC in the same site.
Also, running Exchange on a domain controller is not recommended. And you must absolutely never promote an Exchange server to a domain controller.
From your description, you have broken at least two of those rules, possibly all three.
Answer 2
Solution provided by Ashdrewness
Running dcpromo on a server after Exchange is installed is not supported. An in-place upgrade from Std to Ent after Exchange is installed is not supported either. You have to either uninstall Exchange or perform a disaster recovery install of Exchange (setup.com /recoverserver).
From http://technet.microsoft.com/en-us/library/aa996719(v=exchg.141).aspx
Installing Exchange 2010 on Directory Servers
For security and performance reasons, we recommend that you install Exchange 2010 only on member servers and not on Active Directory directory servers. However, you can't run DCPromo on a computer running Exchange 2010. After Exchange 2010 is installed, changing its role from a member server to a directory server, or vice versa, isn't supported.
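As an added example (not code from the question or from either answer): a PowerShell pre-flight script that checks the two placement rules the answers cite, namely that the Exchange server is a member server rather than a DC, and that its AD site contains a global catalog other than itself. It uses only System.DirectoryServices, so it needs neither RSAT nor the Exchange management shell, and it assumes it is run on the Exchange server as a domain user (the site lookup always applies to the machine running it). The function name, the primaryGroupID test and the message texts are my own. Against the output posted above it would report a FAIL for the first rule if MX1 is the Exchange server, as its name suggests, because MX1 is listed as a third DC alongside DC2 and DC3 in both the dcdiag and the dnslint output.

```powershell
# Added example, not part of the original question or answers.
# Pre-flight check for the two placement rules quoted in the answers:
#   1. an Exchange 2010 server must not be a domain controller, and
#   2. the AD site it sits in must contain a global catalog it can use.
# Assumptions: run on the Exchange server itself as a domain user, PowerShell 2.0+.
# Only .NET System.DirectoryServices is used; no RSAT or Exchange module needed.

function Test-ExchangePlacement {
    param(
        # Computer account to inspect; defaults to the machine the script runs on.
        [string]$ServerName = $env:COMPUTERNAME
    )
    $findings = @()

    # --- Rule 1: is this computer account a domain controller? -----------------
    # DC accounts carry primaryGroupID 516 (Domain Controllers) or
    # 521 (Read-only Domain Controllers); member servers carry 515.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ServerName`$))"
    [void]$searcher.PropertiesToLoad.Add('primaryGroupID')
    $account = $searcher.FindOne()
    if ($null -eq $account) {
        throw "No computer account named '$ServerName' found in the current domain."
    }
    $primaryGroupId = [int]$account.Properties['primarygroupid'][0]
    if ($primaryGroupId -eq 516 -or $primaryGroupId -eq 521) {
        $findings += "FAIL: $ServerName is a domain controller (primaryGroupID $primaryGroupId). " +
                     "Exchange must run on a member server, and demoting it in place is not " +
                     "supported once Exchange is installed; uninstall or rebuild with " +
                     "a recovery install instead."
    } else {
        $findings += "OK: $ServerName is a member server (primaryGroupID $primaryGroupId)."
    }

    # --- Rule 2: does the site of the local machine have a usable GC? ----------
    # GetComputerSite() resolves the site of the machine running this script.
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
    $gcsInSite = @($site.Servers | Where-Object { $_.IsGlobalCatalog() })
    # A GC hosted on the Exchange server itself only exists because rule 1 was
    # broken, so it must not count towards satisfying rule 2.
    $escaped  = [regex]::Escape($ServerName)
    $otherGcs = @($gcsInSite | Where-Object { $_.Name -notmatch "^$escaped\." })
    if ($otherGcs.Count -eq 0) {
        $findings += "FAIL: site '$($site.Name)' has no global catalog other than $ServerName. " +
                     "Enable the Global Catalog on another DC in this site (Active Directory " +
                     "Sites and Services, NTDS Settings) before rebuilding the Exchange server."
    } else {
        $names = ($otherGcs | ForEach-Object { $_.Name }) -join ', '
        $findings += "OK: site '$($site.Name)' has GC(s): $names"
    }
    return $findings
}

Test-ExchangePlacement | ForEach-Object { Write-Output $_ }
```

Run it before any remediation: the rule-2 result tells you whether a GC other than the Exchange box already exists in the site, which is what must be true before the Exchange server is uninstalled or rebuilt as a member server, since Client Access will have nothing to authenticate against otherwise.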
出于安全和性能方面的考虑,我们建议您仅在成员服务器上安装 Exchange 2010,而不在 Active Directory 目录服务器上安装。但是,您无法在运行 Exchange 2010 的计算机上运行 DCPromo。安装 Exchange 2010 后,不支持将其角色从成员服务器更改为目录服务器,反之亦然。