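I've run into a problem that started a few days ago. Let me explain exactly what is happening, and please keep in mind that I inherited this environment.
First domain controller - Windows Server 2003 R2 Std
Second domain controller - Windows Server 2008 R2 Ent
For the past few days, when users boot up and try to log on from any of the workstations I recently installed, they get a trust error at logon. So I logged on as the local administrator and rejoined the domain, but when the trust failed several times on multiple machines, I dug deeper.
On one of the workstations, I checked Event Viewer and found the following: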
Log Name: System
Source: NETLOGON
Date: 5/16/2013 12:06:07 PM
Event ID: 3210
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: WIN7-2083.Domain.DomainName.com
Description:
This computer could not authenticate with \\BDCName.Domain.DomainName.com, a Windows domain controller for domain DOMAIN, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NETLOGON" />
<EventID Qualifiers="0">3210</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-05-16T17:06:07.000000000Z" />
<EventRecordID>52991</EventRecordID>
<Channel>System</Channel>
<Computer>WIN7-2083.Domain.DomainName.com</Computer>
<Security />
</System>
<EventData>
<Data>DOMAIN</Data>
<Data>\\BDCName.Domain.DomainName.com</Data>
<Binary>220000C0</Binary>
</EventData>
</Event>
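So, for some reason, this leads me to believe that the workstation is authenticating directly against the 2nd DC instead of the 1st DC.
Looking at the first DC's Event Viewer, I found this error: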
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
CN=Configuration,DC=Domain,DC=DomainName,DC=com
There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
User Action
Perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
Followed by:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=DomainName,DC=com
So I looked at the first DC and found almost the same error:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=Jackson,CN=Sites,CN=Configuration,DC=Domain,DC=DomainName,DC=com
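I looked at several solutions, many of which involve checking DNS entries and other things, but since this only just started happening, I'm not entirely sure where the fault lies. No routing in the environment has changed. In fact, this has been going on for a few days now. My guess is that, so far, the two DCs have not been able to communicate properly. If I make a change on one DC, it should show up on the other DC, right? For example, changing a user attribute on one DC should also show up on the second DC fairly quickly? That is not happening at the moment.
What steps can I take to actually resolve this?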