Show full graphical version : Domain replication
Telepuzik
04-02-2011, 15:45
Run dcdiag /test:connectivity on both DCs and show the output.
DC1:
C:\Users\Administrator>dcdiag /test:connectivity
Диагностика сервера каталогов
Выполнение начальной настройки:
Выполняется попытка поиска основного сервера...
Основной сервер = dc1
* Идентифицирован лес AD.
Сбор начальных данных завершен.
Выполнение обязательных начальных проверок
Сервер проверки: spelpais\DC1
Запуск проверки: Connectivity
......................... DC1 - пройдена проверка Connectivity
Выполнение основных проверок
Сервер проверки: spelpais\DC1
Выполнение проверок разделов на: ForestDnsZones
Выполнение проверок разделов на: DomainDnsZones
Выполнение проверок разделов на: Schema
Выполнение проверок разделов на: Configuration
Выполнение проверок разделов на: spel
Выполнение проверок предприятия на: spel.local
C:\Users\Administrator>
MNSUZDC1:
C:\Users\Administrator.SPEL>dcdiag /test:connectivity
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = MNSUZDC1
* Identified AD Forest.
[DC1] LDAP bind failed with error 8341,
A directory service error has occurred..
Got error while checking if the DC is using FRS or DFSR. Error:
A directory service error has occurred.The VerifyReferences, FrsEvent and
DfsrEvent tests might fail because of this error.
Done gathering initial info.
Doing initial required tests
Testing server: uzory\mnsuzdc1
Starting test: Connectivity
......................... mnsuzdc1 passed test Connectivity
Doing primary tests
Testing server: uzory\mnsuzdc1
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : spel
Running enterprise tests on : spel.local
C:\Users\Administrator.SPEL>
Telepuzik
04-02-2011, 16:32
Show the output of plain dcdiag from MNSUZDC1.
dcdiag from MNSUZDC1:
C:\Users\Administrator.SPEL>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = MNSUZDC1
* Identified AD Forest.
[DC1] LDAP bind failed with error 8341,
A directory service error has occurred..
Got error while checking if the DC is using FRS or DFSR. Error:
A directory service error has occurred.The VerifyReferences, FrsEvent and
DfsrEvent tests might fail because of this error.
Done gathering initial info.
Doing initial required tests
Testing server: uzory\mnsuzdc1
Starting test: Connectivity
......................... mnsuzdc1 passed test Connectivity
Doing primary tests
Testing server: uzory\mnsuzdc1
Starting test: Advertising
......................... mnsuzdc1 passed test Advertising
Starting test: FrsEvent
......................... mnsuzdc1 passed test FrsEvent
Starting test: DFSREvent
......................... mnsuzdc1 passed test DFSREvent
Starting test: SysVolCheck
......................... mnsuzdc1 passed test SysVolCheck
Starting test: KccEvent
A warning event occurred. EventID: 0x8000061E
Time Generated: 02/04/2011 15:32:31
Event String:
All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 02/04/2011 15:32:31
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 02/04/2011 15:32:31
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 02/04/2011 15:32:31
Event String:
All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 02/04/2011 15:32:31
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 02/04/2011 15:32:31
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 02/04/2011 15:32:31
Event String:
All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 02/04/2011 15:32:31
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 02/04/2011 15:32:31
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 02/04/2011 15:32:31
Event String:
All directory servers in the following site that can replicate the d
irectory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 02/04/2011 15:32:31
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with t
he following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 02/04/2011 15:32:31
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complet
e spanning tree network topology. As a result, the following list of sites canno
t be reached from the local site.
......................... mnsuzdc1 failed test KccEvent
Starting test: KnowsOfRoleHolders
[DC1] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: DC1 is the Schema Owner, but is not responding to DS RPC
Bind.
Warning: DC1 is the Schema Owner, but is not responding to LDAP Bind.
Warning: DC1 is the Domain Owner, but is not responding to DS RPC
Bind.
Warning: DC1 is the Domain Owner, but is not responding to LDAP Bind.
Warning: DC1 is the PDC Owner, but is not responding to DS RPC Bind.
Warning: DC1 is the PDC Owner, but is not responding to LDAP Bind.
Warning: DC1 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: DC1 is the Rid Owner, but is not responding to LDAP Bind.
Warning: DC1 is the Infrastructure Update Owner, but is not responding
to DS RPC Bind.
Warning: DC1 is the Infrastructure Update Owner, but is not responding
to LDAP Bind.
......................... mnsuzdc1 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... mnsuzdc1 passed test MachineAccount
Starting test: NCSecDesc
......................... mnsuzdc1 passed test NCSecDesc
Starting test: NetLogons
......................... mnsuzdc1 passed test NetLogons
Starting test: ObjectsReplicated
......................... mnsuzdc1 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,mnsuzdc1] A recent replication attempt failed:
From DC1 to mnsuzdc1
Naming Context: DC=ForestDnsZones,DC=spel,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
The failure occurred at 2011-02-04 14:53:33.
The last success occurred at 2011-01-13 14:49:29.
176 failures have occurred since the last success.
[Replications Check,mnsuzdc1] A recent replication attempt failed:
From DC1 to mnsuzdc1
Naming Context: DC=DomainDnsZones,DC=spel,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
The failure occurred at 2011-02-04 14:53:33.
The last success occurred at 2011-01-13 14:49:29.
176 failures have occurred since the last success.
[Replications Check,mnsuzdc1] A recent replication attempt failed:
From DC1 to mnsuzdc1
Naming Context: CN=Schema,CN=Configuration,DC=spel,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2011-02-04 14:53:34.
The last success occurred at 2011-01-13 14:49:29.
176 failures have occurred since the last success.
[Replications Check,mnsuzdc1] A recent replication attempt failed:
From DC1 to mnsuzdc1
Naming Context: CN=Configuration,DC=spel,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2011-02-04 14:53:33.
The last success occurred at 2011-01-13 14:49:28.
176 failures have occurred since the last success.
[Replications Check,mnsuzdc1] A recent replication attempt failed:
From DC1 to mnsuzdc1
Naming Context: DC=spel,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2011-02-04 14:53:33.
The last success occurred at 2011-01-13 14:49:28.
176 failures have occurred since the last success.
......................... mnsuzdc1 failed test Replications
Starting test: RidManager
......................... mnsuzdc1 failed test RidManager
Starting test: Services
......................... mnsuzdc1 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x8000001D
Time Generated: 02/04/2011 14:37:58
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate
to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
or enroll for a new KDC certificate.
An error event occurred. EventID: 0xC2000001
Time Generated: 02/04/2011 14:44:34
Event String: Unexpected failure. Error code: 490@01010004
An error event occurred. EventID: 0x40000004
Time Generated: 02/04/2011 14:47:47
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver dc1$. The target name used was ldap/dc1.spel.local. This indicates that the
target server failed to decrypt the ticket provided by the client. This can occ
ur when the target server principal name (SPN) is registered on an account other
than the account the target service is using. Please ensure that the target SPN
is registered on, and only registered on, the account used by the server. This
error can also happen when the target service is using a different password for
the target service account than what the Kerberos Key Distribution Center (KDC)
has for the target service account. Please ensure that the service on the server
and the KDC are both updated to use the current password. If the server name is
not fully qualified, and the target domain (SPEL.LOCAL) is different from the c
lient domain (SPEL.LOCAL), check if there are identically named server accounts
in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 02/04/2011 14:53:33
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver dc1$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/e1c6f3e
8-6480-458e-a980-bcb76ec10ea7/spel.local@spel.local. This indicates that the tar
get server failed to decrypt the ticket provided by the client. This can occur w
hen the target server principal name (SPN) is registered on an account other tha
n the account the target service is using. Please ensure that the target SPN is
registered on, and only registered on, the account used by the server. This erro
r can also happen when the target service is using a different password for the
target service account than what the Kerberos Key Distribution Center (KDC) has
for the target service account. Please ensure that the service on the server and
the KDC are both updated to use the current password. If the server name is not
fully qualified, and the target domain (SPEL.LOCAL) is different from the clien
t domain (SPEL.LOCAL), check if there are identically named server accounts in t
hese two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 02/04/2011 15:21:53
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver dc1$. The target name used was DNS/dc1.spel.local. This indicates that the
target server failed to decrypt the ticket provided by the client. This can occu
r when the target server principal name (SPN) is registered on an account other
than the account the target service is using. Please ensure that the target SPN
is registered on, and only registered on, the account used by the server. This e
rror can also happen when the target service is using a different password for t
he target service account than what the Kerberos Key Distribution Center (KDC) h
as for the target service account. Please ensure that the service on the server
and the KDC are both updated to use the current password. If the server name is
not fully qualified, and the target domain (SPEL.LOCAL) is different from the cl
ient domain (SPEL.LOCAL), check if there are identically named server accounts i
n these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 02/04/2011 15:34:11
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver dc1$. The target name used was LDAP/e1c6f3e8-6480-458e-a980-bcb76ec10ea7._m
sdcs.spel.local. This indicates that the target server failed to decrypt the tic
ket provided by the client. This can occur when the target server principal name
(SPN) is registered on an account other than the account the target service is
using. Please ensure that the target SPN is registered on, and only registered o
n, the account used by the server. This error can also happen when the target se
rvice is using a different password for the target service account than what the
Kerberos Key Distribution Center (KDC) has for the target service account. Plea
se ensure that the service on the server and the KDC are both updated to use the
current password. If the server name is not fully qualified, and the target dom
ain (SPEL.LOCAL) is different from the client domain (SPEL.LOCAL), check if ther
e are identically named server accounts in these two domains, or use the fully-q
ualified name to identify the server.
......................... mnsuzdc1 failed test SystemLog
Starting test: VerifyReferences
......................... mnsuzdc1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : spel
Starting test: CheckSDRefDom
......................... spel passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... spel passed test CrossRefValidation
Running enterprise tests on : spel.local
Starting test: LocatorCheck
......................... spel.local passed test LocatorCheck
Starting test: Intersite
......................... spel.local passed test Intersite
C:\Users\Administrator.SPEL>
Telepuzik
04-02-2011, 16:40
Show the output of nltest /SC_VERIFY:spel.local from MNSUZDC1.
Martia,
On the DC MNSUZDC1, perform the following steps:
net stop KDC
netdom resetpwd /server:<another domain controller> /userd:domain\administrator /passwordd:<administrator password>
Make sure a message appears confirming that the netdom command completed successfully (otherwise it means the command did not produce the expected result).
net start KDC
Then reboot the DC and show the output of repadmin /showrepl.
Output of nltest /SC_VERIFY:spel.local from MNSUZDC1:
C:\Users\Administrator.SPEL>nltest /SC_VERIFY:spel.local
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc1.spel.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
C:\Users\Administrator.SPEL>
Should the command be like this:
netdom resetpwd /server:dc1.spel.local /UserD:spel\administrator /passwordD:*******
?
What is the difference between userD and user, and likewise for the password?
That controller is remote. Rebooting it is troublesome/risky. It will most likely come back up on its own, of course, but you never know. I think I'll drive over tomorrow afternoon, to be sure that everything has definitely started and is working.
Telepuzik
04-02-2011, 20:51
Should the command be like this:
netdom resetpwd /server:dc1.spel.local /UserD:spel\administrator /passwordD:******* »
Yes, like that; userD is a parameter indicating that a user name follows. Also read the help article (http://support.microsoft.com/kb/260575) for the command; it was written for Windows 2000 but still applies to 2008.
After running all the commands and rebooting the server, repadmin /showrepl shows us:
C:\Users\Administrator.SPEL>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
uzory\mnsuzdc1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: e0083eda-418f-46f4-80b4-ae60d5a9463d
DSA invocationID: dc9efeb7-2a9a-43b6-9756-282eb16df320
==== INBOUND NEIGHBORS ======================================
DC=spel,DC=local
spelpais\DC1 via RPC
DSA object GUID: e1c6f3e8-6480-458e-a980-bcb76ec10ea7
Last attempt @ 2011-02-05 08:53:32 failed, result -2146893022 (0x8009032
2):
The target principal name is incorrect.
182 consecutive failure(s).
Last success @ 2011-01-13 14:49:28.
CN=Configuration,DC=spel,DC=local
spelpais\DC1 via RPC
DSA object GUID: e1c6f3e8-6480-458e-a980-bcb76ec10ea7
Last attempt @ 2011-02-05 08:53:32 failed, result -2146893022 (0x8009032
2):
The target principal name is incorrect.
182 consecutive failure(s).
Last success @ 2011-01-13 14:49:28.
CN=Schema,CN=Configuration,DC=spel,DC=local
spelpais\DC1 via RPC
DSA object GUID: e1c6f3e8-6480-458e-a980-bcb76ec10ea7
Last attempt @ 2011-02-05 08:53:33 failed, result -2146893022 (0x8009032
2):
The target principal name is incorrect.
182 consecutive failure(s).
Last success @ 2011-01-13 14:49:29.
DC=DomainDnsZones,DC=spel,DC=local
spelpais\DC1 via RPC
DSA object GUID: e1c6f3e8-6480-458e-a980-bcb76ec10ea7
Last attempt @ 2011-02-05 08:53:32 failed, result 1256 (0x4e8):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
182 consecutive failure(s).
Last success @ 2011-01-13 14:49:29.
DC=ForestDnsZones,DC=spel,DC=local
spelpais\DC1 via RPC
DSA object GUID: e1c6f3e8-6480-458e-a980-bcb76ec10ea7
Last attempt @ 2011-02-05 08:53:32 failed, result 1256 (0x4e8):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
182 consecutive failure(s).
Last success @ 2011-01-13 14:49:29.
After the reboot the server came back up on its own. All services and applications started and are fully functional. Next time it can be rebooted remotely.
==============
1. MNSUZDC1 cannot connect to DC1 by DNS name. It pings by both IP and DNS name. It can access DC1 by IP. It cannot access it by DNS name. An error appears:
http://img211.imageshack.us/img211/3927/image979281.jpg
http://img211.imageshack.us/img211/3324/image999218.jpg
2. None of the networks sees MNSUZDC1 in Network Neighborhood.
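An added example, not part of the original thread: a small Python triage of `repadmin /showrepl` output like the one posted above, separating the Kerberos failure (-2146893022) from the transport failure (1256) per naming context. The function names and the shortened sample text are constructed for illustration.

```python
import re
from datetime import datetime

# Result codes seen in this thread, as unsigned 32-bit values. Descriptions
# paraphrase the messages and Kerberos event text quoted in the posts above.
CAUSES = {
    0x80090322: "target principal name is incorrect: partner could not decrypt "
                "the Kerberos ticket (SPN or machine account password mismatch)",
    0x000004E8: "remote system is not available: check network reachability "
                "and name resolution",
}

# Constructed sample: two inbound neighbors shortened from the posted output,
# keeping the 80-column wrap that splits the hex code across two lines.
SAMPLE = """\
==== INBOUND NEIGHBORS ======================================
DC=spel,DC=local
spelpais\\DC1 via RPC
Last attempt @ 2011-02-05 08:53:32 failed, result -2146893022 (0x8009032
2):
The target principal name is incorrect.
182 consecutive failure(s).
Last success @ 2011-01-13 14:49:28.
DC=ForestDnsZones,DC=spel,DC=local
spelpais\\DC1 via RPC
Last attempt @ 2011-02-05 08:53:32 failed, result 1256 (0x4e8):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
182 consecutive failure(s).
Last success @ 2011-01-13 14:49:29.
"""

TS = "%Y-%m-%d %H:%M:%S"
ATTEMPT = re.compile(r"Last attempt @ (\S+ \S+) (?:failed, result (-?\d+)|was successful)")

def parse_showrepl(text):
    """Return one dict per failing inbound neighbor in repadmin /showrepl text."""
    failures, nc, cur = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"(DC|CN)=", line):
            nc = line                                  # naming context header
        elif m := re.match(r"(\S+)\\(\S+) via RPC", line):
            cur = {"nc": nc, "site": m[1], "partner": m[2]}
        elif cur and (m := ATTEMPT.match(line)):
            cur["attempt"] = datetime.strptime(m[1], TS)
            if m[2]:
                # Use the decimal code: it survives console wrapping, the hex may not.
                cur["code"] = int(m[2]) & 0xFFFFFFFF
                failures.append(cur)
        elif cur and (m := re.match(r"(\d+) consecutive failure", line)):
            cur["count"] = int(m[1])
        elif cur and "attempt" in cur and (m := re.match(r"Last success @ (\S+ \S+?)\.$", line)):
            cur["stale_days"] = (cur["attempt"] - datetime.strptime(m[1], TS)).days
    return failures

def triage(text):
    """Map each failing naming context to (hex code, cause, failures, days stale)."""
    return {f["nc"]: (f"0x{f['code']:08x}", CAUSES.get(f["code"], "unclassified"),
                      f.get("count", 0), f.get("stale_days"))
            for f in parse_showrepl(text)}

if __name__ == "__main__":
    for nc, info in triage(SAMPLE).items():
        print(nc, *info, sep=" | ")
```
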
omich-kun
18-01-2013, 21:02
I realize, of course, that I'll look like a necroposter, but still, did you solve the problem? If so, how? Thanks. :3
omich-kun, it's hard to remember now. There was a lot of trial and error. I fiddled with it for a long time, but got it done. I definitely remember spending a long time on DNS and DNS forwarding. Once I configured DNS and fixed all the server errors, it started working by itself :) . It still works to this day :P
© OSzone.net 2001-2012