Good afternoon!
Oleg, here is what you asked me to do! But first some background: two domain controllers named DC1 and MAIL, with addresses 10.0.0.131 and 10.0.0.136 respectively. The first was originally the primary DC, the second the backup.

1. The FRS log on MAIL is full of warnings from NtFrs (ID 13508):

The File Replication Service is having trouble enabling replication from DC1 to MAIL for c:\windows\sysvol\domain using the DNS name DC1. FRS will keep retrying. Follow are some reasons...
[1] FRS can not resolve correctly DNS name DC1.
[2] FRS is not running on DC1.
[3] The topology information in the AD for this replica has not yet replicated to all DCs.


The System log has a lot of errors, here they are:

From Kerberos (ID 4):
"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host pdc.domain.local. The target name used was cifs /dc1.domain.local. This indicates that password used to encrypt the kerberos service ticket is different than that on the target server..."

From Netlogon (ID 5774):
"The dynamic registration of DNS record '_ldap._tcp.....' failed on the following DNS server ... 10.0.0.131..."

From NetBT (ID 4321):
"The name 'Domain.local :1b' couldn't be registered on the interface with ip address 10.0.0.136. The machine with ip address 10.0.0.131 did not allow the name to be claimed by this machine"

On DC1 there are fewer errors, but errors like this from Netlogon (ID 5513) do occur:
"The computer MAIL tried to connect to server DC1 using the trust relationship established by DOMAIN.LOCAL domain. However, the computer lost the correct SID when domain was reconfigured. Reestablish the trust relationship."

2. An attempt to reset the secure channel returns an error. I tried to reset it with the command

(For example, on MAIL)
netdom reset mail /Domain:domain.local /Server:dc1 /UserO:admin /PasswordO:password

3. Using the kerbtray utility I looked at the tickets; indeed, on DC1 there were tickets for both DC1 and MAIL. I purged the tickets on both sides. Rebooted; nothing changed.

4. Here is the output of netdiag and dcdiag on both hosts:

DC1 ------ Netdiag


....................................

Computer Name: DC1
DNS Host Name: dc1.domain.local
System info : Microsoft Windows Server 2003 (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 4, GenuineIntel
List of installed hotfixes :
KB958644
Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : dc1
IP Address . . . . . . . . : 10.0.0.131
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : 127.0.0.1


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
No remote names have been found.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{B8A30F4C-DAC0-490B-ACD2-902C2426FD3D}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Failed

[FATAL] NO GATEWAYS ARE REACHABLE.
You have no connectivity to other network segments.
If you configured the IP protocol manually then
you need to add at least one valid gateway.


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1'.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{B8A30F4C-DAC0-490B-ACD2-902C2426FD3D}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{B8A30F4C-DAC0-490B-ACD2-902C2426FD3D}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Failed
Failed to enumerate DCs by using the browser. [ERROR_NO_BROWSER_SERVERS_FOUND]


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully




DC1 ------ dcdiag


Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC1
Starting test: Replications
......................... DC1 passed test Replications
Starting test: NCSecDesc
......................... DC1 passed test NCSecDesc
Starting test: NetLogons
......................... DC1 passed test NetLogons
Starting test: Advertising
......................... DC1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DC1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DC1 passed test RidManager
Starting test: MachineAccount
......................... DC1 passed test MachineAccount
Starting test: Services
......................... DC1 passed test Services
Starting test: ObjectsReplicated
......................... DC1 passed test ObjectsReplicated
Starting test: frssysvol
......................... DC1 passed test frssysvol
Starting test: frsevent
......................... DC1 passed test frsevent
Starting test: kccevent
......................... DC1 passed test kccevent
Starting test: systemlog
......................... DC1 passed test systemlog
Starting test: VerifyReferences
......................... DC1 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : domain.local
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom

Running enterprise tests on : domain.local
Starting test: Intersite
......................... domain.local passed test Intersite
Starting test: FsmoCheck
......................... domain.local passed test FsmoCheck



Netdiag on MAIL


.....................................

Computer Name: MAIL
DNS Host Name: mail.domain.local
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 3, GenuineIntel
List of installed hotfixes :
KB958644
Q147222


Netcard queries test . . . . . . . : Passed
[WARNING] The net card 'HP NC7782 Gigabit Server Adapter' may not be working.



Per interface results:

Adapter : Local Area Connection 2

Netcard queries test . . . : Failed
NetCard Status: DISCONNECTED
Some tests will be skipped on this interface.

Host Name. . . . . . . . . : mail
Autoconfiguration IP Address : 169.254.112.195
Subnet Mask. . . . . . . . : 255.255.0.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . :


Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : mail
IP Address . . . . . . . . : 10.0.0.134
Subnet Mask. . . . . . . . : 255.255.255.0
IP Address . . . . . . . . : 10.0.0.136
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 10.0.0.130
Dns Servers. . . . . . . . : 10.0.0.131
10.0.0.136


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Failed
No gateway reachable for this adapter.

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{460A9637-B218-47C5-8905-5E92C7155B05}
NetBT_Tcpip_{A426142D-936D-4DCE-BBD9-B13994AE0AD3}
2 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Failed

[FATAL] NO GATEWAYS ARE REACHABLE.
You have no connectivity to other network segments.
If you configured the IP protocol manually then
you need to add at least one valid gateway.


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
[WARNING] Cannot find a primary authoritative DNS server for the name
'mail.domain.local'. [ERROR_TIMEOUT]
The name 'mail.domain.local' may not be registered in DNS.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '10.0.0.131'. Please wait for 30 minutes for DNS server replication.
PASS - All the DNS entries for DC are registered on DNS server '10.0.0.136' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{460A9637-B218-47C5-8905-5E92C7155B05}
NetBT_Tcpip_{A426142D-936D-4DCE-BBD9-B13994AE0AD3}
The redir is bound to 2 NetBt transports.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{A426142D-936D-4DCE-BBD9-B13994AE0AD3}
NetBT_Tcpip_{460A9637-B218-47C5-8905-5E92C7155B05}
The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Failed
Found DC '\\mail.domain.local' in domain 'domain'.
Found PDC emulator '\\mail.domain.local' in domain 'domain'.
Found Active Directory DC '\\mail.domain.local' in domain 'domain'.
[FATAL] The domain GUID of domain 'domain' cached in the local computer is
{C4F729F3-D81D-4136-8C27-AA87162D5BA9}
but the Domain Controller '\\mail.domain.local' indicates it should be
{92B80E1B-3B10-4FEB-AD82-F0E1156C6262}.

Consider running 'netdiag /fix' to try to fix this problem.


DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to dc1.domain.local (10.0.0.131). [SEC_E_WRONG_PRINCIPAL]


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Failed
[FATAL] Cannot do NTLM authenticated ldap_bind to 'dc1.domain.local': Invalid Credentials.
[FATAL] Cannot do Negotiate authenticated ldap_bind to 'dc1.domain.local': Invalid Credentials.
[WARNING] Failed to query SPN registration on DC 'dc1.domain.local'.
[FATAL] No LDAP servers work in the domain 'DOMAIN'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully


And finally, dcdiag on MAIL


Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\MAIL
Starting test: Connectivity
The host 60b704d8-65f7-48a6-a2b8-ce57f4b7c65b._msdcs.domain.local could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(60b704d8-65f7-48a6-a2b8-ce57f4b7c65b._msdcs.domain.local) couldn't
be resolved, the server name (mail.domain.local) resolved to
the IP address (10.0.0.136) and was pingable. Check that the IP
address is registered correctly with the DNS server.
......................... MAIL failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\MAIL
Skipping all tests, because server MAIL is
not responding to directory service requests

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : domain
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom

Running enterprise tests on : domain.local
Starting test: Intersite
......................... domain.local passed test Intersite
Starting test: FsmoCheck
[DC1] LDAP search failed with error 58,
Win32 Error 58.
Error: The server returned by DsGetDcName() did not match DsListRoles() for the PDC
......................... domain.local passed test FsmoCheck


5. To be honest, I tried to seize all the roles manually on MAIL with ntdsutil, and it worked, but my joy was short-lived: now both servers are masters of everything there is. I thought of connecting from DC1 to MAIL with ntdsutil and doing a transfer, so as to free it of all the roles and run dcpromo later on. However, the command connect to server MAIL returns the error

DsBindW error 0x80090322 The target principal name is incorrect

Posted: 21:10, 20-02-2009 | #8
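As an added example (not part of the original post), the Python script below parses the netdiag and dcdiag output format quoted above and pulls out the failed tests together with the [FATAL]/[WARNING] messages reported under each of them, which makes comparing the runs from two DCs quicker than reading them line by line. The sample input is constructed from a few lines of the MAIL output, and the function and pattern names are my own.

```python
import re

# Added example, not from the original post: triage parser for the netdiag/dcdiag
# output format quoted above (failed tests plus the [FATAL]/[WARNING] notes under them).
# netdiag: "DC list test . . . . . . . . . . . : Failed"
NETDIAG_RE = re.compile(
    r"^(?P<test>[A-Za-z][A-Za-z ]*?)[\s.]*:\s*(?P<result>Passed|Failed|Skipped)\s*$")
# dcdiag: "......................... MAIL failed test Connectivity"
DCDIAG_RE = re.compile(
    r"^\.+\s*(?P<subject>\S+)\s+(?P<result>passed|failed)\s+test\s+(?P<test>\S+)\s*$")
# Bracketed severity tags refer to the test line they follow.
TAG_RE = re.compile(r"^\[(?P<level>FATAL|WARNING)\]\s*(?P<msg>.*)$")


def triage(output: str) -> dict:
    """Return {'failed': [...], 'fatal': [...], 'warnings': [...]} for one run.
    Messages are prefixed with the test they were reported under ('?' if none yet)."""
    failed, fatal, warnings = [], [], []
    current = "?"
    for raw in output.splitlines():
        line = raw.strip()
        m = NETDIAG_RE.match(line)
        if m:
            current = m.group("test").strip()
            if m.group("result") == "Failed":
                failed.append(current)
            continue
        m = DCDIAG_RE.match(line)
        if m:
            current = m.group("test")
            if m.group("result") == "failed":
                failed.append(f"{m.group('subject')}:{current}")
            continue
        m = TAG_RE.match(line)
        if m:
            entry = f"{current}: {m.group('msg')}"
            (fatal if m.group("level") == "FATAL" else warnings).append(entry)
    return {"failed": failed, "fatal": fatal, "warnings": warnings}


# Constructed sample: a few lines taken from the MAIL netdiag/dcdiag output above.
SAMPLE = """\
Domain membership test . . . . . . : Passed
Default gateway test . . . . . . . : Failed
[FATAL] NO GATEWAYS ARE REACHABLE.
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to dc1.domain.local (10.0.0.131). [SEC_E_WRONG_PRINCIPAL]
......................... MAIL failed test Connectivity
"""
```

Running triage() over the full output of each host and diffing the "failed" lists is the quickest way to see which tests fail only on MAIL.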