AD replication errors / KCC – between two domain controllers

I ran into quite a problem the other day. Let me just lay out what happened. I also inherited this environment, so please keep that in mind.

First domain controller – Windows Server 2003 R2 Std

Second domain controller – Windows Server 2008 R2 Ent

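Over the past few days, when users boot up and try to log in from any of the workstations I recently installed, they get a trust error at logon. So I logged in as the local administrator and rejoined the domain. But when the trust failed multiple times across several machines, I dug deeper.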

On one of the workstations, I checked Event Viewer and found this:

    Log Name:      System
    Source:        NETLOGON
    Date:          5/16/2013 12:06:07 PM
    Event ID:      3210
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      WIN7-2083.Domain.DomainName.com
    Description:
    This computer could not authenticate with \\BDCName.Domain.DomainName.com, a Windows domain controller for domain DOMAIN, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NETLOGON" />
        <EventID Qualifiers="0">3210</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-05-16T17:06:07.000000000Z" />
        <EventRecordID>52991</EventRecordID>
        <Channel>System</Channel>
        <Computer>WIN7-2083.Domain.DomainName.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>DOMAIN</Data>
        <Data>\\BDCName.Domain.DomainName.com</Data>
        <Binary>220000C0</Binary>
      </EventData>
    </Event>

So for some reason, this leads me to believe that this workstation is authenticating directly against the second DC and the first DC.

Looking at the first DC's Event Viewer, I found this error:

    The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

    Directory partition:
    CN=Configuration,DC=Domain,DC=DomainName,DC=com

    There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.

    User Action
    Perform one of the following actions:
    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
    - Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.

    If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.

Followed by:

    The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.

    Sites:
    CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=DomainName,DC=com

So I looked at the first DC and found almost the same error:

    The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.

    Sites:
    CN=Jackson,CN=Sites,CN=Configuration,DC=Domain,DC=DomainName,DC=com

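I have looked at several solutions, many of which mention checking DNS entries and other things, but I am not entirely sure where this error is occurring. No routing in the environment has changed. This has really only been over the past few days. My guess at this point is that neither of them is communicating properly. If I make a change on one DC, should it show up on the other DC? For example, should changing a user attribute on one DC show up on the second DC fairly quickly? That is currently not happening.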

What steps can I take to actually resolve this?