Newly promoted domain controller showing lots of errors, but dcpromo didn't complain?

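I have a domain split across four sites. At one of my remote sites, I promoted a new DC, and I will decommission the existing DC in a few weeks. I did not get any errors when I ran dcpromo, but I had to delay restarting the server until a few days afterwards.

After the restart, this new DC is showing some serious problems: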

  1. The Directory Service log is full of events 1864 ( This directory server has not recently received replication information from a number of directory servers. ), 2089 ( This directory partition has not been backed up since at least the following number of days. ), and 2093 ( The remote server which is the owner of a FSMO role is not responding. This server has not replicated with the FSMO role owner recently. ).
  2. The System log contains many event 1006 errors ( The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description. ). The information from the Details tab is as follows:

     SupportInfo1 1 SupportInfo2 5012 ProcessingMode 0 ProcessingTimeInMilliseconds 2184 ErrorCode 49 ErrorDescription Invalid Credentials DCName 

     as well as error 4 ( The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server kelethdc01$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/2ee10a9d-dcf0-4940-b2e5-25044f90869c/[email protected]. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server. ) and error 5782 ( Dynamic registration or deregistration of one or more DNS records failed with the following error: TCP/IP network protocol not installed. ).

Can anyone suggest what might have happened here, and how to fix it?

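I haven't seen this before, but my initial thought is that, because Kerberos tickets are time-based, the delay between the dcpromo and the restart may have caused the problem.

Have you tried demoting the new server, then doing a fresh dcpromo and rebooting?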

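Regarding "This directory partition has not been backed up since at least the following number of days.": when a system state backup is performed and Active Directory is backed up, it updates an attribute on the partition.

You can confirm whether/when a backup was performed with the following command: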

 repadmin /showbackup <dcname> 

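It is possible to suppress the update of the attribute. If this message is displayed only for the schema partition, it may have been turned off.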
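
The same check can be scripted across every partition a DC hosts. This is an added example, not part of the answer above or any Microsoft tooling: it assumes the RSAT ActiveDirectory module, assumes the attribute the backup stamps on the partition head is `dSASignature` (the answer does not name it), and uses a hypothetical DC name and an illustrative 30-day threshold.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to a DC.
Import-Module ActiveDirectory

function Get-PartitionBackupAge {
    param(
        [Parameter(Mandatory)]
        [string] $Server,            # DC to query; supplied by the caller
        [int] $WarnAfterDays = 30    # illustrative threshold, not a value from the post
    )

    $now = Get-Date
    foreach ($nc in (Get-ADRootDSE -Server $Server).namingContexts) {
        # Replication metadata for the partition head. Assumption: dSASignature
        # is the attribute a system state backup updates, so its last
        # originating change time is the last backup time.
        $meta = Get-ADReplicationAttributeMetadata -Object $nc -Server $Server |
            Where-Object { $_.AttributeName -eq 'dSASignature' }

        if ($null -eq $meta) {
            # No metadata entry: report it rather than guessing an age.
            [pscustomobject]@{
                Partition = $nc; LastBackup = $null; AgeDays = $null
                Status = 'no dSASignature metadata found'
            }
            continue
        }

        $age = [int]($now - $meta.LastOriginatingChangeTime).TotalDays
        [pscustomobject]@{
            Partition  = $nc
            LastBackup = $meta.LastOriginatingChangeTime
            AgeDays    = $age
            Status     = if ($age -gt $WarnAfterDays) { 'STALE' } else { 'ok' }
        }
    }
}

# Hypothetical DC name; replace with your own.
Get-PartitionBackupAge -Server 'dc01.example.com' | Format-Table -AutoSize
```

Running it against both the new DC and an existing one shows whether the partitions named in event 2089 are stale everywhere or only as seen from the new server.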