Exchange auth breaks without a local GC

I ran into a problem installing our Exchange 2010 server where client access authentication does not work unless the server is configured as a domain controller with a global catalog.

Because of time constraints I put it into production this way, but now I really need to fix it. I don't know where the problem lies or how to find out.

My question(s) are:

What could cause this problem? How can I test for it and fix it?

I'm not sure which information is relevant to this problem,

The server OS is Win 2008 R2, as are all the DCs. The Exchange server has the CAS, Hub Transport and Mailbox Server roles. External mail is received by another Exchange 2010 server running the Edge role in the DMZ. (That one works fine, and the Edge server is not a DC... obviously ;))

Please let me know what additional information I can add to improve this question. I'll add it as soon as I can.

This is a follow-up question.

dcdiag /v

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine DC2, is a Directory Server.
       Home Server = DC2
       * Connecting to directory service on server DC2.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
          objectGuid obtained
          InvocationID obtained
          dnsHostname obtained
          site info obtained
          All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=DC3,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
          objectGuid obtained
          InvocationID obtained
          dnsHostname obtained
          site info obtained
          All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=MX1,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
          objectGuid obtained
          InvocationID obtained
          dnsHostname obtained
          site info obtained
          All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 3 DC(s). Testing 1 of them.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Brisbane\DC2
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             Determining IP4 connectivity
             * Active Directory RPC Services Check
             ......................... DC2 passed test Connectivity

    Doing primary tests

       Testing server: Brisbane\DC2
          Starting test: Advertising
             The DC DC2 is advertising itself as a DC and having a DS.
             The DC DC2 is advertising as an LDAP server
             The DC DC2 is advertising as having a writeable directory
             The DC DC2 is advertising as a Key Distribution Center
             The DC DC2 is advertising as a time server
             The DS DC2 is advertising as a GC.
             ......................... DC2 passed test Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Starting test: FrsEvent
             * The File Replication Service Event log test
             Skip the test because the server is running DFSR.
             ......................... DC2 passed test FrsEvent
          Starting test: DFSREvent
             The DFS Replication Event Log.
             ......................... DC2 passed test DFSREvent
          Starting test: SysVolCheck
             * The File Replication Service SYSVOL ready test
             File Replication Service's SYSVOL is ready
             ......................... DC2 passed test SysVolCheck
          Starting test: KccEvent
             * The KCC Event log test
             Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
             ......................... DC2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             Role Schema Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
             Role Domain Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
             Role PDC Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
             Role Rid Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
             ......................... DC2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             Checking machine account for DC DC2 on DC DC2.
             * SPN found :LDAP/DC2.corp.domain/corp.domain
             * SPN found :LDAP/DC2.corp.domain
             * SPN found :LDAP/DC2
             * SPN found :LDAP/DC2.corp.domain/corpdomain
             * SPN found :LDAP/ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ef6459ec-28d5-4ab4-85bc-778547782ce7/corp.domain
             * SPN found :HOST/DC2.corp.domain/corp.domain
             * SPN found :HOST/DC2.corp.domain
             * SPN found :HOST/DC2
             * SPN found :HOST/DC2.corp.domain/corpdomain
             * SPN found :GC/DC2.corp.domain/corp.domain
             ......................... DC2 passed test MachineAccount
          Starting test: NCSecDesc
             * Security Permissions check for all NC's on DC DC2.
             * Security Permissions Check for DC=ForestDnsZones,DC=corp,DC=domain (NDNC,Version 3)
             * Security Permissions Check for DC=DomainDnsZones,DC=corp,DC=domain (NDNC,Version 3)
             * Security Permissions Check for CN=Schema,CN=Configuration,DC=corp,DC=domain (Schema,Version 3)
             * Security Permissions Check for CN=Configuration,DC=corp,DC=domain (Configuration,Version 3)
             * Security Permissions Check for DC=corp,DC=domain (Domain,Version 3)
             ......................... DC2 passed test NCSecDesc
          Starting test: NetLogons
             * Network Logons Privileges Check
             Verified share \\DC2\netlogon
             Verified share \\DC2\sysvol
             ......................... DC2 passed test NetLogons
          Starting test: ObjectsReplicated
             DC2 is in domain DC=corp,DC=domain
             Checking for CN=DC2,OU=Domain Controllers,DC=corp,DC=domain in domain DC=corp,DC=domain on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain in domain CN=Configuration,DC=corp,DC=domain on 1 servers
                Object is up-to-date on all servers.
             ......................... DC2 passed test ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Starting test: Replications
             * Replications Check
             * Replication Latency Check
                DC=ForestDnsZones,DC=corp,DC=domain
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
                DC=DomainDnsZones,DC=corp,DC=domain
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
                CN=Schema,CN=Configuration,DC=corp,DC=domain
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
                CN=Configuration,DC=corp,DC=domain
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
                DC=corp,DC=domain
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
             ......................... DC2 passed test Replications
          Starting test: RidManager
             * Available RID Pool for the Domain is 3102 to 1073741823
             * DC2.corp.domain is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 1602 to 2101
             * rIDPreviousAllocationPool is 1602 to 2101
             * rIDNextRID: 1818
             ......................... DC2 passed test RidManager
          Starting test: Services
             * Checking Service: EventSystem
             * Checking Service: RpcSs
             * Checking Service: NTDS
             * Checking Service: DnsCache
             * Checking Service: DFSR
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... DC2 passed test Services
          Starting test: SystemLog
             * The System Event log test
             An error event occurred.  EventID: 0x80000003
                Time Generated: 03/19/2013   13:15:51
                Event String:
                A Kerberos Error Message was received:
                 on logon session
                Client Time:
                Server Time: 3:15:51.0000 3/19/2013 Z
                Error Code: 0xd KDC_ERR_BADOPTION
                Extended Error: 0xc00000bb KLIN(0)
                Client Realm:
                Client Name:
                Server Realm: CORP.domain
                Server Name: [email protected]
                Target Name: [email protected]@CORP.domain
                Error Text:
                File: 9
                Line: f09
                Error Data is in record data.
             An error event occurred.  EventID: 0x80000003
                Time Generated: 03/19/2013   13:30:51
                Event String:
                A Kerberos Error Message was received:
                 on logon session
                Client Time:
                Server Time: 3:30:51.0000 3/19/2013 Z
                Error Code: 0xd KDC_ERR_BADOPTION
                Extended Error: 0xc00000bb KLIN(0)
                Client Realm:
                Client Name:
                Server Realm: CORP.domain
                Server Name: [email protected]
                Target Name: [email protected]@CORP.domain
                Error Text:
                File: 9
                Line: f09
                Error Data is in record data.
             An error event occurred.  EventID: 0x80000003
                Time Generated: 03/19/2013   13:45:52
                Event String:
                A Kerberos Error Message was received:
                 on logon session
                Client Time:
                Server Time: 3:45:52.0000 3/19/2013 Z
                Error Code: 0xd KDC_ERR_BADOPTION
                Extended Error: 0xc00000bb KLIN(0)
                Client Realm:
                Client Name:
                Server Realm: CORP.domain
                Server Name: [email protected]
                Target Name: [email protected]@CORP.domain
                Error Text:
                File: 9
                Line: f09
                Error Data is in record data.
             An error event occurred.  EventID: 0x80000003
                Time Generated: 03/19/2013   13:53:46
                Event String:
                A Kerberos Error Message was received:
                 on logon session
                Client Time:
                Server Time: 3:53:46.0000 3/19/2013 Z
                Error Code: 0x29 KRB_AP_ERR_MODIFIED
                Extended Error:
                Client Realm:
                Client Name:
                Server Realm: CORP.domain
                Server Name: dc2$
                Target Name:
                Error Text:
                File: 3
                Line: 576
                Error Data is in record data.
             An error event occurred.  EventID: 0x80000003
                Time Generated: 03/19/2013   14:00:52
                Event String:
                A Kerberos Error Message was received:
                 on logon session
                Client Time:
                Server Time: 4:0:52.0000 3/19/2013 Z
                Error Code: 0xd KDC_ERR_BADOPTION
                Extended Error: 0xc00000bb KLIN(0)
                Client Realm:
                Client Name:
                Server Realm: CORP.domain
                Server Name: [email protected]
                Target Name: [email protected]@CORP.domain
                Error Text:
                File: 9
                Line: f09
                Error Data is in record data.
             ......................... DC2 failed test SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Starting test: VerifyReferences
             The system object reference (serverReference) CN=DC2,OU=Domain Controllers,DC=corp,DC=domain and backlink on CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain are correct.
             The system object reference (serverReferenceBL) CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain and backlink on CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain are correct.
             The system object reference (msDFSR-ComputerReferenceBL) CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain and backlink on CN=DC2,OU=Domain Controllers,DC=corp,DC=domain are correct.
             ......................... DC2 passed test VerifyReferences
          Test omitted by user request: VerifyReplicas
          Test omitted by user request: DNS
          Test omitted by user request: DNS

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : corp
          Starting test: CheckSDRefDom
             ......................... corp passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... corp passed test CrossRefValidation

       Running enterprise tests on : corp.domain
          Test omitted by user request: DNS
          Test omitted by user request: DNS
          Starting test: LocatorCheck
             GC Name: \\DC2.corp.domain
             Locator Flags: 0xe00031fd
             PDC Name: \\DC2.corp.domain
             Locator Flags: 0xe00031fd
             Time Server Name: \\DC2.corp.domain
             Locator Flags: 0xe00031fd
             Preferred Time Server Name: \\DC2.corp.domain
             Locator Flags: 0xe00031fd
             KDC Name: \\DC2.corp.domain
             Locator Flags: 0xe00031fd
             ......................... corp.domain passed test LocatorCheck
          Starting test: Intersite
             Skipping site Brisbane, this site is outside the scope provided by the command line arguments provided.
             ......................... corp.domain passed test Intersite

dcdiag /test:Topology

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = DC2
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Brisbane\DC2
          Starting test: Connectivity
             ......................... DC2 passed test Connectivity

    Doing primary tests

       Testing server: Brisbane\DC2
          Starting test: Topology
             ......................... DC2 passed test Topology

       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : corp
       Running enterprise tests on : corp.domain

dcdiag /test:Replications

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = DC2
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Brisbane\DC2
          Starting test: Connectivity
             ......................... DC2 passed test Connectivity

    Doing primary tests

       Testing server: Brisbane\DC2
          Starting test: Replications
             ......................... DC2 passed test Replications

       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : corp
       Running enterprise tests on : corp.domain

dnslint /ad 10.1.1.21 /s 10.1.1.21

    DNSLint Report

    System Date: Tue Mar 19 14:43:20 2013
    Command run: c:\dnslint\dnslint /ad 10.1.1.21 /s 10.1.1.21

    Root of Active Directory Forest: corp.domain

    Active Directory Forest Replication GUIDs Found:
      DC: DC2  GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7
      DC: DC3  GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
      DC: MX1  GUID: 579be28b-006e-4f1c-911a-780458c5d081
    Total GUIDs found: 3

    --------------------------------------------------------------------------------
    The following 2 DNS servers were checked for records related to AD forest replication:

    DNS server: dc2.corp.domain
    IP Address: 10.1.1.21
    UDP port 53 responding to queries: YES
    TCP port 53 responding to queries: Not tested
    Answering authoritatively for domain: YES

    SOA record data from server:
      Authoritative name server: dc2.corp.domain
      Hostmaster: hostmaster.corp.domain
      Zone serial number: 150
      Zone expires in: 1.00 day(s)
      Refresh period: 900 seconds
      Retry delay: 600 seconds
      Default (minimum) TTL: 3600 seconds

    Additional authoritative (NS) records from server:
      dc2.corp.domain  Unknown
      dc3.corp.domain  Unknown

    Alias (CNAME) and glue (A) records for forest GUIDs from server:
      CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
        Alias: dc2.corp.domain
        Glue: 10.1.1.21
      CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
        Alias: dc3.corp.domain
        Glue: 10.1.1.22
      CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
        Alias: mx1.corp.domain
        Glue: 10.1.1.25

    Total number of CNAME records found on this server: 3
    Total number of CNAME records missing on this server: 0
    Total number of glue (A) records this server could not find: 0

    --------------------------------------------------------------------------------
    DNS server: dc3.corp.domain
    IP Address: 10.1.1.22
    UDP port 53 responding to queries: YES
    TCP port 53 responding to queries: Not tested
    Answering authoritatively for domain: YES

    SOA record data from server:
      Authoritative name server: dc3.corp.domain
      Hostmaster: hostmaster.corp.domain
      Zone serial number: 150
      Zone expires in: 1.00 day(s)
      Refresh period: 900 seconds
      Retry delay: 600 seconds
      Default (minimum) TTL: 3600 seconds

    Additional authoritative (NS) records from server:
      dc2.corp.domain  Unknown
      dc3.corp.domain  Unknown

    Alias (CNAME) and glue (A) records for forest GUIDs from server:
      CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
        Alias: dc2.corp.domain
        Glue: 10.1.1.21
      CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
        Alias: dc3.corp.domain
        Glue: 10.1.1.22
      CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
        Alias: mx1.corp.domain
        Glue: 10.1.1.25

    Total number of CNAME records found on this server: 3
    Total number of CNAME records missing on this server: 0

dnscmd /zoneinfo corp.domain

    Zone query result:

    Zone info:
            ptr                   = 0000000000197AB0
            zone name             = corp.domain
            zone type             = 1
            shutdown              = 0
            paused                = 0
            update                = 2
            DS integrated         = 1
            read only zone        = 0
            in DS loading queue   = 0
            currently DS loading  = 0
            data file             = (null)
            using WINS            = 0
            using Nbstat          = 0
            aging                 = 0
              refresh interval    = 168
              no refresh          = 168
              scavenge available  = 0
            Zone Masters            NULL IP Array.
            Zone Secondaries        NULL IP Array.
            secure secs           = 1
            directory partition   = AD-Domain     flags 00000015
            zone DN               = DC=corp.domain,cn=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=domain
    Command completed successfully.

repadmin /showrepl

    Repadmin: running command /showrepl against full DC localhost
    Brisbane\DC2
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7
    DSA invocationID: d2eb9fee-f5ee-458d-b37f-813d6cc41d9b

    ==== INBOUND NEIGHBORS ======================================

    DC=corp,DC=domain
        Brisbane\MX1 via RPC
            DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
            Last attempt @ 2013-03-19 14:58:35 was successful.
        Brisbane\DC3 via RPC
            DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
            Last attempt @ 2013-03-19 14:59:08 was successful.

    CN=Configuration,DC=corp,DC=domain
        Brisbane\DC3 via RPC
            DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
            Last attempt @ 2013-03-19 14:55:31 was successful.
        Brisbane\MX1 via RPC
            DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
            Last attempt @ 2013-03-19 14:55:31 was successful.

    CN=Schema,CN=Configuration,DC=corp,DC=domain
        Brisbane\DC3 via RPC
            DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
            Last attempt @ 2013-03-19 14:55:31 was successful.
        Brisbane\MX1 via RPC
            DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
            Last attempt @ 2013-03-19 14:55:31 was successful.

    DC=DomainDnsZones,DC=corp,DC=domain
        Brisbane\DC3 via RPC
            DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
            Last attempt @ 2013-03-19 14:55:31 was successful.

    DC=ForestDnsZones,DC=corp,DC=domain
        Brisbane\DC3 via RPC
            DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
            Last attempt @ 2013-03-19 14:55:31 was successful.

repadmin /replsummary

    Replication Summary Start Time: 2013-03-19 14:59:31

    Beginning data collection for replication summary, this may take awhile:
      ......

    Source DSA          largest delta    fails/total %%   error
     DC2                      12m:51s    0 /   8    0
     DC3                      12m:51s    0 /   8    0
     MX1                      11m:11s    0 /   6    0

    Destination DSA     largest delta    fails/total %%   error
     DC2                      04m:00s    0 /   8    0
     DC3                      11m:11s    0 /   8    0
     MX1                      12m:51s    0 /   6    0

repadmin /kcc

    Repadmin: running command /kcc against full DC localhost
    Brisbane
    Current Site Options: (none)
    Consistency check on localhost successful.

netdom query fsmo

    Schema master               DC2.corp.domain
    Domain naming master        DC2.corp.domain
    PDC                         DC2.corp.domain
    RID pool manager            DC2.corp.domain
    Infrastructure master       DC2.corp.domain
    The command completed successfully.
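The only test that fails in the dcdiag run above is SystemLog, and what it flags are repeated Kerberos error events (KDC_ERR_BADOPTION with extended error 0xc00000bb, plus one KRB_AP_ERR_MODIFIED). Reading those out of the raw event text by hand is tedious, so here is an added PowerShell example, not part of the original question, that parses the event bodies and groups them by error code and service name so the pattern is visible. It assumes the events come from the provider Microsoft-Windows-Security-Kerberos with event ID 3 (dcdiag's 0x80000003 is ID 3 with the warning-severity bit set); both values are assumptions to verify against your own System log. The sample event body at the end is constructed, with placeholder SPNs, because the output above redacts them.

```powershell
# Added example (not from the original question): summarise Kerberos error
# events from the System log. Provider name and event ID are assumptions.

# Common meanings of the two codes seen in the dcdiag output above (RFC 4120
# error names, Windows extended status); a starting point, not a verdict.
$script:KerberosErrorHints = @{
    'KDC_ERR_BADOPTION'   = 'KDC refused the requested ticket options; with extended error 0xc00000bb (STATUS_NOT_SUPPORTED) this is typically a delegation request the service account is not permitted to make.'
    'KRB_AP_ERR_MODIFIED' = 'Target could not decrypt the ticket: SPN registered on the wrong account, or the account password differs between KDC and host.'
}

function ConvertFrom-KerberosErrorMessage {
    # Extracts the fields of one "A Kerberos Error Message was received" body.
    # The real event puts each field on its own line, so we parse line by line.
    param([Parameter(Mandatory = $true)][string]$Message)

    $fields = @{ ErrorCode = ''; ErrorName = ''; ExtendedError = ''
                 ClientName = ''; ServerName = ''; TargetName = '' }
    foreach ($line in ($Message -split "`r?`n")) {
        switch -Regex ($line) {
            '^\s*Error Code:\s*(0x[0-9A-Fa-f]+)\s*(\S*)' { $fields.ErrorCode = $Matches[1]; $fields.ErrorName = $Matches[2] }
            '^\s*Extended Error:\s*(.*)$'               { $fields.ExtendedError = $Matches[1].Trim() }
            '^\s*Client Name:\s*(.*)$'                  { $fields.ClientName = $Matches[1].Trim() }
            '^\s*Server Name:\s*(.*)$'                  { $fields.ServerName = $Matches[1].Trim() }
            '^\s*Target Name:\s*(.*)$'                  { $fields.TargetName = $Matches[1].Trim() }
        }
    }
    New-Object PSObject -Property $fields |
        Select-Object ErrorCode, ErrorName, ExtendedError, ClientName, ServerName, TargetName
}

function Get-KerberosErrorSummary {
    # Reads matching events for the last $Hours hours and groups them.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'   # assumed provider name
        Id           = 3                                       # assumed event ID
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) { Write-Verbose "No matching events in the last $Hours h on $ComputerName"; return }

    $events |
        ForEach-Object { ConvertFrom-KerberosErrorMessage -Message $_.Message } |
        Group-Object ErrorName, ServerName, TargetName |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                Count         = $_.Count
                ErrorName     = $first.ErrorName
                ErrorCode     = $first.ErrorCode
                ExtendedError = $first.ExtendedError
                ServerName    = $first.ServerName
                TargetName    = $first.TargetName
                Hint          = $script:KerberosErrorHints[$first.ErrorName]
            }
        } | Select-Object Count, ErrorName, ErrorCode, ExtendedError, ServerName, TargetName, Hint
}

# Constructed sample body in the shape of the events above; SPNs are
# placeholders. Lets the parser be exercised without a domain controller.
$sample = @"
A Kerberos Error Message was received:
 on logon session
Client Time:
Server Time: 3:15:51.0000 3/19/2013 Z
Error Code: 0xd  KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: <service-spn-placeholder>
Target Name: <target-spn-placeholder>@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
"@
ConvertFrom-KerberosErrorMessage -Message $sample | Format-List

# Against the live log of the DC that dcdiag was run on (example host name from the output above):
# Get-KerberosErrorSummary -Hours 24 -ComputerName DC2 | Format-Table -AutoSize
```

The grouping by ErrorName, ServerName and TargetName is the point: a single KDC_ERR_BADOPTION is noise, but the same SPN failing every fifteen minutes with extended error 0xc00000bb, as in the output above, points at one service account's delegation or SPN configuration rather than at replication or DNS, which the other tools in the question already show as healthy.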

An Exchange 2010 server needs a domain controller with a GC in the same site.

Also, running Exchange on a domain controller is not recommended. And you should absolutely never promote an Exchange server to a domain controller.

From your description it sounds like you've broken at least two of those rules, if not all of them.

Solution provided by Ashdrewness

Running dcpromo on a server after Exchange is installed is not supported. Doing an in-place upgrade from Std to Ent with Exchange installed is not supported either. You have to uninstall Exchange or do a disaster recovery install of Exchange (setup.com /recoverserver).

http://technet.microsoft.com/en-us/library/aa996719(v=exchg.141).aspx

Installing Exchange 2010 on a Directory Server

For security and performance reasons, we recommend that you install Exchange 2010 only on member servers and not on Active Directory directory servers. However, you cannot run DCPromo on a computer running Exchange 2010. After Exchange 2010 is installed, changing its role from a member server to a directory server, or vice versa, is not supported.
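The answer and the TechNet text quoted above state two placement rules: a global catalog must exist in the Exchange server's own AD site, and Exchange must not run on a domain controller (a state that dcpromo cannot undo once Exchange is installed). The following PowerShell is an added, read-only pre-flight check for both rules, written for this page; it is not Microsoft's code and not from either answer. It assumes a domain-joined Windows Server where the .NET System.DirectoryServices.ActiveDirectory classes are available, and, for the optional last function, that the Exchange 2010 Management Shell is loaded so that Get-ExchangeServer -Status can report which DCs and GCs DSAccess actually selected. The function and property names defined here (Test-ExchangeDirectoryPlacement, Get-ExchangeDirectoryServersInUse, Finding) are this example's own.

```powershell
# Added example (not from the answer, the quoted TechNet article, or Microsoft):
# check the two placement rules above on the Exchange server itself.

Add-Type -AssemblyName System.DirectoryServices   # AD site/forest classes live here

function Test-ExchangeDirectoryPlacement {
    [CmdletBinding()]
    param()

    # Rule 2: Exchange should not run on a domain controller.
    # Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 server, 4 backup DC, 5 primary DC.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $isDC = ($role -ge 4)

    # Rule 1: a global catalog must exist in the same AD site as this server.
    # GetComputerSite() resolves the site from this machine's subnet; it throws
    # if the subnet is not mapped to any site, which is itself a finding.
    $site   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcs    = @($forest.FindAllGlobalCatalogs($site.Name) | ForEach-Object { $_.Name })

    # If this box is itself the only GC in the site (the situation in the
    # question), rule 1 is only satisfied because rule 2 is broken.
    $gcsOtherThanSelf = @($gcs | Where-Object { $_ -notlike "$env:COMPUTERNAME.*" })

    $finding = $(
        if ($isDC) {
            'Exchange is running on a domain controller; unsupported, and dcpromo is not a way out once Exchange is installed.'
        } elseif ($gcsOtherThanSelf.Count -eq 0) {
            "No global catalog found in site '$($site.Name)'; Exchange needs one in its own site."
        } else {
            'OK: member server with at least one GC in its site.'
        }
    )

    New-Object PSObject -Property @{
        Computer           = $env:COMPUTERNAME
        Site               = $site.Name
        DomainRole         = $role
        IsDomainController = $isDC
        SiteGlobalCatalogs = $gcs
        GCsOtherThanSelf   = $gcsOtherThanSelf
        Finding            = $finding
    } | Select-Object Computer, Site, DomainRole, IsDomainController, SiteGlobalCatalogs, GCsOtherThanSelf, Finding
}

function Get-ExchangeDirectoryServersInUse {
    # Optional: what Exchange 2010 itself picked. Requires the Exchange Management Shell.
    param([string]$Server = $env:COMPUTERNAME)

    if (-not (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue)) {
        Write-Warning 'Exchange Management Shell not loaded; skipping DSAccess view.'
        return
    }
    Get-ExchangeServer -Identity $Server -Status |
        Select-Object Name, Site, CurrentDomainControllers, CurrentGlobalCatalogs, CurrentConfigDomainController
}

# Usage, run on the Exchange server:
Test-ExchangeDirectoryPlacement | Format-List
Get-ExchangeDirectoryServersInUse | Format-List
```

If the first function reports IsDomainController as true, the only supported paths are the ones the quoted answer names: uninstall Exchange and reinstall on a member server, or a recovery install; demoting the box in place is not an option. If it reports no GC other than the server itself, that is the configuration the question describes, and adding (or promoting to GC) a separate domain controller in the same site is the fix for rule 1.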