I had a previous question about this problem, but I've come across some new information and figured I'd start a new post to stir up some fresh discussion.

First, I'll give you a brief description of our networking setup (as I understand it). We have 2 stores. We'll call them CP and HQ. Now, HQ is a domain controller, and we have a local domain called billsgs.net. Each store basically runs on its own. Each of them has a firewall and its own server running Windows Server 2008 R2. The only time they interact is through replication. We have designated replication directories, mainly user profiles and our database files. That is most of our backup.

Now on to the problem... A few weeks ago (early June) we noticed that the replication service on the HQ server was taking up a huge amount of memory, and by that I mean all the available memory it could get its hands on. We have 13GB, and within 10 minutes of DFS running, memory usage was at about 98%. So we stopped it. We weren't really bothered by this, but if something were to crash we would be hurting on backups. We have run some hotfixes, but nothing worked. As of now, DFS is not running.

Now, a few weeks ago the firewall OS got corrupted; I don't know how it happened, I wasn't there. This was at the HQ store. So we have a broken firewall and DFS not working properly. We recently reinstalled the OS on the firewall, which is pfSense. Everything seemed to work fine.. except we started noticing some DNS problems. We are at the point where we don't know whether this is related to the DNS/AD/DFS problem or to the firewall problem. We have basically opened the firewall right up, so we have decided it isn't the problem, at least it doesn't seem to be. So here is some of the debugging we have done...

Here is the dcdiag output...
C:\Users\Administrator>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = BGS-HQ-VRDSVR01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: BGS-HQ\BGS-HQ-VRDSVR01
      Starting test: Connectivity
         ......................... BGS-HQ-VRDSVR01 passed test Connectivity

Doing primary tests

   Testing server: BGS-HQ\BGS-HQ-VRDSVR01
      Starting test: Advertising
         ......................... BGS-HQ-VRDSVR01 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.
         Failing SYSVOL replication problems may cause Group Policy problems.
         ......................... BGS-HQ-VRDSVR01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... BGS-HQ-VRDSVR01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... BGS-HQ-VRDSVR01 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000082C
            Time Generated: 08/05/2011   15:04:12
            Event String:
         A warning event occurred.  EventID: 0x8000082C
            Time Generated: 08/05/2011   15:05:12
            Event String:
         ......................... BGS-HQ-VRDSVR01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... BGS-HQ-VRDSVR01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... BGS-HQ-VRDSVR01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... BGS-HQ-VRDSVR01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... BGS-HQ-VRDSVR01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... BGS-HQ-VRDSVR01 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,BGS-HQ-VRDSVR01] A recent replication attempt failed:
            From BGS-CP-VRDSVR01 to BGS-HQ-VRDSVR01
            Naming Context: DC=ForestDnsZones,DC=billsgs,DC=net
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2011-08-05 14:34:49.
            The last success occurred at 2011-08-05 13:51:35.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,BGS-HQ-VRDSVR01] A recent replication attempt failed:
            From BGS-CP-VRDSVR01 to BGS-HQ-VRDSVR01
            Naming Context: DC=DomainDnsZones,DC=billsgs,DC=net
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2011-08-05 14:34:48.
            The last success occurred at 2011-08-05 13:51:35.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,BGS-HQ-VRDSVR01] A recent replication attempt failed:
            From BGS-CP-VRDSVR01 to BGS-HQ-VRDSVR01
            Naming Context: CN=Schema,CN=Configuration,DC=billsgs,DC=net
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2011-08-05 14:34:47.
            The last success occurred at 2011-08-05 13:51:34.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,BGS-HQ-VRDSVR01] A recent replication attempt failed:
            From BGS-CP-VRDSVR01 to BGS-HQ-VRDSVR01
            Naming Context: CN=Configuration,DC=billsgs,DC=net
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2011-08-05 14:34:46.
            The last success occurred at 2011-08-05 13:51:34.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,BGS-HQ-VRDSVR01] A recent replication attempt failed:
            From BGS-CP-VRDSVR01 to BGS-HQ-VRDSVR01
            Naming Context: DC=billsgs,DC=net
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2011-08-05 14:34:46.
            The last success occurred at 2011-08-05 13:51:34.
            1 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... BGS-HQ-VRDSVR01 failed test Replications
      Starting test: RidManager
         ......................... BGS-HQ-VRDSVR01 passed test RidManager
      Starting test: Services
         Invalid service startup type: DFSR on BGS-HQ-VRDSVR01, current value DISABLED, expected value AUTO_START
         DFSR Service is stopped on [BGS-HQ-VRDSVR01]
         ......................... BGS-HQ-VRDSVR01 failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000458
            Time Generated: 08/05/2011   14:08:10
            Event String:
            The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
         An error event occurred.  EventID: 0x00000456
            Time Generated: 08/05/2011   14:23:08
            Event String:
            The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
         An error event occurred.  EventID: 0xC0001B78
            Time Generated: 08/05/2011   14:28:16
            Event String:
            The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the DFS Replication service, but this action failed with the following error:
         An error event occurred.  EventID: 0xC000271A
            Time Generated: 08/05/2011   14:31:28
            Event String:
            The server {995C996E-D918-4A8C-A302-45719A6F4EA7} did not register with DCOM within the required timeout.
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 08/05/2011   14:34:09
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 08/05/2011   14:34:13
            Event String:
            Name resolution for the name billsgs.net timed out after none of the configured DNS servers responded.
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 08/05/2011   14:34:48
            Event String:
            The DgiVecp service failed to start due to the following error:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 08/05/2011   14:34:55
            Event String:
            The dynamic registration of the DNS record '6282bfca-ade1-41c8-84dc-516ce19b49be._msdcs.billsgs.net. 600 IN CNAME BGS-HQ-VRDSVR01.billsgs.net.' failed on the following DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 08/05/2011   14:34:56
            Event String:
            The dynamic registration of the DNS record '_kpasswd._udp.billsgs.net. 600 IN SRV 0 100 464 BGS-HQ-VRDSVR01.billsgs.net.' failed on the following DNS server:
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 08/05/2011   14:34:56
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 08/05/2011   14:34:55
            Event String:
            Name resolution for the name billsgs.net timed out after none of the configured DNS servers responded.
         An error event occurred.  EventID: 0xC00110F1
            Time Generated: 08/05/2011   14:35:09
            Event String:
            The WINS Server could not initialize security to allow the read-only operations.
         An error event occurred.  EventID: 0xC0002720
            Time Generated: 08/05/2011   14:36:05
            Event String:
            The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 08/05/2011   14:38:30
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/BGS-HQ-VRDSVR01.billsgs.net; WSMAN/BGS-HQ-VRDSVR01.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 08/05/2011   14:47:48
            Event String:
            Windows failed to apply the Folder Redirection settings. Folder Redirection settings might have its own log file. Please click on the "More information" link.
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 08/05/2011   15:02:25
            Event String:
            The dynamic registration of the DNS record '6282bfca-ade1-41c8-84dc-516ce19b49be._msdcs.billsgs.net. 600 IN CNAME BGS-HQ-VRDSVR01.billsgs.net.' failed on the following DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 08/05/2011   15:02:26
            Event String:
            The dynamic registration of the DNS record '_kpasswd._udp.billsgs.net. 600 IN SRV 0 100 464 BGS-HQ-VRDSVR01.billsgs.net.' failed on the following DNS server:
         ......................... BGS-HQ-VRDSVR01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... BGS-HQ-VRDSVR01 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : billsgs
      Starting test: CheckSDRefDom
         ......................... billsgs passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... billsgs passed test CrossRefValidation

   Running enterprise tests on : billsgs.net
      Starting test: LocatorCheck
         ......................... billsgs.net passed test LocatorCheck
      Starting test: Intersite
         ......................... billsgs.net passed test Intersite
Now keep in mind that every time we reboot the server the situation is a bit different. Sometimes the problems we hit are related to DCOM not being able to reach the DNS server we specified! Now.. here is the output of a DNS test...
C:\Users\Administrator>dcdiag /test:DNS

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = BGS-HQ-VRDSVR01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: BGS-HQ\BGS-HQ-VRDSVR01
      Starting test: Connectivity
         ......................... BGS-HQ-VRDSVR01 passed test Connectivity

Doing primary tests

   Testing server: BGS-HQ\BGS-HQ-VRDSVR01
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... BGS-HQ-VRDSVR01 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : billsgs

   Running enterprise tests on : billsgs.net
      Starting test: DNS
         Test results for domain controllers:

            DC: BGS-HQ-VRDSVR01.billsgs.net
            Domain: billsgs.net

               TEST: Basic (Basc)
                  Warning: adapter [00000007] Intel(R) PRO/1000 MT Network Connection has invalid DNS server: 192.168.40.254 (<name unavailable>)

               TEST: Records registration (RReg)
                  Network Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
                     Warning: Missing SRV record at DNS server 192.168.40.13: _ldap._tcp.billsgs.net
                     Warning: Missing SRV record at DNS server 192.168.40.13: _ldap._tcp.22017278-29d1-493a-b72d-e44b31411a70.domains._msdcs.billsgs.net
                     Warning: Missing SRV record at DNS server 192.168.40.13: _kerberos._tcp.dc._msdcs.billsgs.net
                     Warning: Missing SRV record at DNS server 192.168.40.13: _ldap._tcp.dc._msdcs.billsgs.net
                     Warning: Missing SRV record at DNS server 192.168.40.13: _kerberos._tcp.billsgs.net
                     Warning: Missing SRV record at DNS server 192.168.40.13: _kerberos._udp.billsgs.net
                     Warning: Missing SRV record at DNS server 192.168.40.13: _kpasswd._tcp.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.13: _ldap._tcp.BGS-HQ._sites.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.13: _kerberos._tcp.BGS-HQ._sites.dc._msdcs.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.13: _ldap._tcp.BGS-HQ._sites.dc._msdcs.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.13: _kerberos._tcp.BGS-HQ._sites.billsgs.net
                     Warning: Missing SRV record at DNS server 192.168.40.13: _ldap._tcp.gc._msdcs.billsgs.net
                     Warning: Missing A record at DNS server 192.168.40.13: gc._msdcs.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.13: _gc._tcp.BGS-HQ._sites.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.13: _ldap._tcp.BGS-HQ._sites.gc._msdcs.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.13: _ldap._tcp.pdc._msdcs.billsgs.net
                     Warning: Missing CNAME record at DNS server 192.168.40.254: 6282bfca-ade1-41c8-84dc-516ce19b49be._msdcs.billsgs.net
                     Warning: Missing A record at DNS server 192.168.40.254: BGS-HQ-VRDSVR01.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _ldap._tcp.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _ldap._tcp.22017278-29d1-493a-b72d-e44b31411a70.domains._msdcs.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _kerberos._tcp.dc._msdcs.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _ldap._tcp.dc._msdcs.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _kerberos._tcp.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _kerberos._udp.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _kpasswd._tcp.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _ldap._tcp.BGS-HQ._sites.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _kerberos._tcp.BGS-HQ._sites.dc._msdcs.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _ldap._tcp.BGS-HQ._sites.dc._msdcs.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _kerberos._tcp.BGS-HQ._sites.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _ldap._tcp.gc._msdcs.billsgs.net
                     Warning: Missing A record at DNS server 192.168.40.254: gc._msdcs.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _gc._tcp.BGS-HQ._sites.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _ldap._tcp.BGS-HQ._sites.gc._msdcs.billsgs.net
                     Error: Missing SRV record at DNS server 192.168.40.254: _ldap._tcp.pdc._msdcs.billsgs.net
                  Error: Record registrations cannot be found for all the network adapters

         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 192.168.40.254 (<name unavailable>)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.billsgs.net. failed on the DNS server 192.168.40.254

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: billsgs.net
               BGS-HQ-VRDSVR01              PASS WARN PASS PASS PASS FAIL n/a

         ......................... billsgs.net failed test DNS

C:\Users\Administrator>
I believe this is our main problem, but I'm lost in the whole thing. I've given the netlogon restart trick a few tries. I've even run the following sequence:

net stop netlogon
net stop dns
ipconfig /flushdns
net start dns
net start netlogon

Nothing seems to work. Just recently, today, we went into "Active Directory Users and Computers", and under "Domain Controllers" the HQ server is not listed. It just says unavailable.

Also.. here is an ipconfig output...
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : BGS-HQ-VRDSVR01
   Primary Dns Suffix  . . . . . . . : billsgs.net
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : billsgs.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-03-BA-38
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.40.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.40.254
   DNS Servers . . . . . . . . . . . : 192.168.40.13
                                       192.168.40.254
   Primary WINS Server . . . . . . . : 192.168.40.13
   Secondary WINS Server . . . . . . : 192.168.41.17
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{ADEC15A8-2603-40EB-964C-489CCBD11E08}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator>
HQ is 192.168.40.13 and CP is 192.168.41.17. Also, 192.168.40.254 is the HQ firewall and 192.168.41.254 is the CP firewall.

Tying this all together, basically our servers are not communicating. Like I said, DNS seems to be the main problem. An example of this would be.. from the HQ network, if I run nslookup billsgs.net the address returned is 192.168.41.17, which is the CP server address. That said, nobody from the HQ location can "access" Active Directory. Meaning.. \\billsgs.net is not reachable from the HQ network.
You're right, AD problems are almost always DNS problems. I think the problem is having the firewall set as the secondary DNS in the DC's IP settings. Remove it from the NIC configuration and add the firewall as a forwarder in the DNS configuration.

This will force all DNS resolution to start with Windows DNS, and addresses it doesn't know will be queried through the forwarder.

Once you have reset the DNS settings, run ipconfig /registerdns on the DC to fix the AD registrations in DNS.

Also, all Windows servers and clients should point only to this DNS. If you need a backup DNS, install DNS on another server (it doesn't need to be a DC to run DNS).
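One way to audit and then apply the change this answer describes, as an added PowerShell example that is not part of the thread: it flags any DNS server in the NIC's client list that is not an AD DNS server, and with -Apply it resets the list to the DC, moves the firewall to the DNS Server forwarders, and re-registers the DC's records. It assumes it runs elevated on the DC (Windows Server 2008 R2 with the DNS Server role, so dnscmd.exe is present), and that 192.168.40.13 and 192.168.40.254 are the DC and HQ firewall addresses from the question; run it without -Apply on other servers and clients to check they point only at AD DNS.

```powershell
# Added example (not from the thread). Audit, and optionally fix, the DNS client
# list on this machine: AD members (and the DC itself) should list only
# AD-integrated DNS servers; an outside resolver such as the pfSense firewall
# belongs in the DNS Server's forwarder list instead.
param(
    [string[]]$AdDnsServers = @('192.168.40.13'),   # the HQ DC (address from the question)
    [string[]]$Forwarders   = @('192.168.40.254'),  # the HQ firewall (address from the question)
    [switch]$Apply                                  # without this, only report
)

$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    # Disconnected tunnel adapters report no DNS servers; drop the empty entry.
    $current = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    $bad = @($current | Where-Object { $AdDnsServers -notcontains $_ })
    if ($bad.Count -eq 0) {
        Write-Host "$($nic.Description): DNS client list OK ($($current -join ', '))"
        continue
    }
    # This is the misconfiguration the answer points at: a non-AD resolver in the
    # client list lets the locator query it for _ldap/_kerberos SRV records.
    Write-Warning "$($nic.Description): non-AD DNS server(s) in client list: $($bad -join ', ')"
    if ($Apply) {
        $r = $nic.SetDNSServerSearchOrder([string[]]$AdDnsServers)
        if ($r.ReturnValue -ne 0) { throw "SetDNSServerSearchOrder failed: $($r.ReturnValue)" }
        Write-Host "$($nic.Description): DNS client list set to $($AdDnsServers -join ', ')"
    }
}

if ($Apply) {
    # /ResetForwarders replaces the whole forwarder list with the addresses given.
    & dnscmd.exe /ResetForwarders $Forwarders
    # Re-register the DC's A and CNAME records, as the answer recommends...
    & ipconfig.exe /registerdns
    # ...and restart Netlogon so it re-registers the _msdcs/_sites SRV records.
    Restart-Service Netlogon
    Write-Host 'Re-run "dcdiag /test:DNS" and check that the RReg column now passes.'
}
```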
I think the real problem is that the domain name is a single-label DNS name (one word (bills) followed by a valid TLD (.net)). By default, DNS clients won't register those names, because they are most likely public domain names.