[AD] 無法加入網域無法加入使用者

ad trouble shooting windows server windows 2008r2 windows2019

matureox 2022-08-09 09:17:38 ‧ 1813 瀏覽

分享至

Hi 各位大大先謝謝大家的回答,

我有兩台 DC 在不同機器上的 VM
DC1 = FSMO, Win2008R2,VirtualBox
DC2 = Win2019, VirtualBox

8/1/2022 的時候, DC1 的硬碟壞掉, 重裝 OS, 把 7/2 的 VM ova 備份裝回去.
同時 8/1 發現 DC2 出現錯誤訊息, 重開後說 VM .vdi file missing. 所以再把 7/2 的 DC2 VM ova 裝回去.

問題:昨天發現安裝之前已經加入 domain 的 PC, 無法加入新的使用者.

退出 domain, 要再加入 domain 也不讓加入. (有跳出輸入使用者跟密碼視窗, 打入後跳出錯誤訊息)

在 DC1 跑了 dcdiag /q

C:\Users\Administrator>dcdiag /q
Warning: DsGetDcName returned information for \W2K19IP03.redwood.com,
when we were trying to reach WIN2K8R2-HM066.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... WIN2K8R2-HM066 failed test Advertising
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... WIN2K8R2-HM066 failed test DFSREvent
NETLOGON Service is paused on [WIN2K8R2-HM066]
......................... WIN2K8R2-HM066 failed test Services

C:\Users\Administrator>

在 DC2 跑了 dcdiag /q
Microsoft Windows [Version 10.0.17763.2628]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\administrator.REDWOOD>dcdiag /q
The host bfeb3fc7-745c-4e52-91cc-25ad7263baff._msdcs.redwood.com could not be resolved to an IP address. Check
the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... W2K19IP03 failed test Connectivity
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
......................... redwood.com failed test LocatorCheck

C:\Users\administrator.REDWOOD>

另外在 DC1 的 Event Viewer 的 System 有個錯誤
The dynamic registration of the DNS record '6f48b381-651e-42c2-8d1d-cfa55e8f6e81._msdcs.redwood.com. 600 IN CNAME Win2K8R2-HM066.redwood.com.' failed on the following DNS server:

DNS server IP address: 87.239.8.2
Returned Response Code (RCODE): 5
Returned Status Code: 9017

For computers and users to locate this domain controller, this record must be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: DNS bad key.

謝謝大家.
Jerry

看更多先前的討論...收起先前的討論...

matureox iT邦新手 5 級 ‧ 2022-08-09 11:49:47 檢舉

1. 如果可以修復 DC1 , 就可以把 DC2 demote 然後再 promote
2. 還是可以再次回復到 7/2 DC1 備份, 等 DC1 跑一段時間再重裝一台 DC
DC1 run dcdiag /a (只顯示 fail 部分)
Testing server: Default-First-Site-Name\WIN2K8R2-HM066
Starting test: Advertising
Warning: DsGetDcName returned information for \\W2K19IP03.redwood.com,
when we were trying to reach WIN2K8R2-HM066.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... WIN2K8R2-HM066 failed test Advertising
Starting test: FrsEvent
......................... WIN2K8R2-HM066 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... WIN2K8R2-HM066 failed test DFSREvent
Starting test: SysVolCheck
.....
Authoritative attribute lastLogonTimestamp on WIN2K8R2-HM066 (writea
ble)
usnLocalChange = 26554460
LastOriginatingDsa = WIN2K8R2-HM066
usnOriginatingChange = 26554460
timeLastOriginatingChange = 2022-08-01 10:40:20
VersionLastOriginatingChange = 85
Out-of-date attribute lastLogonTimestamp on W2K19IP03 (writeable)
usnLocalChange = 22225579
LastOriginatingDsa = WIN2K8R2-HM066
usnOriginatingChange = 26507231
timeLastOriginatingChange = 2022-06-28 16:20:28
VersionLastOriginatingChange = 84
Authoritative attribute pwdLastSet on WIN2K8R2-HM066 (writeable)
usnLocalChange = 26554447
LastOriginatingDsa = WIN2K8R2-HM066
usnOriginatingChange = 26554447
timeLastOriginatingChange = 2022-08-01 10:40:10
VersionLastOriginatingChange = 32
Out-of-date attribute pwdLastSet on W2K19IP03 (writeable)
usnLocalChange = 21804257
LastOriginatingDsa = WIN2K8R2-HM066
usnOriginatingChange = 25715655
timeLastOriginatingChange = 2022-06-03 11:19:28
VersionLastOriginatingChange = 31
Authoritative attribute options on WIN2K8R2-HM066 (writeable)
usnLocalChange = 26586771
LastOriginatingDsa = WIN2K8R2-HM066
usnOriginatingChange = 26586771
timeLastOriginatingChange = 2022-08-08 14:21:47
VersionLastOriginatingChange = 4
Out-of-date attribute options on W2K19IP03 (writeable)
usnLocalChange = 7570
LastOriginatingDsa = WIN2K8R2-HM066
usnOriginatingChange = 5836
timeLastOriginatingChange = 2020-01-28 21:31:25
VersionLastOriginatingChange = 1
......................... WIN2K8R2-HM066 failed test ObjectsReplicated
Starting test: Replications
......................... WIN2K8R2-HM066 failed test Services
Starting test: SystemLog
..
The event log DFS Replication on server W2K19IP03.redwood.com could
not be queried, error 0x6ba "The RPC server is unavailable."
......................... W2K19IP03 failed test DFSREvent
Starting test: SysVolCheck
..
The event log Directory Service on server W2K19IP03.redwood.com could
not be queried, error 0x6ba "The RPC server is unavailable."
......................... W2K19IP03 failed test KccEvent
Starting test: KnowsOfRoleHolders

......................... W2K19IP03 failed test ObjectsReplicated
Starting test: Replications
[Replications Check,W2K19IP03] A recent replication attempt failed:
From WIN2K8R2-HM066 to W2K19IP03
Naming Context: DC=ForestDnsZones,DC=redwood,DC=com
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

The failure occurred at 2022-08-09 07:58:38.
The last success occurred at 2022-07-02 21:59:05.
205 failures have occurred since the last success.
[Replications Check,W2K19IP03] A recent replication attempt failed:
From WIN2K8R2-HM066 to W2K19IP03
Naming Context: DC=DomainDnsZones,DC=redwood,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-09 08:31:05.
The last success occurred at 2022-07-02 21:59:05.
460 failures have occurred since the last success.
[Replications Check,W2K19IP03] A recent replication attempt failed:
From WIN2K8R2-HM066 to W2K19IP03
Naming Context: CN=Schema,CN=Configuration,DC=redwood,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-09 07:58:38.
The last success occurred at 2022-07-02 21:59:05.
201 failures have occurred since the last success.
[Replications Check,W2K19IP03] A recent replication attempt failed:
From WIN2K8R2-HM066 to W2K19IP03
Naming Context: CN=Configuration,DC=redwood,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-09 07:58:38.
The last success occurred at 2022-07-02 21:59:05.
207 failures have occurred since the last success.
[Replications Check,W2K19IP03] A recent replication attempt failed:
From WIN2K8R2-HM066 to W2K19IP03
Naming Context: DC=redwood,DC=com
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2022-08-09 08:35:58.
The last success occurred at 2022-07-02 22:37:39.
8520 failures have occurred since the last success.
......................... W2K19IP03 failed test Replications
Starting test: RidManager
......................... W2K19IP03 failed test SystemLog
Starting test: VerifyReferences

1. 如果可以修復 DC1 , 就可以把 DC2 demote 然後再 promote
2. 還是可以再次回復到 7/2 DC1 備份, 等 DC1 跑一段時間再重裝一台 DC
DC1 run dcdiag /a (只顯示 fail 部分)
   Testing server: Default-First-Site-Name\WIN2K8R2-HM066
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\W2K19IP03.redwood.com,
         when we were trying to reach WIN2K8R2-HM066.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... WIN2K8R2-HM066 failed test Advertising
      Starting test: FrsEvent
         ......................... WIN2K8R2-HM066 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... WIN2K8R2-HM066 failed test DFSREvent
      Starting test: SysVolCheck
.....
Authoritative attribute lastLogonTimestamp on WIN2K8R2-HM066 (writea
ble)
               usnLocalChange = 26554460
               LastOriginatingDsa = WIN2K8R2-HM066
               usnOriginatingChange = 26554460
               timeLastOriginatingChange = 2022-08-01 10:40:20
               VersionLastOriginatingChange = 85
            Out-of-date attribute lastLogonTimestamp on W2K19IP03 (writeable)
               usnLocalChange = 22225579
               LastOriginatingDsa = WIN2K8R2-HM066
               usnOriginatingChange = 26507231
               timeLastOriginatingChange = 2022-06-28 16:20:28
               VersionLastOriginatingChange = 84
            Authoritative attribute pwdLastSet on WIN2K8R2-HM066 (writeable)
               usnLocalChange = 26554447
               LastOriginatingDsa = WIN2K8R2-HM066
               usnOriginatingChange = 26554447
               timeLastOriginatingChange = 2022-08-01 10:40:10
               VersionLastOriginatingChange = 32
            Out-of-date attribute pwdLastSet on W2K19IP03 (writeable)
               usnLocalChange = 21804257
               LastOriginatingDsa = WIN2K8R2-HM066
               usnOriginatingChange = 25715655
               timeLastOriginatingChange = 2022-06-03 11:19:28
               VersionLastOriginatingChange = 31
            Authoritative attribute options on WIN2K8R2-HM066 (writeable)
               usnLocalChange = 26586771
               LastOriginatingDsa = WIN2K8R2-HM066
               usnOriginatingChange = 26586771
               timeLastOriginatingChange = 2022-08-08 14:21:47
               VersionLastOriginatingChange = 4
            Out-of-date attribute options on W2K19IP03 (writeable)
               usnLocalChange = 7570
               LastOriginatingDsa = WIN2K8R2-HM066
               usnOriginatingChange = 5836
               timeLastOriginatingChange = 2020-01-28 21:31:25
               VersionLastOriginatingChange = 1
         ......................... WIN2K8R2-HM066 failed test ObjectsReplicated
      Starting test: Replications
         ......................... WIN2K8R2-HM066 failed test Services
      Starting test: SystemLog
..
The event log DFS Replication on server W2K19IP03.redwood.com could
         not be queried, error 0x6ba &quot;The RPC server is unavailable.&quot;
         ......................... W2K19IP03 failed test DFSREvent
      Starting test: SysVolCheck
..
 The event log Directory Service on server W2K19IP03.redwood.com could
         not be queried, error 0x6ba &quot;The RPC server is unavailable.&quot;
         ......................... W2K19IP03 failed test KccEvent
      Starting test: KnowsOfRoleHolders

......................... W2K19IP03 failed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,W2K19IP03] A recent replication attempt failed:
            From WIN2K8R2-HM066 to W2K19IP03
            Naming Context: DC=ForestDnsZones,DC=redwood,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

The failure occurred at 2022-08-09 07:58:38.
            The last success occurred at 2022-07-02 21:59:05.
            205 failures have occurred since the last success.
         [Replications Check,W2K19IP03] A recent replication attempt failed:
            From WIN2K8R2-HM066 to W2K19IP03
            Naming Context: DC=DomainDnsZones,DC=redwood,DC=com
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2022-08-09 08:31:05.
            The last success occurred at 2022-07-02 21:59:05.
            460 failures have occurred since the last success.
         [Replications Check,W2K19IP03] A recent replication attempt failed:
            From WIN2K8R2-HM066 to W2K19IP03
            Naming Context: CN=Schema,CN=Configuration,DC=redwood,DC=com
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2022-08-09 07:58:38.
            The last success occurred at 2022-07-02 21:59:05.
            201 failures have occurred since the last success.
         [Replications Check,W2K19IP03] A recent replication attempt failed:
            From WIN2K8R2-HM066 to W2K19IP03
            Naming Context: CN=Configuration,DC=redwood,DC=com
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2022-08-09 07:58:38.
            The last success occurred at 2022-07-02 21:59:05.
            207 failures have occurred since the last success.
         [Replications Check,W2K19IP03] A recent replication attempt failed:
            From WIN2K8R2-HM066 to W2K19IP03
            Naming Context: DC=redwood,DC=com
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2022-08-09 08:35:58.
            The last success occurred at 2022-07-02 22:37:39.
            8520 failures have occurred since the last success.
         ......................... W2K19IP03 failed test Replications
      Starting test: RidManager
         ......................... W2K19IP03 failed test SystemLog
      Starting test: VerifyReferences

修改

ZongXianLi iT邦研究生 5 級 ‧ 2022-08-09 11:58:10 檢舉

你在DC1發生故障沒有把FSMO轉至DC2.....
DC2發現錯誤訊息選擇重開.....
只能說保重............
而且2008R2 DC搭 2019 DC
如果你沒做一些操作的話，沒意外你的DFS複寫掛很久了....

allenlwh iT邦高手 1 級 ‧ 2022-08-09 17:55:08 檢舉

我這樣理解不知有沒有錯，倒備份回去時，DC1 和 DC2 應該要一起倒回去。
DC1 和 DC2 之間應該是同步的。

matureox iT邦新手 5 級 ‧ 2022-08-10 15:38:55 檢舉

To allenlwh, 對, 當 DC1 壞掉時, 我要去 DC2 轉成 FSMO 時, DC2 就壞掉了.
所以我只好把 DC1 and DC2 的備份大概差個 2 小時分別倒回去.

目前狀況: 我把 DC2 關機, 然後就可以加入 domain and 加入使用者.
我又新裝了一台 DC3 (Win2019) 把 FSMO 轉到 DC3 上面.
然後重裝 DC2(Win2019), 再把 FSMO 轉到 DC2 上面.
之後(明天)將會 DC1 重裝成 Win2019.
目前 DC2 上的 dcdiag /a 出現的錯誤只剩下 DFSREvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... VM-W19-DC03 failed test DFSREvent

ZongXianLi iT邦研究生 5 級 ‧ 2022-08-10 19:10:27 檢舉

錯誤修正完如果只剩下DFSR的話
就可以開始做FSR轉DFSR
https://techcommunity.microsoft.com/t5/storage-at-microsoft/sysvol-migration-series-part-2-8211-dfsrmig-exe-the-sysvol/ba-p/423470

matureox iT邦新手 5 級 ‧ 2022-08-11 09:30:02 檢舉

Hi ZongXianLi, 我其實看不太懂他是要做甚麼事情.
不過我在 DC2 跑了 dfsrmig /setGloablState 1 跑出來我的 state 已經是 Eliminated 了. 有看到說如果是 Eliminated state 就不能恢復了. 那我還能轉 FSR to DFSR 嗎?
C:\Users\administrator.REDWOOD>dfsrmig /setGlobalState 1

Current DFSR global state: 'Eliminated'
New DFSR global state: 'Prepared'
Invalid state change requested.

C:\Users\administrator.REDWOOD>dfsrmig /GetGlobalState

Current DFSR global state: 'Eliminated'
Succeeded.

C:\Users\administrator.REDWOOD>dfsrmig /GetMigrationState

All domain controllers have migrated successfully to the Global state ('Eliminated').
Migration has reached a consistent state on all domain controllers.
Succeeded.

ZongXianLi iT邦研究生 5 級 ‧ 2022-08-11 13:53:10 檢舉

如果是 Eliminated 代表已經轉換完成
但你要去做DC的完整診斷看還有沒有甚麼錯誤
及使用repadmin /ReplSum去檢查站台複寫狀態

登入發表討論

直播研討會

{{ item.channelVendor }} {{ item.webinarstarted }} |

直播中

1 個回答

kw6732

iT邦研究生 5 級 ‧ 2022-08-10 14:55:40

看錯誤訊息時我的解讀，請檢查防火牆，因為有時虛擬機的恢復不是百分百，很可能會造成網域或IP的跳動，很可能是Mac位址造成或者與host主機網卡的通透模式相關，是否跳到了不允許AD登入的網段內了？
看錯誤訊息也是有可能不是在相同域內，與AD無法正確或完全連線時當然是任何操作都不給過了。

回應 2
分享
檢舉

matureox iT邦新手 5 級 ‧ 2022-08-10 15:44:08 檢舉

我們公司只有一個網域. 每台 PC 都是設定固定 IP.
很可能是Mac位址造成或者與host主機網卡的通透模式相關，是否跳到了不允許AD登入的網段內了 => 這個我就不了解了.

kw6732 iT邦研究生 5 級 ‧ 2022-08-10 16:29:42 檢舉

請注意虛擬機的固定IP是否相同，如相同請確認Mac是否也相同，VM .vdi file missing可能造成網卡Mac跳走。

用AD主機與該VM機互通(互ping)後，雙方以Mac確認是否為相同一台機器，可以用arp -a列出。

Power Shell>>

arp -a
介面: 192.168.**.*** --- 0x6
  網際網路網址          實體位址               類型
  192.168.**.1          00-99-48-77-77-77     動態
  192.168.**.**         00-55-01-33-88-88     動態
  192.168.**.**         ac-88-55-84-88-ec     動態
  192.168.***.**        94-88-22-90-fc-c4     動態

如果互通沒問題，表示在相同域內，此問題即可排除，思考另一個可能。
例如是否虛擬機的IP組態有問題？

登入發表回應