KidACrimson
Asked: 2019-01-06 09:24:35 +0800 CST

AD problem with Svr 2012 R2 DC: cannot join XP VMs to the domain, but Win7, 8 and Win10 VMs can join

  • 772

The Domain Controller is a physical server running Windows Server 2012 R2. The FF level is 2008 R2, the DF level is 2012 R2. However, I found an MS article stating that XP is fully compatible even with a 2012 R2 FFL. This problem is affecting only Windows XP (and older) VMs. The exact error when I try to join a machine to the domain is:

The following error occurred attempting to join the domain "MyDomain": The specified network name is no longer available.

Troubleshooting steps tried so far:
- Rebooting the DC
- Re-enabling SMB1 and rebooting the DC (it was already enabled) EDIT: Not true! Read on...
- Restarting the NETLOGON service on the DC (no problems) and on XP VMs (does not stay started)
- Running DCDIAG (all tests pass)
- Disabling IPv6 on the DC
- Disabling the ISATAP NIC adapter (hidden device) in DevMgmt.msc

Here is the output of DCDiag /v

    PS C:\> DCDiag /v

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine MY-SERVER, is a Directory Server.
   Home Server = MY-SERVER
   * Connecting to directory service on server MY-SERVER.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=acme,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=acme,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MY-SERVER
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... MY-SERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MY-SERVER
      Starting test: Advertising
         The DC MY-SERVER is advertising itself as a DC and having a DS.
         The DC MY-SERVER is advertising as an LDAP server
         The DC MY-SERVER is advertising as having a writeable directory
         The DC MY-SERVER is advertising as a Key Distribution Center
         The DC MY-SERVER is advertising as a time server
         The DS MY-SERVER is advertising as a GC.
         ......................... MY-SERVER passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ......................... MY-SERVER passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... MY-SERVER passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... MY-SERVER passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... MY-SERVER passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
         ......................... MY-SERVER passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC MY-SERVER on DC MY-SERVER.
         * SPN found :LDAP/MY-SERVER.acme.com/acme.com
         * SPN found :LDAP/MY-SERVER.acme.com
         * SPN found :LDAP/MY-SERVER
         * SPN found :LDAP/MY-SERVER.acme.com/acme
         * SPN found :LDAP/121ee01d-112f-4dff-8dd1-ba8463ea8203._msdcs.acme.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/121ee01d-112f-4dff-8dd1-ba8463ea8203/acme.com
         * SPN found :HOST/MY-SERVER.acme.com/acme.com
         * SPN found :HOST/MY-SERVER.acme.com
         * SPN found :HOST/MY-SERVER
         * SPN found :HOST/MY-SERVER.acme.com/acme
         * SPN found :GC/MY-SERVER.acme.com/acme.com
         ......................... MY-SERVER passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC MY-SERVER.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=acme,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=acme,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=acme,DC=com
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=acme,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=acme,DC=com
            (Domain,Version 3)
         ......................... MY-SERVER passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\MY-SERVER\netlogon
         Verified share \\MY-SERVER\sysvol
         ......................... MY-SERVER passed test NetLogons
      Starting test: ObjectsReplicated
         MY-SERVER is in domain DC=acme,DC=com
         Checking for CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com in domain DC=acme,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com in domain CN=Configuration,DC=acme,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... MY-SERVER passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
         ......................... MY-SERVER passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 1601 to 1073741823
         * MY-SERVER.acme.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1101 to 1600
         * rIDPreviousAllocationPool is 1101 to 1600
         * rIDNextRID: 1147
         ......................... MY-SERVER passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... MY-SERVER passed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... MY-SERVER passed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com and backlink on
         CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com are correct.
         The system object reference (serverReferenceBL) CN=MY-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=acme,DC=com
         and backlink on CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com are correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=MY-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=acme,DC=com and backlink on
         CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com are correct.
         ......................... MY-SERVER passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : acme
      Starting test: CheckSDRefDom
         ......................... acme passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... acme passed test CrossRefValidation

   Running enterprise tests on : acme.com
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\MY-SERVER.acme.com
         Locator Flags: 0xe000f1fd
         PDC Name: \\MY-SERVER.acme.com
         Locator Flags: 0xe000f1fd
         Time Server Name: \\MY-SERVER.acme.com
         Locator Flags: 0xe000f1fd
         Preferred Time Server Name: \\MY-SERVER.acme.com
         Locator Flags: 0xe000f1fd
         KDC Name: \\MY-SERVER.acme.com
         Locator Flags: 0xe000f1fd
         ......................... acme.com passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
         ......................... acme.com passed test Intersite
PS C:\>

At this point I'm completely out of ideas. What could this be, an NTLM problem?

active-directory
  • 2 answers
  • 3085 Views

2 Answers

  1. Best Answer
    KidACrimson
    2019-01-08T12:45:41+08:00

    This is resolved now. The DC was incorrectly reporting the SMB1 status (showing enabled when it was not actually enabled yet): [screenshot]

    Running this PowerShell command fixed the problem (resource link here):
    Set-SmbServerConfiguration -EnableSMB1Protocol $true

    • 3
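
One way to cross-check the SMB1 server state that the accepted answer above says was misreported, as an added example that is not part of the original post. The function name Get-Smb1ServerState is hypothetical; it assumes an elevated session on the DC with the ServerManager module available.

```powershell
# Added example: compare the places a Windows Server 2012 R2 host records SMB1 server state.
# Get-Smb1ServerState is a hypothetical helper name, not a built-in cmdlet.
function Get-Smb1ServerState {
    [CmdletBinding()]
    param()

    # 1. What the SMB server configuration reports.
    $cfg = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. The registry value for the same setting. An absent value means the default (enabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $regEnabled = if ($null -eq $reg) { $true } else { $reg -ne 0 }

    # 3. Whether the SMB1 feature is installed at all.
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    $featureInstalled = [bool]($feature -and $feature.Installed)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ConfigEnabled    = $cfg
        RegistryValue    = if ($null -eq $reg) { '(not set)' } else { $reg }
        RegistryEnabled  = $regEnabled
        FeatureInstalled = $featureInstalled
        Consistent       = ($cfg -eq $regEnabled) -and ($cfg -eq $featureInstalled)
        # Assumption of this example: treat SMB1 as available only when all three are true.
        EffectiveEnabled = $cfg -and $regEnabled -and $featureInstalled
    }
}

$state = Get-Smb1ServerState
$state | Format-List
if (-not $state.Consistent) {
    Write-Warning 'SMB1 sources disagree; one tool may be showing a state the server is not using.'
}
```

Set-SmbServerConfiguration takes effect without a reboot, while a direct edit of the SMB1 registry value needs a restart, so a registry-only check can show a state the running server has not picked up yet.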
  2. Ryan Bolger
    2019-01-06T11:20:29+08:00

    Do you have a group policy configured to restrict legacy Kerberos encryption types? Some hardening guides or audit policies force you to configure this, which can make legacy clients like XP unable to authenticate properly.

    The setting is under Windows Settings - Security Settings - Local Policies - Security Options - Network security: Configure encryption types allowed for Kerberos. More information here:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos

    • 1
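
One way to check the Kerberos encryption-type policy raised in the answer above, as an added example that is not part of the original post. Get-KerberosEtypePolicy is a hypothetical helper name; the example assumes the policy is stored in the SupportedEncryptionTypes registry value and that Windows XP, which has no AES support, needs RC4 or DES to be allowed.

```powershell
# Added example: decode the "Configure encryption types allowed for Kerberos" policy value.
# Get-KerberosEtypePolicy is a hypothetical helper name, not a built-in cmdlet.
function Get-KerberosEtypePolicy {
    [CmdletBinding()]
    param(
        # Pass a value to decode offline; omit it to read the local policy value.
        [Nullable[int]]$Value
    )

    # Bit flags used by the SupportedEncryptionTypes policy value.
    $flags = [ordered]@{
        'DES_CBC_CRC'      = 0x1
        'DES_CBC_MD5'      = 0x2
        'RC4_HMAC_MD5'     = 0x4
        'AES128_HMAC_SHA1' = 0x8
        'AES256_HMAC_SHA1' = 0x10
    }

    if ($null -eq $Value) {
        $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
        $item = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
        if ($item) { $Value = $item.SupportedEncryptionTypes }
    }

    if ($null -eq $Value) {
        # Policy not configured: the operating system defaults apply, nothing to decode.
        return [pscustomobject]@{ Configured = $false; Raw = $null; Allowed = @(); LegacyTypeAllowed = $null }
    }

    [pscustomobject]@{
        Configured        = $true
        Raw               = '0x{0:X}' -f $Value
        Allowed           = @($flags.Keys | Where-Object { $Value -band $flags[$_] })
        # XP has no AES support, so it needs one of DES (0x1, 0x2) or RC4 (0x4).
        LegacyTypeAllowed = [bool]($Value -band 0x7)
    }
}

# Constructed sample: an AES-only policy value, which leaves no type an XP client can use.
Get-KerberosEtypePolicy -Value 0x18 | Format-List

# Read the policy actually applied to this machine.
Get-KerberosEtypePolicy | Format-List
```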
