因此,我们最近向我们的域 (Win 2008 R2 Enterprise) 添加了一个新的 DC,其想法是用第二个 Enterprise DC 替换我们的 Win 2008 R2 Standard DC - 这将为我们提供 2008 R2 Enterprise 上的 2 个 DC。
在添加这个 DC 的同时,我们最终还从 2003 年到 2008 年提高了森林和领域的等级。
据我所知,一切都复制得很好。AD、SYSVOL 或其他任何东西都没有问题。
在降级 2008 R2 标准盒之前,我会确保一切正常且紧凑。
所有 DC 均未通过 VerifyEnterpriseReferences 测试,输出如下:
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object: CN=DC2008S-0,OU=Domain Controllers,DC=domain,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[2] Problem: Missing Expected Value
Base Object:
CN=DC2008E-0,OU=Domain Controllers,DC=domain,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[3] Problem: Missing Expected Value
Base Object:
CN=DC2008E-1,OU=Domain Controllers,DC=domain,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
LDAP Error 0x20 (32) - No Such Object.
......................... DC2008S-0 failed test VerifyEnterpriseReferences
此外,DNS RReg 测试失败 - 我还没有详细研究这个,但它包含在 dcdiag 报告中,所以我想我现在将它添加到这里
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: domain.com
DC2008S-0 PASS PASS PASS PASS PASS FAIL n/a
DC2008E-0 PASS PASS PASS PASS PASS FAIL n/a
DC2008E-1 PASS PASS PASS PASS PASS FAIL n/a
Total Time taken to test all the DCs:2 min. 52 sec.
......................... domain.com failed test DNS
该错误将我指向 2003 服务器的知识库文章https://support.microsoft.com/en-us/help/312862/recovering-missing-frs-objects-and-frs-attributes-in-active-directory
我仍然试图跟随,只是为了看看我会发现什么。
我们所有的 DC 上似乎都填写了 Server-Reference。(ASDIEdit、根域、默认命名上下文、CN=System、CN=File Replication Service、CN=Domain System Volume(SYSVOL 共享),所有 3 个 DC 都被列为一个 nTFRSMember,并且属性在 serverReference 中填写了详细信息。
它与我取出的内容不完全匹配,但我不能 100% 确定我正在寻找正确的地方:
CN=NTDS Site Settings,CN=SITE_NAME,CN=Sites,CN=Configuration,DC=DOMAIN_NAME,DC=com
CN=NTDS Settings,CN=DC2008S-0,CN=Servers,CN=SITE_NAME,CN=Sites,CN=Configuration,DC=DOMAIN_NAME,DC=com
但是对于所有 3 个 DC,第二个值都是 true(具有不同的 DC 名称)。
如果我运行 ntfrsutl ds 我确实得到(空)输出但是:
NTFRS CONFIGURATION IN THE DS
SUBSTITUTE DCINFO FOR DC
FRS DomainControllerName: (null)
Computer Name : DC2008E-0
Computer DNS Name : DC2008E-0.domain.com
该输出在所有 3 个 DC 上也是如此。
再次 - 据我所知,其他一切似乎都很好。我们在 5 天前推出了新的 DC 并更新了功能级别。我不确定为什么会出现这些故障,并希望在继续退役之前对其进行清理。
额外细节:
我运行了脚本“通过 PowerShell 测试 SYSVOL 复制延迟/收敛”,一切似乎都如愿以偿:
Name PDC Site Name DS Type IP Address OS Version
---- --- --------- ------- ---------- ----------
DC2008S-0.domain.com FALSE sitename Read/Write 10.1.1.3 Windows Server 2008 R2 Standard
DC2008E-0.domain.com TRUE sitename Read/Write 10.1.1.27 Windows Server 2008 R2 Enterprise
DC2008E-1.domain.com FALSE sitename Read/Write 10.1.1.28 Windows Server 2008 R2 Enterprise
这是正确的,报告吐出一个积极的结果!
====================== CHECK 6 ======================
REMARK: Each DC In The List Below Must Be At Least Accessible Through SMB Over TCP (445)
* Contacting DC In AD domain ...[DC2008E-1.domain.COM [SOURCE RWDC]]...
- DC Is Reachable...
- Object [sysvolReplTempObject20180926163805.txt] Exists In The NetLogon Share
* Contacting DC In AD domain ...[DC2008S-0.domain.COM]...
- DC Is Reachable...
- Object [sysvolReplTempObject20180926163805.txt] Now Does Exist In The NetLogon Share
* Contacting DC In AD domain ...[DC2008E-0.domain.COM]...
- DC Is Reachable...
- Object [sysvolReplTempObject20180926163805.txt] Now Does Exist In The NetLogon Share
Start Time......: 2018-09-26 16:38:05
End Time........: 2018-09-26 16:38:11
Duration........: 6.20 Seconds
Deleting Temp Text File...
Temp Text File [sysvolReplTempObject20180926163805.txt] Has Been Deleted On The Target RWDC!
Name Site Name Time
---- --------- ----
DC2008E-1.domain.COM [SOURCE RWDC] sitename 0
DC2008S-0.domain.com sitename 6.17
DC2008E-0.domain.com sitename 6.20
更多细节:
我还运行了脚本“通过 PowerShell 测试 Active Directory 复制延迟/收敛”来验证 AD 复制
Name Domain GC FSMO Site Name DS Type IP Address OS Version
---- ------ -- ---- --------- ------- ---------- ----------
DC2008S-0.domain.com domain.com TRUE ..... sitename Read/Write 10.1.1.3 Windows Server 2008 R2 Standard
DC2008E-0.domain.com domain.com TRUE SCH/DNM/PDC/RID/INF sitename Read/Write 10.1.1.27 Windows Server 2008 R2 Enterprise
DC2008E-1.domain.com domain.com TRUE ..... sitename Read/Write 10.1.1.28 Windows Server 2008 R2 Enterprise
所有 DC 在森林中都正确出现,然后进行域检查(上面列出的域输出。看到它们都有一个全局目录,并且 DC2008E-0 具有我们所有的 FSMO 角色)
====================== CHECK 15 ======================
REMARK: Each DC In The List Below Must Be At Least Accessible Through LDAP Over TCP (389)
REMARK: Each GC In The List Below Must Be At Least Accessible Through LDAP-GC Over TCP (3268)
* Contacting DC In AD domain ...[DC2008E-1.domain.COM [SOURCE RWDC]]...
- DC Is Reachable...
- Object [CN=adReplTempObject20180926164916,CN=Users,DC=domain,DC=com] Exists In The Database
* Contacting DC In AD domain ...[DC2008S-0.domain.COM]...
- DC Is Reachable...
- Object [CN=adReplTempObject20180926164916,CN=Users,DC=domain,DC=com] Now Does Exist In The Database
* Contacting DC In AD domain ...[DC2008E-0.domain.COM]...
- DC Is Reachable...
- Object [CN=adReplTempObject20180926164916,CN=Users,DC=domain,DC=com] Now Does Exist In The Database
Start Time......: 2018-09-26 16:49:16
End Time........: 2018-09-26 16:49:32
Duration........: 15.59 Seconds
Deleting Temp Contact Object...
Temp Contact Object [CN=adReplTempObject20180926164916,CN=Users,DC=domain,DC=com] Has Been Deleted On The Target RWDC!
Name Domain GC Site Name Time
---- ------ -- --------- ----
DC2008E-1.domain.COM [SOURCE RWDC] domain.com TRUE sitename 0
DC2008E-0.domain.com domain.com TRUE sitename 15.59
DC2008S-0.domain.com domain.com TRUE sitename 2.20
同样,一切看起来都在很好地复制。还是认为 15 秒太长了?延迟是导致我在 dcdiag 测试中激动的原因吗?
另一个更新!
我已验证每个 DC 上每个区域中的 SOA 序列号是否匹配。
我还浏览了 _msdcs 区域中的所有子目录和记录,那里的所有内容也都匹配 100%。
听起来您遇到了 SYSVOL 复制问题,我建议您使用以下 Powershell 工具来测试 SYSVOL 复制:https ://gallery.technet.microsoft.com/Testing-SYSVOL-Replication-c3e9dc68
确认 SYSVOL 复制存在问题后,您可以通过执行非权威 SYSVOL 还原来解决。https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-servi
如果非权威性不起作用,您可以使用权威性还原,但要小心,因为这更危险。
解决了 SYSVOL 复制后,我建议您从 FRS 复制迁移到 DFS-R 复制。https://blogs.technet.microsoft.com/filecab/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol/
作为参考,如果需要,还有一组 DFS-R 重新同步步骤:https: //support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative -同步-fo
Jorge 还提供了一个我建议运行的 ADDS 复制检查 powershell 脚本:https ://gallery.technet.microsoft.com/Testing-Active-Directory-94e61e3e
人们经常忘记 Active Directory 复制由两个独立的部分组成,即 ADDS 和 SYSVOL。如果任何一方失败,你最终都会遇到大问题。最重要的是,FRS 和 DFS-R 因默默失败给 GPO 带来灾难性后果而臭名昭著。GPO 的 ADDS 端将在 DC 之间匹配,但 SYSVOL 端(包含 GPO 的实际指令)不会。
不确定 RREG 问题,但我会确认您的反向 DNS 查找区域已正确设置和复制。您可以确认两个DC之间的Zone序列号,以便收敛。此外,查看 _msdcs 转发区域是否存在错误,包括不正确的 NS 条目。
在与 OP 进一步讨论后,我发现了这个链接:https ://social.technet.microsoft.com/Forums/windowsserver/en-US/2ce07c3f-9956-4bec-ae46-055f311c5d96/dcdiag-test-failed-on-verifyenterprisereferences ?forum=winserverDS
在将域从 2003 级别迁移到 2008 级别之后,但在从 FRS 迁移到 DFS-R SYSVOL 复制之前,他的原始错误“测试验证企业引用失败”似乎是一个已知且预期的错误。可以安全地忽略该错误,但最佳实践涉及完成 DFS-R 迁移。