Background
We are currently in the middle of several domain controller upgrades. Before I started, the previous admin had already begun migrating our DCs from 2008 R2 Standard to 2008 R2 Enterprise. There is a PDC, DC2008S-0, and an additional DC, DC2008E-1, both running. A third 2008 Enterprise DC sits on a powered-off VM. All of this is left over from upgrading the DCs from 2003. The previous admin felt Standard was not sufficient for DCs and that those licenses had been bought in error, so after running two Standard DCs for a while, the Enterprise DCs were added and one Standard DC was demoted.
The Enterprise DC was not replicating SYSVOL at all. The MSDCS zone was also missing on the Enterprise DC. Some metadata cleanup also had to be done for a fully tombstoned DC (the spare 2008E on the powered-off VM). After quite a lot of troubleshooting we did an authoritative restore from the PDC. After that SYSVOL appeared to replicate correctly, and we added MSDCS manually and pulled all the records in. That was probably 8 or 9 months ago. Since then everything has gone smoothly: logons, GPO replication, new GPOs, new AD accounts, plus a hybrid migration to O365 with all the AD sync and DirSync pieces working fine.
After that interval we came back to this DC project. My task list is as follows:
1. Raise the domain and forest functional levels from 2003 to 2008 (including migrating from FRS to DFSR).
2. Check the powered-off second Enterprise DC, reinstall it, give it the DC role and add it to the domain.
3. Move the FSMO roles etc. to the first Enterprise DC and make it the PDC.
4. Decommission the Standard DC.
I was on the verge of decommissioning the Standard DC when this DNS RReg problem came to light. I don't believe it existed after the SYSVOL, AD and DNS replication items, but I could be wrong.
Current problem
All of our DCs fail the RReg test in DCDIAG.
This is the only failure when we check DC health with DCDIAG against each DC, with the GUI AD Replication Status Tool v1.0, and with the AD and SYSVOL replication/latency convergence checks from two TechNet PS scripts.
Here is the failing output of the DCDIAG DNS test:
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: domain.com
DC2008S-0 PASS PASS PASS PASS PASS FAIL n/a
DC2008E-0 PASS PASS PASS PASS PASS FAIL n/a
DC2008E-1 PASS PASS PASS PASS PASS FAIL n/a
Total Time taken to test all the DCs:2 min. 55 sec.
......................... domain.com failed test DNS
The failures all relate to a single CNAME, a single A record and multiple SRV records on the new PDC, DC2008E-0:
Starting test: DNS
Test results for domain controllers:
DC: DC2008E-0.domain.com
Domain: domain.com
TEST: Records registration (RReg)
Network Adapter [00000007] vmxnet3 Ethernet Adapter:
Warning:
Missing CNAME record at DNS server 10.1.1.27:
7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
Warning:
Missing A record at DNS server 10.1.1.27:
DC2008E-0.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kerberos._tcp.dc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.dc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kerberos._tcp.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kerberos._udp.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kpasswd._tcp.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.siteName._sites.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kerberos._tcp.siteName._sites.dc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.siteName._sites.dc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kerberos._tcp.siteName._sites.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.gc._msdcs.domain.com
Warning:
Missing A record at DNS server 10.1.1.27:
gc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_gc._tcp.siteName._sites.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.siteName._sites.gc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.pdc._msdcs.domain.com
Error: Record registrations cannot be found for all the network adapters
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: domain.com
DC2008E-0 PASS PASS PASS PASS PASS FAIL n/a
......................... domain.com failed test DNS
Investigation so far
I have manually checked all of these records and can confirm that they all exist on all of my DCs.
I have also compared the MSDCS zone across all DCs, and all other records match.
The zone serial number on the SOA matches across all DCs, and the same is true for all zones on all DCs, not just the MSDCS zone.
I'm not sure this is the best way to show that I can find the records manually, but I ran NSLOOKUP against all three DCs for one of the records listed above and it appears to be found on all three.
c:\Users\userName\Desktop\replication>nslookup -type=SRV _ldap._tcp.pdc._msdcs.domain.com
Server: DC2008E-0.domain.com
Address: 10.1.1.27
_ldap._tcp.pdc._msdcs.domain.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = DC2008E-0.domain.com
DC2008E-0.domain.com internet address = 10.1.1.27
c:\Users\userName\Desktop\replication>nslookup -type=SRV _ldap._tcp.pdc._msdcs.domain.com DC2008S-0
Server: DC2008S-0.domain.com
Address: 10.1.1.3
_ldap._tcp.pdc._msdcs.domain.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = DC2008E-0.domain.com
DC2008E-0.domain.com internet address = 10.1.1.27
c:\Users\userName\Desktop\replication>nslookup -type=SRV _ldap._tcp.pdc._msdcs.domain.com DC2008E-1
Server: DC2008E-1.domain.com
Address: 10.1.1.28
_ldap._tcp.pdc._msdcs.domain.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = DC2008E-0.domain.com
DC2008E-0.domain.com internet address = 10.1.1.27
I also checked the CNAME records at the root of the _MSDCS zone, and this is the only place I found something odd. The records themselves are all 100% correct and the permissions look correct; at least, I should say, they match across the 3 CNAME records and in how each DC sees the CNAME records. However, the Owner is set differently. DC2008S-0's record is owned by SYSTEM, DC2008E-0's record is owned by DC2008E-0$, and DC2008E-1's record is owned by DC2008E-1$ (DOMAIN\DC2008E-1$). This is the same no matter which DC I view the records from.
I don't know whether this is relevant, but it seems to be the only mismatch and/or thing not following the same pattern that I could find. That may well be the wrong term for it.
Starting from DC2008E-0, I also ran ipconfig /registerdns and no errors were reported to Event Viewer. I also ran nltest /dsregdns:
C:\Windows\system32>nltest /dsregdns
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully
This did not appear to resolve the problem.
Further investigation
It seems I had overlooked some of the output from the full set of DCDIAG tests I was running. Some more specific errors are reported, and there is more granularity in how the DNS SRV records are reported.
I'll post the relevant output from dcdiag.exe /V /C /D /E /s:dc0 (actually, I have to post fragments, as I hit the character limit):
DC: DC2008S-0.domain.com
Domain: domain.com
Adapter [00000012] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:0C:29:9A:77:BA
IP Address is static
IP address: 10.1.1.3
DNS servers:
10.1.1.3 (DC2008S-0) [Valid]
10.1.1.27 (DC2008E-0) [Valid]
127.0.0.1 (DC2008S-0) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Records registration (RReg)
Network Adapter
[00000012] Intel(R) PRO/1000 MT Network Connection:
Matching CNAME record found at DNS server 10.1.1.3:
f11ae1a7-ab57-47d9-bf47-11eca1e33936._msdcs.domain.com
Matching A record found at DNS server 10.1.1.3:
DC2008S-0.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Matching CNAME record found at DNS server 10.1.1.27:
f11ae1a7-ab57-47d9-bf47-11eca1e33936._msdcs.domain.com
Matching A record found at DNS server 10.1.1.27:
DC2008S-0.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Warning:
Missing CNAME record at DNS server 10.1.1.3:
f11ae1a7-ab57-47d9-bf47-11eca1e33936._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Warning:
Missing A record at DNS server 10.1.1.3:
DC2008S-0.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.3:
_ldap._tcp.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.3:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error: Record registrations cannot be found for all the network
adapters
Total query time:0 min. 0 sec.. Total RPC connection
time:0 min. 0 sec.
Total WMI connection time:1 min. 3 sec. Total Netuse connection
time:0 min. 0 sec.
[...]
DC: DC2008E-0.domain.com
Domain: domain.com
Network adapters information:
Adapter [00000007] vmxnet3 Ethernet Adapter:
MAC address is 00:50:56:12:34:56
IP Address is static
IP address: 10.1.1.27, fe80::3464:a8c8:13fa:7116
DNS servers:
10.1.1.3 (DC2008S-0) [Valid]
10.1.1.27 (DC2008E-0) [Valid]
127.0.0.1 (DC2008E-0) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Records registration (RReg)
Network Adapter [00000007] vmxnet3 Ethernet Adapter:
Matching CNAME record found at DNS server 10.1.1.3:
7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
Matching A record found at DNS server 10.1.1.3:
DC2008E-0.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Matching CNAME record found at DNS server 10.1.1.27:
7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
Matching A record found at DNS server 10.1.1.27:
DC2008E-0.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Warning:
Missing CNAME record at DNS server 10.1.1.27:
7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Warning:
Missing A record at DNS server 10.1.1.27:
DC2008E-0.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
[...]
Error: Record registrations cannot be found for all the network
adapters
Total query time:0 min. 4 sec.. Total RPC connection
time:0 min. 0 sec.
Total WMI connection time:1 min. 3 sec. Total Netuse connection
time:0 min. 0 sec.
[...]
DC: DC2008E-1.domain.com
Domain: domain.com
Network adapters information:
Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:0C:29:75:FF:46
IP Address is static
IP address: 10.1.1.28, fe80::b81a:c109:24a0:9d3d
DNS servers:
10.1.1.3 (DC2008S-0) [Valid]
10.1.1.27 (DC2008E-0) [Valid]
127.0.0.1 (DC2008E-1) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Records registration (RReg)
Network Adapter
[00000007] Intel(R) PRO/1000 MT Network Connection:
Matching CNAME record found at DNS server 10.1.1.3:
eafe6486-f76c-4900-8a20-46404fdbae57._msdcs.domain.com
Matching A record found at DNS server 10.1.1.3:
DC2008E-1.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Matching CNAME record found at DNS server 10.1.1.27:
eafe6486-f76c-4900-8a20-46404fdbae57._msdcs.domain.com
Matching A record found at DNS server 10.1.1.27:
DC2008E-1.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Warning:
Missing CNAME record at DNS server 10.1.1.28:
eafe6486-f76c-4900-8a20-46404fdbae57._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Warning:
Missing A record at DNS server 10.1.1.28:
DC2008E-1.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.28:
_ldap._tcp.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.28:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error: Record registrations cannot be found for all the network
adapters
Total query time:0 min. 0 sec.. Total RPC connection
time:0 min. 0 sec.
Total WMI connection time:0 min. 44 sec. Total Netuse connection
time:0 min. 0 sec.
So it looks like there may be a problem with the NIC settings? That's where I'm starting to lean now.
NIC configuration
DC2008S-0
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
Physical Address. . . . . . . . . : 00-0C-29-9A-77-BA
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.3
10.1.1.27
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
DC2008E-0
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-12-34-56
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3464:a8c8:13fa:7116%15(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.1.27(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DHCPv6 IAID . . . . . . . . . . . : 335564886
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-4A-CD-9F-00-50-56-12-34-56
DNS Servers . . . . . . . . . . . : ::1
10.1.1.3
10.1.1.27
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
DC2008E-1
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-75-FF-46
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b81a:c109:24a0:9d3d%10(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.1.28(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DHCPv6 IAID . . . . . . . . . . . : 251661353
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-34-D6-43-00-0C-29-75-FF-46
DNS Servers . . . . . . . . . . . : ::1
10.1.1.3
10.1.1.27
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
The problem was resolved by removing IPv6 on the two DCs that were running it, and by reordering the DNS server configuration on the NICs.
DC2008S-0
DC2008E-0
DC2008E-1
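An added example (mine, not from the original post or from any Microsoft tool): a small Python parser for the verbose dcdiag RReg output quoted above. It separates records a DNS server genuinely lacks from "Missing" lines that carry a Win32 transport error (the 10054 connection resets above) or that contradict an earlier "Matching" line from the same server, which is the distinction the non-verbose summary hid. The embedded input is a constructed excerpt modelled on those lines, not a capture.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the verbose dcdiag RReg output quoted above (not a capture).
SAMPLE = """\
Matching CNAME record found at DNS server 10.1.1.27:
7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.domain.com
Missing CNAME record at DNS server 10.1.1.27:
7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.domain.com
Missing SRV record at DNS server 10.1.1.27:
_kerberos._tcp.dc._msdcs.domain.com
"""

MATCHED = re.compile(r"^Matching (\w+) record found at DNS server (\S+):$")
MISSING = re.compile(r"^Missing (\w+) record at DNS server (\S+):$")
DETAIL = re.compile(r"^\[Error details: (\d+) \(Type: \w+")

def parse_rreg(text):
    """Per DNS server: (type, name) records it answered for, and missing records mapped to the Win32 code (or None)."""
    servers = defaultdict(lambda: {"matched": set(), "missing": {}})
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = MATCHED.match(lines[i])
        if m and i + 1 < len(lines):  # the record name is always on the following line
            servers[m.group(2)]["matched"].add((m.group(1), lines[i + 1]))
            i += 2
            continue
        m = MISSING.match(lines[i])
        if m and i + 1 < len(lines):  # optional '[Error details: ...]' line follows the name
            d = DETAIL.match(lines[i + 2]) if i + 2 < len(lines) else None
            servers[m.group(2)]["missing"][(m.group(1), lines[i + 1])] = int(d.group(1)) if d else None
            i += 3 if d else 2
            continue
        i += 1  # 'Warning:' / 'Error:' and any other line
    return dict(servers)

def classify(servers):
    """A 'missing' record with a Win32 code, or one the same server already answered for, is a failed query, not a zone gap."""
    out = {}
    for srv, d in servers.items():
        transport = sorted(r for r, c in d["missing"].items() if c is not None or r in d["matched"])
        out[srv] = {"transport": transport,
                    "truly_missing": sorted(r for r in d["missing"] if r not in transport)}
    return out
```

Feed it the full /V output and any server whose "truly_missing" list is empty has a query-path problem (NIC DNS order, IPv6, RPC) rather than a registration problem.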