The domain controller is a physical server running Windows Server 2012 R2. The FFL is 2008 R2 and the DFL is 2012 R2. However, I found an MS article stating that XP is fully compatible even with a 2012 R2 FFL. This problem only affects Windows XP (and earlier) VMs. The exact error when I try to join the machine to the domain is:
The following error occurred attempting to join the domain "MyDomain": The specified network name is no longer available.
Troubleshooting steps tried so far:
- Restarted the DC
- Re-enabled SMB1 and restarted the DC (it was already enabled) EDIT: Not correct! Read on...
- Restarted the NETLOGON service on the DC (no problem) and on the XP VM (it does not stay started)
- Ran DCDIAG (all tests passed)
- Disabled IPv6 on the DC
- Disabled the ISATAP NIC adapters (hidden devices) in DevMgmt.msc
Here is the output of DCDiag /v:
PS C:\> DCDiag /v
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine MY-SERVER, is a Directory Server.
Home Server = MY-SERVER
* Connecting to directory service on server MY-SERVER.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=acme,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=acme,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\MY-SERVER
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... MY-SERVER passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\MY-SERVER
Starting test: Advertising
The DC MY-SERVER is advertising itself as a DC and having a DS.
The DC MY-SERVER is advertising as an LDAP server
The DC MY-SERVER is advertising as having a writeable directory
The DC MY-SERVER is advertising as a Key Distribution Center
The DC MY-SERVER is advertising as a time server
The DS MY-SERVER is advertising as a GC.
......................... MY-SERVER passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... MY-SERVER passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... MY-SERVER passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... MY-SERVER passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... MY-SERVER passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
Role Domain Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
Role PDC Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
Role Rid Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
......................... MY-SERVER passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC MY-SERVER on DC MY-SERVER.
* SPN found :LDAP/MY-SERVER.acme.com/acme.com
* SPN found :LDAP/MY-SERVER.acme.com
* SPN found :LDAP/MY-SERVER
* SPN found :LDAP/MY-SERVER.acme.com/acme
* SPN found :LDAP/121ee01d-112f-4dff-8dd1-ba8463ea8203._msdcs.acme.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/121ee01d-112f-4dff-8dd1-ba8463ea8203/acme.com
* SPN found :HOST/MY-SERVER.acme.com/acme.com
* SPN found :HOST/MY-SERVER.acme.com
* SPN found :HOST/MY-SERVER
* SPN found :HOST/MY-SERVER.acme.com/acme
* SPN found :GC/MY-SERVER.acme.com/acme.com
......................... MY-SERVER passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC MY-SERVER.
* Security Permissions Check for
DC=ForestDnsZones,DC=acme,DC=com
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=acme,DC=com
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=acme,DC=com
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=acme,DC=com
(Configuration,Version 3)
* Security Permissions Check for
DC=acme,DC=com
(Domain,Version 3)
......................... MY-SERVER passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\MY-SERVER\netlogon
Verified share \\MY-SERVER\sysvol
......................... MY-SERVER passed test NetLogons
Starting test: ObjectsReplicated
MY-SERVER is in domain DC=acme,DC=com
Checking for CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com in domain DC=acme,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com in domain CN=Configuration,DC=acme,DC=com on 1 servers
Object is up-to-date on all servers.
......................... MY-SERVER passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
......................... MY-SERVER passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 1601 to 1073741823
* MY-SERVER.acme.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1101 to 1600
* rIDPreviousAllocationPool is 1101 to 1600
* rIDNextRID: 1147
......................... MY-SERVER passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... MY-SERVER passed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... MY-SERVER passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com and backlink on
CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com are correct.
The system object reference (serverReferenceBL) CN=MY-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=acme,DC=com
and backlink on CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=MY-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=acme,DC=com and backlink on
CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com are correct.
......................... MY-SERVER passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : acme
Starting test: CheckSDRefDom
......................... acme passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... acme passed test CrossRefValidation
Running enterprise tests on : acme.com
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\MY-SERVER.acme.com
Locator Flags: 0xe000f1fd
PDC Name: \\MY-SERVER.acme.com
Locator Flags: 0xe000f1fd
Time Server Name: \\MY-SERVER.acme.com
Locator Flags: 0xe000f1fd
Preferred Time Server Name: \\MY-SERVER.acme.com
Locator Flags: 0xe000f1fd
KDC Name: \\MY-SERVER.acme.com
Locator Flags: 0xe000f1fd
......................... acme.com passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
......................... acme.com passed test Intersite
PS C:\>
At this point I am completely out of ideas. What could this be, an NTLM issue?
This has now been resolved. The DC was reporting the SMB1 state incorrectly (it showed as enabled when it actually was not):
Running this PowerShell command solved the problem (resource link here):
Set-SmbServerConfiguration -EnableSMB1Protocol $true
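The fix above relies on a state that the DC had been misreporting, so it is worth checking SMB1 from more than one source before and after changing it. The following is an added example, not code from the original post: it reads the SMB server configuration, the LanmanServer registry value the service actually loads, and the FS-SMB1 feature state on a Windows Server 2012 R2 DC, forces SMB1 on the way the answer does, and then shows which dialect the XP client really negotiated. The function names and the LanmanServer restart are assumptions for illustration; run it in an elevated PowerShell session on the DC.

```powershell
# Added example (not from the original post). Cross-check SMB1 on a 2012 R2 DC
# from three independent sources rather than trusting one cmdlet's answer.

function Get-Smb1State {
    # Source 1: what the SMB server reports through its configuration cmdlet
    $cfg = Get-SmbServerConfiguration

    # Source 2: the registry value LanmanServer reads at service start.
    # On 2012 R2 an absent value means SMB1 is enabled by default; 0 disables it.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    $regState = if ($null -eq $reg)      { 'not set (default: enabled)' }
                elseif ($reg.SMB1 -eq 1) { 'enabled' }
                else                     { 'disabled' }

    # Source 3: is the SMB1 feature installed at all? If FS-SMB1 was removed,
    # the SMB1 binaries are gone no matter what the configuration flag says.
    $feature = Get-WindowsFeature -Name FS-SMB1

    [pscustomobject]@{
        ServerConfigSays  = $cfg.EnableSMB1Protocol
        RegistryValueSays = $regState
        FeatureInstalled  = $feature.Installed
        ServerService     = (Get-Service -Name LanmanServer).Status
    }
}

function Enable-Smb1ForLegacyJoin {
    # Apply the setting unconditionally (the reported state was wrong in the
    # original case), then make the server re-read its parameters.
    $before = Get-Smb1State
    if (-not $before.FeatureInstalled) {
        throw 'FS-SMB1 is not installed; Install-WindowsFeature FS-SMB1 first.'
    }
    Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force
    # Restarting LanmanServer briefly drops SYSVOL/NETLOGON on the DC; a reboot,
    # as in the original post, is the quieter option on a production DC.
    Restart-Service -Name LanmanServer -Force
    [pscustomobject]@{ Before = $before; After = Get-Smb1State }
}

function Get-LegacySmbSessions {
    # Once the XP VM has connected, confirm it negotiated an SMB1 dialect
    # (anything below 2.0) instead of failing before the session was built.
    Get-SmbSession |
        Select-Object ClientComputerName, ClientUserName, Dialect |
        Where-Object { [version]$_.Dialect -lt [version]'2.0' }
}

Get-Smb1State
Enable-Smb1ForLegacyJoin
Get-LegacySmbSessions
```

Treat this as a scoped exception rather than a permanent setting: SMB1 is deprecated, Microsoft recommends leaving it off, and it has been removed by default from current Windows releases. Once the XP machines are joined or retired, run `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force` and verify with `Get-Smb1State` that all three sources agree.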
Have you configured Group Policy to restrict legacy Kerberos encryption types? Some hardening guides or audit policies force you to configure this, and it can cause legacy clients such as XP to fail to authenticate properly.
The setting is under
Windows Settings - Security Settings - Local Policies - Security Options - Network security: Configure encryption types allowed for Kerberos
More information here: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos
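That policy is stored as a bitmask, and a hardened baseline that allows only AES silently locks out XP and Server 2003, which never implemented AES for Kerberos. The following is an added example, not code from the answer above: it reads the SupportedEncryptionTypes value the GPO writes, decodes it using the bit values from the linked documentation, and reports whether a DES/RC4-only client could still get tickets. The function name and the sample value 0x7FFFFFF8 are assumptions for illustration; run it on the DC in PowerShell.

```powershell
# Added example (not from the original answer). Decode the "Configure
# encryption types allowed for Kerberos" policy and flag legacy-client impact.

# Bit values of SupportedEncryptionTypes, as listed in the policy documentation
$KerbEtypeBits = [ordered]@{
    DES_CBC_CRC      = 0x1
    DES_CBC_MD5      = 0x2
    RC4_HMAC_MD5     = 0x4
    AES128_HMAC_SHA1 = 0x8
    AES256_HMAC_SHA1 = 0x10
    FUTURE           = 0x7FFFFFE0
}

function Get-KerberosEncryptionPolicy {
    param(
        # Pass a raw value to decode it offline; omit it to read the live policy.
        [Nullable[int]]$Value = $null
    )
    if ($null -eq $Value) {
        $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
        $item = Get-ItemProperty -Path $path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Not configured: the OS default applies (RC4 and AES on, DES off on
            # Windows 7 / 2008 R2 and later), which legacy clients can use.
            return [pscustomobject]@{
                PolicyConfigured = $false
                RawValue         = $null
                Allowed          = @('OS default: RC4_HMAC_MD5, AES128, AES256')
                LegacyClientOK   = $true
            }
        }
        $Value = $item.SupportedEncryptionTypes
    }

    $allowed = foreach ($name in $KerbEtypeBits.Keys) {
        if (($Value -band $KerbEtypeBits[$name]) -ne 0) { $name }
    }
    # XP/2003 need DES or RC4 (bits 0x1, 0x2, 0x4); AES-only means no tickets.
    $legacyOk = (($Value -band 0x7) -ne 0)

    [pscustomobject]@{
        PolicyConfigured = $true
        RawValue         = ('0x{0:X}' -f $Value)
        Allowed          = $allowed
        LegacyClientOK   = $legacyOk
    }
}

# AES128 + AES256 + Future types, a common hardened value: LegacyClientOK is False
Get-KerberosEncryptionPolicy -Value 0x7FFFFFF8

# Same mask with RC4 added back (0x7FFFFFFC): XP can authenticate again
Get-KerberosEncryptionPolicy -Value 0x7FFFFFFC

# Live value on this host, as applied by Group Policy
Get-KerberosEncryptionPolicy
```

If `LegacyClientOK` comes back `False` on the DC, the join fails at the Kerberos step rather than at SMB, so this check and the SMB1 check above are worth running together before assuming either cause. Re-adding RC4 for the duration of the migration is the smaller exception; re-enabling DES is not worth it and is off by default for good reason.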