我們遇到一個問題,某些計算機似乎無法取得所有 GPO。在群組原則管理編輯器中檢視時,我們會看到許多「紅色 x」、「找不到檔案」GPO(並且未指定它們是哪個 GPO)。
關於我們的環境,我們有 4 個 Server 2008 R2 功能等級的網域控制站。 2 個 DC 是本機 Server2k8R2,另外 2 個 DC 是執行 Server 2016 的異地 AWS EC2 執行個體。
運行“net share”顯示 2 個 2K8R2 DC 與 2K16 DC 在不同路徑上共享 NETLOGON 和 SYSVOL(我不知道這是否是一個問題)。
Server2016 DCs show these paths:
NETLOGON - C:\Windows\SYSVOL\sysvol\domain.local\SCRIPTS
SYSVOL - C:\Windows\SYSVOL\sysvol
Server 2008 R2 DCs show these paths:
NETLOGON - C:\Windows\SYSVOL_DFSR\sysvol\superior.local\SCRIPTS
SYSVOL - C:\Windows\SYSVOL_DFSR\sysvol
在所有情況下,C:\Windows\SYSVOL\sysvol 都是空的,除了domain.local 資料夾。
執行「DCDIAG」顯示所有四個的「SystemLog」測試失敗,並且 DFSREvent 測試出現警告:
AWSDC01 & AWSDC02:
SystemLog test-
"The Netlogon service encountered a client using RPC signing instead of RPC sealing".
"The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.
DFSREvent test - "There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause problems with group policy"
"
OnSite-DC1:
DFRSEvent test - "There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause problems with group policy"
SystemLog test - "An error event occurred. Event ID 0xC2000001. Unexpected failure. Error code 490@01010004"
OnSite-DC2:
DFRSEvent test - "There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause problems with group policy"
and
"This computer could not authenticate with \\AWSDC01.domain.local, a Windows domain controller for domain DOMAINNAME, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized."
一些額外的注意事項:
-Event viewer logs (on on-site DC1 and on-site DC2) under application and services > DFS replication show only information about replication between each other. No mention of replication between the AWS DC's.
- Every hour the on-prem DCs show a DFS error "the dfs replication service is stopping communication with partner {other on-prem DC} for replication group Domain System Volume due to an error. Error 9036.
AWS DC02 only shows error logs regarding DFS replication with on-prem DC02. Same error 9036 "replication service stopping due to an error".
AWS DC01, same thing - only shows logs regarding DFS replication with on-prem DC01. Error 9036 "replication service stopped due to an error".
知道這裡會發生什麼,或下一步該去哪裡嗎?
答案1
這些錯誤確實表明存在身份驗證問題,因此最近的 kerberos 更新(由 Greg Askew 引用)很可能是原因,特別是如果您最近更新並且問題從那時開始。如果您這麼認為,請考慮暫時刪除該更新,然後當一切恢復正常後,請計劃盡快 dcpromo 2008 伺服器。
你可以試試這個工具: https://www.microsoft.com/en-us/download/details.aspx?id=30005
我確信我以前也使用過 MS 的另一個複製監控工具,但我現在不記得它叫什麼了。我只記得這是一個 MSI 安裝!也許只是 FRS diag,而不是 dfrs。
AD 複製高度依賴 DNS 和同步時間,因此請務必仔細檢查所有設定。您可以將時間與以下內容進行比較:
net time \\server
看看是否有任何差異 - 是否完全有效(即運行命令時伺服器之間是否沒有連接問題)。否則,請考慮從同一外部時間源(例如 pool.ntp.org)同步它們。
要測試 DNS,請從每個其他伺服器 ping 每個伺服器的 FQDN,將結果相互比較以及與您的預期結果進行比較。我假設您在本地和 AWS 之間有一些 VPN 或類似的非 nat L3 路由?例如,192.168.1.10 可以 ping 10.0.0.2,或本機和 AWS 上的任何「內部」IP(我只熟悉 Azure,所以可能不一樣,如果 AWS 的工作方式有所不同,請原諒我)。
您可能還想檢查 AD 站點和服務中的 AWS 和本機部署,深入 NTDS 並查看複製關係。您可以右鍵單擊並複製,看看它是否顯示(釋義)“可以”或“不能這樣做” - 可能有助於縮小問題範圍。