AD Replication Error/KCC - Between Two Domain Controllers

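I've run into a fairly big problem that started a few days ago. Let me briefly lay out what has been happening. Keep in mind that I inherited this environment.

First domain controller - Windows Server 2003 R2 Standard

Second domain controller - Windows Server 2008 R2 Ent

Over the past few days, users have been getting a trust error at logon when they boot up and try to log in from any of the workstations I recently installed. So I logged in as the local administrator and rejoined the domain. However, when the trust failed multiple times on multiple computers, I dug deeper.

On one of the workstations, I checked Event Viewer and found this: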

Log Name:      System
Source:        NETLOGON
Date:          5/16/2013 12:06:07 PM
Event ID:      3210
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      WIN7-2083.Domain.DomainName.com
Description:
This computer could not authenticate with \\BDCName.Domain.DomainName.com, a Windows domain controller for domain DOMAIN, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">3210</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-16T17:06:07.000000000Z" />
    <EventRecordID>52991</EventRecordID>
    <Channel>System</Channel>
    <Computer>WIN7-2083.Domain.DomainName.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>DOMAIN</Data>
    <Data>\\BDCName.Domain.DomainName.com</Data>
    <Binary>220000C0</Binary>
  </EventData>
</Event>

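So, for some reason, this leads me to believe the workstation is authenticating directly against the second DC rather than the first DC.

Looking at the first DC's Event Viewer, I found this error: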

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. 

Directory partition:
CN=Configuration,DC=Domain,DC=DomainName,DC=com 

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers. 

User Action 
Perform one of the following actions: 
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. 
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site. 

If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.

Followed by:

The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. 

Sites: 
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=DomainName,DC=com

So I looked at the first DC and found an almost identical error:

The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. 

Sites: 
CN=Jackson,CN=Sites,CN=Configuration,DC=Domain,DC=DomainName,DC=com 

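I've looked at several solutions, many of which involve looking up DNS entries and other things, but I'm not entirely sure where the fault lies, since this has only just started happening. No routing in the environment has changed. It really has only been the last few days. My guess at this point is that they aren't communicating with each other properly. If I make a change on one DC, it should show up on the other DC, right? For example, changing a user attribute on one DC should show up on the second DC fairly quickly? That currently isn't happening.

What steps can I take to actually resolve this?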
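
The following is an added example, not part of the original post: a Python sketch that parses the NETLOGON event XML quoted above and decodes its Binary field, assuming (as is conventional for NETLOGON events) that the field holds a little-endian NTSTATUS. The function name and the small status table are constructed for illustration.

```python
import struct
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed subset of NTSTATUS codes seen with secure-channel failures.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000018A: "STATUS_NO_TRUST_LSA_SECRET",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# Event XML from the post above, trimmed to the fields used here.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">3210</EventID>
    <Computer>WIN7-2083.Domain.DomainName.com</Computer>
  </System>
  <EventData>
    <Data>DOMAIN</Data>
    <Data>\\BDCName.Domain.DomainName.com</Data>
    <Binary>220000C0</Binary>
  </EventData>
</Event>"""

def decode_netlogon_event(xml_text):
    """Return the key fields of a NETLOGON event, with its status decoded."""
    root = ET.fromstring(xml_text)
    data = [d.text for d in root.findall("e:EventData/e:Data", NS)]
    raw = bytes.fromhex(root.findtext("e:EventData/e:Binary", default="", namespaces=NS))
    if len(raw) < 4:
        raise ValueError("Binary field too short to hold an NTSTATUS")
    (status,) = struct.unpack("<I", raw[:4])  # bytes 22 00 00 C0 -> 0xC0000022
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "domain": data[0] if data else None,
        "dc": data[1].lstrip("\\") if len(data) > 1 else None,
        "status_hex": f"0x{status:08X}",
        "severity": SEVERITY[status >> 30],  # top two bits of an NTSTATUS
        "status_name": NTSTATUS_NAMES.get(status, "unknown"),
    }

if __name__ == "__main__":
    for key, value in decode_netlogon_event(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

For the event in the post, the decoded status is 0xC0000022 (STATUS_ACCESS_DENIED): the domain controller named in the event was reached and refused the workstation's secure-channel authentication.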
