Active-Directory

Error adding a child Active Directory domain to an existing forest

  • August 1, 2019

I am building a test environment with multiple Active Directory domains in the same forest, but I'm running into a strange problem when trying to add a child domain to the forest root domain.

All servers are Windows Server 2012 R2 virtual machines running on the Azure cloud platform, connected to the same virtual network; they have statically reserved IP addresses and can talk to each other without any network problems.

My domain structure is (or at least should be) as follows:

   A0.lab (forest root)            B0.lab
  /  \                            /  \
 A1  A2                          B1  B2
 |                               |
 A3                              B3

Thus:

  • A0.lab (forest root)
  • A1.A0.lab
  • A2.A0.lab
  • A3.A1.A0.lab
  • B0.lab
  • B1.B0.lab
  • B2.B0.lab
  • B3.B1.B0.lab

I have successfully created the forest root domain (A0.lab), and I have defined an AD site and its subnet; the domain is working fine.

Next, I configured the server that should become the domain controller of the first child domain (A1.A0.lab) to use the root DC as its DNS server, and I launched the promotion wizard; I filled in all the parameters, including the user account of a domain administrator of the root domain and the option to create a DNS delegation; all prerequisite checks succeeded.

When I start the actual promotion process, it stops at the "Replicating the schema directory partition" stage. The "Directory Service" event log fills up, over and over, with several errors:

Event ID 1963, source ActiveDirectory_DomainService, task category DS RPC Client:

Internal event: The following local directory service received an exception from a
remote procedure call (RPC) connection. Extensive RPC information was requested. This
is intermediate information and might not contain a possible cause. 

Process ID:  
540  

Reported error information:  
Error value:  
Could not find the domain controller for this domain. (1908)  
directory service:  
DCA0.a0.lab  

Extensive error information:  
Error value:  
A security package specific error occurred. 1825  
directory service:  
DCA1  

Additional Data  
Internal ID:  
5000e02

Event ID 1961, source ActiveDirectory_DomainService, task category DS RPC Client:

Internal event: This log entry is a continuation from the preceding extended error
information entry on the following error and directory service. 

Extended information:  
Error value:  
A security package specific error occurred. (1825)  
directory service:  
DCA1  

Supplemental information:  
Detection location:  
1461  
Generating component:  
RPC Runtime  
Time at directory service:  
2015-03-19 21:44:04  

Additional Data  
Error value:  
A security package specific error occurred. (1825)

Event ID 2839, source ActiveDirectory_DomainService, task category DS RPC Client:

Internal event: This log entry is a continuation from the preceding extended error
information entry. 

Extended information:  
Extended Error Parameters:  
0  
Parameter 1:  
(NULL)  
Parameter 2:  
(NULL)  
Parameter 3:  
(NULL)  
Parameter 4:  
(NULL)  
Parameter 5:  
%6  
Parameter 6:  
%7  
Parameter 7:  
%8

Event ID 1962, source ActiveDirectory_DomainService, task category DS RPC Client:

Internal event: The local directory service received an exception from a remote
procedure call (RPC) connection. Extended error information is not available. 

directory service:  
DCA0.a0.lab  

Additional Data  
Error value:  
Could not find the domain controller for this domain. (1908)

Event ID 1125, source ActiveDirectory_DomainService, task category Setup:

The Active Directory Domain Services Installation Wizard (Dcpromo) was unable to
establish connection with the following domain controller. 

Domain controller:
DCA0.a0.lab 

Additional Data  
Error value:  
1908 Could not find the domain controller for this domain.

These errors repeat over and over, with no progress and no failure; the promotion process simply stalls.

Here is the content of the dcpromo.log file:

03/19/2015 22:43:35 [INFO] Promotion request for domain controller of new domain
03/19/2015 22:43:35 [INFO] DnsDomainName  a1.a0.lab
03/19/2015 22:43:35 [INFO]  FlatDomainName  A1
03/19/2015 22:43:35 [INFO]  SiteName  Lab
03/19/2015 22:43:35 [INFO]  SystemVolumeRootPath  C:\Windows\SYSVOL
03/19/2015 22:43:35 [INFO]  DsDatabasePath  C:\Windows\NTDS, DsLogPath  C:\Windows\NTDS
03/19/2015 22:43:35 [INFO]  ParentDnsDomainName  a0.lab
03/19/2015 22:43:35 [INFO]  ParentServer  DCA0.a0.lab
03/19/2015 22:43:35 [INFO]  Account A0\AdmA0
03/19/2015 22:43:35 [INFO]  Options  5243072
03/19/2015 22:43:35 [INFO] Validate supplied paths
03/19/2015 22:43:35 [INFO] Validating path C:\Windows\NTDS.
03/19/2015 22:43:35 [INFO]  Path is a directory
03/19/2015 22:43:35 [INFO]  Path is on a fixed disk drive.
03/19/2015 22:43:35 [INFO] Validating path C:\Windows\NTDS.
03/19/2015 22:43:35 [INFO]  Path is a directory
03/19/2015 22:43:35 [INFO]  Path is on a fixed disk drive.
03/19/2015 22:43:35 [INFO] Validating path C:\Windows\SYSVOL.
03/19/2015 22:43:35 [INFO]  Path is on a fixed disk drive.
03/19/2015 22:43:35 [INFO]  Path is on an NTFS volume
03/19/2015 22:43:35 [INFO] Child domain creation -- check the new domain name is child of parent domain name.
03/19/2015 22:43:35 [INFO] Domain Creation -- check that the flat name is unique.
03/19/2015 22:43:40 [INFO] Start the worker task
03/19/2015 22:43:40 [INFO] Request for promotion returning 0
03/19/2015 22:43:42 [INFO] Using supplied domain controller: DCA0.a0.lab
03/19/2015 22:43:42 [INFO] Using supplied site: Lab
03/19/2015 22:43:42 [INFO] Forcing time sync
03/19/2015 22:43:42 [INFO] Forcing a time sync with DCA0.a0.lab
03/19/2015 22:43:42 [INFO] Reading domain policy from the domain controller DCA0.a0.lab
03/19/2015 22:43:42 [INFO] Stopping service NETLOGON
03/19/2015 22:43:42 [INFO] Stopping service NETLOGON
03/19/2015 22:43:42 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
03/19/2015 22:43:42 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
03/19/2015 22:43:42 [INFO] StopService on NETLOGON returned 0
03/19/2015 22:43:42 [INFO] Configuring service NETLOGON to 1 returned 0
03/19/2015 22:43:42 [INFO] Stopped NETLOGON
03/19/2015 22:43:42 [INFO] Creating the System Volume C:\Windows\SYSVOL
03/19/2015 22:43:42 [INFO] Deleting current sysvol path C:\Windows\SYSVOL 
03/19/2015 22:43:44 [INFO] Preparing for system volume replication using root C:\Windows\SYSVOL
03/19/2015 22:43:44 [INFO] Created the system volume
03/19/2015 22:43:44 [INFO] Copying initial Directory Service database file C:\Windows\system32\ntds.dit to C:\Windows\NTDS\ntds.dit
03/19/2015 22:43:44 [INFO] Installing the Directory Service
03/19/2015 22:43:44 [INFO] Calling NtdsInstall for a1.a0.lab
03/19/2015 22:43:44 [INFO] Starting Active Directory Domain Services installation
03/19/2015 22:43:44 [INFO] Validating user supplied options
03/19/2015 22:43:44 [INFO] Determining a site in which to install
03/19/2015 22:43:44 [INFO] Examining an existing forest...
03/19/2015 22:43:44 [INFO] Configuring the local computer to host Active Directory Domain Services
03/19/2015 22:43:48 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1094  
Software write caching for the following disk drive has been disabled to prevent possible data loss during system failures such as power outages or hardware component failures that can cause a sudden shutdown of the system. The disk drive that stores Active Directory Domain Services log files is the only drive affected by this change.

Disk drive:  
c:

03/19/2015 22:43:59 [INFO] EVENTLOG (Informational): NTDS Database / Internal Processing : 2013  
Active Directory Domain Services is rebuilding the following number of indices as part of the initialization process.

Number of indices:  
1

Indices:  
LCL_ABVIEW_index00000410 +ATTb590468 

03/19/2015 22:43:59 [INFO] EVENTLOG (Informational): NTDS Database / Internal Processing : 2014  
Active Directory Domain Services successfully completed rebuilding the following number of indices.

Indices:  
1

03/19/2015 22:44:00 [INFO] EVENTLOG (Informational): NTDS General / Internal Configuration : 2120  
This Active Directory Domain Services server does not support the Recycle Bin. Deleted objects may be undeleted, however, when an object is undeleted, some attributes of that object may be lost.  Additionally, attributes of other objects that refer to the object being undeleted may also be lost.

03/19/2015 22:44:00 [INFO] EVENTLOG (Informational): NTDS General / Internal Configuration : 2405  
This Active Directory Domain Services server does not support the "Recycle Bin Feature" optional feature.

03/19/2015 22:44:00 [INFO] Replicating the schema directory partition

After this, the same errors reported in the event log get logged.

I found this article, which states that this error can happen if the administrator account has the same password on the new DC and on the domain you are logging on to; I'm not using the built-in Administrator account at all, because these are Azure VMs, but I actually did use the same user name and password on all servers during my first test, so I guessed this could indeed be the cause of the error; however, I have rebuilt all servers, creating a different local administrator account on each one (AdmA0, AdmA1, AdmA2…) with different passwords; I also made sure to specify the parent domain's credentials in the form A0\AdmA0; but the error happens again.

What is going on, and how can I fix it?

It looks like I ran into (a variant of?) this problem: the promotion works if I use the "long" logon credentials, i.e. A0.lab\AdmA0 instead of A0\AdmA0.

However, according to that article, this problem should only happen if NetBIOS over TCP/IP is disabled, whereas it is actually enabled, which can be verified in the ipconfig output. I also tried configuring the VMs with static network settings instead of using DHCP (which Azure requires) and forcing NetBIOS over TCP/IP to "enabled", but the error always happens; the only way the promotion process works is by using the "long" credentials.

However, this seems to be an Azure-specific quirk: I created an identical test environment on a local Hyper-V server, and everything works fine.

It looks like Azure does something strange at the network level that blocks NetBIOS, or the Azure Windows Server 2012 R2 VM template has some odd NetBIOS-related behaviour, which makes the DC promotion fail in this peculiar way.


Update:

Found the culprit: https://msdn.microsoft.com/en-us/library/azure/dn133803.aspx

Does Virtual Network support multicast or broadcast?

No. We do not support multicast or broadcast.

Azure Virtual Network doesn't support broadcast; thus, even if NetBIOS is enabled, it doesn't work. And it looks like Windows Server 2012 R2 really does need it for DC promotion.

Workaround: use "long" logon credentials (full.domain.fqdn\username instead of NetBIOSDomain\username) during DC promotion.


As for why Azure Virtual Network doesn't support broadcast, and how they manage that while still relying heavily on DHCP… that's beyond my understanding. And I'm not really sure I actually understand; Azure networking is known to be rather peculiar.
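An added example (not from the original post) of running the same child-domain promotion from PowerShell with the ADDSDeployment module, passing the parent-domain credential in the FQDN\username form the workaround calls for and checking first that the parent DC is reachable through DNS alone, since the virtual network offers no broadcast for NetBIOS name resolution. It assumes the lab values from the post (parent domain a0.lab, parent DC DCA0.a0.lab, child domain A1, site Lab, paths under C:\Windows) and is run on the server being promoted.

```powershell
# Added example, not the poster's own script. Values below are assumptions taken
# from the post's lab setup; adjust them for your environment.
Import-Module ADDSDeployment

$parentDomain = 'a0.lab'          # forest root domain (FQDN)
$parentDc     = 'DCA0.a0.lab'     # DC to replicate from
$newChild     = 'A1'              # single-label name of the new child domain
$siteName     = 'Lab'

# With no broadcast on the Azure VNet, NetBIOS name resolution cannot help;
# everything the promotion needs must resolve via the DNS server configured on
# this machine (the root DC). Fail early if the parent DC or its SRV record
# cannot be resolved, rather than letting dcpromo stall at schema replication.
Resolve-DnsName -Name $parentDc -Type A -ErrorAction Stop | Out-Null
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$parentDomain" -Type SRV -ErrorAction Stop | Out-Null

# Use the "long" credential form (a0.lab\AdmA0), not the NetBIOS form (A0\AdmA0).
$parentCred = Get-Credential -UserName "$parentDomain\AdmA0" -Message 'Parent domain admin'
$dsrmPwd    = Read-Host -AsSecureString 'Directory Services Restore Mode password'

Install-ADDSDomain `
    -DomainType ChildDomain `
    -NewDomainName $newChild `
    -NewDomainNetbiosName $newChild `
    -ParentDomainName $parentDomain `
    -ReplicationSourceDC $parentDc `
    -Credential $parentCred `
    -SiteName $siteName `
    -InstallDns `
    -CreateDnsDelegation `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPwd `
    -Force
```

If the promotion still stalls, the Directory Service event log and C:\Windows\debug\dcpromo.log are the places to look, as the post shows.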

Quoted from: https://serverfault.com/questions/676867