All DCs failing the DNS:RReg test, reporting missing SRV records on the PDC - they exist
Background
We are currently in the middle of several domain controller upgrades. Before I started, the previous admin had already begun the process of migrating our DCs from 2008 R2 Standard to 2008 R2 Enterprise. There is a PDC, DC2008S-0, and an additional DC, DC2008E-1, running. There is a third 2008 Enterprise DC sitting on a powered-off VM. All of this is a leftover from upgrading the DCs from 2003. The previous admin felt that Standard was not enough for a DC and that those licenses had been bought in error, so after floating two Standard DCs, the Enterprise DCs were added and one Standard DC was demoted.
The Enterprise DCs were not replicating SYSVOL at all. The MSDCS zone was also missing on the Enterprise DCs. There was also some metadata cleanup to do for the fully tombstoned DC (the spare 2008E on the powered-off VM). After quite a bit of troubleshooting, we did an authoritative restore from the PDC. After that SYSVOL appeared to replicate correctly, and we manually added MSDCS and pulled all the records in. This was probably 8 or 9 months ago. Since then everything has been running smoothly: logons, GPO replication, new GPOs, new AD accounts, and a hybrid migration to O365, with all the AD Sync and DirSync stuff working fine.
After that period we came back to this DC project. My task list was as follows:
1. Update the domain and forest functional levels from 2003 to 2008 (including migrating from FRS to DFSR).
2. Blow away the powered-off second Enterprise DC, reinstall it, give it the DC role and add it to the domain.
3. Move the FSMO roles etc. to the first Enterprise DC and make it the PDC.
4. Decommission the Standard DC.
I was right on the verge of decommissioning the Standard DC when this DNS RReg problem came to light. I don't believe it existed after the SYSVOL, AD and DNS items had replicated, but I could be wrong.
The current problem
All of our DCs are failing the DCDIAG RReg test.
This is the only failure we get when checking DC health with DCDIAG against each DC, when running the GUI AD Replication Status Tool v1.0, and from the two PS scripts from TechNet that do the AD and SYSVOL replication/latency convergence checks.
Here is the failing output from the DCDIAG DNS test:
   Summary of DNS test results:

                                    Auth Basc Forw Del  Dyn  RReg Ext
   _________________________________________________________________
   Domain: domain.com
      DC2008S-0                    PASS PASS PASS PASS PASS FAIL n/a
      DC2008E-0                    PASS PASS PASS PASS PASS FAIL n/a
      DC2008E-1                    PASS PASS PASS PASS PASS FAIL n/a

Total Time taken to test all the DCs:2 min. 55 sec.
......................... domain.com failed test DNS

The failures all relate to a single CNAME record, a single A record and multiple SRV records on the new PDC, DC2008E-0:

Starting test: DNS

   Test results for domain controllers:

      DC: DC2008E-0.domain.com
      Domain: domain.com

         TEST: Records registration (RReg)
            Network Adapter [00000007] vmxnet3 Ethernet Adapter:
               Warning: Missing CNAME record at DNS server 10.1.1.27:
               7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
               Warning: Missing A record at DNS server 10.1.1.27:
               DC2008E-0.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _ldap._tcp.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _kerberos._tcp.dc._msdcs.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _ldap._tcp.dc._msdcs.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _kerberos._tcp.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _kerberos._udp.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _kpasswd._tcp.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _ldap._tcp.siteName._sites.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _kerberos._tcp.siteName._sites.dc._msdcs.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _ldap._tcp.siteName._sites.dc._msdcs.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _kerberos._tcp.siteName._sites.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _ldap._tcp.gc._msdcs.domain.com
               Warning: Missing A record at DNS server 10.1.1.27:
               gc._msdcs.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _gc._tcp.siteName._sites.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _ldap._tcp.siteName._sites.gc._msdcs.domain.com
               Error: Missing SRV record at DNS server 10.1.1.27:
               _ldap._tcp.pdc._msdcs.domain.com
            Error: Record registrations cannot be found for all the network adapters

   Summary of DNS test results:

                                    Auth Basc Forw Del  Dyn  RReg Ext
   _________________________________________________________________
   Domain: domain.com
      DC2008E-0                    PASS PASS PASS PASS PASS FAIL n/a

   ......................... domain.com failed test DNS
Investigation so far
I have manually checked all of these records and can confirm that all of them exist on all of my DCs.
I have also compared the MSDCS zones on all DCs and all the other records match.
The zone serial numbers in the SOA match across all DCs, and the same is true for all zones on all DCs, not just the MSDCS zone.
I'm not sure this is the best way to show that I can find the records manually, but I ran NSLOOKUP against all three DCs for one of the records listed above, and it seems to be found on all three.
c:\Users\userName\Desktop\replication>nslookup -type=SRV _ldap._tcp.pdc._msdcs.domain.com
Server:  DC2008E-0.domain.com
Address:  10.1.1.27

_ldap._tcp.pdc._msdcs.domain.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DC2008E-0.domain.com
DC2008E-0.domain.com    internet address = 10.1.1.27

c:\Users\userName\Desktop\replication>nslookup -type=SRV _ldap._tcp.pdc._msdcs.domain.com DC2008S-0
Server:  DC2008S-0.domain.com
Address:  10.1.1.3

_ldap._tcp.pdc._msdcs.domain.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DC2008E-0.domain.com
DC2008E-0.domain.com    internet address = 10.1.1.27

c:\Users\userName\Desktop\replication>nslookup -type=SRV _ldap._tcp.pdc._msdcs.domain.com DC2008E-1
Server:  DC2008E-1.domain.com
Address:  10.1.1.28

_ldap._tcp.pdc._msdcs.domain.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DC2008E-0.domain.com
DC2008E-0.domain.com    internet address = 10.1.1.27
I have also checked the CNAME records at the root of the _MSDCS zone, and this is the only place where I have found something odd. The records themselves are all 100% correct and the permissions look correct - at least, I should say, they all match across the 3 CNAME records and in how each DC sees the CNAME records. However, the owners are set differently. DC2008S-0's record is owned by SYSTEM, DC2008E-0's record is owned by DC2008E-0$, and DC2008E-1's record is owned by DC2008E-1$ (DOMAIN\DC2008E-1$). This is the same no matter which DC I view the records on.
I don't know whether this is relevant, but it seems to be the only thing I can find that doesn't match and/or follow the same pattern. That may well be a misnomer.
Starting with DC2008E-0, I have also run ipconfig /registerdns, and no errors were reported to Event Viewer. I have also run nltest /dsregdns:
C:\Windows\system32>nltest /dsregdns
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

This does not seem to have resolved the issue.
Further investigation
It seems I overlooked some of the output from the full set of DCDIAG tests I was running. Some more specific errors are reported, and there is more granularity in how the DNS SRV records are reported.
I will post the relevant output from dcdiag.exe /V /C /D /E /s:dc0 (actually I'll have to post snippets, as I'm hitting the character limit):
      DC: DC2008S-0.domain.com
      Domain: domain.com

         Adapter [00000012] Intel(R) PRO/1000 MT Network Connection:
            MAC address is 00:0C:29:9A:77:BA
            IP Address is static
            IP address: 10.1.1.3
            DNS servers:
               10.1.1.3 (DC2008S-0) [Valid]
               10.1.1.27 (DC2008E-0) [Valid]
               127.0.0.1 (DC2008S-0) [Valid]
         The A host record(s) for this DC was found
         The SOA record for the Active Directory zone was found
         The Active Directory zone on this DC/DNS server was found primary
         Root zone on this DC/DNS server was not found

         TEST: Records registration (RReg)
            Network Adapter [00000012] Intel(R) PRO/1000 MT Network Connection:
               Matching CNAME record found at DNS server 10.1.1.3:
               f11ae1a7-ab57-47d9-bf47-11eca1e33936._msdcs.domain.com
               Matching A record found at DNS server 10.1.1.3:
               DC2008S-0.domain.com
               Matching SRV record found at DNS server 10.1.1.3:
               _ldap._tcp.domain.com
               Matching SRV record found at DNS server 10.1.1.3:
               _ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
               …
               Matching CNAME record found at DNS server 10.1.1.27:
               f11ae1a7-ab57-47d9-bf47-11eca1e33936._msdcs.domain.com
               Matching A record found at DNS server 10.1.1.27:
               DC2008S-0.domain.com
               Matching SRV record found at DNS server 10.1.1.27:
               _ldap._tcp.domain.com
               Matching SRV record found at DNS server 10.1.1.27:
               _ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
               …
               Warning: Missing CNAME record at DNS server 10.1.1.3:
               f11ae1a7-ab57-47d9-bf47-11eca1e33936._msdcs.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
               Warning: Missing A record at DNS server 10.1.1.3:
               DC2008S-0.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
               Error: Missing SRV record at DNS server 10.1.1.3:
               _ldap._tcp.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
               Error: Missing SRV record at DNS server 10.1.1.3:
               _ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
            Error: Record registrations cannot be found for all the network adapters

         Total query time:0 min. 0 sec..
         Total RPC connection time:0 min. 0 sec.
         Total WMI connection time:1 min. 3 sec.
         Total Netuse connection time:0 min. 0 sec.

…

      DC: DC2008E-0.domain.com
      Domain: domain.com

         Network adapters information:
         Adapter [00000007] vmxnet3 Ethernet Adapter:
            MAC address is 00:50:56:12:34:56
            IP Address is static
            IP address: 10.1.1.27, fe80::3464:a8c8:13fa:7116
            DNS servers:
               10.1.1.3 (DC2008S-0) [Valid]
               10.1.1.27 (DC2008E-0) [Valid]
               127.0.0.1 (DC2008E-0) [Valid]
         The A host record(s) for this DC was found
         The SOA record for the Active Directory zone was found
         The Active Directory zone on this DC/DNS server was found primary
         Root zone on this DC/DNS server was not found

         TEST: Records registration (RReg)
            Network Adapter [00000007] vmxnet3 Ethernet Adapter:
               Matching CNAME record found at DNS server 10.1.1.3:
               7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
               Matching A record found at DNS server 10.1.1.3:
               DC2008E-0.domain.com
               Matching SRV record found at DNS server 10.1.1.3:
               _ldap._tcp.domain.com
               Matching SRV record found at DNS server 10.1.1.3:
               _ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
               …
               Matching CNAME record found at DNS server 10.1.1.27:
               7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
               Matching A record found at DNS server 10.1.1.27:
               DC2008E-0.domain.com
               Matching SRV record found at DNS server 10.1.1.27:
               _ldap._tcp.domain.com
               Matching SRV record found at DNS server 10.1.1.27:
               _ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
               …
               Warning: Missing CNAME record at DNS server 10.1.1.27:
               7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
               Warning: Missing A record at DNS server 10.1.1.27:
               DC2008E-0.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
               Error: Missing SRV record at DNS server 10.1.1.27:
               _ldap._tcp.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
               Error: Missing SRV record at DNS server 10.1.1.27:
               _ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
               …
            Error: Record registrations cannot be found for all the network adapters

         Total query time:0 min. 4 sec..
         Total RPC connection time:0 min. 0 sec.
         Total WMI connection time:1 min. 3 sec.
         Total Netuse connection time:0 min. 0 sec.

…

      DC: DC2008E-1.domain.com
      Domain: domain.com

         Network adapters information:
         Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
            MAC address is 00:0C:29:75:FF:46
            IP Address is static
            IP address: 10.1.1.28, fe80::b81a:c109:24a0:9d3d
            DNS servers:
               10.1.1.3 (DC2008S-0) [Valid]
               10.1.1.27 (DC2008E-0) [Valid]
               127.0.0.1 (DC2008E-1) [Valid]
         The A host record(s) for this DC was found
         The SOA record for the Active Directory zone was found
         The Active Directory zone on this DC/DNS server was found primary
         Root zone on this DC/DNS server was not found

         TEST: Records registration (RReg)
            Network Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
               Matching CNAME record found at DNS server 10.1.1.3:
               eafe6486-f76c-4900-8a20-46404fdbae57._msdcs.domain.com
               Matching A record found at DNS server 10.1.1.3:
               DC2008E-1.domain.com
               Matching SRV record found at DNS server 10.1.1.3:
               _ldap._tcp.domain.com
               Matching SRV record found at DNS server 10.1.1.3:
               _ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
               …
               Matching CNAME record found at DNS server 10.1.1.27:
               eafe6486-f76c-4900-8a20-46404fdbae57._msdcs.domain.com
               Matching A record found at DNS server 10.1.1.27:
               DC2008E-1.domain.com
               Matching SRV record found at DNS server 10.1.1.27:
               _ldap._tcp.domain.com
               Matching SRV record found at DNS server 10.1.1.27:
               _ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
               …
               Warning: Missing CNAME record at DNS server 10.1.1.28:
               eafe6486-f76c-4900-8a20-46404fdbae57._msdcs.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
               Warning: Missing A record at DNS server 10.1.1.28:
               DC2008E-1.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
               Error: Missing SRV record at DNS server 10.1.1.28:
               _ldap._tcp.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
               Error: Missing SRV record at DNS server 10.1.1.28:
               _ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
               [Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
            Error: Record registrations cannot be found for all the network adapters

         Total query time:0 min. 0 sec..
         Total RPC connection time:0 min. 0 sec.
         Total WMI connection time:0 min. 44 sec.
         Total Netuse connection time:0 min. 0 sec.
So it looks like it might be a problem with the NIC settings? That's where I'm now starting to lean.
NIC configuration
DC2008S-0

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-9A-77-BA
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.1.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.1
   DNS Servers . . . . . . . . . . . : 10.1.1.3
                                       10.1.1.27
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
DC2008E-0

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-12-34-56
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3464:a8c8:13fa:7116%15(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.1.27(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.1
   DHCPv6 IAID . . . . . . . . . . . : 335564886
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-4A-CD-9F-00-50-56-12-34-56
   DNS Servers . . . . . . . . . . . : ::1
                                       10.1.1.3
                                       10.1.1.27
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

DC2008E-1

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-75-FF-46
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b81a:c109:24a0:9d3d%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.1.28(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.1
   DHCPv6 IAID . . . . . . . . . . . : 251661353
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-34-D6-43-00-0C-29-75-FF-46
   DNS Servers . . . . . . . . . . . : ::1
                                       10.1.1.3
                                       10.1.1.27
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
This was resolved by removing IPv6 on the two DCs that were running it, and by re-ordering the DNS configuration on the NICs.
DC2008S-0

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-9A-77-BA
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.1.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.1
   DNS Servers . . . . . . . . . . . : 10.1.1.27
                                       10.1.1.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

DC2008E-0

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-12-34-56
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.1.27(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.1
   DNS Servers . . . . . . . . . . . : 10.1.1.28
                                       10.1.1.27
   NetBIOS over Tcpip. . . . . . . . : Enabled

DC2008E-1

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-75-FF-46
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.1.28(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.1
   DNS Servers . . . . . . . . . . . : 10.1.1.27
                                       10.1.1.28
   NetBIOS over Tcpip. . . . . . . . : Enabled
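As an added example (not part of the original post and not a Microsoft tool), the PowerShell below repeats the poster's manual nslookup check for every record the RReg test flagged, against every DNS server at once, and prints a record-by-server matrix. It assumes a management host with the DnsClient module (Windows 8 / Server 2012 or later; 2008 R2 itself does not ship Resolve-DnsName), and it reuses the domain name, DSA GUID, domain GUID, addresses and the "siteName" placeholder exactly as quoted in the post's DCDIAG output, so those values must be adjusted for a real domain.

```powershell
# Added example, not from the original post. Verifies the DC locator records that
# DCDIAG's RReg test reported as missing, against each DNS server in turn, the way
# the poster did by hand with nslookup. Requires the DnsClient module (Win8/2012+).
# All names, GUIDs and addresses below are the ones quoted in the post (assumed values).

$dnsServers = @('10.1.1.3', '10.1.1.27', '10.1.1.28')
$domain     = 'domain.com'
$siteName   = 'siteName'                                # placeholder used in the post
$dsaGuid    = '7ae71958-74b2-4dc3-bf0e-224ec881bafa'    # DC2008E-0's DSA GUID (from the output)
$domainGuid = '5f315a51-10e4-4785-a4db-50312543bf35'    # domain GUID (from the output)

# The record set the RReg test listed for DC2008E-0, with the type each one must have.
$expected = @(
  @{ Name = "$dsaGuid._msdcs.$domain";                           Type = 'CNAME' },
  @{ Name = "DC2008E-0.$domain";                                 Type = 'A'     },
  @{ Name = "gc._msdcs.$domain";                                 Type = 'A'     },
  @{ Name = "_ldap._tcp.$domain";                                Type = 'SRV'   },
  @{ Name = "_ldap._tcp.$domainGuid.domains._msdcs.$domain";     Type = 'SRV'   },
  @{ Name = "_kerberos._tcp.dc._msdcs.$domain";                  Type = 'SRV'   },
  @{ Name = "_ldap._tcp.dc._msdcs.$domain";                      Type = 'SRV'   },
  @{ Name = "_kerberos._tcp.$domain";                            Type = 'SRV'   },
  @{ Name = "_kerberos._udp.$domain";                            Type = 'SRV'   },
  @{ Name = "_kpasswd._tcp.$domain";                             Type = 'SRV'   },
  @{ Name = "_ldap._tcp.$siteName._sites.$domain";               Type = 'SRV'   },
  @{ Name = "_kerberos._tcp.$siteName._sites.dc._msdcs.$domain"; Type = 'SRV'   },
  @{ Name = "_ldap._tcp.$siteName._sites.dc._msdcs.$domain";     Type = 'SRV'   },
  @{ Name = "_kerberos._tcp.$siteName._sites.$domain";           Type = 'SRV'   },
  @{ Name = "_ldap._tcp.gc._msdcs.$domain";                      Type = 'SRV'   },
  @{ Name = "_gc._tcp.$siteName._sites.$domain";                 Type = 'SRV'   },
  @{ Name = "_ldap._tcp.$siteName._sites.gc._msdcs.$domain";     Type = 'SRV'   },
  @{ Name = "_ldap._tcp.pdc._msdcs.$domain";                     Type = 'SRV'   }
)

function Test-DcLocatorRecords {
  param([string[]]$Servers, [array]$Records)
  foreach ($r in $Records) {
    $row = [ordered]@{ Record = $r.Name; Type = $r.Type }
    foreach ($s in $Servers) {
      try {
        # -DnsOnly bypasses the local cache, LLMNR and NetBIOS so the answer really
        # comes from the server named in -Server, which is what the RReg test checks.
        $ans = Resolve-DnsName -Name $r.Name -Type $r.Type -Server $s -DnsOnly -ErrorAction Stop
        $hit = $ans | Where-Object { $_.Type -eq $r.Type }
        if (-not $hit) {
          $row[$s] = 'MISSING'
        } elseif ($r.Type -eq 'SRV') {
          # For SRV records show the target host(s), so a record that exists but
          # points at the wrong DC is visible at a glance.
          $row[$s] = ($hit | ForEach-Object { $_.NameTarget }) -join ','
        } else {
          $row[$s] = 'OK'
        }
      } catch {
        # A transport failure (timeout, connection reset) is not the same thing as
        # NXDOMAIN; report it separately instead of folding it into MISSING.
        $row[$s] = "ERR: $($_.Exception.Message)"
      }
    }
    [pscustomobject]$row
  }
}

Test-DcLocatorRecords -Servers $dnsServers -Records $expected | Format-Table -AutoSize
```

The point of keeping "ERR" distinct from "MISSING" is the same distinction the verbose DCDIAG output above makes: the records it calls missing carry error detail 10054 (connection forcibly closed), which is a transport problem talking to the server, not an empty zone. When the matrix shows "OK" or a correct SRV target from every server but the RReg test still fails, the record data is not the place to keep looking.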