新提升的域控制器顯示許多錯誤但 dcpromo 沒有抱怨?
我有一個分為四個站點的域。在我的一個遠端站點,我推廣了一個新的 DC,並將在幾週內停用現有的 DC。我在進行 dcpromo 時沒有收到任何錯誤,但我不得不在促銷後延遲重新啟動伺服器幾天。
重新啟動後,這個新 DC 上似乎存在一些嚴重問題:
- 目錄服務日誌中充滿了事件 1864 (
This directory server has not recently received replication information from a number of directory servers.)、2089 (This directory partition has not been backed up since at least the following number of days.) 和 2093 (The remote server which is the owner of a FSMO role is not responding. This server has not replicated with the FSMO role owner recently.)。- 系統日誌包含許多事件 1006 (
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.) - 來自詳細資訊選項卡的資訊如下:SupportInfo1 1 SupportInfo2 5012 ProcessingMode 0 ProcessingTimeInMilliseconds 2184 ErrorCode 49 ErrorDescription Invalid Credentials DCName以及錯誤 4 (
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server kelethdc01$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/2ee10a9d-dcf0-4940-b2e5-25044f90869c/domain.com@domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.) 和錯誤 5782 (Dynamic registration or deregistration of one or more DNS records failed with the following error: TCP/IP network protocol not installed.)。誰能建議這裡可能發生了什麼,以及如何糾正?
我以前從未見過這種情況,但我最初的想法是,由於 Kerberos 票證是基於時間的,因此
dcpromo重啟之間的延遲可能會導致問題。您是否嘗試過取消升級新伺服器並執行新的 dcpromo 並重新啟動?
關於“此目錄分區至少在以下天數內沒有備份過。”。執行系統狀態備份並備份 Active Directory 時,它會更新分區上的屬性。
您可以使用以下命令確認是否/何時執行備份:
repadmin /showbackup <dcname>可以抑制屬性的更新。如果此消息僅針對模式分區顯示,則可能已將其關閉。