How do I force a domain controller to sync with the PDC?
DC2 (a VM) is not syncing to DC1 (a physical server). On DC2, I get:
    PS C:\> w32tm /query /source
    Local CMOS Clock
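What do I have to do to get DC2 to sync to DC1 as its time source?
Background: I had to replace DC1, which was my operations master. There was no chance to gracefully demote DC1; it simply disappeared from the domain. By the time I successfully re-created DC1, DC2 was the operations master. AD DS replicated correctly, and I transferred the FSMO roles to the new DC1 and set DC1 to "0.us.pool.ntp.org". DC1 returns a good strip chart. I confirmed again that all FSMO roles are set to DC1. I have confirmed that time synchronization is unchecked in the Hyper-V Integration Services for DC2.
I have spent some time researching this, but so far I have not found the w32tm sequence/command that moves DC2 off its CMOS clock. At this point, I need a little help or a reminder of how to do this.
**Added after the initial post:** I did find the following DC2 dcdiag errors: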
    Starting test: Advertising
        Warning: VSVR-WBC-DC02 is not advertising as a time server.
        ......................... VSVR-WBC-DC02 failed test Advertising
    A warning event occurred. EventID: 0x00000081
        Time Generated: 12/27/2018 14:50:05
        Event String: NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
    Running enterprise tests on : wbc.local
    Starting test: LocatorCheck
        Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
        A Primary Domain Controller could not be located.
        The server holding the PDC role is down.
        Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
        A Time Server could not be located.
        The server holding the PDC role is down.
        Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed,
        A Good Time Server could not be located.
        ......................... wbc.local failed test LocatorCheck
DC1 dcdiag errors:
    Starting test: Advertising
        Warning: DsGetDcName returned information for \\vsvr-wbc-dc02.wbc.local, when we were trying to reach SVR-WBC-DC01.
        SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
        ......................... SVR-WBC-DC01 failed test Advertising
    Starting test: NetLogons
        Unable to connect to the NETLOGON share! (\\SVR-WBC-DC01\netlogon)
        [SVR-WBC-DC01] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
    Starting test: SystemLog
        A warning event occurred. EventID: 0x0000002F
        Time Generated: 12/27/2018 14:56:32
        Event String: Time Provider NtpClient: No valid response has been received from manually configured peer 0.us.pool.ntp.org after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable.
    Running enterprise tests on : wbc.local
    Starting test: LocatorCheck
        Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
        A Time Server could not be located.
        The server holding the PDC role is down.
        Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
        A Good Time Server could not be located.
        ......................... wbc.local failed test LocatorCheck
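This answer solved my problem, but it is not necessarily a direct answer to the question as posted for others. I am providing this answer because another person may arrive here with the same question when, in fact, the problem is quite different, as Greg Askew's first comment indicated.
The real problem for me was that the SYSVOL and NETLOGON shares did not exist on the new domain controller, and I should have checked that early on (a silly mistake). This can be seen in PowerShell: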
    PS C:\>net share
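When these volumes do not exist, bigger problems follow. In my case, DCDIAG reported that Advertising failed, which is too general to pinpoint the problem.
According to this Microsoft support page, my particular problem was resolved by forcing an authoritative synchronization of the DFSR-replicated SYSVOL.
For me, past Advertising failures had been caused by the PDC time source not working properly. That experience led me to a conclusion about the nature of the problem in this case, but that conclusion was incorrect.
If the PDC time source is the problem, then this ServerFault post may be valuable.
Because I abruptly removed one of my domain controllers without a graceful demotion, I also needed to clean up metadata. Although I did this correctly in Active Directory Users and Computers and in Active Directory Sites and Computers, I failed to do so in DNS. My experience cleaning up DNS was that the lost domain controller existed throughout DNS, and I had to walk every subtree to find references to the old controller, sometimes identified only by IP or some other number, because the old domain server name had been lost in some DNS entries.
Thanks to those who commented above for pointing me in the right direction.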
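
The checks this answer describes, as an added example that is not part of the original post: it tests for the SYSVOL and NETLOGON shares, shows the w32tm time source, and searches every DNS zone for records that still reference a removed domain controller. `$StaleName` and `$StaleIp` are placeholder values, and the script assumes it runs elevated on a DC that also hosts the DNS Server role.

```powershell
# Added example: read-only checks; nothing here changes configuration.
# Placeholders (assumptions, not values from the post): identify the removed DC.
$StaleName = 'OLD-DC-NAME'
$StaleIp   = '192.0.2.10'

# 1. The answer found both shares missing behind the dcdiag Advertising failure.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    $found = Get-SmbShare -Name $share -ErrorAction SilentlyContinue
    '{0,-9} share: {1}' -f $share, $(if ($found) { $found.Path } else { 'MISSING' })
}

# 2. Current time source; "Local CMOS Clock" means w32time is not syncing from a peer.
$source = (w32tm /query /source | Out-String).Trim()
"Time source: $source"

# 3. Walk every primary zone (AD-integrated zones report as Primary) and list
#    records whose owner name or record data mentions the removed DC.
$pattern = '{0}|{1}' -f [regex]::Escape($StaleName), [regex]::Escape($StaleIp)
$fields  = 'IPv4Address', 'IPv6Address', 'HostNameAlias', 'NameServer',
           'DomainName', 'PtrDomainName', 'MailExchange'

$zones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors'
}

$stale = foreach ($zone in $zones) {
    foreach ($rec in Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue) {
        # Collect the owner name plus whichever data fields this record type has.
        $values = @($rec.HostName) + @($fields | ForEach-Object { $rec.RecordData.($_) }) |
            Where-Object { $_ } | ForEach-Object { "$_" }
        $hit = @($values) -match $pattern   # case-insensitive; returns matching strings
        if ($hit) {
            [pscustomobject]@{
                Zone  = $zone.ZoneName
                Name  = $rec.HostName
                Type  = $rec.RecordType
                Match = $hit -join ', '
            }
        }
    }
}
$stale | Sort-Object Zone, Type, Name | Format-Table -AutoSize
```

PTR owner names in reverse zones hold the address in reversed-octet form, so those records are found through the host name in their data rather than through `$StaleIp`.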