0
مشکل در لاگین کردن به اکتیو دایرکتوری
با سلام و خسته نباشید
دوستان من اکتیو دایرکتوریم به مشکل خورد مجبور شدم بکاپ دو هفته پیشش رو برگردونم . بکاپ به درستی برگشت ولی میخوام بهش لاگین کنم میگه : there are no logon servers available to service the logon request
چه باید کرد ؟
ممنون
15 پاسخ
1
"در مورد اول متوجه منظورتون نشدم . ما دو مدل کلا پسوورد برای اکانت کلاینتها داریم . یکی پسوورد یوزر لوکالشون هست یکی پسوورد یوزر دامینشون . این دو مدل پسوورد ارتباطشون با پسوورد DC چیه ؟!"
به غیر از User account ها و Service account ها ، Computer account ها هم پسورد دارن و این پسورد هنگام جوین شدن کلاینت به دامین توسط دامین کنترلر Generate میشه و طولش 120 کاراکتره. سرویس Netlogon زمانی که به دنبال DC حین فرآیند لاگین میگرده (تو مرحله ایجاد Secure Channel) از DC میپرسه که پسورد کامپیوتر اکانت کلاینت چیه و اگه مقداری رو برگردونه و با پسورد کامپیوتر اکانتی که توی کلید رجیستری سیستم کلاینت Match نباشه DC میگه Trust بین من و کلاینت برقرار نیست و باید این پسورد ریست بشه تا بتونم مجددا به کلاینت اعتماد کنم. پسورد کامپیوتر اکانت به دلایل امنیتی هر 30 روز یه بار ریست میشه و DC یه پسورد تازه به کلاینت میده تا بتونه تو فرآیند احرازهویتش ازش استفاده کنه.
0
منظورتون رو متوجه نشدم. منظورتون از داخل اکتیو هست یا داخل اینجا سایت ؟
0
DC زمانش رو داره با HyperVisor ای که توش در حال اجرا هست Sync می کنه ؟ اگه همینطوره نزارید این کار رو انجام بده. سرویس KDC به شدت روی بحث زمان حساسه.
همینطور اینکه به نظر میاد پسورد Computer account های کلاینت ها با DC یکی نیست ... پالسی Disable machine account password changes رو فعال کنید از این مسیر :
Computer Config\Policies\Windows Settings\Security Settings\Local Policies\Security Options
چند تا DC تو شبکه دارید ؟ سیستم عامل هاشون چی هست ؟
خروجی دستور زیر رو ارسال کنید :
اگه IPv6 رو فعال کردید روی کارت شبکه DC ها غیرفعالش کنید بعد DCDIAG /fix رو اجرا کنید.
حالا خروجی دستور زیر رو ارسال کنید :
dcdiag /test:dns /dnsall
0
0
لطفا خروجی DCDiag رو (همراه با Flag هایی که گفتم) ارسال کنید. ممنون میشم در قالب پست جداگونه ارسالش کنید. متشکرم
0
ولی تست دیاگی که گفتی رو گرفتم بعضی چیزاش fail بود !
0
پس این computer account password توسط ما قابل رویت یا عوض شدن نیست درسته ؟
0
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>dcdiag /test:dns /dnsall
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = ADDS
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\ADDS
Starting test: Connectivity
......................... ADDS passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\ADDS
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... ADDS passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : pars
Running enterprise tests on : pars.local
Starting test: DNS
Test results for domain controllers:
DC: ADDS.pars.local
Domain: pars.local
TEST: Basic (Basc)
Warning: adapter
[00000011] Intel(R) 82574L Gigabit Network Connection has
invalid DNS server: 4.2.2.4 (<name unavailable>)
Warning: adapter
[00000011] Intel(R) 82574L Gigabit Network Connection has
invalid DNS server: 4.2.2.4 (<name unavailable>)
TEST: Records registration (RReg)
Network Adapter
[00000011] Intel(R) 82574L Gigabit Network Connection:
Warning:
Missing CNAME record at DNS server 4.2.2.4:
3bf18ec5-1ece-4eb4-ac91-0d30e87f69a1._msdcs.pars.local
Warning:
Missing A record at DNS server 4.2.2.4:
ADDS.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.9f7ee029-129b-4d47-808e-c04ecf6f108b.domains._ms
dcs.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_kerberos._tcp.dc._msdcs.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.dc._msdcs.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_kerberos._tcp.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_kerberos._udp.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_kpasswd._tcp.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.Default-First-Site-Name._sites.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.par
s.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.pars.lo
cal
Error:
Missing SRV record at DNS server 4.2.2.4:
_kerberos._tcp.Default-First-Site-Name._sites.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.gc._msdcs.pars.local
Warning:
Missing A record at DNS server 4.2.2.4:
gc._msdcs.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_gc._tcp.Default-First-Site-Name._sites.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.pars.lo
cal
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.pdc._msdcs.pars.local
Warning:
Missing CNAME record at DNS server 4.2.2.4:
3bf18ec5-1ece-4eb4-ac91-0d30e87f69a1._msdcs.pars.local
Warning:
Missing A record at DNS server 4.2.2.4:
ADDS.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.9f7ee029-129b-4d47-808e-c04ecf6f108b.domains._ms
dcs.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_kerberos._tcp.dc._msdcs.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.dc._msdcs.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_kerberos._tcp.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_kerberos._udp.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_kpasswd._tcp.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.Default-First-Site-Name._sites.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.par
s.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.pars.lo
cal
Error:
Missing SRV record at DNS server 4.2.2.4:
_kerberos._tcp.Default-First-Site-Name._sites.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.gc._msdcs.pars.local
Warning:
Missing A record at DNS server 4.2.2.4:
gc._msdcs.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_gc._tcp.Default-First-Site-Name._sites.pars.local
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.pars.lo
cal
Error:
Missing SRV record at DNS server 4.2.2.4:
_ldap._tcp.pdc._msdcs.pars.local
Error: Record registrations cannot be found for all the network
adapters
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 4.2.2.4 (<name unavailable>)
3 test failure on this DNS server
Name resolution is not functional. _ldap._tcp.pars.local. failed
on the DNS server 4.2.2.4
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: pars.local
ADDS PASS WARN PASS PASS PASS FAIL PASS
......................... pars.local failed test DNS
C:\Windows\system32>
0
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>DCDiag /c /v /e /q
[ADDS] No security related replication errors were found on this DC!
To target the connection to a specific source DC use /ReplSource:<DC>.
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... ADDS failed test DFSREvent
** Did not run Outbound Secure Channels test because /testdomain: was
not entered
An error event occurred. EventID: 0x0000410B
Time Generated: 12/15/2019 13:36:03
Event String:
The request for a new account-identifier pool failed. The operation
will be retried until the request succeeds. The error is
An error event occurred. EventID: 0x40000004
Time Generated: 12/15/2019 13:37:34
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver additionalds$. The target name used was RPC/a78498b0-70bc-4231-a443-7a7c55e
3677d._msdcs.pars.local. This indicates that the target server failed to decrypt
the ticket provided by the client. This can occur when the target server princi
pal name (SPN) is registered on an account other than the account the target ser
vice is using. Ensure that the target SPN is only registered on the account used
by the server. This error can also happen if the target service account passwor
d is different than what is configured on the Kerberos Key Distribution Center f
or that target service. Ensure that the service on the server and the KDC are bo
th configured to use the same password. If the server name is not fully qualifie
d, and the target domain (pars.local) is different from the client domain (PARS.
LOCAL), check if there are identically named server accounts in these two domain
s, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 12/15/2019 13:37:34
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver additionalds$. The target name used was LDAP/a78498b0-70bc-4231-a443-7a7c55
e3677d._msdcs.pars.local. This indicates that the target server failed to decryp
t the ticket provided by the client. This can occur when the target server princ
ipal name (SPN) is registered on an account other than the account the target se
rvice is using. Ensure that the target SPN is only registered on the account use
d by the server. This error can also happen if the target service account passwo
rd is different than what is configured on the Kerberos Key Distribution Center
for that target service. Ensure that the service on the server and the KDC are b
oth configured to use the same password. If the server name is not fully qualifi
ed, and the target domain (PARS.LOCAL) is different from the client domain (PARS
.LOCAL), check if there are identically named server accounts in these two domai
ns, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x0000272C
Time Generated: 12/15/2019 13:38:24
Event String:
DCOM was unable to communicate with the computer 4.2.2.4 using any o
f the configured protocols; requested by PID b50 (C:\Windows\system32\dcdia
g.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 12/15/2019 13:38:47
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any o
f the configured protocols; requested by PID b50 (C:\Windows\system32\dcdia
g.exe).
......................... ADDS failed test SystemLog
[ADDITIONALDS] No security related replication errors were found on
this DC! To target the connection to a specific source DC use
/ReplSource:<DC>.
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... ADDITIONALDS failed test DFSREvent
** Did not run Outbound Secure Channels test because /testdomain: was
not entered
An error event occurred. EventID: 0x00000422
Time Generated: 12/15/2019 13:37:37
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\pars.local\sysvol\pars.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98
4F9}\gpt.ini from a domain controller and was not successful. Group Policy setti
ngs may not be applied until this event is resolved. This issue may be transient
and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 12/15/2019 13:42:38
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\pars.local\sysvol\pars.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98
4F9}\gpt.ini from a domain controller and was not successful. Group Policy setti
ngs may not be applied until this event is resolved. This issue may be transient
and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 12/15/2019 13:47:39
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\pars.local\sysvol\pars.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98
4F9}\gpt.ini from a domain controller and was not successful. Group Policy setti
ngs may not be applied until this event is resolved. This issue may be transient
and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 12/15/2019 13:52:40
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\pars.local\sysvol\pars.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98
4F9}\gpt.ini from a domain controller and was not successful. Group Policy setti
ngs may not be applied until this event is resolved. This issue may be transient
and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 12/15/2019 13:57:41
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\pars.local\sysvol\pars.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98
4F9}\gpt.ini from a domain controller and was not successful. Group Policy setti
ngs may not be applied until this event is resolved. This issue may be transient
and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 12/15/2019 14:02:41
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\pars.local\sysvol\pars.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98
4F9}\gpt.ini from a domain controller and was not successful. Group Policy setti
ngs may not be applied until this event is resolved. This issue may be transient
and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 12/15/2019 14:07:42
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\pars.local\sysvol\pars.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98
4F9}\gpt.ini from a domain controller and was not successful. Group Policy setti
ngs may not be applied until this event is resolved. This issue may be transient
and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 12/15/2019 14:12:43
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\pars.local\sysvol\pars.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98
4F9}\gpt.ini from a domain controller and was not successful. Group Policy setti
ngs may not be applied until this event is resolved. This issue may be transient
and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 12/15/2019 14:17:44
Event String:
The processing of Group Policy failed. Windows attempted to read the
file \\pars.local\sysvol\pars.local\Policies\{31B2F340-016D-11D2-945F-00C04FB98
4F9}\gpt.ini from a domain controller and was not successful. Group Policy setti
ngs may not be applied until this event is resolved. This issue may be transient
and could be caused by one or more of the following:
......................... ADDITIONALDS failed test SystemLog
Test results for domain controllers:
DC: ADDS.pars.local
Domain: pars.local
TEST: Records registration (RReg)
Error: Record registrations cannot be found for all the network
adapters
DC: AdditionalDS.pars.local
Domain: pars.local
TEST: Records registration (RReg)
Error: Record registrations cannot be found for all the network
adapters
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: pars.local
ADDS PASS WARN PASS PASS PASS FAIL n/a
AdditionalDS PASS WARN PASS PASS PASS FAIL n/a
......................... pars.local failed test DNS
C:\Windows\system32>
1
وقتی کلاینت لاگین می کنه به دامین این ارور ظاهر میشه ؟ اگه آره موارد زیر رو چک کنید :
DC سالمه ؟ خروجی دستور DCDiag /c /v /e /q رو ارسال کنید.
چند تا DC دارید ؟
محتویات پوشه SYSVOL share اوکیه ؟
اگه هنگام لاگین به DC این ارور نشون داده میشه وارد محیط DSRM بشید و از توی MSCONFIG تیک DSRM رو بردارید.
0
لطفا فایل رو ضمیمه کنید و یا اینکه از گزینه پاراگراف -> بلوک ها -> پیش برای ارسال خروجی دستور استفاده کنید تا راحت تر بشه خروجی رو خوند.
0
آره زمان ورود به DC اصلی که بکاپش رو برگردونده بودم اینجوری میشد. یه بکاپ دیگه نزدیکتر برگردوندم اومد بالا باز همونجوری بود ولی خودش بعد از 5مین ریست شد و اومد بالا درست شد. ممنون امیر جان
1
قابل رؤیت نیست ولی میشه عوضش کرد با Reset کردن Computer account object.
0
در مورد اول متوجه منظورتون نشدم . ما دو مدل کلا پسوورد برای اکانت کلاینتها داریم . یکی پسوورد یوزر لوکالشون هست یکی پسوورد یوزر دامینشون . این دو مدل پسوورد ارتباطشون با پسوورد DC چیه ؟!
در مورد دوم بگم که Esxi ما از اکتیو دایرکتوری ساعتش رو میگیره .
در مورد دوم باید بگم که یک اکتیو دایرکتوری وجود داره توو این شبکه و یک additional dc که هر دوی اونها ویندوز سرور 2012 و ipv6 همه ی سرورها خاموش هست .
1
ظاهرا آدرس 4.2.2.4 رو روی کارت شبکه DC ها ست کردین. توی کارت شبکه دامین کنترلر ADDS آدرس DNS اول رو آدرس IP دامین کنترلر Additional ست کنید و DNS دوم رو 127.0.0.1 ست کنید. توی کارت شبکه دامین کنترلر Additional هم DNS اول رو آدرس IP دامین کنترلر ADDS و DNS دوم رو 127.0.0.1 ست کنید.
ADDS::
Primary DNS: Additional IP address ; Alternate DNS: 127.0.0.1
Additional::
Primary DNS: ADDS IP address ; Alternate DNS: 127.0.0.1
حالا IPConfig /flushdns رو روی هر دو DC اجرا کنید و بعد IPConfig /registerdns رو اجرا کنید تا رکورد ها پاکسازی و مجددا آپدیت بشه.