خطا در اکتیودایرکتوری

چیزی که  log داره نشون میده چند تا مورد هستش که باید توجه بشه:

1- تعداد DC ها دو سرور هستش (server2016dc2 ,server2019dc2)

2-  DNS IP ادرس DC ها 8.8.8.8 هستش که باید 100% عوض بشه به IP ADDRESS خود DC یا (DC با DNS+INTEGRATED ZONE DOMAIN)

3- در نهایت بعد از تصحیح DNS سرور باید (AD DS service) یا سرور restart  بشه

4- replication بین سرورها چک بشه (repadmin)

5- اگر فقط یک DC هستش با دستور NETDOM  کامیپیوتر اکانت DC رو رست کن. در حین COMMAND از FQDN استفاده بشه

 Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... SERVER2016DC2 failed test Connectivity
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... SERVER2019DC2 failed test Connectivity
         Warning: DsGetDcName returned information for \\server2019dc2.khayam.local, when we were trying to reach
         SERVER-AC2012.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... SERVER-AC2012 failed test Advertising
         [SERVER-AC2012] LDAP bind failed with error 8341. A directory service error has occurred.
         Unable to verify the machine account (CN=SERVER-AC2012,OU=Domain Controllers,DC=khayam,DC=local) for
         SERVER-AC2012 on SERVER2019DC2.
         [SERVER-AC2012] No security related replication errors were found on this DC!  To target the connection to a
         specific source DC use /ReplSource:<DC>.
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... SERVER-AC2012 failed test DFSREvent
         ** Did not run Outbound Secure Channels test because /testdomain: was not entered
         [Replications Check,SERVER-AC2012] A recent replication attempt failed:
            From SERVER2016DC2 to SERVER-AC2012
            Naming Context: DC=ForestDnsZones,DC=khayam,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2022-08-08 22:32:17.
            The last success occurred at 2020-06-11 08:19:29.
            19092 failures have occurred since the last success.
         [Replications Check,SERVER-AC2012] A recent replication attempt failed:
            From SERVER2016DC2 to SERVER-AC2012
            Naming Context: DC=DomainDnsZones,DC=khayam,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2022-08-08 22:32:17.
            The last success occurred at 2020-06-11 08:19:29.
            19092 failures have occurred since the last success.
         [Replications Check,SERVER-AC2012] A recent replication attempt failed:
            From SERVER2016DC2 to SERVER-AC2012
            Naming Context: CN=Schema,CN=Configuration,DC=khayam,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2022-08-08 22:32:17.
            The last success occurred at 2020-06-11 08:19:29.
            19091 failures have occurred since the last success.
         [Replications Check,SERVER-AC2012] A recent replication attempt failed:
            From SERVER2016DC2 to SERVER-AC2012
            Naming Context: CN=Configuration,DC=khayam,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2022-08-08 22:32:17.
            The last success occurred at 2020-06-11 08:19:29.
            19092 failures have occurred since the last success.
         [Replications Check,SERVER-AC2012] A recent replication attempt failed:
            From SERVER2016DC2 to SERVER-AC2012
            Naming Context: DC=khayam,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2022-08-08 22:32:17.
            The last success occurred at 2020-06-11 08:31:02.
            19089 failures have occurred since the last success.
         ......................... SERVER-AC2012 failed test Replications
            Invalid service startup type: NETLOGON on SERVER-AC2012, current value DEMAND_START, expected value
            AUTO_START
            NETLOGON Service is stopped on [SERVER-AC2012]
         ......................... SERVER-AC2012 failed test Services
         An error event occurred.  EventID: 0xC00038D4
            Time Generated: 08/08/2022   22:02:53
            Event String:
            The DFS Namespace service could not initialize the trusted domain information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
         An error event occurred.  EventID: 0x40000005
            Time Generated: 08/08/2022   22:03:59
            Event String:
            The Kerberos client received a KRB_AP_ERR_TKT_NYV error from the server server2019dc2$. This indicates that the ticket presented to that server is not yet valid (due to a discrepancy between ticket and server time. Contact your system administrator to make sure the client and server times are synchronized, and that the time for the Key Distribution Center Service (KDC) in realm KHAYAM.LOCAL is synchronized with the KDC in the client realm.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 08/08/2022   22:16:55
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/c54ec21c-e264-4cb0-a5ca-4f370c223d22/khayam.local@khayam.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 08/08/2022   22:22:30
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was KHAYAM\SERVER2016DC2$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 08/08/2022   22:30:50
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was ldap/server2016dc2.khayam.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 08/08/2022   22:30:50
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was LDAP/c54ec21c-e264-4cb0-a5ca-4f370c223d22._msdcs.khayam.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 08/08/2022   22:30:52
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was cifs/SERVER2016DC2. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 08/08/2022   22:30:52
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2019dc2$. The target name used was RPCSS/server2016dc2.khayam.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (KHAYAM.LOCAL) is different from the client domain (KHAYAM.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x0000272C
            Time Generated: 08/08/2022   22:30:52
            Event String:
            DCOM was unable to communicate with the computer server2016dc2.khayam.local using any of the configured protocols; requested by PID     26c4 (C:\WINDOWS\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
         An error event occurred.  EventID: 0x0000272C
            Time Generated: 08/08/2022   22:30:52
            Event String:
            DCOM was unable to communicate with the computer server2019dc2.khayam.local using any of the configured protocols; requested by PID     26c4 (C:\WINDOWS\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
         An error event occurred.  EventID: 0x0000272C
            Time Generated: 08/08/2022   22:31:14
            Event String:
            DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID     26c4 (C:\WINDOWS\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
         An error event occurred.  EventID: 0x0000272C
            Time Generated: 08/08/2022   22:32:17
            Event String:
            DCOM was unable to communicate with the computer server2019dc2.khayam.local using any of the configured protocols; requested by PID     17cc (C:\WINDOWS\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
         An error event occurred.  EventID: 0x0000272C
            Time Generated: 08/08/2022   22:32:17
            Event String:
            DCOM was unable to communicate with the computer server2016dc2.khayam.local using any of the configured protocols; requested by PID     17cc (C:\WINDOWS\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
         ......................... SERVER-AC2012 failed test SystemLog
                           ......................... SERVER2019DC2 failed test DNS
                  ......................... SERVER2016DC2 failed test DNS
         Invalid service startup type: NETLOGON on SERVER-AC2012, current value DEMAND_START, expected value AUTO_START
         NETLOGON Service is stopped on [SERVER-AC2012]
         Test results for domain controllers:

            DC: SERVER-AC2012.khayam.local
            Domain: khayam.local

               TEST: Basic (Basc)
                  Error: NETLOGON service is not running

            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network adapters

            DC: server2016dc2.khayam.local
            Domain: khayam.local

               TEST: Authentication (Auth)
                  Error: Authentication failed with specified credentials

               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Error: No WMI connectivity
                  No host records (A or AAAA) were found for this DC

            DC: server2019dc2.khayam.local
            Domain: khayam.local

               TEST: Authentication (Auth)
                  Error: Authentication failed with specified credentials

               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Error: No WMI connectivity
                  No host records (A or AAAA) were found for this DC

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: khayam.local
               SERVER-AC2012                PASS FAIL PASS PASS PASS FAIL n/a
               server2016dc2                FAIL FAIL n/a  n/a  n/a  n/a  n/a
               server2019dc2                FAIL FAIL n/a  n/a  n/a  n/a  n/a

         ......................... khayam.local failed test DNS
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... khayam.local failed test LocatorCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... khayam.local failed test FsmoCheck

سلام ، لطفا خروجی دستور زیر رو ارسال کنید و بفرمایید که چند تا دامین کنترلر توی دامین تون دارید و سیستم عامل هاشون چی هست.

DCDIAG /c /v /e /q

دستور بالا فقط ارور ها رو نشون میده و تست هاش رو روی همه DC های اجرا می کنه و یه خروجی تمیز نشون میده. لطفا خروجی رو در قالب کد (پاراگراف -> بلوک ها -> کد) ارسال کنید تا خوندنش راحت تر هست. ممنونم

خروجی DCDIAG داره نشون میده که چند تا دامین کنترلر دارید (داشتید) ولی شما میگید که یدونه دامین کنترلر دارم - این میتونه به این معنی باشه که (البته خروجی DCDIAG هم اینو گواهی میده) اون دامین کنترلر ها از مدار خارج شدن اما نه بصورت درست. کاری که باید انجام بدید اینه که Metadata های باقی مونده از سایر دامین کنترلر ها رو از روی دامین کنترلری که روش DCDIAG رو اجرا کردید پاک کنید. لینک زیر رو ببینید :

https://servergurunow.wordpress.com/2017/08/08/metadata-cleanup-of-a-domain-controller-2

پیشنهاد می کنم از تو کنسول ADSI Edit هم object های مربوط به DC های قدیمی رو پاک کنید.

پ.ن : من گفتم خروجی DCDIAG رو در قالب کد (پاراگراف -> بلوک ها -> کد) ارسال کنید ولی این کار رو انجام ندادید.

سیستم عامل server2019

فقط یک عدد دومین کنترلر داره