Problem with domain GPOs being applied
Hello to all dear friends and colleagues,
Before the holidays one of our colleagues enabled DNSSEC on the DNS server, and because they did not know how to implement it and went ahead by trial and error, the result was that all of our clients' communication with the Active Directory and DNS server broke and we had to re-join every system. After that incident we noticed that policy application was also broken: sometimes the old policies are applied to the systems and sometimes the newest policies are applied. We have tried every method for removing the local and cached domain policies, but we do not know why, or from where, the old policies are being applied to the systems.
Can any of you guide us on this?
We also have an additional domain controller, and replication appears to be OK. We have also run the commands for testing DNS, but we do not know whether our problem is on the AD/DNS server side or on the client side.
17 replies
Please run DCDIAG /c /v /e /q on the DCs and send the outputs via Dropbox, Google Drive, or similar.
What operating system are the DCs running?
Mr. Karimpour, honestly I did not find the problem. As I explained, all the commands showed that replication with the additional DC was OK, but in practice, when I compared the SYSVOL folders, I saw they were not identical, and this discrepancy caused the additional DC to hand the old policies to the clients and created the problem. I ran every command there was, but in practice the primary server and the additional one would not sync, and the commands reported no error. In the end I had to remove the additional DC, because I did not have more detailed technical knowledge and could not spend the time on it.
Your DCDIAG output is OK. Please also send the output of Repadmin /replsummary.
Hello, any news? Have you made any progress?
Windows Server 2022 Standard
I am checking on one of the systems; I saw the thing I mentioned and will send a screenshot.
One more question: why does the output of the dcdiag command differ each time, with different errors? Is that normal?
What error does it show? Please send only the parts that differ so I can take a look.
I have not tested on a new system yet. I will definitely report the result in this topic, and thank you for following up.
Mr. Karimpour, I had already followed the tutorial you explained in the link below before creating this question. Is it possible that our problem has been solved?
https://tosinso.com/articles/40902/%D8%A2%D9%85%D9%88%D8%B2%D8%B4-%D8%A7%D9%86%D8%AC%D8%A7%D9%85-Non-authoritative-SYSVOL-Restore-%D8%A8%D8%B1-%D9%BE%D8%A7%DB%8C%D9%87-DFSR
Primary server:
Replication Summary Start Time: 2024-05-19 08:38:10
Beginning data collection for replication summary, this may take awhile:
.....
Source DSA largest delta fails/total %% error
SERVER-AD 22m:18s 0 / 5 0
SERVER-DC 11m:57s 0 / 5 0
Destination DSA largest delta fails/total %% error
SERVER-AD 11m:57s 0 / 5 0
SERVER-DC 22m:18s 0 / 5 0
Additional server:
Replication Summary Start Time: 2024-05-19 08:38:59
Beginning data collection for replication summary, this may take awhile:
.....
Source DSA largest delta fails/total %% error
SERVER-AD 23m:07s 0 / 5 0
SERVER-DC 12m:46s 0 / 5 0
Destination DSA largest delta fails/total %% error
SERVER-AD 12m:46s 0 / 5 0
SERVER-DC 23m:07s 0 / 5 0
Hello, what do you mean by old and new policies?
On the primary AD server:
dcdiag /c /v /e /q
[SERVER-AD] No security related replication errors were found on this DC! To target the connection to a specific source DC use
/ReplSource:<DC>.
** Did not run Outbound Secure Channels test because /testdomain: was not entered
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:43
Event String:
DCOM was unable to communicate with the computer 217.218.127.127 using any of the configured protocols; requested by PID 1480 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:47
Event String:
DCOM was unable to communicate with the computer 4.2.2.4 using any of the configured protocols; requested by PID 1480 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:54:05
Event String:
DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols; requested by PID 1480 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:54:09
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID 1480 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
......................... SERVER-AD failed test SystemLog
[SERVER-DC] No security related replication errors were found on this DC! To target the connection to a specific source DC use
/ReplSource:<DC>.
** Did not run Outbound Secure Channels test because /testdomain: was not entered
An error event occurred. EventID: 0x000016C3
Time Generated: 05/18/2024 13:10:09
Event String: The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:16
Event String:
DCOM was unable to communicate with the computer 217.218.127.127 using any of the configured protocols; requested by PID 1688 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:20
Event String:
DCOM was unable to communicate with the computer 4.2.2.4 using any of the configured protocols; requested by PID 1688 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:38
Event String:
DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols; requested by PID 1688 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:42
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID 1688 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 14:06:30
Event String:
DCOM was unable to communicate with the computer 217.218.127.127 using any of the configured protocols; requested by PID 4c6c (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 14:06:30
Event String:
DCOM was unable to communicate with the computer 4.2.2.4 using any of the configured protocols; requested by PID 4c6c (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 14:06:51
Event String:
DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols; requested by PID 4c6c (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 14:06:51
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID 4c6c (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
......................... SERVER-DC failed test SystemLog
On the additional server:
dcdiag /c /v /e /q
[SERVER-AD] No security related replication errors were found on this DC! To target the connection to a
specific source DC use /ReplSource:<DC>.
** Did not run Outbound Secure Channels test because /testdomain: was not entered
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:43
Event String:
DCOM was unable to communicate with the computer 217.218.127.127 using any of the configured protocols; requested by PID 1480 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:47
Event String:
DCOM was unable to communicate with the computer 4.2.2.4 using any of the configured protocols; requested by PID 1480 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:54:05
Event String:
DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols; requested by PID 1480 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:54:09
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID 1480 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
......................... SERVER-AD failed test SystemLog
[SERVER-DC] No security related replication errors were found on this DC! To target the connection to a
specific source DC use /ReplSource:<DC>.
** Did not run Outbound Secure Channels test because /testdomain: was not entered
An error event occurred. EventID: 0x000016C3
Time Generated: 05/18/2024 13:10:09
Event String:
The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:16
Event String:
DCOM was unable to communicate with the computer 217.218.127.127 using any of the configured protocols; requested by PID 1688 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:20
Event String:
DCOM was unable to communicate with the computer 4.2.2.4 using any of the configured protocols; requested by PID 1688 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:38
Event String:
DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols; requested by PID 1688 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 13:53:42
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID 1688 (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 14:06:30
Event String:
DCOM was unable to communicate with the computer 217.218.127.127 using any of the configured protocols; requested by PID 4c6c (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 14:06:30
Event String:
DCOM was unable to communicate with the computer 4.2.2.4 using any of the configured protocols; requested by PID 4c6c (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 14:06:51
Event String:
DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols; requested by PID 4c6c (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
An error event occurred. EventID: 0x0000272C
Time Generated: 05/18/2024 14:06:51
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID 4c6c (C:\Windows\system32\dcdiag.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.
......................... SERVER-DC failed test SystemLog
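Two things stand out in the dcdiag output above. The DCOM errors (EventID 0x272C = 10028) were requested by dcdiag.exe itself, as the PID in each message shows, while it tried to reach the addresses configured as DNS servers on the DC; 217.218.127.127, 4.2.2.4, 8.8.4.4 and 8.8.8.8 are public resolvers, not domain controllers, and a DC's own NIC should point only at DCs, with public resolvers kept in the DNS server's forwarder list. The Netlogon event (0x16C3 = 5827) is logged when a DC refuses a vulnerable Netlogon secure-channel connection from a machine account. The PowerShell below is an added example, not code from the thread: it lists each DC's DNS client addresses and flags any that are not a DC, prints the forwarders, and pulls those two event IDs from the System log. It assumes the RSAT ActiveDirectory module on the admin host and WinRM access to the DCs; the DC names come from Get-ADDomainController, so nothing from the thread is hard-coded.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module
# and PowerShell remoting (WinRM) to each DC. Run from a domain-joined admin host.
Import-Module ActiveDirectory

$dcObjects = Get-ADDomainController -Filter *
$dcs   = $dcObjects | Select-Object -ExpandProperty HostName
$dcIPs = $dcObjects | Select-Object -ExpandProperty IPv4Address

foreach ($dc in $dcs) {
    "==== $dc ===="

    # 1. DNS servers configured on this DC's own adapters. A DC should resolve
    #    through itself and other DCs; anything else is flagged.
    $dnsClient = Invoke-Command -ComputerName $dc -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            ForEach-Object { $_.ServerAddresses }
    }
    foreach ($addr in ($dnsClient | Sort-Object -Unique)) {
        $isDc = ($addr -in $dcIPs) -or ($addr -eq '127.0.0.1')
        "{0,-16} {1}" -f $addr, $(if ($isDc) { 'DC' } else { 'NOT A DC - belongs in forwarders, not on the NIC' })
    }

    # 2. Forwarders of the DNS server role; this is where public resolvers belong.
    $fwd = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
    }
    "Forwarders: $($fwd -join ', ')"

    # 3. The two event IDs seen in the thread's dcdiag SystemLog test:
    #    10028 = DCOM could not reach a configured DNS server
    #    5827  = Netlogon denied a vulnerable secure-channel connection
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'System'; Id = 10028, 5827; StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
    foreach ($e in ($events | Sort-Object TimeCreated -Descending | Select-Object -First 10)) {
        "{0} {1,5} {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0]
    }
}
```

Fixing the NIC DNS entries on the DCs removes the 10028 noise from dcdiag, which makes the SystemLog test useful again for spotting real errors; 5827 entries identify the machine accounts that still attempt insecure Netlogon connections and should be investigated individually.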
I mean that we made a series of changes to the policies; sometimes the newest ones are applied and RSOP shows the newest ones, and sometimes the previous policies.
For example, the WSUS server name used to be srv-wsus and we later changed it in the policies to server-wsus, but sometimes the previous setting is still applied and as a result the clients cannot connect to the WSUS server. Or we enabled the lock screen timeout, but sometimes it is not applied.
Is it possible that, despite replication, the policies have not been replicated?
On the additional server I can see the new policies, but I think SYSVOL has not been updated.
Mr. Karimpour, could you guide me on checking the AD and DNS server, replication and the policies, so that I can be sure about my server?
One more thing: the primary AD's SYSVOL folder had 10 policies in it, but the additional one had 12, and I ran the update following the guidance on the site.
Mr. Karimpour, although everything looked OK on the surface, the additional server had a problem, and every command I ran showed that it was OK; in the end I had to remove the additional DC before the problem went away. We are going to set up a new additional server again.
Thank you for all your complete, comprehensive and useful guidance.
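The symptom described above, repadmin and dcdiag reporting a healthy AD replication while the SYSVOL folders on the two DCs differ (10 policy folders on one, 12 on the other), is exactly what AD-level tools cannot see: GPO objects live in AD, but the policy files live in SYSVOL and are replicated separately by DFSR. The PowerShell below is an added example, not code from the thread or from the linked tutorial. It compares the set of policy folders each DC serves from its SYSVOL share, compares the AD and SYSVOL version numbers of every GPO as seen from each DC, and asks DFSR for the SYSVOL backlog between each pair of DCs. It assumes the RSAT ActiveDirectory and GroupPolicy modules, SMB access to each DC's SYSVOL share, WinRM to the DCs, and dfsrdiag.exe present on the DCs (it ships with the DFS Replication role that a DFSR-based DC has).

```powershell
# Added example (not from the thread). Requires RSAT ActiveDirectory + GroupPolicy
# modules, SMB access to \\<dc>\SYSVOL, and WinRM to each DC (for dfsrdiag).
Import-Module ActiveDirectory, GroupPolicy

$domain = (Get-ADDomain).DNSRoot
$dcs    = (Get-ADDomainController -Filter *).HostName

# --- 1. Which GPO folders does each DC actually serve from SYSVOL? -------------
$folders = @{}
foreach ($dc in $dcs) {
    $folders[$dc] = Get-ChildItem "\\$dc\SYSVOL\$domain\Policies" -Directory |
                    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |   # skip PolicyDefinitions etc.
                    Select-Object -ExpandProperty Name | Sort-Object
}
$allGuids = $folders.Values | ForEach-Object { $_ } | Sort-Object -Unique
foreach ($guid in $allGuids) {
    $missing = $dcs | Where-Object { $folders[$_] -notcontains $guid }
    if ($missing) { "GPO folder $guid is missing on: $($missing -join ', ')" }
}

# --- 2. AD version vs SYSVOL version of every GPO, as seen from each DC ---------
# Get-GPO reports both. A client that reads a GPT.ini whose version is behind
# (or ahead of) the AD object will apply the settings of that file, not of AD.
foreach ($gpo in Get-GPO -All) {
    $cells = foreach ($dc in $dcs) {
        $g = Get-GPO -Guid $gpo.Id -Server $dc -ErrorAction SilentlyContinue
        if ($null -eq $g) { "${dc}: absent"; continue }
        $consistent = ($g.Computer.DSVersion -eq $g.Computer.SysvolVersion) -and
                      ($g.User.DSVersion     -eq $g.User.SysvolVersion)
        "${dc}: AD {0}/{1} SYSVOL {2}/{3} {4}" -f $g.Computer.DSVersion, $g.User.DSVersion,
            $g.Computer.SysvolVersion, $g.User.SysvolVersion, $(if ($consistent) { 'ok' } else { 'MISMATCH' })
    }
    "{0,-40} {1}" -f $gpo.DisplayName, ($cells -join ' | ')
}

# --- 3. Ask DFSR itself whether SYSVOL has a backlog between the DCs ------------
# "Domain System Volume" / "SYSVOL Share" are the fixed names of the SYSVOL
# replication group and replicated folder.
foreach ($src in $dcs) {
    foreach ($dst in ($dcs | Where-Object { $_ -ne $src })) {
        "--- backlog $src -> $dst ---"
        Invoke-Command -ComputerName $src -ScriptBlock {
            param($s, $d)
            dfsrdiag backlog /rgname:"Domain System Volume" /rfname:"SYSVOL Share" /smem:$s /rmem:$d
        } -ArgumentList $src, $dst
    }
}
```

A DC whose folder set or version numbers differ from the others, while repadmin shows zero failures, is the situation the thread describes; the dfsrdiag backlog count then tells you whether DFSR is simply behind (a non-zero backlog) or has stopped replicating SYSVOL altogether (no backlog reported while the content still differs), which is what needs fixing before the new additional DC is promoted.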
No, a Non-Auth restore will not help.
It is very good that you do not have a replication problem.
Look, when you run GPResult on the clients, do you see an error in the "Group Policy was applied from" part of its output? Also check "Last time GP was applied". Actually, just take a screenshot of the output and send it so I can see. Thanks.
I'm glad your problem was resolved, but after all the time I put into your question, didn't you think you should have let me know here what the problem was?
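The two gpresult fields asked about here are the quickest way to tell, from the client side, whether the stale policies come from one particular DC. The PowerShell below is an added example, not code from the thread: it parses "Last time Group Policy was applied", "Group Policy was applied from" and the list of applied GPOs out of gpresult /r, compares the DC that served the last refresh with the DC the client locates right now via nltest, flags a refresh older than the normal background interval, and forces a refresh when either check fails. It assumes English gpresult output (the field names are matched literally) and an elevated PowerShell session on the client; the 120-minute threshold is an assumed value, chosen as the default 90-minute refresh plus its random offset.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on a client.
# Assumes English gpresult output; the field names below are matched literally.

function Get-GpApplyInfo {
    param([ValidateSet('computer', 'user')] [string]$Scope = 'computer')

    $text = (gpresult /r /scope:$Scope 2>&1) -join "`n"

    $lastApplied = [regex]::Match($text, 'Last time Group Policy was applied:\s*(.+)').Groups[1].Value.Trim()
    $appliedFrom = [regex]::Match($text, 'Group Policy was applied from:\s*(.+)').Groups[1].Value.Trim()

    # The block under "Applied Group Policy Objects" runs until the first blank line.
    $block = [regex]::Match($text, '(?s)Applied Group Policy Objects\s*\n\s*-+\s*\n(.*?)(?:\n\s*\n|$)').Groups[1].Value
    $gpos  = $block -split '\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    [pscustomobject]@{
        Scope       = $Scope
        LastApplied = $lastApplied
        AppliedFrom = $appliedFrom
        AppliedGPOs = @($gpos)
    }
}

function Test-GpFreshness {
    param([int]$MaxAgeMinutes = 120)   # assumed: 90 min background refresh + offset

    $info = Get-GpApplyInfo -Scope computer

    # The DC the client locates *now*. If it differs from the DC that served the
    # last refresh, the two DCs may be handing out different SYSVOL content.
    $domain    = (Get-CimInstance Win32_ComputerSystem).Domain
    $dcLine    = (nltest "/dsgetdc:$domain" 2>&1 | Select-String '^\s*DC:').Line
    $currentDc = ($dcLine -replace '^\s*DC:\s*\\\\', '').Trim()

    $parsed = [datetime]::MinValue
    $stale  = $true   # treat an unparseable timestamp as stale
    if ([datetime]::TryParse(($info.LastApplied -replace '\s+at\s+', ' '), [ref]$parsed)) {
        $stale = ((Get-Date) - $parsed).TotalMinutes -gt $MaxAgeMinutes
    }

    [pscustomobject]@{
        LastApplied   = $info.LastApplied
        AppliedFromDc = $info.AppliedFrom
        CurrentDc     = $currentDc
        SameDc        = ($info.AppliedFrom -ieq $currentDc)
        Stale         = $stale
        AppliedGPOs   = $info.AppliedGPOs
    }
}

$result = Test-GpFreshness
$result | Format-List
if ($result.Stale -or -not $result.SameDc) {
    # Force a refresh and look again; then compare AppliedGPOs with what you expect.
    gpupdate /target:computer /force | Out-Null
    Test-GpFreshness | Format-List
}
```

Run it on a client that shows the old WSUS server name, then on one that shows the new one: if the AppliedFromDc values differ between the two, the client-side view already points at the DC whose SYSVOL is out of date.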