I ran into a problem with our Exchange 2010 server installation: client access authentication does not work unless the server is configured as a domain controller with a global catalogue.
I went into production with this because of a lack of time, but I really need to fix it now. I have no idea what the problem could be or how to identify it.
My question(s):
What could have caused this problem? How could I check and repair it?
I really don't know what information would be relevant to the problem, but:
The server OS is Win 2008 R2, and all DCs are the same. The Exchange server has the CAS, Hub Transport and Mailbox Server roles. External mail is accepted by another Exchange 2010 server running the Edge role in the DMZ. (This works fine, and the edge server is not a domain controller ... obviously ;))
Please let me know what additional information could be added to improve this question. I will add it as soon as I can.
This is a follow-up question to this one.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine DC2, is a Directory Server.
Home Server = DC2
* Connecting to directory service on server DC2.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=DC3,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=MX1,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Advertising
The DC DC2 is advertising itself as a DC and having a DS.
The DC DC2 is advertising as an LDAP server
The DC DC2 is advertising as having a writeable directory
The DC DC2 is advertising as a Key Distribution Center
The DC DC2 is advertising as a time server
The DS DC2 is advertising as a GC.
......................... DC2 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... DC2 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... DC2 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC2 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... DC2 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Domain Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role PDC Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Rid Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
......................... DC2 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC DC2 on DC DC2.
* SPN found :LDAP/DC2.corp.domain/corp.domain
* SPN found :LDAP/DC2.corp.domain
* SPN found :LDAP/DC2
* SPN found :LDAP/DC2.corp.domain/corpdomain
* SPN found :LDAP/ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ef6459ec-28d5-4ab4-85bc-778547782ce7/corp.domain
* SPN found :HOST/DC2.corp.domain/corp.domain
* SPN found :HOST/DC2.corp.domain
* SPN found :HOST/DC2
* SPN found :HOST/DC2.corp.domain/corpdomain
* SPN found :GC/DC2.corp.domain/corp.domain
......................... DC2 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC2.
* Security Permissions Check for
DC=ForestDnsZones,DC=corp,DC=domain
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=corp,DC=domain
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=corp,DC=domain
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=corp,DC=domain
(Configuration,Version 3)
* Security Permissions Check for
DC=corp,DC=domain
(Domain,Version 3)
......................... DC2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC2\netlogon
Verified share \\DC2\sysvol
......................... DC2 passed test NetLogons
Starting test: ObjectsReplicated
DC2 is in domain DC=corp,DC=domain
Checking for CN=DC2,OU=Domain Controllers,DC=corp,DC=domain in domain DC=corp,DC=domain on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain in domain CN=Configuration,DC=corp,DC=domain on 1 servers
Object is up-to-date on all servers.
......................... DC2 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... DC2 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 3102 to 1073741823
* DC2.corp.domain is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1602 to 2101
* rIDPreviousAllocationPool is 1602 to 2101
* rIDNextRID: 1818
......................... DC2 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC2 passed test Services
Starting test: SystemLog
* The System Event log test
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:15:51
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:15:51.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$@CORP.domain
Target Name: dc2$@CORP.domain@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:30:51
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:30:51.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$@CORP.domain
Target Name: dc2$@CORP.domain@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:45:52
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:45:52.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$@CORP.domain
Target Name: dc2$@CORP.domain@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:53:46
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:53:46.0000 3/19/2013 Z
Error Code: 0x29 KRB_AP_ERR_MODIFIED
Extended Error:
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$
Target Name:
Error Text:
File: 3
Line: 576
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 14:00:52
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 4:0:52.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$@CORP.domain
Target Name: dc2$@CORP.domain@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
......................... DC2 failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DC2,OU=Domain Controllers,DC=corp,DC=domain and
backlink on
CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
are correct.
The system object reference (serverReferenceBL)
CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain
and backlink on
CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain
and backlink on
CN=DC2,OU=Domain Controllers,DC=corp,DC=domain are
correct.
......................... DC2 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : corp
Starting test: CheckSDRefDom
......................... corp passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... corp passed test CrossRefValidation
Running enterprise tests on : corp.domain
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
PDC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
Time Server Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
Preferred Time Server Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
KDC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
......................... corp.domain passed test
LocatorCheck
Starting test: Intersite
Skipping site Brisbane, this site is outside the scope provided by the
command line arguments provided.
......................... corp.domain passed test Intersite
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Topology
......................... DC2 passed test Topology
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : corp
Running enterprise tests on : corp.domain
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Replications
......................... DC2 passed test Replications
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : corp
Running enterprise tests on : corp.domain
DNSLint Report
System Date: Tue Mar 19 14:43:20 2013
Command run:
c:\dnslint\dnslint /ad 10.1.1.21 /s 10.1.1.21
Root of Active Directory Forest:
corp.domain
Active Directory Forest Replication GUIDs Found:
DC: DC2
GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7
DC: DC3
GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
DC: MX1
GUID: 579be28b-006e-4f1c-911a-780458c5d081
Total GUIDs found: 3
--------------------------------------------------------------------------------
The following 2 DNS servers were checked for records related to AD forest replication:
DNS server: dc2.corp.domain
IP Address: 10.1.1.21
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dc2.corp.domain
Hostmaster: hostmaster.corp.domain
Zone serial number: 150
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
dc2.corp.domain Unknown
dc3.corp.domain Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
Alias: dc2.corp.domain
Glue: 10.1.1.21
CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
Alias: dc3.corp.domain
Glue: 10.1.1.22
CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
Alias: mx1.corp.domain
Glue: 10.1.1.25
Total number of CNAME records found on this server: 3
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0
--------------------------------------------------------------------------------
DNS server: dc3.corp.domain
IP Address: 10.1.1.22
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dc3.corp.domain
Hostmaster: hostmaster.corp.domain
Zone serial number: 150
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
dc2.corp.domain Unknown
dc3.corp.domain Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
Alias: dc2.corp.domain
Glue: 10.1.1.21
CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
Alias: dc3.corp.domain
Glue: 10.1.1.22
CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
Alias: mx1.corp.domain
Glue: 10.1.1.25
Total number of CNAME records found on this server: 3
Total number of CNAME records missing on this server: 0
Zone query result:
Zone info:
ptr = 0000000000197AB0
zone name = corp.domain
zone type = 1
shutdown = 0
paused = 0
update = 2
DS integrated = 1
read only zone = 0
in DS loading queue = 0
currently DS loading = 0
data file = (null)
using WINS = 0
using Nbstat = 0
aging = 0
refresh interval = 168
no refresh = 168
scavenge available = 0
Zone Masters NULL IP Array.
Zone Secondaries NULL IP Array.
secure secs = 1
directory partition = AD-Domain flags 00000015
zone DN = DC=corp.domain,cn=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=domain
Command completed successfully.
Repadmin: running command /showrepl against full DC localhost
Brisbane\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7
DSA invocationID: d2eb9fee-f5ee-458d-b37f-813d6cc41d9b
==== INBOUND NEIGHBORS ======================================
DC=corp,DC=domain
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:58:35 was successful.
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:59:08 was successful.
CN=Configuration,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:55:31 was successful.
CN=Schema,CN=Configuration,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:55:31 was successful.
DC=DomainDnsZones,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
DC=ForestDnsZones,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
Replication Summary Start Time: 2013-03-19 14:59:31
Beginning data collection for replication summary, this may take awhile:
......
Source DSA largest delta fails/total %% error
DC2 12m:51s 0 / 8 0
DC3 12m:51s 0 / 8 0
MX1 11m:11s 0 / 6 0
Destination DSA largest delta fails/total %% error
DC2 04m:00s 0 / 8 0
DC3 11m:11s 0 / 8 0
MX1 12m:51s 0 / 6 0
Repadmin: running command /kcc against full DC localhost
Brisbane
Current Site Options: (none)
Consistency check on localhost successful.
Schema master DC2.corp.domain
Domain naming master DC2.corp.domain
PDC DC2.corp.domain
RID pool manager DC2.corp.domain
Infrastructure master DC2.corp.domain
The command completed successfully.
Exchange 2010 servers require a domain controller with a GC in the same site.
It is also not recommended to run Exchange on a domain controller. And you definitely cannot promote an Exchange server to a domain controller.
Judging by your description, you have broken at least two of these rules, if not all three.
Solution suggested by Ashdrewness
Running dcpromo on a server after Exchange has been installed is not supported. An in-place upgrade from std to ent with Exchange installed is also not supported. You need to remove Exchange or perform an Exchange disaster recovery installation (setup.com /recoveryserver).
From http://technet.microsoft.com/en-us/library/aa996719(v=exchg.141).aspx
Installing Exchange 2010 on directory servers
For security and performance reasons, we recommend that you install Exchange 2010 only on member servers and not on Active Directory directory servers. However, you cannot run DCPromo on a computer running Exchange 2010. After Exchange 2010 is installed, changing its role from a member server to a directory server, or vice versa, is not supported.
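As an added check (not part of the question or the answer above): a PowerShell script that reports the server's own domain role (the answer says Exchange on a DC is unsupported) and whether the server's AD site contains a global catalog (the requirement the answer states). It assumes the server is domain-joined and that nltest is available, as it is on Windows Server 2008 R2; the variable names are my own.

```powershell
# Added example: verify the two conditions the answer describes.
#  1. Is this server itself a domain controller?
#  2. Does the AD site this server sits in have at least one global catalog?
# Uses only the .NET System.DirectoryServices.ActiveDirectory classes, so no
# ActiveDirectory or Exchange modules are needed. Run as a domain user.
Add-Type -AssemblyName System.DirectoryServices

# Win32_ComputerSystem.DomainRole: 3 = member server, 4/5 = domain controller
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Warning "This server is a domain controller (DomainRole=$role); Exchange 2010 on a DC is unsupported."
} else {
    "Domain role   : member server (DomainRole=$role)"
}

# Site the local computer belongs to, as resolved by the DC locator (subnet -> site)
$site   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# All GCs in the forest; GlobalCatalog inherits Name and SiteName from DomainController
$gcs      = @($forest.FindAllGlobalCatalogs())
$localGcs = @($gcs | Where-Object { $_.SiteName -eq $site.Name })

"Computer site : $($site.Name)"
"GCs in forest : $(($gcs | ForEach-Object { $_.Name }) -join ', ')"

if ($localGcs.Count -eq 0) {
    Write-Warning "No global catalog in site '$($site.Name)'; Exchange 2010 CAS/Mailbox roles expect one in the same site."
} else {
    "GCs in site   : $(($localGcs | ForEach-Object { $_.Name }) -join ', ')"
}

# Cross-check with the DC locator the way clients (and Exchange) find a GC.
$fqdn = $forest.Name
nltest "/dsgetdc:$fqdn" /GC
```

If the nltest call returns a GC outside the site, or fails, the site/subnet mapping is the first thing to inspect, since that is what Exchange's DS access uses to pick its directory servers.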