Active Directory Domain Controller could not be contacted
I am setting up an AD/DNS server for development purposes, but I cannot connect to it from any client. The server is Windows Server 2019 installed in a public cloud environment, set up following this virtualgyanis guide. The clients are Windows 10 boxes on our internal LAN.
The setup went smoothly, but I cannot get the clients to connect to the DC. Any advice would be greatly appreciated.
In Windows 10, when trying to join the domain, I get the message "An Active Directory Domain Controller (AD DC) for the domain "simon.adtest" could not be contacted", with more information:
The query was for the SRV record for _ldap._tcp.dc._msdcs.simon.adtest
The following domain controllers were identified by the query:
simondc2019.simon.adtest
However no domain controllers could be contacted.
It should be noted that, for troubleshooting, the firewalls are turned off on both the server and the client side. It should also be noted that this is not a production system, and I do not normally advocate lowering firewalls.
Here is ipconfig /all from the client:
Windows IP Configuration
Host Name . . . . . . . . . . . . : SIMONMCALOO9364
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2
Physical Address. . . . . . . . . : 00-0C-29-4A-58-02
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.120(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 30 September 2021 12:05:31 pm
Lease Expires . . . . . . . . . . : 6 November 2157 9:03:20 pm
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 45.76.xx.xx (correct address of AD/DNS server confirmed)
NetBIOS over Tcpip. . . . . . . . : Enabled
I can ping the AD (simon.adtest) and the server (SimonDC2019.simon.adtest):
Reply from 45.76.xx.xx: bytes=32 time=17ms TTL=116
Reply from 45.76.xx.xx: bytes=32 time=16ms TTL=116
Reply from 45.76.xx.xx: bytes=32 time=16ms TTL=116
Reply from 45.76.xx.xx: bytes=32 time=16ms TTL=116
Ping statistics for 45.76.xx.xx:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 16ms, Maximum = 17ms, Average = 16ms
nslookup correctly resolves the forward and reverse lookup zones:
Server: SimonDC2019.SIMON.adtest
Address: 45.76.xx.xx
Name: simon.adtest
Address: 45.76.xx.xx
C:\Users\simon>nslookup 45.76.xx.xx
Server: SimonDC2019.SIMON.adtest
Address: 45.76.xx.xx
Name: SimonDC2019.SIMON.adtest
Address: 45.76.xx.xx
C:\Users\simon>nslookup SimonDC2019.SIMON.adtest
Server: SimonDC2019.SIMON.adtest
Address: 45.76.xx.xx
Name: SimonDC2019.SIMON.adtest
Address: 45.76.xx.xx
While trying to troubleshoot, I ran dcdiag on both the server and the client. The server passed all tests, with the sole exception of:
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
......................... SIMONEVERYWHERE failed test DFSREvent
A different story on the client; the output follows:
Performing initial setup:
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SIMON
Starting test: Connectivity
......................... SIMON passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SIMON
Starting test: Advertising
Fatal Error:DsGetDcName (SIMON) call failed, error 1722
The Locator could not find the server.
......................... SIMON failed test Advertising
Starting test: FrsEvent
......................... SIMON passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
......................... SIMON failed test DFSREvent
Starting test: SysVolCheck
[SIMON] An net use or LsaPolicy operation failed with error 2,
The system cannot find the file specified..
The SysVol is not ready. This can cause the DC to not advertise itself as a DC for netlogon after dcpromo.
Also trouble with FRS SysVol replication can cause Group Policy problems. Check the FRS event log on this DC.
......................... SIMON failed test SysVolCheck
Starting test: KccEvent
......................... SIMON passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... SIMON passed test KnowsOfRoleHolders
Starting test: MachineAccount
Could not open pipe with [SIMON]:failed with 2: The system cannot find the file specified.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
......................... SIMON passed test MachineAccount
Starting test: NCSecDesc
......................... SIMON passed test NCSecDesc
Starting test: NetLogons
[SIMON] An net use or LsaPolicy operation failed with error 2,
The system cannot find the file specified..
......................... SIMON failed test NetLogons
Starting test: ObjectsReplicated
......................... SIMON passed test ObjectsReplicated
Starting test: Replications
......................... SIMON passed test Replications
Starting test: RidManager
......................... SIMON passed test RidManager
Starting test: Services
......................... SIMON passed test Services
Starting test: SystemLog
......................... SIMON passed test SystemLog
Starting test: VerifyReferences
......................... SIMON passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : SIMON
Starting test: CheckSDRefDom
......................... SIMON passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... SIMON passed test CrossRefValidation
Running enterprise tests on : SIMON.adtest
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1722
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1722
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722
A KDC could not be located - All the KDCs are down.
......................... SIMON.adtest failed test LocatorCheck
Starting test: Intersite
......................... SIMON.adtest passed test Intersite
Error 1722 seems vague since it is a general RPC failure. I googled around and found many posts that for some reason do not apply to our setup, so I am completely stuck.
• Check the registry on the domain controller: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters\SysVol\DomainName". This key should not exist if SYSVOL replication is proceeding correctly on the domain controller and the sysvol directory has been published correctly. Also, if this key does not exist, it means that all potential source domain controllers in the domain should themselves be sharing the NETLOGON and SYSVOL shares and applying the Default Domain and Domain Controllers policies.
• Check for event 1704 in the application log on the domain controller, since the "Enterprise Domain Controllers" group should have the "Access this computer from the network" right assigned in the Default Domain Controllers Policy.
• Also, check CN='Domain System Volume', CN=File Replication Service, CN=System, CN= and run the command 'NTFRSUTL DS [DCNAME]' on the domain controller. The output shows that the domain controller object mentioned appears in "CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,CN=%DCNAME%,OU=Domain Controllers,DC=". This mainly addresses the SYSVOL share not publishing and communicating with the client network.
• Check the DFS replication state on the DCs in the domain by running the following command:-
'For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i"
/namespace:\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE
replicatedfoldername='SYSVOL share' get
replicationgroupname,replicatedfoldername,state '
It will report the state of the SYSVOL share and the DFS service. Also check the event log for event ID 2213 for the DFS Replication service state.
Please refer to the following links for more information:-
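Added example (not from the question, the answer or the guide it cites): a PowerShell checklist that walks through the same chain the dcdiag output and the answer describe, from the client side: the SRV lookup the join wizard performs, the TCP ports the DC locator and domain join need beyond ICMP and DNS, and the SYSVOL/NETLOGON shares that the SysVolCheck and NetLogons tests rely on. The domain name is taken from the question; Resolve-DnsName and Test-NetConnection are assumed to be available (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added example, not code from the question or the answer.
# Assumption: the domain name from the question; adjust for your environment.
$Domain = 'simon.adtest'

# 1. Repeat what the domain-join wizard does: locate DCs via the _ldap._tcp.dc._msdcs SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
"Domain controllers advertised in DNS: $($dcs -join ', ')"

# 2. A working ping and UDP/53 prove nothing about RPC. DC location and domain join also need
#    the TCP ports below; a cloud provider's network policy or an ISP dropping 135/445 towards a
#    public address is a classic source of error 1722 (RPC server unavailable) and of the
#    "net use ... error 2" seen in the dcdiag output. RPC also uses dynamic high ports
#    (49152-65535 by default), which a fixed list cannot probe; check those on the provider side.
$ports = [ordered]@{
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON, net use, LsaPolicy)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}
foreach ($dc in $dcs) {
    foreach ($p in $ports.Keys) {
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-32} {1,5} {2,-45} {3}' -f $dc, $p, $ports[$p], $state
    }
    # 3. The SysVolCheck and NetLogons failures correspond to these two shares being unreachable;
    #    the locator only advertises a DC once SYSVOL and NETLOGON are shared and reachable.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $ok = Test-Path "\\$dc\$share"
        $state = if ($ok) { 'reachable' } else { 'NOT reachable' }
        '{0,-32} share {1,-9} {2}' -f $dc, $share, $state
    }
}
# The ports probed above are the ones a DC should never expose to the Internet; the usual fix is
# to reach a cloud-hosted DC over a VPN or private link rather than to open them on a public IP.
```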