We ran into a problem when installing our Exchange 2010 server where client access authentication does not work unless the server is configured as a domain controller with global catalogue.
I went to production with this because of time constraints, but I really need to fix it now. I have no idea where the problem could be or how to identify it.
My question(s) is (are):
What could cause this issue? How could I test it and repair it?
I really don't know what information would be relevant to the problem, but the server OS is Win 2008 R2 and all DCs are the same. The Exchange server has the CAS, Hub Transport and Mailbox Server roles.
External mail is received by another Exchange 2010 server running the Edge role in the DMZ. (This works fine and the edge server is not a DC ... obviously ;))
Please let me know what additional information could be added to improve this question. I will add it as soon as I can.
This is a follow-up to this question.
dcdiag /v
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine DC2, is a Directory Server.
Home Server = DC2
* Connecting to directory service on server DC2.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=corp,DC=domain,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=DC3,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=MX1,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Advertising
The DC DC2 is advertising itself as a DC and having a DS.
The DC DC2 is advertising as an LDAP server
The DC DC2 is advertising as having a writeable directory
The DC DC2 is advertising as a Key Distribution Center
The DC DC2 is advertising as a time server
The DS DC2 is advertising as a GC.
......................... DC2 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... DC2 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... DC2 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC2 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... DC2 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Domain Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role PDC Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Rid Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
......................... DC2 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC DC2 on DC DC2.
* SPN found :LDAP/DC2.corp.domain/corp.domain
* SPN found :LDAP/DC2.corp.domain
* SPN found :LDAP/DC2
* SPN found :LDAP/DC2.corp.domain/corpdomain
* SPN found :LDAP/ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ef6459ec-28d5-4ab4-85bc-778547782ce7/corp.domain
* SPN found :HOST/DC2.corp.domain/corp.domain
* SPN found :HOST/DC2.corp.domain
* SPN found :HOST/DC2
* SPN found :HOST/DC2.corp.domain/corpdomain
* SPN found :GC/DC2.corp.domain/corp.domain
......................... DC2 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC2.
* Security Permissions Check for
DC=ForestDnsZones,DC=corp,DC=domain
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=corp,DC=domain
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=corp,DC=domain
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=corp,DC=domain
(Configuration,Version 3)
* Security Permissions Check for
DC=corp,DC=domain
(Domain,Version 3)
......................... DC2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC2\netlogon
Verified share \\DC2\sysvol
......................... DC2 passed test NetLogons
Starting test: ObjectsReplicated
DC2 is in domain DC=corp,DC=domain
Checking for CN=DC2,OU=Domain Controllers,DC=corp,DC=domain in domain DC=corp,DC=domain on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain in domain CN=Configuration,DC=corp,DC=domain on 1 servers
Object is up-to-date on all servers.
......................... DC2 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=corp,DC=domain
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... DC2 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 3102 to 1073741823
* DC2.corp.domain is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1602 to 2101
* rIDPreviousAllocationPool is 1602 to 2101
* rIDNextRID: 1818
......................... DC2 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC2 passed test Services
Starting test: SystemLog
* The System Event log test
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:15:51
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:15:51.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: [email protected]
Target Name: [email protected]@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:30:51
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:30:51.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: [email protected]
Target Name: [email protected]@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:45:52
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:45:52.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: [email protected]
Target Name: [email protected]@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:53:46
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:53:46.0000 3/19/2013 Z
Error Code: 0x29 KRB_AP_ERR_MODIFIED
Extended Error:
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: dc2$
Target Name:
Error Text:
File: 3
Line: 576
Error Data is in record data.
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 14:00:52
Event String:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 4:0:52.0000 3/19/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CORP.domain
Server Name: [email protected]
Target Name: [email protected]@CORP.domain
Error Text:
File: 9
Line: f09
Error Data is in record data.
......................... DC2 failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DC2,OU=Domain Controllers,DC=corp,DC=domain and
backlink on
CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
are correct.
The system object reference (serverReferenceBL)
CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain
and backlink on
CN=NTDS Settings,CN=DC2,CN=Servers,CN=Brisbane,CN=Sites,CN=Configuration,DC=corp,DC=domain
are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=corp,DC=domain
and backlink on
CN=DC2,OU=Domain Controllers,DC=corp,DC=domain are
correct.
......................... DC2 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : corp
Starting test: CheckSDRefDom
......................... corp passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... corp passed test CrossRefValidation
Running enterprise tests on : corp.domain
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
PDC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
Time Server Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
Preferred Time Server Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
KDC Name: \\DC2.corp.domain
Locator Flags: 0xe00031fd
......................... corp.domain passed test
LocatorCheck
Starting test: Intersite
Skipping site Brisbane, this site is outside the scope provided by the
command line arguments provided.
......................... corp.domain passed test Intersite
dcdiag /test:topology
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Topology
......................... DC2 passed test Topology
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : corp
Running enterprise tests on : corp.domain
dcdiag /test:replications
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Brisbane\DC2
Starting test: Connectivity
......................... DC2 passed test Connectivity
Doing primary tests
Testing server: Brisbane\DC2
Starting test: Replications
......................... DC2 passed test Replications
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : corp
Running enterprise tests on : corp.domain
dnslint /ad 10.1.1.21 /s 10.1.1.21
DNSLint Report
System Date: Tue Mar 19 14:43:20 2013
Command run:
c:\dnslint\dnslint /ad 10.1.1.21 /s 10.1.1.21
Root of Active Directory Forest:
corp.domain
Active Directory Forest Replication GUIDs Found:
DC: DC2
GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7
DC: DC3
GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
DC: MX1
GUID: 579be28b-006e-4f1c-911a-780458c5d081
Total GUIDs found: 3
--------------------------------------------------------------------------------
The following 2 DNS servers were checked for records related to AD forest replication:
DNS server: dc2.corp.domain
IP Address: 10.1.1.21
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dc2.corp.domain
Hostmaster: hostmaster.corp.domain
Zone serial number: 150
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
dc2.corp.domain Unknown
dc3.corp.domain Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
Alias: dc2.corp.domain
Glue: 10.1.1.21
CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
Alias: dc3.corp.domain
Glue: 10.1.1.22
CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
Alias: mx1.corp.domain
Glue: 10.1.1.25
Total number of CNAME records found on this server: 3
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0
--------------------------------------------------------------------------------
DNS server: dc3.corp.domain
IP Address: 10.1.1.22
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dc3.corp.domain
Hostmaster: hostmaster.corp.domain
Zone serial number: 150
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
dc2.corp.domain Unknown
dc3.corp.domain Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: ef6459ec-28d5-4ab4-85bc-778547782ce7._msdcs.corp.domain
Alias: dc2.corp.domain
Glue: 10.1.1.21
CNAME: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346._msdcs.corp.domain
Alias: dc3.corp.domain
Glue: 10.1.1.22
CNAME: 579be28b-006e-4f1c-911a-780458c5d081._msdcs.corp.domain
Alias: mx1.corp.domain
Glue: 10.1.1.25
Total number of CNAME records found on this server: 3
Total number of CNAME records missing on this server: 0
dnscmd /zoneinfo corp.domain
Zone query result:
Zone info:
ptr = 0000000000197AB0
zone name = corp.domain
zone type = 1
shutdown = 0
paused = 0
update = 2
DS integrated = 1
read only zone = 0
in DS loading queue = 0
currently DS loading = 0
data file = (null)
using WINS = 0
using Nbstat = 0
aging = 0
refresh interval = 168
no refresh = 168
scavenge available = 0
Zone Masters NULL IP Array.
Zone Secondaries NULL IP Array.
secure secs = 1
directory partition = AD-Domain flags 00000015
zone DN = DC=corp.domain,cn=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=domain
Command completed successfully.
repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Brisbane\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: ef6459ec-28d5-4ab4-85bc-778547782ce7
DSA invocationID: d2eb9fee-f5ee-458d-b37f-813d6cc41d9b
==== INBOUND NEIGHBORS ======================================
DC=corp,DC=domain
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:58:35 was successful.
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:59:08 was successful.
CN=Configuration,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:55:31 was successful.
CN=Schema,CN=Configuration,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
Brisbane\MX1 via RPC
DSA object GUID: 579be28b-006e-4f1c-911a-780458c5d081
Last attempt @ 2013-03-19 14:55:31 was successful.
DC=DomainDnsZones,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
DC=ForestDnsZones,DC=corp,DC=domain
Brisbane\DC3 via RPC
DSA object GUID: 232f1e47-aa8e-44ae-8a19-6e1e5ecd6346
Last attempt @ 2013-03-19 14:55:31 was successful.
repadmin /replsummary
Replication Summary Start Time: 2013-03-19 14:59:31
Beginning data collection for replication summary, this may take awhile:
......
Source DSA largest delta fails/total %% error
DC2 12m:51s 0 / 8 0
DC3 12m:51s 0 / 8 0
MX1 11m:11s 0 / 6 0
Destination DSA largest delta fails/total %% error
DC2 04m:00s 0 / 8 0
DC3 11m:11s 0 / 8 0
MX1 12m:51s 0 / 6 0
repadmin /kcc
Repadmin: running command /kcc against full DC localhost
Brisbane
Current Site Options: (none)
Consistency check on localhost successful.
Netdom -query fsmo
Schema master DC2.corp.domain
Domain naming master DC2.corp.domain
PDC DC2.corp.domain
RID pool manager DC2.corp.domain
Infrastructure master DC2.corp.domain
The command completed successfully.
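
Added example (not part of the original post): a short Python triage over saved dcdiag /v output that lists the failed and omitted tests and groups the logged Kerberos events by error code. The sample text is a constructed excerpt in the format of the output above, with "(redacted)" standing in for the obscured server name; the function names are hypothetical.

```python
import re

# Constructed sample in the format of the dcdiag /v output shown above.
SAMPLE = """\
Starting test: Services
......................... DC2 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:15:51
A Kerberos Error Message was received:
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Server Name: (redacted)
An error event occurred. EventID: 0x80000003
Time Generated: 03/19/2013 13:53:46
Error Code: 0x29 KRB_AP_ERR_MODIFIED
Server Name: dc2$
......................... DC2 failed test SystemLog
Test omitted by user request: DNS
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
"""

# The test name is optional because dcdiag wraps long result lines.
RESULT = re.compile(r"^\.{5,}\s+(\S+) (passed|failed) test(?: (\S+))?$")
EVENT = re.compile(r"^An (?:error|warning) event occurred\.\s+EventID: (0x[0-9A-Fa-f]+)")
FIELD = re.compile(r"^(Time Generated|Error Code|Server Name):\s*(.*)$")
OMITTED = re.compile(r"^Test omitted by user request: (\S+)")

def triage(text):
    """Return (failed tests, omitted tests, events) parsed from dcdiag /v text."""
    failed, omitted, events = [], [], []
    current_test, event = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Starting test:"):
            current_test, event = line.split(":", 1)[1].strip(), None
        elif m := EVENT.match(line):
            event = {"test": current_test, "event_id": m.group(1)}
            events.append(event)
        elif (m := FIELD.match(line)) and event is not None:
            event[m.group(1)] = m.group(2)
        elif m := RESULT.match(line):
            if m.group(2) == "failed":
                # Fall back to the enclosing test when the name wrapped.
                failed.append((m.group(1), m.group(3) or current_test))
            event = None
        elif m := OMITTED.match(line):
            omitted.append(m.group(1))
    return failed, omitted, events

def kerberos_summary(events):
    """Group events by Kerberos error code with a count and the server names seen."""
    summary = {}
    for e in events:
        code = e.get("Error Code", "unknown")
        entry = summary.setdefault(code, {"count": 0, "servers": set()})
        entry["count"] += 1
        entry["servers"].add(e.get("Server Name", ""))
    return summary
```

Run over the full dcdiag /v text, the omitted list also shows which checks were skipped and should be rerun explicitly.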