AD problem with a Server 2012 R2 domain controller: XP VMs cannot join the domain, but Win7, 8 and Win10 VMs can

The domain controller is a physical server running Windows Server 2012 R2. The FFL is 2008 R2 and the DFL is 2012 R2. However, I found an MS article stating that XP is fully compatible even with the 2012 R2 FFL. This problem affects only Windows XP (and older) VMs. The exact error when trying to join a machine to the domain:

The following error occurred attempting to join the domain "MyDomain": The specified network name is no longer available.

Troubleshooting attempted so far:
- Rebooting the DC
- Re-enabling SMB1 and rebooting the DC (it was already enabled)
- Restarting the NETLOGON service on the DC (no problems) and on the XP VMs (it does not stay running)
- Running DCDIAG (all tests pass)
- Disabling IPv6 on the DC
- Disabling the ISATAP NIC adapter (hidden device) in DevMgmt.msc

Here is the output of DCDiag /v:

    PS C:\> DCDiag /v

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine MY-SERVER, is a Directory Server.
   Home Server = MY-SERVER
   * Connecting to directory service on server MY-SERVER.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=acme,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=acme,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MY-SERVER
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... MY-SERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MY-SERVER
      Starting test: Advertising
         The DC MY-SERVER is advertising itself as a DC and having a DS.
         The DC MY-SERVER is advertising as an LDAP server
         The DC MY-SERVER is advertising as having a writeable directory
         The DC MY-SERVER is advertising as a Key Distribution Center
         The DC MY-SERVER is advertising as a time server
         The DS MY-SERVER is advertising as a GC.
         ......................... MY-SERVER passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ......................... MY-SERVER passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... MY-SERVER passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... MY-SERVER passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... MY-SERVER passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
         ......................... MY-SERVER passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC MY-SERVER on DC MY-SERVER.
         * SPN found :LDAP/MY-SERVER.acme.com/acme.com
         * SPN found :LDAP/MY-SERVER.acme.com
         * SPN found :LDAP/MY-SERVER
         * SPN found :LDAP/MY-SERVER.acme.com/acme
         * SPN found :LDAP/121ee01d-112f-4dff-8dd1-ba8463ea8203._msdcs.acme.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/121ee01d-112f-4dff-8dd1-ba8463ea8203/acme.com
         * SPN found :HOST/MY-SERVER.acme.com/acme.com
         * SPN found :HOST/MY-SERVER.acme.com
         * SPN found :HOST/MY-SERVER
         * SPN found :HOST/MY-SERVER.acme.com/acme
         * SPN found :GC/MY-SERVER.acme.com/acme.com
         ......................... MY-SERVER passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC MY-SERVER.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=acme,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=acme,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=acme,DC=com
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=acme,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=acme,DC=com
            (Domain,Version 3)
         ......................... MY-SERVER passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\MY-SERVER\netlogon
         Verified share \\MY-SERVER\sysvol
         ......................... MY-SERVER passed test NetLogons
      Starting test: ObjectsReplicated
         MY-SERVER is in domain DC=acme,DC=com
         Checking for CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com in domain DC=acme,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com in domain CN=Configurat
ion,DC=acme,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... MY-SERVER passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
         ......................... MY-SERVER passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 1601 to 1073741823
         * MY-SERVER.acme.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1101 to 1600
         * rIDPreviousAllocationPool is 1101 to 1600
         * rIDNextRID: 1147
         ......................... MY-SERVER passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... MY-SERVER passed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... MY-SERVER passed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com and backlink on
         CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com are correct.
         The system object reference (serverReferenceBL) CN=MY-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=acme,DC=com
         and backlink on CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com are correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=MY-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=acme,DC=com and backlink on
         CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com are correct.
         ......................... MY-SERVER passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : acme
      Starting test: CheckSDRefDom
         ......................... acme passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... acme passed test CrossRefValidation

   Running enterprise tests on : acme.com
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\MY-SERVER.acme.com
         Locator Flags: 0xe000f1fd
         PDC Name: \\MY-SERVER.acme.com
         Locator Flags: 0xe000f1fd
         Time Server Name: \\MY-SERVER.acme.com
         Locator Flags: 0xe000f1fd
         Preferred Time Server Name: \\MY-SERVER.acme.com
         Locator Flags: 0xe000f1fd
         KDC Name: \\MY-SERVER.acme.com
         Locator Flags: 0xe000f1fd
         ......................... acme.com passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
         ......................... acme.com passed test Intersite
PS C:\>

At this point I am out of ideas. Could this be an NTLM problem?

2
asked 5 January 2019 at 19:24
2 answers

This problem is now resolved. The DC was reporting the SMB1 state incorrectly (it showed SMB1 as enabled when in fact it had not been enabled yet).

Running this PowerShell command fixed the problem (resource link here):

    Set-SmbServerConfiguration -EnableSMB1Protocol $true

3
answered 3 December 2019 at 09:56
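Because the accepted answer hinges on the DC misreporting its SMB1 state, here is an added example (not from the answer or from Microsoft) that reads the SMB1 server state from several independent sources so the cmdlet's claim can be cross-checked. It assumes an elevated PowerShell session on the Windows Server 2012 R2 DC; `Get-Smb1ServerState` is a helper name chosen here, not a Windows cmdlet.

```powershell
# Added example (not from the original answer): cross-check the SMB1 server
# state on a DC. Assumes an elevated session on Windows Server 2012 R2 or later.
function Get-Smb1ServerState {
    # 1. What the SMB server configuration cmdlet reports.
    $cfg = Get-SmbServerConfiguration

    # 2. Whether the SMB1 server feature is installed at all
    #    (removable since Server 2012 R2; without it SMB1 cannot be served).
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue

    # 3. The LanmanServer registry value the server consults; absent means "default".
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue

    # 4. Whether the SMB1 server driver (srv) is actually loaded; srv2 serves SMB2/3.
    $srv  = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='srv'"
    $srv2 = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='srv2'"

    [pscustomobject]@{
        ConfigReportsSmb1    = $cfg.EnableSMB1Protocol
        Smb1FeatureInstalled = if ($feature) { $feature.Installed } else { $null }
        RegistrySmb1Value    = if ($reg) { $reg.SMB1 } else { '(not set)' }
        Smb1DriverState      = if ($srv)  { $srv.State }  else { '(absent)' }
        Smb2DriverState      = if ($srv2) { $srv2.State } else { '(absent)' }
    }
}

$state = Get-Smb1ServerState
$state | Format-List

# An XP client speaks only SMB1, so a DC that serves only SMB2/3 cannot hand it
# \\DC\netlogon during the join, which shows up as the error in the question.
if ($state.ConfigReportsSmb1 -and $state.Smb1DriverState -ne 'Running') {
    Write-Warning 'Configuration reports SMB1 enabled but the srv driver is not running; the reported state cannot be trusted.'
}
```

After applying the fix from the answer and rebooting, the feature should show as installed and the srv driver as Running; if they still disagree with the cmdlet, the cmdlet output is the wrong one.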

Do you have a Group Policy configured to restrict legacy Kerberos encryption types? Some hardening guides or audit policies force you to configure this, which can leave legacy clients such as XP unable to authenticate correctly.

The setting is under Windows Settings - Security Settings - Local Policies - Security Options - Network security: Configure encryption types allowed for Kerberos. More information here:

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos

1
answered 3 December 2019 at 09:56
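As an added example (not part of the answer above), this script reads that policy's registry value on the DC and decodes which encryption types remain allowed; a Windows XP client negotiates at most RC4-HMAC, so if neither the RC4 nor the DES bits are set the KDC has no type in common with it. It assumes an elevated session on the DC; `ConvertFrom-KerbEncTypeMask` and `Get-DcKerbEncTypePolicy` are helper names chosen here.

```powershell
# Added example (not from the original answer): decode the "Configure encryption
# types allowed for Kerberos" policy on a DC and report XP compatibility.
# Bit values are those documented for SupportedEncryptionTypes.
$KerbEncTypeBits = [ordered]@{
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC_MD5            = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function ConvertFrom-KerbEncTypeMask {
    param([Parameter(Mandatory)][int]$Mask)
    $enabled = foreach ($kv in $KerbEncTypeBits.GetEnumerator()) {
        if ($Mask -band $kv.Value) { $kv.Key }
    }
    [pscustomobject]@{
        RawValue     = ('0x{0:X8}' -f $Mask)
        EnabledTypes = @($enabled)
        # "Future encryption types" occupy the high bits (0x7FFFFFE0).
        FutureTypes  = [bool]($Mask -band 0x7FFFFFE0)
        # XP SP3 supports DES and RC4-HMAC only; both masked out means no
        # usable ticket for the machine account during the join.
        XpCompatible = [bool]($Mask -band 0x07)
    }
}

function Get-DcKerbEncTypePolicy {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if (-not $item) {
        # Value absent: the policy is not configured and the OS default applies
        # (RC4-HMAC plus AES on Server 2012 R2), so legacy clients are not blocked here.
        return [pscustomobject]@{ Configured = $false; XpCompatible = $true }
    }
    $decoded = ConvertFrom-KerbEncTypeMask -Mask $item.SupportedEncryptionTypes
    $decoded | Add-Member -NotePropertyName Configured -NotePropertyValue $true -PassThru
}

Get-DcKerbEncTypePolicy | Format-List
```

Run the same decoding on the XP client's value if it also receives the policy; both sides must share at least one enabled type.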
