AD went down

AD went down. The error: Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN. What could be the cause and how do I recover?

__________________________________________________________________
THE TRUTH IS OUT THERE

05.09.2012, 22:38

What exactly were you doing before the "crash"? Delegating permissions? Anyway, disconnect the DC from the network and run DCDIAG, DCPROMO... As an option (IMHO), you will first have to demote it to a standalone server, then make it an SDC, then transfer the permissions, then make it the PDC... IMHO, "read the manual, finally"

05.09.2012, 22:48

I was adding a domain to AD from Unix with net ads join -U admin, and I accidentally entered dc1 as the domain name, and my controller is dc1. Could that have caused the failure?

05.09.2012, 22:50

> AndreTM: What exactly were you doing before the "crash"? Delegating permissions? Anyway, disconnect the DC from the network and run DCDIAG, DCPROMO... As an option (IMHO), you will first have to demote it to a standalone server, then make it an SDC, then transfer the permissions, then make it the PDC... IMHO, "read the manual, finally"

Seizing the roles isn't working. THERE IS a DC and a PDC, which of them should I disconnect? They just can't link up with each other...

05.09.2012, 23:17

> mr_max: Seizing the roles isn't working. THERE IS a DC and a PDC, which of them should I disconnect?

> AndreTM: IMHO, "read the manual, finally"

05.09.2012, 23:22

> AndreTM:
> > mr_max: Seizing the roles isn't working. THERE IS a DC and a PDC, which of them should I disconnect?
> > AndreTM: IMHO, "read the manual, finally"

What manual?

05.09.2012, 23:23

> mr_max: I was adding a domain to AD from Unix with net ads join -U admin

Quite a command for "adding a domain". WHAT exactly were you doing?

05.09.2012, 23:25

I was adding a Unix domain to AD and mixed things up: I entered the name of the controller itself there. Could that have done damage?

05.09.2012, 23:26

That is, I was setting up user authorization on a website through AD using Kerberos.

05.09.2012, 23:27

> mr_max: What manual?

The one on managing AD in WinServer. At least the server's own help... And if you "sort of concealed" that you have two servers, with Active Directory deployed on WIN while you are barging in from *nix (say, Suse or Debian), then who is to blame??

05.09.2012, 23:28

mr_max, I can't perform a forced seizure of the roles. There was a global catalog, which died, and I can't bring it back up... But there was a second domain controller (an ordinary one) and I want to make it the global one. The error is in the screenshot.

05.09.2012, 23:30

> mr_max: I was adding a Unix domain to AD and mixed things up: I entered the name of the controller itself there. Could that have done damage?

No

> mr_max: That is, I was setting up user authorization on a website through AD using Kerberos.

*nix users? And, as already said, just run dcdiag on the WIN server with AD.

05.09.2012, 23:31

> AndreTM:
> > mr_max: What manual?
>
> The one on managing AD in WinServer. At least the server's own help... And if you "sort of concealed" that you have two servers, with Active Directory deployed on WIN while you are barging in from *nix (say, Suse or Debian), then who is to blame??

Conceal from whom? I had two controllers, dc1 and dc2. Is Unix to blame here?

05.09.2012, 23:31

> mr_max: There was a global catalog, which died, and I can't bring it back up... But there was a second domain controller (an ordinary one) and I want to make it the global one

If synchronization between the PDC and the DC was not set up properly, you will not be able to promote an ordinary DC to PDC...

05.09.2012, 23:34

By the way, how exactly did "the global catalog go down"?

05.09.2012, 23:35

AndreTM, dcdiag on the second controller.

```
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SRV-FS1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\SRV-FS1
      Starting test: Connectivity
         ......................... SRV-FS1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\SRV-FS1
      Starting test: Advertising
         ......................... SRV-FS1 passed test Advertising
      Starting test: FrsEvent
         ......................... SRV-FS1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SRV-FS1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SRV-FS1 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000072D
            Time Generated: 09/05/2012   23:29:35
            Event String:
            An attempt to transfer the operations master role represented by the following object failed.
         A warning event occurred.  EventID: 0x8000072D
            Time Generated: 09/05/2012   23:32:55
            Event String:
            An attempt to transfer the operations master role represented by the following object failed.
         ......................... SRV-FS1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         [SRV-DC1] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Warning: SRV-DC1 is the Domain Owner, but is not responding to DS RPC Bind.
         Ldap search capabality attribute search failed on server SRV-DC1, return value = 81
         Warning: SRV-DC1 is the Domain Owner, but is not responding to LDAP Bind.
         Warning: SRV-DC1 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: SRV-DC1 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: SRV-DC1 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: SRV-DC1 is the Rid Owner, but is not responding to LDAP Bind.
         ......................... SRV-FS1 failed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SRV-FS1 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=draeger-ru,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=draeger-ru,DC=com
         ......................... SRV-FS1 failed test NCSecDesc
      Starting test: NetLogons
         ......................... SRV-FS1 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SRV-FS1 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,SRV-FS1] A recent replication attempt failed:
            From SRV-DC1 to SRV-FS1
            Naming Context: DC=ForestDnsZones,DC=draeger-ru,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2012-09-05 22:49:32.
            The last success occurred at 2012-09-05 17:49:31.
            5 failures have occurred since the last success.
         [Replications Check,SRV-FS1] A recent replication attempt failed:
            From SRV-DC1 to SRV-FS1
            Naming Context: DC=DomainDnsZones,DC=draeger-ru,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2012-09-05 22:49:32.
            The last success occurred at 2012-09-05 17:49:30.
            5 failures have occurred since the last success.
         [Replications Check,SRV-FS1] A recent replication attempt failed:
            From SRV-DC1 to SRV-FS1
            Naming Context: CN=Schema,CN=Configuration,DC=draeger-ru,DC=com
            The replication generated an error (1396):
            Logon Failure: The target account name is incorrect.
            The failure occurred at 2012-09-05 22:49:32.
            The last success occurred at 2012-09-05 17:49:30.
            5 failures have occurred since the last success.
            Kerberos Error.
            The KDC could not find the SPN for the server SRV-DC1.
            This can be for several reasons:
            (1) - The SPN is not registered on the KDC (usually SRV-FS1). Check that the SPN is registered on at least one other server besides SRV-DC1, and that replication is progressing between this server and the KDC. The tool repadmin/syncall can be used for this purpose.
            (2) - This server could be a deleted server (and deleted DSA object), and this deletion has not replicated across the enterprise yet. This will rectify itself within the general replication latency plus the latency of the KCC. Should be less than a day.
            (3) - It's possible that this server was reclaimed, but it's DSA object was not deleted and an old DNS record representing the server is present. This can result in this error for the duration of a DNS record lease. Often about 2 weeks. To fix this, please clean up the DSA's metadata with ntdsutil.
            (4) - Finally, it's possible that this server has acquired a new IP address, the server's old IP address has been reused, and DNS hasn't been updated to reflect the new IP address. If this problem persists, stop and restart the "Net Logon" service on SRV-DC1, and delete the old DNS record.
         [Replications Check,SRV-FS1] A recent replication attempt failed:
            From SRV-DC1 to SRV-FS1
            Naming Context: CN=Configuration,DC=draeger-ru,DC=com
            The replication generated an error (1396):
            Logon Failure: The target account name is incorrect.
            The failure occurred at 2012-09-05 22:49:32.
            The last success occurred at 2012-09-05 17:49:30.
            5 failures have occurred since the last success.
            Kerberos Error.
            The KDC could not find the SPN for the server SRV-DC1.
            This can be for several reasons:
            (1) - The SPN is not registered on the KDC (usually SRV-FS1). Check that the SPN is registered on at least one other server besides SRV-DC1, and that replication is progressing between this server and the KDC. The tool repadmin/syncall can be used for this purpose.
            (2) - This server could be a deleted server (and deleted DSA object), and this deletion has not replicated across the enterprise yet. This will rectify itself within the general replication latency plus the latency of the KCC. Should be less than a day.
            (3) - It's possible that this server was reclaimed, but it's DSA object was not deleted and an old DNS record representing the server is present. This can result in this error for the duration of a DNS record lease. Often about 2 weeks. To fix this, please clean up the DSA's metadata with ntdsutil.
            (4) - Finally, it's possible that this server has acquired a new IP address, the server's old IP address has been reused, and DNS hasn't been updated to reflect the new IP address. If this problem persists, stop and restart the "Net Logon" service on SRV-DC1, and delete the old DNS record.
         [Replications Check,SRV-FS1] A recent replication attempt failed:
            From SRV-DC1 to SRV-FS1
            Naming Context: DC=draeger-ru,DC=com
            The replication generated an error (1396):
            Logon Failure: The target account name is incorrect.
            The failure occurred at 2012-09-05 22:49:32.
            The last success occurred at 2012-09-05 18:21:25.
            30 failures have occurred since the last success.
            Kerberos Error.
            The KDC could not find the SPN for the server SRV-DC1.
            This can be for several reasons:
            (1) - The SPN is not registered on the KDC (usually SRV-FS1). Check that the SPN is registered on at least one other server besides SRV-DC1, and that replication is progressing between this server and the KDC. The tool repadmin/syncall can be used for this purpose.
            (2) - This server could be a deleted server (and deleted DSA object), and this deletion has not replicated across the enterprise yet. This will rectify itself within the general replication latency plus the latency of the KCC. Should be less than a day.
            (3) - It's possible that this server was reclaimed, but it's DSA object was not deleted and an old DNS record representing the server is present. This can result in this error for the duration of a DNS record lease. Often about 2 weeks. To fix this, please clean up the DSA's metadata with ntdsutil.
            (4) - Finally, it's possible that this server has acquired a new IP address, the server's old IP address has been reused, and DNS hasn't been updated to reflect the new IP address. If this problem persists, stop and restart the "Net Logon" service on SRV-DC1, and delete the old DNS record.
         ......................... SRV-FS1 failed test Replications
      Starting test: RidManager
         ......................... SRV-FS1 failed test RidManager
      Starting test: Services
         ......................... SRV-FS1 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x0000A001
            Time Generated: 09/05/2012   22:41:10
            Event String:
            The Security System could not establish a secured connection with the server ldap/SRV-DC1.draeger-ru.com/draeger-ru.com@DRAEGER-RU.COM. No authentication protocol was available.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 09/05/2012   23:04:13
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srv-dc1$. The target name used was cifs/srv-dc1.draeger-ru.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DRAEGER-RU.COM) is different from the client domain (DRAEGER-RU.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 09/05/2012   23:12:11
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srv-dc1$. The target name used was cifs/SRV-DC1.draeger-ru.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DRAEGER-RU.COM) is different from the client domain (DRAEGER-RU.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 09/05/2012   23:34:26
            Event String:
            Driver Solid Converter PDF required for printer Solid Converter PDF is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 09/05/2012   23:34:26
            Event String:
            Driver Send To Microsoft OneNote 2010 Driver required for printer ЋвЇа ўЁвм ў OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
         ......................... SRV-FS1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... SRV-FS1 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : draeger-ru
      Starting test: CheckSDRefDom
         ......................... draeger-ru passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... draeger-ru passed test CrossRefValidation

   Running enterprise tests on : draeger-ru.com
      Starting test: LocatorCheck
```

05.09.2012, 23:37

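An added example (not part of the thread and not any poster's code): a small Python summarizer for a dcdiag report like the one above, pulling out the failed tests, the replication error code per naming context, and the account and SPN named in KRB_AP_ERR_MODIFIED events. The sample report is a constructed, shortened excerpt in the same format, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the dcdiag run quoted above (shortened).
SAMPLE = """\
      Starting test: KnowsOfRoleHolders
         [SRV-DC1] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... SRV-FS1 failed test KnowsOfRoleHolders
      Starting test: NetLogons
         ......................... SRV-FS1 passed test NetLogons
      Starting test: Replications
         [Replications Check,SRV-FS1] A recent replication attempt failed:
            From SRV-DC1 to SRV-FS1
            Naming Context: DC=DomainDnsZones,DC=draeger-ru,DC=com
            The replication generated an error (1256):
            The remote system is not available.
         [Replications Check,SRV-FS1] A recent replication attempt failed:
            From SRV-DC1 to SRV-FS1
            Naming Context: DC=draeger-ru,DC=com
            The replication generated an error (1396):
            Logon Failure: The target account name is incorrect.
         ......................... SRV-FS1 failed test Replications
      Starting test: SystemLog
         An error event occurred.  EventID: 0x40000004
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the
            server srv-dc1$. The target name used was cifs/srv-dc1.draeger-ru.com.
         ......................... SRV-FS1 failed test SystemLog
"""

# \s+ between fields lets the patterns match both the normal multi-line
# layout and a report whose line breaks were lost when it was pasted.
FAILED = re.compile(r"\.{5,}\s+(\S+) failed test (\w+)")
REPL = re.compile(r"From (\S+) to (\S+)\s+Naming Context: (\S+)\s+"
                  r"The replication generated an error \((\d+)\)")
KRB = re.compile(r"(KRB_AP_ERR_\w+) error from the\s+server (\S+?)\.\s+"
                 r"The target name used was (\S+?)\.\s")

def summarize(text):
    """Reduce a dcdiag report to failed tests, replication errors and SPN faults."""
    failed = defaultdict(list)
    for server, test in FAILED.findall(text):
        failed[server].append(test)
    repl = [{"source": s, "dest": d, "nc": nc, "error": int(code)}
            for s, d, nc, code in REPL.findall(text)]
    # SPNs are case-insensitive, so cifs/SRV-DC1... and cifs/srv-dc1... collapse.
    spn = sorted({(err, acct, target.lower()) for err, acct, target in KRB.findall(text)})
    return {"failed": dict(failed), "replication": repl, "spn": spn}

def kerberos_suspects(summary):
    """Replication sources failing with 1396 (target account name is incorrect)."""
    return sorted({r["source"] for r in summary["replication"] if r["error"] == 1396})

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result["failed"], result["spn"], kerberos_suspects(result))
```
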
> AndreTM: By the way, how exactly did "the global catalog go down"?

After the manipulation with Kerberos via UNIX

05.09.2012, 23:38

> AndreTM:
> > mr_max: There was a global catalog, which died, and I can't bring it back up... But there was a second domain controller (an ordinary one) and I want to make it the global one
>
> If synchronization between the PDC and the DC was not set up properly, you will not be able to promote an ordinary DC to PDC...

I am trying to seize the controller, but it returns invalid syntax, as in the screenshot. All the roles were seized, but I can't seize the last one.

05.09.2012, 23:40

I can't seize the last role :(

05.09.2012, 23:44

mr_max, that's it, we have fully seized dc2. How do we demote dc1 now?

05.09.2012, 23:51

> mr_max: that's it, we have fully seized dc2. How do we demote dc1 now?

dcpromo /forceremoval

05.09.2012, 23:54

AndreTM, how can I make sure the dc2 controller came up properly, so that they don't conflict again?

05.09.2012, 23:56

And DC2 still hasn't become a global catalog, what should I do?

05.09.2012, 23:57
