Monday, October 30, 2017


[ActiveDirectory] Manually resetting a Trust in a 1 Forest-Multi Domain environment with 'netdom trust'



Manual Trust reset between the PDC and the CDC


[Explanation]

The AD environment described here is a 1 Forest-Multi Domain environment: policy and related information are replicated and communicated on the basis of the Trust relationship between the PDC, which manages the entire Forest, and a newly built CDC. In this post PDC and CDC denote the DC of the parent (forest root) domain and the DC of a child domain, the <parent domain> and <child domain> of the netdom command in the Resolution section, not the PDC Emulator FSMO role.

After the new CDC was built, the AD consoles showed no problem with the Trust to the PDC, yet replication from the CDC to the PDC did not work.

Running Validate in Active Directory Domains & Trusts with an account holding Enterprise Administrator rights also reported nothing unusual and showed the Trust relationship in place, but the error persisted.



Replication initiated from the PDC worked normally, but replication initiated from the CDC failed with "Access is denied" (error 5):
Repadmin: running command /showrepl against full DC localhost
CDC1-IDC\CDC1SCCDC01V
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 617c0ea8-d38e-4cf4-8ffe-3e6d2b1eb5b4
DSA invocationID: 81cb6e0c-89fa-491c-83cd-68628cc60277
Source: PDC-IDC\PDCSCPDC00
******* 1 CONSECUTIVE FAILURES since 2017-10-17 09:35:24
Last error: 5 (0x5):  Access is denied.

Naming Context: DC=CDC4,DC=domain,DC=com

Source: PDC-IDC\PDCSCPDC00
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=domain,DC=com

Source: PDC-IDC\PDCSCPDC00
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=CDC3,DC=domain,DC=com

Source: PDC-IDC\PDCSCPDC00
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=CDC5,DC=domain,DC=com

Source: PDC-IDC\PDCSCPDC00
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=CDC6,DC=domain,DC=com

Source: PDC-IDC\PDCSCPDC00
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=CDC7,DC=domain,DC=com

Source: PDC-IDC\PDCSCPDC00
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=ForestDnsZones,DC=domain,DC=com

Source: PDC-IDC\PDCSCPDC00
******* WARNING: KCC could not add this REPLICA LINK due to error.

In addition, the 'Directory Service' log in Event Viewer kept recording the following connectivity errors from the KCC (Event ID 1311 and 1865):


Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          10/19/2017 1:06:59 PM
Event ID:      1311
Task Category: Knowledge Consistency Checker
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      CDC2SCCDC01V.CDC2.domain.com
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:
CN=Configuration,DC=domain,DC=com

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.

User Action
Perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.

If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS KCC" />
    <EventID Qualifiers="49152">1311</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2017-10-19T04:06:59.690323100Z" />
    <EventRecordID>6348</EventRecordID>
    <Correlation />
    <Execution ProcessID="540" ThreadID="1224" />
    <Channel>Directory Service</Channel>
    <Computer>CDC2SCCDC01V.CDC2.domain.com</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>CN=Configuration,DC=domain,DC=com</Data>
</EventData>
</Event>



Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          10/19/2017 1:06:59 PM
Event ID:      1865
Task Category: Knowledge Consistency Checker
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      CDC2SCCDC01V.CDC2.domain.com
Description:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=CDC1-IDC,CN=Sites,CN=Configuration,DC=domain,DC=com
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS KCC" />
    <EventID Qualifiers="32768">1865</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2017-10-19T04:06:59.690323100Z" />
    <EventRecordID>6347</EventRecordID>
    <Correlation />
    <Execution ProcessID="540" ThreadID="1224" />
    <Channel>Directory Service</Channel>
    <Computer>CDC2SCCDC01V.CDC2.domain.com</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>CN=CDC1-IDC,CN=Sites,CN=Configuration,DC=domain,DC=com</Data>
    <Data>


[Resolution]

Running Validate in Active Directory Domains & Trusts with an Enterprise Administrator account, as was done earlier, only confirms and keeps the existing Trust; it does not reset it. In this case, run the command below on the CDC where the problem occurs. The command resets (re-initialises) the trust relationship; afterwards give replication some time and confirm that it succeeds. In the command, /userd and /passwordd are the credentials for the parent domain named by /domain, and /userO and /passwordO are the credentials for the child domain named first; both accounts need to be domain administrators in their respective domains, and the * makes netdom prompt for each password instead of placing it on the command line (and in the command history).
netdom trust <child domain> /domain:<parent domain> /userd:<parent domain>\administrator /passwordd:* /userO:<child domain>\administrator /passwordO:* /reset
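The following PowerShell script is an added example and is not part of the original post. It wraps the diagnose, verify, reset and re-check cycle described above for the symptoms in the Explanation section (repadmin error 5 on the CDC, KCC events 1311/1865). Everything in it is assumed: the script name, the parameter and function names (Get-ReplicationErrors, Test-ParentTrust, Reset-ParentTrust and so on) are hypothetical, the domain names are placeholders, and it expects to run elevated on the affected CDC with netdom.exe and repadmin.exe (AD DS tools) on the PATH, as a child-domain administrator; the parent-domain password is requested interactively by netdom.

```powershell
# Reset-ChildTrust.ps1 (hypothetical name): diagnose -> verify -> reset -> re-check
# a parent/child trust from the child DC, following the netdom /reset procedure above.
# Assumptions: run elevated on the child DC (the "CDC"), netdom.exe and repadmin.exe
# available, caller is a Domain Admin of the child domain; netdom prompts for both
# passwords because of "/PasswordD:*" and "/PasswordO:*".
param(
    [Parameter(Mandatory)] [string] $ChildDomain,    # e.g. cdc1.domain.com (placeholder)
    [Parameter(Mandatory)] [string] $ParentDomain,   # e.g. domain.com      (placeholder)
    [string] $ParentAdmin   = "administrator",       # account in the parent domain (/UserD)
    [string] $ChildAdmin    = "administrator",       # account in the child domain  (/UserO)
    [int]    $LookbackHours = 24
)

function Get-ReplicationErrors {
    # "repadmin /showrepl /errorsonly" prints nothing when every inbound link is healthy;
    # keep only the lines that carry a failure, like the ones quoted in the post.
    $out = & repadmin.exe /showrepl /errorsonly 2>&1 | Out-String
    return @($out -split "`r?`n" | Where-Object {
        $_ -match 'Last error:|CONSECUTIVE FAILURES|could not add this REPLICA LINK' })
}

function Get-KccConnectivityEvents {
    param([int] $Hours)
    # 1311 (no spanning-tree topology) and 1865 (sites unreachable) are the two
    # Directory Service events the post observed while the trust was broken.
    return @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1311, 1865
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue)
}

function Test-ParentTrust {
    # /verify only checks the existing trust. In the post it (and the GUI Validate)
    # passed while replication still failed, so a clean result is not proof of health.
    & netdom.exe trust $ChildDomain /d:$ParentDomain /verify
    return ($LASTEXITCODE -eq 0)
}

function Reset-ParentTrust {
    # /reset re-creates the trust password on both sides, which is why it needs an
    # administrator on each side: /UserD for the parent (/d) domain, /UserO for the child.
    & netdom.exe trust $ChildDomain /d:$ParentDomain `
        /UserD:"$ParentDomain\$ParentAdmin" /PasswordD:* `
        /UserO:"$ChildDomain\$ChildAdmin"   /PasswordO:* /reset
    return ($LASTEXITCODE -eq 0)
}

Write-Host "== Baseline on $env:COMPUTERNAME =="
$before = Get-ReplicationErrors
$before | ForEach-Object { Write-Host "  $_" }
$events = Get-KccConnectivityEvents -Hours $LookbackHours
Write-Host ("  {0} KCC 1311/1865 events in the last {1}h" -f $events.Count, $LookbackHours)

if ($before.Count -eq 0 -and $events.Count -eq 0) {
    Write-Host "No replication errors and no KCC connectivity events; nothing to reset."
    return
}

Write-Host "== Trust verification (may pass even though replication is broken) =="
$verified = Test-ParentTrust
Write-Host ("  netdom /verify: {0}" -f $(if ($verified) { 'OK' } else { 'FAILED' }))

Write-Host "== Resetting trust $ChildDomain -> $ParentDomain =="
if (-not (Reset-ParentTrust)) {
    Write-Error "netdom /reset failed (exit code $LASTEXITCODE); check both admin credentials and DNS resolution of $ParentDomain."
    return
}

# Ask the KCC to rebuild the topology now rather than waiting for its next pass,
# then push a sync of all partitions across sites (A=all, d=DN names, e=enterprise, P=push).
& repadmin.exe /kcc | Out-Null
& repadmin.exe /syncall /AdeP | Out-Null

Write-Host "== Re-check =="
$after = Get-ReplicationErrors
if ($after.Count -eq 0) {
    Write-Host "  No inbound replication errors reported after the reset."
} else {
    Write-Host "  Errors remain; a persisting error 5 (Access is denied) still points at the trust/Kerberos path:"
    $after | ForEach-Object { Write-Host "  $_" }
}
```

Run it as `.\Reset-ChildTrust.ps1 -ChildDomain cdc1.domain.com -ParentDomain domain.com` on the CDC itself, which is where the post ran `repadmin /showrepl` ("against full DC localhost"). Replication is not instantaneous after the reset; if the re-check still lists errors, wait for the next replication interval and run `repadmin /showrepl /errorsonly` again before concluding that the trust reset did not help.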






Your Comments are Always Welcome!