Windows Server 2016 primary and secondary domain controllers cannot replicate, and all domain-joined servers and clients cannot reach the domain

  • Question

  • Hello,

         Starting yesterday at noon, several of our company's servers were unexpectedly hit by a trojan, including our two AD domain controllers (primary and secondary). On every server with a static IP, the primary and secondary DNS servers had been changed to 8.8.8.8 and 9.9.9.9; after we set the correct DNS servers back by hand, they were changed back again shortly afterwards. After scanning with the enterprise edition of Huorong (火绒) Security we found the trojan and cleaned it up; we also found unknown scheduled tasks and deleted those as well. Since the cleanup, and as of today, the servers' DNS settings have stayed correct and are no longer being tampered with. At the same time, however, our two domain controllers started behaving abnormally: none of the clients previously joined to the domain can contact the domain servers any more, and on the servers joined to the domain, including the file server, the Security tab of previously shared files and folders no longer shows the domain groups or users that had been configured; they all show as question marks. The two domain controllers themselves still work normally for basic operations: on either DC, opening a folder's Properties > Security tab lets us add users from the domain. We also looked up some information and found that the two domain controllers cannot replicate with each other either. Running DCDIAG and DCDIAG /TEST:DNS /V /E, the errors all relate to an RPC bind failure. Could you please help with how to handle this? Thank you.

    The DCDIAG output below was produced on the secondary DC, DCSSH2:

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = DCSSH2
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: HX-SH\DCSSH2
          Starting test: Connectivity
             ......................... DCSSH2 passed test Connectivity

    Doing primary tests

       Testing server: HX-SH\DCSSH2
          Starting test: Advertising
             ......................... DCSSH2 passed test Advertising
          Starting test: FrsEvent
             ......................... DCSSH2 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
             replication problems may cause Group Policy problems.
             ......................... DCSSH2 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... DCSSH2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... DCSSH2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             [DCSSH1] DsBindWithSpnEx() failed with error 1722,
             The RPC server is unavailable..
             Warning: DCSSH1 is the Schema Owner, but is not responding to DS RPC Bind.
             Warning: DCSSH1 is the Domain Owner, but is not responding to DS RPC Bind.
             Warning: DCSSH1 is the PDC Owner, but is not responding to DS RPC Bind.
             Warning: DCSSH1 is the Rid Owner, but is not responding to DS RPC Bind.
             Warning: DCSSH1 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
             ......................... DCSSH2 failed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... DCSSH2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... DCSSH2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... DCSSH2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... DCSSH2 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,DCSSH2] A recent replication attempt failed:
                From DCSSH1 to DCSSH2
                Naming Context: DC=ForestDnsZones,DC=hx,DC=com
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2021-07-06 10:50:41.
                The last success occurred at 2021-07-05 14:57:33.
                21 failures have occurred since the last success.
             [Replications Check,DCSSH2] A recent replication attempt failed:
                From DCSSH1 to DCSSH2
                Naming Context: DC=DomainDnsZones,DC=hx,DC=com
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2021-07-06 10:50:41.
                The last success occurred at 2021-07-05 15:20:57.
                21 failures have occurred since the last success.
             [Replications Check,DCSSH2] A recent replication attempt failed:
                From DCSSH1 to DCSSH2
                Naming Context: CN=Schema,CN=Configuration,DC=hx,DC=com
                The replication generated an error (1722):
                The RPC server is unavailable.
                The failure occurred at 2021-07-06 10:52:05.
                The last success occurred at 2021-07-05 14:45:05.
                21 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,DCSSH2] A recent replication attempt failed:
                From DCSSH1 to DCSSH2
                Naming Context: CN=Configuration,DC=hx,DC=com
                The replication generated an error (1722):
                The RPC server is unavailable.
                The failure occurred at 2021-07-06 10:51:23.
                The last success occurred at 2021-07-05 15:09:08.
                21 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,DCSSH2] A recent replication attempt failed:
                From DCSSH1 to DCSSH2
                Naming Context: DC=hx,DC=com
                The replication generated an error (1722):
                The RPC server is unavailable.
                The failure occurred at 2021-07-06 10:54:53.
                The last success occurred at 2021-07-05 15:21:29.
                22 failures have occurred since the last success.
                The source remains down. Please check the machine.
             ......................... DCSSH2 failed test Replications
          Starting test: RidManager
             ......................... DCSSH2 failed test RidManager
          Starting test: Services
             ......................... DCSSH2 passed test Services
          Starting test: SystemLog
             An error event occurred.  EventID: 0x000003F8
                Time Generated: 07/06/2021   11:06:45
                Event String: The DHCP service encountered the following error when backing up the database:
             An error event occurred.  EventID: 0x000003F8
                Time Generated: 07/06/2021   11:07:05
                Event String: The DHCP service encountered the following error when backing up the database:
             An error event occurred.  EventID: 0x000003F2
                Time Generated: 07/06/2021   11:07:05
                Event String: The DHCP service encountered the following error while cleaning up the database:
             ......................... DCSSH2 failed test SystemLog
          Starting test: VerifyReferences
             ......................... DCSSH2 passed test VerifyReferences


       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : hx
          Starting test: CheckSDRefDom
             ......................... hx passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... hx passed test CrossRefValidation

       Running enterprise tests on : hx.com
          Starting test: LocatorCheck
             ......................... hx.com passed test LocatorCheck
          Starting test: Intersite
             ......................... hx.com passed test Intersite

    July 6, 2021 9:35
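An added example, not part of the original question: a PowerShell function that parses a dcdiag transcript like the one above into the failed tests and the per-partition replication errors, so the pattern in this thread (one source DC returning 1722 or 1256 on every naming context) is visible at a glance instead of being buried in a few hundred lines of output. The function name and the constructed sample transcript are mine; on a real DC you would feed it `dcdiag /v | Out-String`.

```powershell
# Added example (not from the original post). Summarises dcdiag output: which tests
# failed, and which replication partners/partitions failed with which error code.
function Get-DcdiagSummary {
    param([Parameter(Mandatory)][string]$Text)

    $failedTests = @()
    $replErrors  = @()
    $current     = $null   # replication failure block being assembled

    foreach ($line in ($Text -split "`r?`n")) {
        $t = $line.Trim()

        # "......................... DCSSH2 failed test KnowsOfRoleHolders"
        if ($t -match '^\.+\s+(\S+)\s+failed test\s+(\S+)$') {
            $failedTests += [pscustomobject]@{ Server = $Matches[1]; Test = $Matches[2] }
            continue
        }

        # "[Replications Check,DCSSH2] A recent replication attempt failed:" opens a block
        if ($t -match '^\[Replications Check,(\S+)\] A recent replication attempt failed:') {
            $current = [ordered]@{ Destination = $Matches[1]; Source = $null; NamingContext = $null
                                   Error = $null; Message = $null; Failures = $null }
            continue
        }
        if ($null -eq $current) { continue }

        if ($t -match '^From (\S+) to (\S+)$')                              { $current.Source = $Matches[1]; continue }
        if ($t -match '^Naming Context:\s*(.+)$')                            { $current.NamingContext = $Matches[1]; continue }
        if ($t -match '^The replication generated an error \((\d+)\):$')   { $current.Error = [int]$Matches[1]; continue }
        # The line right after the error code is its text, e.g. "The RPC server is unavailable."
        if ($null -ne $current.Error -and $null -eq $current.Message)       { $current.Message = $t; continue }
        if ($t -match '^(\d+) failures? (have|has) occurred since the last success\.$') {
            $current.Failures = [int]$Matches[1]
            $replErrors += [pscustomobject]$current
            $current = $null
        }
    }

    [pscustomobject]@{
        FailedTests       = $failedTests
        ReplicationErrors = $replErrors
        # 1722 (RPC server unavailable) / 1256 (remote system not available) on every
        # partition from the same source points at that DC or the path to it, not at the data.
        UnreachableSources = $replErrors | Where-Object { $_.Error -in 1722, 1256 } |
                             Select-Object -ExpandProperty Source -Unique
    }
}

# Constructed sample, modelled on the transcript in the post (not the full output).
$sample = @'
   Testing server: HX-SH\DCSSH2
      Starting test: KnowsOfRoleHolders
         [DCSSH1] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... DCSSH2 failed test KnowsOfRoleHolders
      Starting test: Replications
         [Replications Check,DCSSH2] A recent replication attempt failed:
            From DCSSH1 to DCSSH2
            Naming Context: DC=ForestDnsZones,DC=hx,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2021-07-06 10:50:41.
            The last success occurred at 2021-07-05 14:57:33.
            21 failures have occurred since the last success.
         [Replications Check,DCSSH2] A recent replication attempt failed:
            From DCSSH1 to DCSSH2
            Naming Context: DC=hx,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2021-07-06 10:54:53.
            The last success occurred at 2021-07-05 15:21:29.
            22 failures have occurred since the last success.
            The source remains down. Please check the machine.
         ......................... DCSSH2 failed test Replications
'@

$summary = Get-DcdiagSummary -Text $sample
$summary.FailedTests       | Format-Table -AutoSize   # KnowsOfRoleHolders, Replications
$summary.ReplicationErrors | Format-Table Source, Destination, NamingContext, Error, Failures -AutoSize
"Unreachable source DC(s): $($summary.UnreachableSources -join ', ')"   # DCSSH1

# On a real DC: Get-DcdiagSummary -Text (dcdiag /v | Out-String)
```

The function deliberately keys on the fixed English strings dcdiag prints; run it against the English output (`dcdiag /v`) rather than a localised one. The `UnreachableSources` list is the quickest answer to "is this a directory problem or a connectivity problem": if every failure comes from the same source with 1722/1256, start with RPC reachability to that DC (firewall, IPsec policy, TCP 135 and the dynamic RPC range) rather than with the directory itself.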

Answer

  • Judging from symptoms such as machines being unable to join the domain, ports such as 445 are probably being blocked; this looks very much like a server infected with crypto-mining malware. I would suggest the following approach to investigate further:

    1. Run PowerShell as administrator and check whether an IPsec policy is blocking TCP port 445 with the following commands:

    netsh ipsec static show policy all

    netsh ipsec static show filterlist all level=verbose

    If the output contains a security policy with the keyword "netbc",

    or, alternatively, run gpedit and open the security policy directly to view the details.

    If you confirm that the server has this policy, delete it with the following command or directly from the console:

    netsh ipsec static delete policy name=netbc

    Then create a GPO that runs the following script and apply it to all server and computer OUs (run every 5 minutes):

    REM Cleanup script to run from the GPO (batch file; %% is how a literal % is written in a .cmd/.bat file)

    REM Remove the permanent WMI event subscription (consumer + filter) in root\subscription
    powershell.exe -command "Get-WMIObject -Query \"select * from CommandLineEventConsumer where name='Windows Events Consumer' \" -Namespace 'root/subscription' | remove-wmiobject"
    powershell.exe -command "Get-WMIObject -Query \"select * from __EventFilter where name='Windows Events Filter' \" -Namespace 'root/subscription' | remove-wmiobject"

    REM Remove the custom WMI class System_Anti_Virus_Core from root\DEFAULT
    powershell.exe -command "Remove-WmiObject -Class System_Anti_Virus_Core -Namespace root\DEFAULT"

    REM Delete the scheduled tasks used for persistence
    schtasks /Delete /TN "WindowsLogTasks" /F
    schtasks /Delete /TN "System Log Security Check" /F

    REM Delete the IPsec policy that blocks port 445
    netsh ipsec static delete policy name=netbc

    REM Terminate running powershell.exe / cmd.exe instances started with the malware's encoded command line
    powershell.exe -command "(Get-WmiObject win32_process -filter \"Name='powershell.exe' AND CommandLine LIKE '%%W Hidden -E JABwAGkAbgAgAD0A%%'\") | ForEach-Object {$_.terminate()}"
    powershell.exe -command "(Get-WmiObject win32_process -filter \"Name='powershell.exe' AND CommandLine LIKE '%%System_Anti_Virus_Core%%'\") | ForEach-Object {$_.terminate()}"
    powershell.exe -command "(Get-WmiObject win32_process -filter \"Name='cmd.exe' AND CommandLine LIKE '%%W Hidden -E JABwAGkAbgAgAD0A%%'\") | ForEach-Object {$_.terminate()}"
    powershell.exe -command "(Get-WmiObject win32_process -filter \"Name='cmd.exe' AND CommandLine LIKE '%%System_Anti_Virus_Core%%'\") | ForEach-Object {$_.terminate()}"


    Afterwards, I recommend changing the domain administrator password two or three times, deploying the LAPS client, and making sure every machine has the latest security updates installed, especially MS17-010: this family of malware spreads through the SMBv1 vulnerability, which was fixed in MS17-010.


    July 9, 2021 8:32
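An added example that is not part of the original answer: a read-only PowerShell audit that reports the artefacts the answer tells you to look for (public resolvers on the adapters, an IPsec policy containing "netbc", the two scheduled task names, the WMI subscription names and the System_Anti_Virus_Core class, the encoded command line in running powershell.exe/cmd.exe, and SMBv1 still enabled), so you can confirm which hosts are affected before pushing the cleanup script through a GPO. The function name and output layout are mine; the indicator values come from the thread and are parameters so they can be adjusted.

```powershell
# Added example (not the thread's own script). Read-only: it only reports, it removes nothing.
function Get-HostTamperingReport {
    [CmdletBinding()]
    param(
        # Indicator values as named in the thread; adjust to your own incident.
        [string[]]$SuspectDnsServers = @('8.8.8.8', '9.9.9.9'),
        [string]  $IpsecKeyword      = 'netbc',
        [string[]]$TaskNames         = @('WindowsLogTasks', 'System Log Security Check'),
        [string[]]$WmiNames          = @('Windows Events Consumer', 'Windows Events Filter'),
        [string]  $CmdFragment       = 'W Hidden -E JABwAGkAbgAgAD0A'
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    $note = { param($Category, $Detail)
              $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail }) }

    # 1. DNS servers pointed at public resolvers (the first symptom in the question)
    foreach ($cfg in (Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue)) {
        $bad = @($cfg.ServerAddresses | Where-Object { $_ -in $SuspectDnsServers })
        if ($bad.Count) { & $note 'DNS' "Interface '$($cfg.InterfaceAlias)' uses $($bad -join ', ')" }
    }

    # 2. Legacy IPsec policy or filter list whose text contains the keyword
    $ipsec = @(netsh ipsec static show policy all 2>$null) +
             @(netsh ipsec static show filterlist all level=verbose 2>$null)
    if ($ipsec | Where-Object { $_ -match [regex]::Escape($IpsecKeyword) }) {
        & $note 'IPsec' "netsh ipsec output contains '$IpsecKeyword'; review with: netsh ipsec static show policy all"
    }

    # 3. Scheduled tasks with the names the answer says to delete
    foreach ($name in $TaskNames) {
        $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
        if ($task) { & $note 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) (state: $($task.State))" }
    }

    # 4. Permanent WMI event subscriptions: every CommandLineEventConsumer deserves a look;
    #    the names from the thread are flagged KNOWN, anything else is flagged for review
    foreach ($cls in 'CommandLineEventConsumer', '__EventFilter') {
        Get-CimInstance -Namespace root/subscription -ClassName $cls -ErrorAction SilentlyContinue |
            ForEach-Object {
                $flag = if ($_.Name -in $WmiNames) { 'KNOWN' } else { 'review' }
                & $note 'WMI' "$cls '$($_.Name)' [$flag]"
            }
    }
    if (Get-CimClass -Namespace root/DEFAULT -ClassName System_Anti_Virus_Core -ErrorAction SilentlyContinue) {
        & $note 'WMI' 'Class System_Anti_Virus_Core exists in root\DEFAULT'
    }

    # 5. Running powershell.exe / cmd.exe carrying the encoded command line or the class name
    Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='cmd.exe'" |
        Where-Object { $_.CommandLine -like "*$CmdFragment*" -or $_.CommandLine -like '*System_Anti_Virus_Core*' } |
        ForEach-Object { & $note 'Process' "PID $($_.ProcessId): $($_.CommandLine)" }

    # 6. SMBv1 still enabled (the spreading vector the answer ties to MS17-010)
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb -and $smb.EnableSMB1Protocol) { & $note 'SMB' 'SMBv1 server protocol is enabled' }

    return $findings
}

# Usage (run elevated on each DC / server):
Get-HostTamperingReport | Format-Table -AutoSize
```

Run it on DCSSH1 first: an IPsec finding there would explain why DCSSH2's `DsBindWithSpnEx()` fails with 1722 while DCSSH1 itself still works locally. An empty report means none of the thread's indicators are present, not that the host is clean; keep the antivirus scan and the event logs in the picture. Once the cleanup GPO has run, the same function is the quick way to confirm the artefacts have not come back.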

All replies

  • Adding the DNS diagnostic results:


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       * Verifying that the local machine DCSSH2, is a Directory Server. 
       Home Server = DCSSH2

       * Connecting to directory service on server DCSSH2.

       * Identified AD Forest. 
       Collecting AD specific global data 
       * Collecting site info.

       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=hx,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded 
       Iterating through the sites 
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hx,DC=com
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=HX-SH,CN=Sites,CN=Configuration,DC=hx,DC=com
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=HX-CC,CN=Sites,CN=Configuration,DC=hx,DC=com
       Getting ISTG and options for the site
       * Identifying all servers.

       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=hx,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers 
       Getting information for the server CN=NTDS Settings,CN=DCSSH1,CN=Servers,CN=HX-SH,CN=Sites,CN=Configuration,DC=hx,DC=com 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=DCSSH2,CN=Servers,CN=HX-SH,CN=Sites,CN=Configuration,DC=hx,DC=com 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=DCSCC1,CN=Servers,CN=HX-CC,CN=Sites,CN=Configuration,DC=hx,DC=com 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=DCSCC2,CN=Servers,CN=HX-CC,CN=Sites,CN=Configuration,DC=hx,DC=com 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.

       * Found 4 DC(s). Testing 4 of them.

       Done gathering initial info.


    Doing initial required tests


       Testing server: HX-SH\DCSSH1

          Starting test: Connectivity

             * Active Directory LDAP Services Check
             Determining IP4 connectivity 
             * Active Directory RPC Services Check
             [DCSSH1] DsBindWithSpnEx() failed with error 1722,

             The RPC server is unavailable..
             RPC Extended Error Info not available. Use group policy on the local machine at "Computer

             Configuration/Administrative Templates/System/Remote Procedure Call" to enable it.

             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.

             ......................... DCSSH1 failed test Connectivity


       Testing server: HX-SH\DCSSH2

          Starting test: Connectivity

             * Active Directory LDAP Services Check
             Determining IP4 connectivity 
             * Active Directory RPC Services Check
             ......................... DCSSH2 passed test Connectivity


       Testing server: HX-CC\DCSCC1

          Starting test: Connectivity

             * Active Directory LDAP Services Check
             Determining IP4 connectivity 
             * Active Directory RPC Services Check
             ......................... DCSCC1 passed test Connectivity


       Testing server: HX-CC\DCSCC2

          Starting test: Connectivity

             * Active Directory LDAP Services Check
             Determining IP4 connectivity 
             * Active Directory RPC Services Check
             ......................... DCSCC2 passed test Connectivity



    Doing primary tests


       Testing server: HX-SH\DCSSH1

          Test omitted by user request: Advertising

          Test omitted by user request: CheckSecurityError

          Test omitted by user request: CutoffServers

          Test omitted by user request: FrsEvent

          Test omitted by user request: DFSREvent

          Test omitted by user request: SysVolCheck

          Test omitted by user request: KccEvent

          Test omitted by user request: KnowsOfRoleHolders

          Test omitted by user request: MachineAccount

          Test omitted by user request: NCSecDesc

          Test omitted by user request: NetLogons

          Test omitted by user request: ObjectsReplicated

          Test omitted by user request: OutboundSecureChannels

          Test omitted by user request: Replications

          Test omitted by user request: RidManager

          Test omitted by user request: Services

          Test omitted by user request: SystemLog

          Test omitted by user request: Topology

          Test omitted by user request: VerifyEnterpriseReferences

          Test omitted by user request: VerifyReferences

          Test omitted by user request: VerifyReplicas


       Testing server: HX-SH\DCSSH2

          Test omitted by user request: Advertising

          Test omitted by user request: CheckSecurityError

          Test omitted by user request: CutoffServers

          Test omitted by user request: FrsEvent

          Test omitted by user request: DFSREvent

          Test omitted by user request: SysVolCheck

          Test omitted by user request: KccEvent

          Test omitted by user request: KnowsOfRoleHolders

          Test omitted by user request: MachineAccount

          Test omitted by user request: NCSecDesc

          Test omitted by user request: NetLogons

          Test omitted by user request: ObjectsReplicated

          Test omitted by user request: OutboundSecureChannels

          Test omitted by user request: Replications

          Test omitted by user request: RidManager

          Test omitted by user request: Services

          Test omitted by user request: SystemLog

          Test omitted by user request: Topology

          Test omitted by user request: VerifyEnterpriseReferences

          Test omitted by user request: VerifyReferences

          Test omitted by user request: VerifyReplicas


       Testing server: HX-CC\DCSCC1

          Test omitted by user request: Advertising

          Test omitted by user request: CheckSecurityError

          Test omitted by user request: CutoffServers

          Test omitted by user request: FrsEvent

          Test omitted by user request: DFSREvent

          Test omitted by user request: SysVolCheck

          Test omitted by user request: KccEvent

          Test omitted by user request: KnowsOfRoleHolders

          Test omitted by user request: MachineAccount

          Test omitted by user request: NCSecDesc

          Test omitted by user request: NetLogons

          Test omitted by user request: ObjectsReplicated

          Test omitted by user request: OutboundSecureChannels

          Test omitted by user request: Replications

          Test omitted by user request: RidManager

          Test omitted by user request: Services

          Test omitted by user request: SystemLog

          Test omitted by user request: Topology

          Test omitted by user request: VerifyEnterpriseReferences

          Test omitted by user request: VerifyReferences

          Test omitted by user request: VerifyReplicas


       Testing server: HX-CC\DCSCC2

          Test omitted by user request: Advertising

          Test omitted by user request: CheckSecurityError

          Test omitted by user request: CutoffServers

          Test omitted by user request: FrsEvent

          Test omitted by user request: DFSREvent

          Test omitted by user request: SysVolCheck

          Test omitted by user request: KccEvent

          Test omitted by user request: KnowsOfRoleHolders

          Test omitted by user request: MachineAccount

          Test omitted by user request: NCSecDesc

          Test omitted by user request: NetLogons

          Test omitted by user request: ObjectsReplicated

          Test omitted by user request: OutboundSecureChannels

          Test omitted by user request: Replications

          Test omitted by user request: RidManager

          Test omitted by user request: Services

          Test omitted by user request: SystemLog

          Test omitted by user request: Topology

          Test omitted by user request: VerifyEnterpriseReferences

          Test omitted by user request: VerifyReferences

          Test omitted by user request: VerifyReplicas


          Starting test: DNS


                   Starting test: DNS


                            Starting test: DNS



                                  DNS Tests are running and not hung. Please wait a few minutes...


                                     Starting test: DNS

                                        See DNS test in enterprise tests section for results
                                        ......................... DCSCC1 passed test DNS

                               See DNS test in enterprise tests section for results
                               ......................... DCSSH2 passed test DNS

                      See DNS test in enterprise tests section for results
                      ......................... DCSCC2 passed test DNS

             See DNS test in enterprise tests section for results
             ......................... DCSSH1 failed test DNS


       Running partition tests on : ForestDnsZones

          Test omitted by user request: CheckSDRefDom

          Test omitted by user request: CrossRefValidation


       Running partition tests on : DomainDnsZones

          Test omitted by user request: CheckSDRefDom

          Test omitted by user request: CrossRefValidation


       Running partition tests on : Schema

          Test omitted by user request: CheckSDRefDom

          Test omitted by user request: CrossRefValidation


       Running partition tests on : Configuration

          Test omitted by user request: CheckSDRefDom

          Test omitted by user request: CrossRefValidation


       Running partition tests on : hx

          Test omitted by user request: CheckSDRefDom

          Test omitted by user request: CrossRefValidation


       Running enterprise tests on : hx.com

          Starting test: DNS

             Test results for domain controllers:


                DC: DCSSH2.hx.com

                Domain: hx.com




                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed

                   TEST: Basic (Basc)
                      The OS Microsoft Windows Server 2016 Standard (Service Pack level: 0.0) is supported.

                      NETLOGON service is running

                      kdc service is running

                      DNSCACHE service is running

                      DNS service is running

                      DC is a DNS server

                      Network adapters information:

                      Adapter [00000002] Broadcom NetXtreme Gigabit Ethernet:

                         MAC address is D0:94:66:84:29:AD
                         IP Address is static 
                         IP address: 10.7.1.2
                         DNS servers:

                            10.7.1.1 (dcssh1.hx.com.) [Valid]
                            10.7.1.2 (DCSSH2) [Valid]
                      The A host record(s) for this DC was found
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found primary
                      Root zone on this DC/DNS server was not found

                   TEST: Forwarders/Root hints (Forw)
                      Recursion is enabled
                      Forwarders Information: 
                         10.7.1.253 (<name unavailable>) [Valid] 

                   TEST: Delegations (Del)
                      Delegation information for the zone: hx.com.
                         Delegated domain name: _msdcs.hx.com.
                            DNS server: dcssh1.hx.com. IP:10.7.1.1 [Valid]

                   TEST: Dynamic update (Dyn)
                      Test record dcdiag-test-record added successfully in zone hx.com
                      Test record dcdiag-test-record deleted successfully in zone hx.com

                   TEST: Records registration (RReg)
                      Network Adapter [00000002] Broadcom NetXtreme Gigabit Ethernet:

                         Matching CNAME record found at DNS server 10.7.1.1:
                         ae935d44-6aeb-4575-809d-ea91d819a8d6._msdcs.hx.com

                         Matching A record found at DNS server 10.7.1.1:
                         DCSSH2.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _ldap._tcp.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _ldap._tcp.e826a4f8-d401-4838-a512-09a93e68a2e1.domains._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _kerberos._tcp.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _ldap._tcp.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _kerberos._tcp.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _kerberos._udp.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _kpasswd._tcp.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _ldap._tcp.HX-SH._sites.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _kerberos._tcp.HX-SH._sites.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _ldap._tcp.HX-SH._sites.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _kerberos._tcp.HX-SH._sites.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _ldap._tcp.gc._msdcs.hx.com

                         Matching A record found at DNS server 10.7.1.1:
                         gc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _gc._tcp.HX-SH._sites.hx.com

                         Matching  SRV record found at DNS server 10.7.1.1:
                         _ldap._tcp.HX-SH._sites.gc._msdcs.hx.com

                         Matching CNAME record found at DNS server 10.7.1.2:
                         ae935d44-6aeb-4575-809d-ea91d819a8d6._msdcs.hx.com

                         Matching A record found at DNS server 10.7.1.2:
                         DCSSH2.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _ldap._tcp.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _ldap._tcp.e826a4f8-d401-4838-a512-09a93e68a2e1.domains._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _kerberos._tcp.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _ldap._tcp.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _kerberos._tcp.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _kerberos._udp.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _kpasswd._tcp.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _ldap._tcp.HX-SH._sites.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _kerberos._tcp.HX-SH._sites.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _ldap._tcp.HX-SH._sites.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _kerberos._tcp.HX-SH._sites.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _ldap._tcp.gc._msdcs.hx.com

                         Matching A record found at DNS server 10.7.1.2:
                         gc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _gc._tcp.HX-SH._sites.hx.com

                         Matching  SRV record found at DNS server 10.7.1.2:
                         _ldap._tcp.HX-SH._sites.gc._msdcs.hx.com



                DC: DCSCC2.hx.com

                Domain: hx.com




                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed

                   TEST: Basic (Basc)
                      The OS Microsoft Windows Server 2016 Standard (Service Pack level: 0.0) is supported.

                      NETLOGON service is running

                      kdc service is running

                      DNSCACHE service is running

                      DNS service is running

                      DC is a DNS server

                      Network adapters information:

                      Adapter [00000002] Broadcom NetXtreme Gigabit Ethernet:

                         MAC address is 2C:EA:7F:5A:01:9A
                         IP Address is static 
                         IP address: 10.8.1.2
                         DNS servers:

                            10.8.1.1 (DCSCC1) [Valid]
                            10.8.1.2 (DCSCC2) [Valid]
                            127.0.0.1 (DCSCC2) [Valid]
                      The A host record(s) for this DC was found
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found primary
                      Root zone on this DC/DNS server was not found

                   TEST: Forwarders/Root hints (Forw)
                      Recursion is enabled
                      Forwarders Information: 
                         10.7.1.253 (<name unavailable>) [Valid] 

                   TEST: Delegations (Del)
                      Delegation information for the zone: hx.com.
                         Delegated domain name: _msdcs.hx.com.
                            DNS server: dcssh1.hx.com. IP:10.7.1.1 [Valid]

                   TEST: Dynamic update (Dyn)
                      Test record dcdiag-test-record added successfully in zone hx.com
                      Test record dcdiag-test-record deleted successfully in zone hx.com

                   TEST: Records registration (RReg)
                      Network Adapter [00000002] Broadcom NetXtreme Gigabit Ethernet:

                         Matching CNAME record found at DNS server 10.8.1.1:
                         d58a98f7-9c72-44c8-8f37-f51f6e181428._msdcs.hx.com

                         Matching A record found at DNS server 10.8.1.1:
                         DCSCC2.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _ldap._tcp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _ldap._tcp.e826a4f8-d401-4838-a512-09a93e68a2e1.domains._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _kerberos._tcp.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _ldap._tcp.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _kerberos._tcp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _kerberos._udp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _kpasswd._tcp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _ldap._tcp.HX-CC._sites.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _kerberos._tcp.HX-CC._sites.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _ldap._tcp.HX-CC._sites.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _kerberos._tcp.HX-CC._sites.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _ldap._tcp.gc._msdcs.hx.com

                         Matching A record found at DNS server 10.8.1.1:
                         gc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _gc._tcp.HX-CC._sites.hx.com

                         Matching  SRV record found at DNS server 10.8.1.1:
                         _ldap._tcp.HX-CC._sites.gc._msdcs.hx.com

                         Matching CNAME record found at DNS server 10.8.1.2:
                         d58a98f7-9c72-44c8-8f37-f51f6e181428._msdcs.hx.com

                         Matching A record found at DNS server 10.8.1.2:
                         DCSCC2.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.e826a4f8-d401-4838-a512-09a93e68a2e1.domains._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kerberos._tcp.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kerberos._tcp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kerberos._udp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kpasswd._tcp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.HX-CC._sites.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kerberos._tcp.HX-CC._sites.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.HX-CC._sites.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kerberos._tcp.HX-CC._sites.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.gc._msdcs.hx.com

                         Matching A record found at DNS server 10.8.1.2:
                         gc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _gc._tcp.HX-CC._sites.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.HX-CC._sites.gc._msdcs.hx.com

                         Matching CNAME record found at DNS server 10.8.1.2:
                         d58a98f7-9c72-44c8-8f37-f51f6e181428._msdcs.hx.com

                         Matching A record found at DNS server 10.8.1.2:
                         DCSCC2.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.e826a4f8-d401-4838-a512-09a93e68a2e1.domains._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kerberos._tcp.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kerberos._tcp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kerberos._udp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kpasswd._tcp.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.HX-CC._sites.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kerberos._tcp.HX-CC._sites.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.HX-CC._sites.dc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _kerberos._tcp.HX-CC._sites.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.gc._msdcs.hx.com

                         Matching A record found at DNS server 10.8.1.2:
                         gc._msdcs.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _gc._tcp.HX-CC._sites.hx.com

                         Matching  SRV record found at DNS server 10.8.1.2:
                         _ldap._tcp.HX-CC._sites.gc._msdcs.hx.com

    2021年7月6日 9:39
  • Looking at the errors above, they are mostly concentrated in the section below. How should this be handled?

    Starting test: KnowsOfRoleHolders
             [DCSSH1] DsBindWithSpnEx() failed with error 1722,
             The RPC server is unavailable..
             Warning: DCSSH1 is the Schema Owner, but is not responding to DS RPC Bind.
             Warning: DCSSH1 is the Domain Owner, but is not responding to DS RPC Bind.
             Warning: DCSSH1 is the PDC Owner, but is not responding to DS RPC Bind.
             Warning: DCSSH1 is the Rid Owner, but is not responding to DS RPC Bind.
             Warning: DCSSH1 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.

    2021年7月6日 9:40
  • One more thing: under the current circumstances, I also cannot join the domain from a client. When joining the domain, after entering the username and password, the prompt appears: The network path was not found.
    2021年7月6日 9:48
  • But clients that had already joined the domain can still ping the domain hx.com, and can also reach the default shares SYSVOL and NETLOGON under \\hx.com\; they just cannot browse the domain controller's account information. I checked from the Security tab of the folder properties, looking at the permissions, and the domain cannot be browsed there.
    2021年7月6日 9:50
  • I just tried turning off the built-in Windows firewall on each of the affected servers, including the domain controllers, and everything went back to normal. What is the reason for this? Doing it this way feels inappropriate. Could someone help analyze which firewall settings I should check specifically? I would still prefer the firewall to be enabled by default. It only became like this after this trojan appeared, around the time of the scan and removal.
    2021年7月6日 10:37
  • Hello,

    I suggest checking whether the firewall is blocking some of the ports required by a domain environment.

    For details on the ports, see the content at the link below:

    How to configure a firewall for Active Directory domains and trusts

    https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts

    Fan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    2021年7月6日 23:11
  • Hello,

    If there is any progress, feel free to post an update here.

    Fan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    2021年7月8日 23:34
  • Hello,

    From the error, it looks like ports the domain controller depends on have been closed, so it cannot communicate with the PDC over RPC. I suggest following flingmin's advice and checking the relevant ports.

    I suggest that after the ports are fixed, you give the domain controllers a full health check, and also check whether any abnormal scheduled tasks have been planted in the services or scheduled tasks. I hope this helps.

    2021年7月9日 0:48
  • Judging from symptoms such as being unable to join the domain, port 445 and others are probably occupied; this looks very much like a server infected with mining malware. I personally suggest the following method to make a further determination:

    1. Run PowerShell as administrator and check whether IPsec policies are blocking TCP port 445 with the following commands:

    netsh ipsec static show policy all

    netsh ipsec static show filterlist all level=verbose

    If, after running these, a security policy containing the keyword "netbc" appears (or run gpedit to open the security policies directly and view the details),

    and you confirm the server has this item, delete the policy with the following command or remove it directly:

    netsh ipsec static delete policy name=netbc

    Then create a GPO that runs the following script and apply it to all server and computer OUs (run every 5 minutes):

    rem Cleanup batch script: each command is on its own line; "%%" is the batch escape for a literal "%" in the WQL LIKE patterns.
    rem Remove the persistent WMI event subscription (consumer and filter) used for re-infection.
    powershell.exe -command "Get-WMIObject -Query \"select * from CommandLineEventConsumer where name='Windows Events Consumer' \" -Namespace 'root/subscription' | remove-wmiobject"
    powershell.exe -command "Get-WMIObject -Query \"select * from __EventFilter where name='Windows Events Filter' \" -Namespace 'root/subscription' | remove-wmiobject"
    rem Remove the WMI class the malware stores its payload in.
    powershell.exe -command "Remove-WmiObject -Class System_Anti_Virus_Core -Namespace root\DEFAULT "
    rem Delete the planted scheduled tasks.
    schtasks /Delete /TN "WindowsLogTasks" /F
    schtasks /Delete /TN "System Log Security Check" /F
    rem Delete the IPsec policy that blocks port 445.
    netsh ipsec static delete policy netbc
    rem Terminate the running malicious powershell.exe / cmd.exe instances, matched by their command line.
    powershell.exe -command "(Get-WmiObject win32_process -filter \"Name='powershell.exe' AND CommandLine LIKE '%%W Hidden -E JABwAGkAbgAgAD0A%%'\")| ForEach-Object {$_.terminate()}"
    powershell.exe -command "(Get-WmiObject win32_process -filter \"Name='powershell.exe' AND CommandLine LIKE '%%System_Anti_Virus_Core%%'\")| ForEach-Object {$_.terminate()}"
    powershell.exe -command "(Get-WmiObject win32_process -filter \"Name='cmd.exe' AND CommandLine LIKE '%%W Hidden -E JABwAGkAbgAgAD0A%%'\")| ForEach-Object {$_.terminate()}"
    powershell.exe -command "(Get-WmiObject win32_process -filter \"Name='cmd.exe' AND CommandLine LIKE '%%System_Anti_Virus_Core%%'\")| ForEach-Object {$_.terminate()}"


    Afterwards, I suggest changing the domain administrator password 2-3 times and deploying the LAPS client, and making sure all machines have the latest security patches installed, especially MS17-010. This class of malware spreads by exploiting the SMBv1 vulnerability, which was fixed in MS17-010.


    2021年7月9日 8:32
  • Check whether related services were stopped: in Server Manager, under Local Server, AD DS, in the "Services" list box at the lower right, start the services that were stopped.

    Restoring the firewall to its default settings is enough; there is no need to stop it.

    In Control Panel, Administrative Tools, open Task Scheduler and delete the suspicious items.

    2021年7月9日 8:47
  • Hello,

        Thank you; the problem was resolved that same day, and I was busy with other things afterwards and forgot to reply. It really was the domain controller's critical port 445: the trojan had added it to the firewall's Inbound rules. After deleting the rule manually and re-enabling the firewall, everything returned to normal.

    2021年8月9日 8:44
  • We found the cause that same day: port 445 was indeed being blocked, and deleting that firewall inbound rule was enough. All of our clients and servers are regularly upgraded and patched, and all have enterprise antivirus installed. The only cause of infection I can think of is that client privileges were too high, with administrative rights; it may have been planted while visiting certain websites.

    2021年8月9日 9:10
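An added example (not code from the thread or from Microsoft) that turns the replies above into a repeatable check: it lists enabled inbound Block rules on the AD ports from the linked article (445 was the culprit here) and looks for the "netbc" IPsec policy name from the cleanup script. The port table and the output shape are assumptions of this example; run it in an elevated PowerShell session on each DC.

```powershell
# Added example: audit a DC for inbound firewall Block rules on AD ports.
# Windows Firewall evaluates Block rules before Allow rules, which is why one
# planted Block rule on 445 cut off every domain member despite the default
# AD allow rules still being present.

# Ports a domain member needs to reach on a DC (assumed table; TCP unless noted).
$AdPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (DsBind / replication)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, NETLOGON, domain join)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-PortCovered([string[]]$LocalPorts, [int]$Port) {
    # A rule with LocalPort 'Any' or a matching range also covers the port.
    foreach ($lp in $LocalPorts) {
        if ($lp -eq 'Any' -or $lp -eq "$Port") { return $true }
        if ($lp -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le $Port -and [int]$Matches[2] -ge $Port) { return $true }
    }
    return $false
}

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True) {
    $pf = $rule | Get-NetFirewallPortFilter
    foreach ($p in $AdPorts.Keys) {
        if (Test-PortCovered -LocalPorts @($pf.LocalPort) -Port $p) {
            [pscustomobject]@{
                RuleName    = $rule.DisplayName
                Profile     = $rule.Profile
                Protocol    = $pf.Protocol
                LocalPort   = (@($pf.LocalPort) -join ',')
                BlockedPort = $p
                Service     = $AdPorts[$p]
            }
        }
    }
}
$findings | Sort-Object BlockedPort | Format-Table -AutoSize

# IPsec policies can block 445 just as silently; the thread's script removes one named "netbc".
$ipsecPolicies = netsh ipsec static show policy all
if ($ipsecPolicies -match 'netbc') {
    Write-Warning 'IPsec policy mentioning "netbc" found; inspect with: netsh ipsec static show filterlist all level=verbose'
}
# Once a rule is confirmed malicious, remove it by name, e.g.:
# Remove-NetFirewallRule -DisplayName '<suspicious rule name>'
```

Because Block rules win over Allow rules, any finding on 135 or 445 explains both the DsBindWithSpnEx error 1722 in the dcdiag output and the failed domain joins.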