Windows Server 2003 RID problem

  • Question

  • Hello, experts:

            The RID on one of our company's domain controllers (Windows Server 2003) has a problem, and there is no backup. We can no longer add hosts to the domain. Please help.

    September 23, 2013 10:07

All replies

  • You can seize the RID role with

    ntdsutil roles seize rid master

    For this, refer to the following Microsoft Support article

    Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
    http://support.microsoft.com/kb/255504/zh-cn

    and force it onto another DC. If after that the DC still does not successfully reset its RID pool (which can be verified with dcdiag),

    you can try to set the RID pool manually as follows.

    dsquery * -filter "objectsid=*" -limit 0 -attr objectsid

    Look at the largest RID, then add 5000 (you can also pick your own value); this is to avoid, as far as possible, conflicts with SIDs held by tombstoned objects.

    Then write the following text file

    The method of resetting the RID below is completely wrong and does not work.

    dn:
    changetype: modify
    replace: schemaUpgradeInProgress
    schemaUpgradeInProgress: 1
    -

    dn: CN=Rid Set,CN=RID_MASTER,OU=Domain Controllers,Domain DN
    changetype: modify
    replace: rIDPreviousAllocationPool
    rIDPreviousAllocationPool: 17626545786389
    -

    dn: CN=Rid Set,CN=RID_MASTER,OU=Domain Controllers,Domain DN
    changetype: modify
    replace: rIDNextRID
    rIDNextRID:NEXTRID
    -

    dn:
    changetype: modify
    replace: schemaUpgradeInProgress
    schemaUpgradeInProgress: 0
    -

    dn:
    changetype: modify
    replace: schemaUpdateNow
    schemaUpdateNow: 1
    -

    Here Domain DN must be replaced with the actual domain DN, RID_MASTER with the actual host name of the DC holding the RID role, and NEXTRID is the largest RID found above + 5000.

    Finally, run it with

    ldifde -i -f ldf.txt

    The method of resetting the RID above is completely wrong and does not work.

    The above method is for reference only; it is strongly recommended to verify it in a test environment first.


    Folding@Home


    September 23, 2013 11:00
  • Hello, below is the dcdiag log; please take a look. Also, how should the text file described above be used?

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    D:\>cd SUPPORT

    D:\SUPPORT>cd TOOLS

    D:\SUPPORT\TOOLS>dir
     Volume in drive D is Slave
     Volume Serial Number is B871-E2ED

     Directory of D:\SUPPORT\TOOLS

    2013-09-24  14:33    <DIR>          .
    2013-09-24  14:33    <DIR>          ..
    2007-03-07  20:00           492,032 DCDIAG.EXE
    2007-03-07  20:00         1,859,365 DEPLOY.CAB
    2007-03-07  20:00            26,624 GBUNICNV.EXE
    2007-03-07  20:00         3,675,648 MSRDPCLI.EXE
    2007-03-07  20:00           327,168 NETSETUP.EXE
    2007-03-07  20:00           244,736 REPADMIN.EXE
    2007-03-07  20:00         3,615,002 SUPPORT.CAB
    2007-03-07  20:00           237,568 SUPTOOLS.MSI
    2007-03-07  20:00           797,620 SUP_PRO.CAB
    2007-03-07  20:00           961,239 SUP_SRV.CAB
                  10 File(s)     12,237,002 bytes
                   2 Dir(s) 17,698,893,824 bytes free

    D:\SUPPORT\TOOLS>DCDIAG.EXE

    Domain Controller Diagnosis

    Performing initial setup:
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\DC01
          Starting test: Connectivity
             ......................... DC01 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\DC01
          Starting test: Replications
             [Replications Check,DC01] A recent replication attempt failed:
                From DPM-SERVER to DC01
                Naming Context: DC=ForestDnsZones,DC=corp,DC=com
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2013-09-24 13:55:51.
                The last success occurred at 2008-06-27 19:49:30.
                45928 failures have occurred since the last success.
             [DPM-SERVER] DsBindWithSpnEx() failed with error 1753,
             There are no more endpoints available from the endpoint mapper.
             [Replications Check,DC01] A recent replication attempt failed:
                From DPM-SERVER to DC01
                Naming Context: DC=DomainDnsZones,DC=corp,DC=com
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2013-09-24 13:55:51.
                The last success occurred at 2008-06-27 19:49:30.
                45929 failures have occurred since the last success.
             [Replications Check,DC01] A recent replication attempt failed:
                From DPM-SERVER to DC01
                Naming Context: CN=Schema,CN=Configuration,DC=corp,DC=com
                The replication generated an error (1753):
                There are no more endpoints available from the endpoint mapper.
                The failure occurred at 2013-09-24 13:55:51.
                The last success occurred at 2008-06-27 19:49:30.
                45930 failures have occurred since the last success.
                The directory on DPM-SERVER is in the process.
                of starting up or shutting down, and is not available.
                Verify machine is not hung during boot.
             [Replications Check,DC01] A recent replication attempt failed:
                From DPM-SERVER to DC01
                Naming Context: CN=Configuration,DC=corp,DC=com
                The replication generated an error (1753):
                There are no more endpoints available from the endpoint mapper.
                The failure occurred at 2013-09-24 13:55:51.
                The last success occurred at 2008-06-27 20:48:07.
                45930 failures have occurred since the last success.
                The directory on DPM-SERVER is in the process.
                of starting up or shutting down, and is not available.
                Verify machine is not hung during boot.
             [Replications Check,DC01] A recent replication attempt failed:
                From DPM-SERVER to DC01
                Naming Context: DC=corp,DC=com
                The replication generated an error (1753):
                There are no more endpoints available from the endpoint mapper.
                The failure occurred at 2013-09-24 13:55:51.
                The last success occurred at 2008-06-27 21:00:58.
                45929 failures have occurred since the last success.
                The directory on DPM-SERVER is in the process.
                of starting up or shutting down, and is not available.
                Verify machine is not hung during boot.
             REPLICATION-RECEIVED LATENCY WARNING
             DC01:  Current time is 2013-09-24 14:34:52.
                DC=ForestDnsZones,DC=corp,DC=com
                   Last replication recieved from DPM-SERVER at 2008-06-27 20:56:34.

                   WARNING:  This latency is over the Tombstone Lifetime of 60 days!

                DC=DomainDnsZones,DC=corp,DC=com
                   Last replication recieved from DPM-SERVER at 2008-06-27 20:56:34.

                   WARNING:  This latency is over the Tombstone Lifetime of 60 days!

                CN=Schema,CN=Configuration,DC=corp,DC=com
                   Last replication recieved from DPM-SERVER at 2008-06-27 20:56:34.

                   WARNING:  This latency is over the Tombstone Lifetime of 60 days!

                CN=Configuration,DC=corp,DC=com
                   Last replication recieved from DPM-SERVER at 2008-06-27 20:56:33.

                   WARNING:  This latency is over the Tombstone Lifetime of 60 days!

                DC=corp,DC=com
                   Last replication recieved from DPM-SERVER at 2008-06-27 21:00:58.

                   WARNING:  This latency is over the Tombstone Lifetime of 60 days!

             ......................... DC01 passed test Replications
          Starting test: NCSecDesc
             ......................... DC01 passed test NCSecDesc
          Starting test: NetLogons
             ......................... DC01 passed test NetLogons
          Starting test: Advertising
             ......................... DC01 passed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... DC01 passed test KnowsOfRoleHolders
          Starting test: RidManager
             The DS has corrupt data: rIDPreviousAllocationPool value is not valid
             No rids allocated -- please check eventlog.
             ......................... DC01 failed test RidManager
          Starting test: MachineAccount
             ......................... DC01 passed test MachineAccount
          Starting test: Services
             ......................... DC01 passed test Services
          Starting test: ObjectsReplicated
             ......................... DC01 passed test ObjectsReplicated
          Starting test: frssysvol
             ......................... DC01 passed test frssysvol
          Starting test: frsevent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... DC01 failed test frsevent
          Starting test: kccevent
             ......................... DC01 passed test kccevent
          Starting test: systemlog
             ......................... DC01 passed test systemlog
          Starting test: VerifyReferences
             ......................... DC01 passed test VerifyReferences

       Running partition tests on : ForestDnsZones
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom

       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom

       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom

       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom

       Running partition tests on : corp
          Starting test: CrossRefValidation
             ......................... corp passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... corp passed test CheckSDRefDom

       Running enterprise tests on : corp.com
          Starting test: Intersite
             ......................... corp.com passed test Intersite
          Starting test: FsmoCheck
             ......................... corp.com passed test FsmoCheck

    The errors reported in the system's Directory Service log are all event 1864 and 2092.

    Looking forward to your reply.

    September 24, 2013 7:01
  • From your reply, it seems you do not yet have a fairly complete understanding of Active Directory. Troubleshooting under those conditions may not be ideal, and may also make the problem more complicated.

    For the current problem, you could first ask another colleague to help. Also, if your company has a support contract, you could have them resolve the current problem first. Afterwards, build an Active Directory environment in virtual machines yourself and study it systematically together with the relevant books.


    Folding@Home

    September 24, 2013 11:27
  • Because the last time I reset a RID myself was at the end of April last year, and I have not done it since, when I saw your question I simply treated the RID as an incrementing value and forgot that its valid range must be taken into account.

    It was only when I set the RID again in a test environment that I found this method did not work, and remembered that the valid range has to be considered.

    The correct method is given below:

    First obtain the current RidAllocationPool

    dsquery * "CN=Rid Set,CN=RID MASTER,OU=Domain Controllers,DC=DOMAIN DN" -attr rIDAllocationPool


    Record it as the value $RidAllocationPool.

    Then substitute that value into the following PowerShell commands

    $RID_AllocationPool = $RidAllocationPool                        # the 64-bit rIDAllocationPool value from dsquery
    [int32]$RID_high1 = $RID_AllocationPool / [math]::pow(2,32)     # upper 32 bits: end of the pool
    [int64]$RIDtemp1 = $RID_high1 * [math]::pow(2,32)
    [int64]$RID_low1 = $RID_AllocationPool - $RIDtemp1              # lower 32 bits: start of the pool
    
    write-host  $RID_low1 $RID_high1


    This gives you the start and end of the RID range.

    Now run the command

    dsquery * -filter "objectsid=*" -limit 0 -attr objectsid -l


    and check whether the largest RID returned lies within that range. Record it as $MAX_RID.

    Run the following PowerShell commands

    # Begin
    
    $root = [adsisearcher]'LDAP://RootDSE'
    $root.filter = '(&(isDeleted=TRUE)(Objectsid=*))'   # deleted objects that still carry a SID
    $root.tombstone = $true                              # include tombstoned objects in the results
    $objects = $root.findall()
    
    $list = new-object system.collections.arraylist
    foreach ($obj in $objects) 
    {
        $arr = $obj.properties.objectsid.item(0)                                  # raw SID bytes
        $s = new-object system.security.principal.securityidentifier($arr, 0)
        $sid = $s.tostring()                                                      # S-1-5-21-...-RID
        $rid = [int32]$sid.substring($sid.lastindexof('-') + 1)                   # the last component is the RID
        [void]$list.add($rid)
    }
    $list | sort -desc | select -first 1                                          # largest RID among deleted objects
    
    # End


    to get the largest RID among the deleted objects. If it is greater than $MAX_RID, assign it to $MAX_RID.

    If $MAX_RID is not within the start and end range, or $RID_low1 >= $RID_high1, then the start and end of this RidAllocationPool are invalid and need to be rebuilt manually.

    Set the new start and end range

    $RID_LOW = $MAX_RID + 1 + 499 + 1 + 499     # skip two whole 500-RID pools above the largest RID seen
    $RID_HIGH = $RID_LOW + 499

    If $MAX_RID is within the valid range, then

    set the new start and end range

    $RID_LOW = $RID_high1 + 1                   # continue right after the end of the current pool
    $RID_HIGH = $RID_LOW + 499

    Note that $RID_HIGH < RidAvailablePool must hold. Determine the current RidAvailablePool with

    dsquery * "CN=Rid Manager$,CN=System,DC=DOMAIN DN" -attr rIDAvailablePool

    Then substitute into the PowerShell commands

    [int32]$RID_high1 = $RID_HIGH
    [int64]$RID_low1 = $RID_LOW
    [int64]$RID_temp1 = $RID_high1 * [math]::pow(2,32)   # the end goes into the upper 32 bits
    $RID_AllocationPool = $RID_low1 + $RID_temp1          # the start goes into the lower 32 bits
    
    write-host $RID_AllocationPool 


    This gives the new $RID_AllocationPool value.

    Of course, the start and end range can also be calculated by hand instead of with the PowerShell commands.

    Finally, edit the ldf.txt file again

    dn:
    changetype: modify
    replace: schemaUpgradeInProgress
    schemaUpgradeInProgress: 1
    -
    
    dn: CN=Rid Set,CN=RID_MASTER,OU=Domain Controllers,Domain DN
    changetype: modify
    replace: rIDAllocationPool
    rIDAllocationPool: $RID_AllocationPool
    -
    
    dn: CN=Rid Set,CN=RID_MASTER,OU=Domain Controllers,Domain DN
    changetype: modify
    replace: rIDPreviousAllocationPool
    rIDPreviousAllocationPool: $RID_AllocationPool
    -
    
    dn: CN=Rid Set,CN=RID_MASTER,OU=Domain Controllers,Domain DN
    changetype: modify
    replace: rIDNextRID
    rIDNextRID: $RID_low1
    -
    
    dn:
    changetype: modify
    replace: schemaUpgradeInProgress
    schemaUpgradeInProgress: 0
    -
    
    dn:
    changetype: modify
    replace: schemaUpdateNow
    schemaUpdateNow: 1
    -


    Here the file name is assumed to be ldf.txt

    The placeholders (shown in italics in the original post: Domain DN, RID_MASTER and the $ values) must be replaced with the actual values.

    Then run the command

    ldifde -i -f ldf.txt

    to complete the update. Whether the rebuild succeeded can be confirmed by running

    dcdiag -test:ridmanager -v | more

    -or-

    dcdiag -test:ridmanager -q

    The second command only returns output when there is an error.

    The PowerShell commands are adapted from

    List all RID Pools from DCs in AD Forest
    http://gallery.technet.microsoft.com/scriptcenter/List-all-RID-Pools-from-5ab0f574

    For a description of the RID attributes, see the following Microsoft Support article

    Description of RID Attributes in Active Directory
    http://support.microsoft.com/kb/305475

    For converting the objectSid attribute to a string in PowerShell, see:

    Converting objectSid to string
    http://blogs.msdn.com/b/nikhilsi/archive/2010/05/05/converting-objectsid-to-string.aspx



    Folding@Home





    • Edited by repl November 7, 2013 12:41 Removed the redundant -filter parameter from some commands
    September 28, 2013 6:32
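The pool arithmetic and the ldf.txt from the post above, as an added worked example that is not code from the thread or from the linked gallery script. It assumes PowerShell 3.0 or later (for -shl/-shr), and every value in it, the DC name DC01 and the domain DN are constructed for illustration. It decodes rIDAllocationPool with integer bit operations rather than floating-point division, applies the same validity test and two-pool gap as the post, and adds one check the post does not have: it flags a new range that lies at or above the lower half of rIDAvailablePool, which is the next RID the RID master would hand out.

```powershell
# Added example; not code from the thread. Requires PowerShell 3.0+ (-shl/-shr).
# Inputs are the 64-bit integers returned by the dsquery commands in the post.

function ConvertFrom-RidPool {
    # Split a packed pool value: lower 32 bits = first RID, upper 32 bits = last RID.
    param([Parameter(Mandatory)][int64]$Value)
    [pscustomobject]@{
        Start = $Value -band 4294967295      # 0xFFFFFFFF in decimal: the hex literal parses as int32 -1
        End   = $Value -shr 32
    }
}

function ConvertTo-RidPool {
    # Pack a start/end pair into attribute format; refuse inverted or out-of-range pools.
    param([Parameter(Mandatory)][int64]$Start, [Parameter(Mandatory)][int64]$End)
    if ($Start -lt 1 -or $End -gt 4294967295 -or $Start -gt $End) {
        throw "Invalid RID pool ${Start}..${End}"
    }
    ($End -shl 32) -bor $Start
}

function New-RidPoolPlan {
    # Same decision as the post: trust the current pool only if it is ordered and the
    # highest RID in use (live or tombstoned) falls inside it; otherwise leave a two-pool gap.
    param(
        [Parameter(Mandatory)][int64]$AllocationPool,   # rIDAllocationPool of CN=RID Set
        [Parameter(Mandatory)][int64]$AvailablePool,    # rIDAvailablePool of CN=RID Manager$
        [Parameter(Mandatory)][int64]$MaxRidInUse,      # highest RID seen in live + deleted objects
        [int]$PoolSize = 500
    )
    $cur   = ConvertFrom-RidPool $AllocationPool
    $avail = ConvertFrom-RidPool $AvailablePool
    $valid = ($cur.Start -le $cur.End) -and
             ($MaxRidInUse -ge $cur.Start) -and ($MaxRidInUse -le $cur.End)
    if ($valid) { $start = $cur.End + 1 }
    else        { $start = $MaxRidInUse + 2 * $PoolSize }   # = MAX + 1 + 499 + 1 + 499
    $end = $start + $PoolSize - 1
    if ($end -ge $avail.End) {
        throw "New pool ${start}..${end} exceeds the domain maximum RID $($avail.End)"
    }
    [pscustomobject]@{
        CurrentPoolValid  = $valid
        NewStart          = $start
        NewEnd            = $end
        NewAllocationPool = ConvertTo-RidPool -Start $start -End $end
        # Extra check (mine, not the post's): the lower half of rIDAvailablePool is the next RID
        # the RID master hands out, so a manual pool at or above it could be issued again later.
        OverlapsAvailable = ($end -ge $avail.Start)
    }
}

function New-LdifModify([string]$Dn, [string]$Attr, $Value) {
    # One LDIF "replace" stanza; an empty DN targets RootDSE, as in the post.
    ("dn: $Dn".TrimEnd(), "changetype: modify", "replace: $Attr", "${Attr}: $Value", "-", "") -join "`n"
}

function New-RidSetLdif([string]$RidSetDn, [int64]$NewAllocationPool, [int64]$NewStart) {
    # Same stanzas, in the same order, as the ldf.txt in the post.
    @(
        New-LdifModify '' 'schemaUpgradeInProgress' 1
        New-LdifModify $RidSetDn 'rIDAllocationPool' $NewAllocationPool
        New-LdifModify $RidSetDn 'rIDPreviousAllocationPool' $NewAllocationPool
        New-LdifModify $RidSetDn 'rIDNextRID' $NewStart
        New-LdifModify '' 'schemaUpgradeInProgress' 0
        New-LdifModify '' 'schemaUpdateNow' 1
    ) -join "`n"
}

# Constructed sample, not the thread's environment: a pool whose packed value carries an end
# (4000) below its start (5000), the kind of value dcdiag's RidManager test rejects, a global
# pool whose next free RID is 6000, and a highest RID in use of 4876.
$broken = ([int64]4000 -shl 32) -bor 5000
$avail  = ([int64]1073741823 -shl 32) -bor 6000
$plan   = New-RidPoolPlan -AllocationPool $broken -AvailablePool $avail -MaxRidInUse 4876
$plan | Format-List
New-RidSetLdif -RidSetDn 'CN=RID Set,CN=DC01,OU=Domain Controllers,DC=corp,DC=com' `
    -NewAllocationPool $plan.NewAllocationPool -NewStart $plan.NewStart |
    Set-Content -Path ldf.txt -Encoding Ascii
```

If OverlapsAvailable comes back true, the lower half of rIDAvailablePool on CN=RID Manager$ has to be moved above NewEnd as well before the ldf is imported, otherwise the RID master can later hand the same range to a DC automatically and produce duplicate SIDs; that consequence is my caveat, not something the post states. As the post says, run dcdiag -test:ridmanager afterwards, and try all of this in a test domain first.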
  • One more related TechNet blog post

    Managing RID Pool Depletion
    http://blogs.technet.com/b/askds/archive/2011/09/12/managing-rid-pool-depletion.aspx


    Folding@Home

    September 28, 2013 7:35