6005/6006
Code:
The winlogon notification subscriber <GPClient> took 62 second(s) to handle the notification event (CreateSession).
I couldn't find a solution online at all. IPv6 is disabled.

1014
Code:
Name resolution for the name domain.local timed out after none of the configured DNS servers responded.
Both DNS servers are reachable; I have no idea what the problem is.

29
Code:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
I'm following the steps from here: _ttp://technet.microsoft.com/en-us/library/cc734096%28WS.10%29.aspx
First, there is nothing in Certificates/Personal/ to delete as the invalid certificate.

C:\Windows\system32>certutil -dcinfo verify
0: DC01
1: DC00

*** Testing DC[0]: DC01
** Enterprise Root Certificates for DC DC01
No certs in Ent Root store!
Enterprise Root store: Cannot find object or property. 0x80092004 (-2146885628)

** KDC Certificates for DC DC01
0 KDC certs for DC01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

*** Testing DC[1]: DC00
** Enterprise Root Certificates for DC DC00
No certs in Ent Root store!
Enterprise Root store: Cannot find object or property. 0x80092004 (-2146885628)

** KDC Certificates for DC DC00
0 KDC certs for DC00
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.

Second, when creating a new one it requires a URI. Which one should I specify? If I enter LDAP:, the ADD button is unavailable...
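As an added diagnostic (not from the thread and not Microsoft's tooling), the PowerShell below enumerates the DC's machine personal store and reports which certificates could satisfy the KDC, which is what event 29 and "certutil -dcinfo verify" ("No KDC Certificate in MY store") are checking; it assumes an elevated prompt on the DC itself, and the EKU OIDs and template names are the standard ones.

```powershell
# Added diagnostic (not from the thread): list the certificates in the DC's machine
# personal (MY) store and report whether any of them could satisfy the KDC, which is
# what event 29 and "certutil -dcinfo verify" ("No KDC Certificate in MY store") test.
# Assumes an elevated PowerShell prompt on the DC itself; the EKU OIDs are the standard ones.
$KdcAuthEku    = '1.3.6.1.5.2.3.5'     # KDC Authentication (Kerberos Authentication template)
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication (older Domain Controller templates)
$dcFqdn = [System.Net.Dns]::GetHostEntry([Environment]::MachineName).HostName

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    # Build the chain as the KDC must: it has to end at a trusted root. Revocation is
    # skipped only because the dcdiag output shows crl.microsoft.com lookups timing out;
    # the real KDC verification still needs a reachable CRL/OCSP for the issuing CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    # First DNS name from the SAN (falls back to the CN); the KDC cert must carry the DC's FQDN.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        DnsName       = $dnsName
        NameMatchesDC = ($dnsName -ieq $dcFqdn)
        HasPrivateKey = $cert.HasPrivateKey
        HasKdcAuth    = ($ekus -contains $KdcAuthEku)
        HasServerAuth = ($ekus -contains $ServerAuthEku)
        ChainOk       = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        NotAfter      = $cert.NotAfter
    }
}

$report | Format-Table Subject, DnsName, NameMatchesDC, HasPrivateKey, HasKdcAuth, HasServerAuth, ChainOk, ChainStatus -AutoSize

# A certificate the KDC can use needs its private key, a valid chain, the DC's name and
# either the KDC Authentication EKU or, from the older DC templates, Server Authentication.
$usable = @($report | Where-Object {
    $_.HasPrivateKey -and $_.ChainOk -and $_.NameMatchesDC -and ($_.HasKdcAuth -or $_.HasServerAuth)
})
if ($usable.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My satisfies the KDC on $dcFqdn (matches event 29); enroll one from an enterprise CA using the Kerberos Authentication or Domain Controller Authentication template."
} else {
    Write-Output "Usable KDC certificate(s): $($usable | ForEach-Object { $_.Subject })"
}
```

On a DC whose personal store is empty, as in the post, the table is empty and only the warning is printed.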
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

Code:
ipconfig /all
Code:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc00
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter domain.local:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
   Physical Address. . . . . . . . . : 00-0E-2E-41-09-8F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.183.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.183.10
   DNS Servers . . . . . . . . . . . : 192.168.183.2
                                       192.168.183.1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{25463427-86CE-45B5-8EBE-E31DCA043513}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Code:
dcdiag
Code:
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = dc00
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC00
      Starting test: Connectivity
         ......................... DC00 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC00
      Starting test: Advertising
         ......................... DC00 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
         ......................... DC00 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC00 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC00 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC00 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC00 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC00 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=local
         ......................... DC00 failed test NCSecDesc
      Starting test: NetLogons
         [DC00] User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges for this machine's domain.
         ......................... DC00 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC00 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,DC00] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105 "Replication access was denied."
         ......................... DC00 failed test Replications
      Starting test: RidManager
         ......................... DC00 passed test RidManager
      Starting test: Services
         Could not open NTDS Service on DC00, error 0x5 "Access is denied."
         ......................... DC00 failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 04/15/2010   19:44:12
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         A warning event occurred.  EventID: 0x0000000C
            Time Generated: 04/15/2010   19:45:28
            Event String:
            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 04/15/2010   19:48:01
            Event String:
            Name resolution for the name crl.microsoft.com timed out after none of the configured DNS servers responded.
         ......................... DC00 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC00 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.local
      Starting test: LocatorCheck
         ......................... domain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... domain.local passed test Intersite

Code:
netdiag /v
Code:
'netdiag' is not recognized as an internal or external command,
operable program or batch file.
I've resolved all the errors except 29 (KDC). Can I deploy AD CA? If so, can it be set up on 2008 R2 Standard?
Got rid of all the errors. But! After I brought up the CA, errors 91 and 40960 started appearing at every reboot.

The Security System detected an authentication error for the server LDAP/DC00. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started. (0xc0000192)".

Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access.

I granted the permissions as described here: http://technet.microsoft.com/en-us/library/dd299803(WS.10).aspx. It didn't help. Which direction should I even look in to deal with this? For 40960 there are plenty of approaches on EventID, but I didn't see anything useful there...
The DependOnService parameter has two values: LanmanWorkstation LanmanServer. Is that how it should be? Or should I leave just one?