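No domain user's Outlook mailbox could connect to the Exchange server (which is also the backup domain controller). After restarting the Exchange server it would hold up for a while and then fall back into the same state. The Directory Service log in Event Viewer on the primary domain controller showed the following error: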
Active Directory 复制发现下列分区中存在的对象已经从 本地域控制器(DC) Active Directory 数据库中删除。 在逻辑删除生存时间过期之前,部分直接或可传递的复制 伙伴没有复制该删除。已经从 Active Directory 分区 删除并垃圾收集的对象,如果仍然存在于同一域中其他 DC 的可写入分区中或林中其他域中的全局编录服务器的 只读分区中,被称作“延迟对象”。
此事件被记录到日志,因为源 DC 包含的延迟对象不存在于 本地 Active Directory 数据库上。此复制被阻止。
解决此问题的最佳方案是标记并删除林中的所有延迟对象,
源 DC (传输特定的网络地址):
be240ab2-9df4-4075-8342-066a8bf2158f._msdcs.chinahikari.com
对象:
CN=杨善根\0ADEL:2ba287eb-d6de-4563-998a-cedf6d16c305,CN=Deleted Objects,DC=chinahikari,DC=com
对象 GUID:
2ba287eb-d6de-4563-998a-cedf6d16c305
用户操作:
删除延迟对象:
该操作将从此错误(可以在 http://support.microsoft.com/?id=314282 找到)恢复。
如果源和目标 DC 都是 Windows Server 2003 DC,那么请安装 包含在安装 CD 上的支持工具。要查看实际上不执行删除的 要删除的对象,请运行 "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE"。 源 DC 上的事件日志将枚举所有延迟对象。要从源域控制器删除 延迟对象,请运行 "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>"。
如果源或域控制器之一是 Windows 2000 Server DC,那么可以 在 http://support.microsoft.com/?id=314282 找到更多有关如何删除 源 DC 上的延迟对象的信息,或从您的 Microsoft 支持专家获得这些信息。
如果需要 Active Directory 复制立即工作(不计成本)并且没有 时间删除延迟对象,请通过取消下列注册表项设置,启用松散复制 一致性:
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency
共享公共分区的 DC 之间的复制错误可能导致 DC 之间的用户 和计算机帐户、信任关系、他们的密码、安全组、安全组成员 关系和其他 Active Directory 配置数据不同,这将影响登录、 查找相关对象和执行其他重要操作。一旦解决了复制错误, 这些不一致将解决。未能在逻辑删除生存时间内入站复制删除的 对象的 DC 将保持不一致,除非管理员手动从每一个本地 DC 删除延迟对象。
延迟对象可能被阻止,从而确保林中所有域控制器运行 Active Directory,经由生成树连接拓扑连接, 而且在逻辑 删除生存时间过期之前执行入站复制。
有关更多信息,请参阅在 http://go.microsoft.com/fwlink/events.asp 的帮助和支持中心。
Meanwhile, running dcdiag on the DC gave the following results:
C:\Documents and Settings\Administrator>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\ADSERVER
Starting test: Connectivity
......................... ADSERVER passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\ADSERVER
Starting test: Replications
[HYSH03] DsBindWithSpnEx() failed with error 1753,
终结点映射器中没有更多的终结点可用。.
[Replications Check,ADSERVER] A recent replication attempt failed:
From HYSH03 to ADSERVER
Naming Context: DC=chinahikari,DC=com
The replication generated an error (8606):
没有给定足够的属性以创建对象。这个对象可能不存在因为它可能已经删除域
垃圾收集。
The failure occurred at 2012-06-03 18:59:47.
The last success occurred at 2012-06-02 17:17:57.
306 failures have occurred since the last success.
REPLICATION-RECEIVED LATENCY WARNING
ADSERVER: Current time is 2012-06-03 19:17:31.
DC=chinahikari,DC=com
Last replication recieved from HYSH03 at 2012-06-02 17:17:57.
......................... ADSERVER passed test Replications
Starting test: NCSecDesc
......................... ADSERVER passed test NCSecDesc
Starting test: NetLogons
......................... ADSERVER passed test NetLogons
Starting test: Advertising
......................... ADSERVER passed test Advertising
Starting test: KnowsOfRoleHolders
......................... ADSERVER passed test KnowsOfRoleHolders
Starting test: RidManager
......................... ADSERVER passed test RidManager
Starting test: MachineAccount
......................... ADSERVER passed test MachineAccount
Starting test: Services
Dnscache Service is stopped on [ADSERVER]
......................... ADSERVER failed test Services
Starting test: ObjectsReplicated
......................... ADSERVER passed test ObjectsReplicated
Starting test: frssysvol
......................... ADSERVER passed test frssysvol
Starting test: frsevent
......................... ADSERVER passed test frsevent
Starting test: kccevent
......................... ADSERVER passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000005
Time Generated: 06/03/2012 19:07:37
(Event String could not be retrieved)
......................... ADSERVER failed test systemlog
Starting test: VerifyReferences
......................... ADSERVER passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : chinahikari
Starting test: CrossRefValidation
......................... chinahikari passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... chinahikari passed test CheckSDRefDom
Running enterprise tests on : chinahikari.com
Starting test: Intersite
......................... chinahikari.com passed test Intersite
Starting test: FsmoCheck
......................... chinahikari.com passed test FsmoCheck
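Those are the errors reported on my domain controller; a screenshot follows:
[Screenshot: PDC and BDC cannot replicate with each other]
The part of the long message above that is shown in bold blue got me excited. I immediately opened the registry on the PDC (ADServer), located Strict Replication Consistency as instructed and changed its value to 0 (it was 1), thinking the problem was solved. Running dcdiag again (this time on the BDC [hysh03]) left me both pleased and disappointed: pleased that the error 8606 message “没有给定足够的属性以创建对象。这个对象可能不存在因为它可能已经删除域垃圾收集。” no longer appeared, disappointed that a new error, 8614, had taken its place: “Active Directory 不能与此服务器复制,因为距上一次与此服务器复制的时间已经超过了tombstone 生存时间。” The dcdiag output was as follows: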
C:\Documents and Settings\administrator.CHINAHIKARI>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\HYSH03
Starting test: Connectivity
......................... HYSH03 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\HYSH03
Starting test: Replications
[Replications Check,HYSH03] A recent replication attempt failed:
From ADSERVER to HYSH03
Naming Context: CN=Schema,CN=Configuration,DC=chinahikari,DC=com
The replication generated an error (8614):
Active Directory 不能与此服务器复制,因为距上一次与此服务器复制的时
间已经超过了 tombstone 生存时间。
The failure occurred at 2012-06-04 14:55:56.
The last success occurred at 2012-06-01 08:49:32.
79 failures have occurred since the last success.
[ADSERVER] DsBindWithSpnEx() failed with error -2146893022,
目标主要名称不正确。.
[Replications Check,HYSH03] A recent replication attempt failed:
From ADSERVER to HYSH03
Naming Context: CN=Configuration,DC=chinahikari,DC=com
The replication generated an error (8614):
Active Directory 不能与此服务器复制,因为距上一次与此服务器复制的时
间已经超过了 tombstone 生存时间。
The failure occurred at 2012-06-04 15:20:02.
The last success occurred at 2012-06-01 08:49:32.
208 failures have occurred since the last success.
[Replications Check,HYSH03] A recent replication attempt failed:
From ADSERVER to HYSH03
Naming Context: DC=chinahikari,DC=com
The replication generated an error (8614):
Active Directory 不能与此服务器复制,因为距上一次与此服务器复制的时
间已经超过了 tombstone 生存时间。
The failure occurred at 2012-06-04 15:22:59.
The last success occurred at 2012-06-01 08:39:00.
13710 failures have occurred since the last success.
REPLICATION-RECEIVED LATENCY WARNING
HYSH03: Current time is 2012-06-04 15:23:06.
CN=Schema,CN=Configuration,DC=chinahikari,DC=com
Last replication recieved from ADSERVER at 2011-06-01 08:49:32.
WARNING: This latency is over the Tombstone Lifetime of 180 days
!
CN=Configuration,DC=chinahikari,DC=com
Last replication recieved from ADSERVER at 2011-06-01 08:49:32.
WARNING: This latency is over the Tombstone Lifetime of 180 days
!
DC=chinahikari,DC=com
Last replication recieved from ADSERVER at 2011-06-01 08:39:00.
WARNING: This latency is over the Tombstone Lifetime of 180 days
!
......................... HYSH03 passed test Replications
Starting test: NCSecDesc
......................... HYSH03 passed test NCSecDesc
Starting test: NetLogons
......................... HYSH03 passed test NetLogons
Starting test: Advertising
......................... HYSH03 passed test Advertising
Starting test: KnowsOfRoleHolders
Warning: ADSERVER is the Schema Owner, but is not responding to DS RPC
Bind.
[ADSERVER] LDAP bind failed with error 8341,
出现了一个目录服务错误。.
Warning: ADSERVER is the Schema Owner, but is not responding to LDAP Bi
nd.
Warning: ADSERVER is the Domain Owner, but is not responding to DS RPC
Bind.
Warning: ADSERVER is the Domain Owner, but is not responding to LDAP Bi
nd.
Warning: ADSERVER is the PDC Owner, but is not responding to DS RPC Bin
d.
Warning: ADSERVER is the PDC Owner, but is not responding to LDAP Bind.
Warning: ADSERVER is the Rid Owner, but is not responding to DS RPC Bin
d.
Warning: ADSERVER is the Rid Owner, but is not responding to LDAP Bind.
Warning: ADSERVER is the Infrastructure Update Owner, but is not respon
ding to DS RPC Bind.
Warning: ADSERVER is the Infrastructure Update Owner, but is not respon
ding to LDAP Bind.
......................... HYSH03 failed test KnowsOfRoleHolders
Starting test: RidManager
......................... HYSH03 failed test RidManager
Starting test: MachineAccount
......................... HYSH03 passed test MachineAccount
Starting test: Services
......................... HYSH03 passed test Services
Starting test: ObjectsReplicated
......................... HYSH03 passed test ObjectsReplicated
Starting test: frssysvol
......................... HYSH03 passed test frssysvol
Starting test: frsevent
......................... HYSH03 passed test frsevent
Starting test: kccevent
An Error Event occured. EventID: 0xC00007FA
Time Generated: 06/04/2012 15:10:29
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00007FA
Time Generated: 06/04/2012 15:12:00
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00007FA
Time Generated: 06/04/2012 15:12:14
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00007FA
Time Generated: 06/04/2012 15:20:02
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00007FA
Time Generated: 06/04/2012 15:20:14
(Event String could not be retrieved)
......................... HYSH03 failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 14:24:20
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 14:29:28
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 14:30:51
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 06/04/2012 14:30:51
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 14:34:36
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 14:36:14
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 14:55:56
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 14:56:14
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000168E
Time Generated: 06/04/2012 14:56:20
Event String: The dynamic registration of the DNS record
An Error Event occured. EventID: 0xC0001B6F
Time Generated: 06/04/2012 14:56:59
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 14:57:30
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000165B
Time Generated: 06/04/2012 14:57:47
Event String: The session setup from computer 'JSB_06' failed
An Error Event occured. EventID: 0x000016AD
Time Generated: 06/04/2012 15:00:04
Event String: The session setup from the computer JSB_06 failed
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 15:13:40
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 15:16:25
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 15:18:14
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 15:19:51
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 15:22:56
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 15:22:57
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 15:23:06
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 06/04/2012 15:23:06
(Event String could not be retrieved)
......................... HYSH03 failed test systemlog
Starting test: VerifyReferences
......................... HYSH03 passed test VerifyReferences
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : chinahikari
Starting test: CrossRefValidation
......................... chinahikari passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... chinahikari passed test CheckSDRefDom
Running enterprise tests on : chinahikari.com
Starting test: Intersite
......................... chinahikari.com passed test Intersite
Starting test: FsmoCheck
......................... chinahikari.com passed test FsmoCheck
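After a lot of trial and error and searching, I finally found a fix:
Open the registry with regedit from the Run dialog and make the following changes (I did this on the BDC; in theory it should also work on the PDC):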
Value Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Value Name: Allow Replication With Divergent and Corrupt Partner (if this value does not exist, create it)
Value Type: REG_DWORD
Value Data: 1
Value Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value Name: Strict Replication Consistency
Value Type: REG_DWORD
Value Data: 0
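Then use the dssite.msc management console to force AD to replicate immediately, as shown here:
[Screenshot: PDC and BDC cannot replicate with each other]
After clicking “Replicate Now”, a message that replication has completed appears almost at once. Once replication has succeeded, adjust the registry as follows:
Delete: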
Value Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Value Name: Allow Replication With Divergent and Corrupt Partner
Value Type: REG_DWORD
Value Data: 1
Set the following registry value back to 1:
Value Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value Name: Strict Replication Consistency
Value Type: REG_DWORD
Value Data: 1
Then restart the server; after that, dcdiag and replmon both report everything as normal.
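
The registry procedure above as one script, so that the two relaxed settings cannot be left in place if replication fails partway. This is an added example, not part of the original post. It assumes PowerShell and repadmin are installed on the DC and uses `repadmin /replicate` in place of the "Replicate Now" click in dssite.msc; the DC name and naming contexts are the ones from the dcdiag output.

```powershell
# Added example, not from the original post. Run elevated on the DC whose inbound
# replication fails (HYSH03 in the post). Assumes PowerShell and repadmin are installed.
$ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$allow  = 'Allow Replication With Divergent and Corrupt Partner'
$strict = 'Strict Replication Consistency'
$sourceDC = 'ADSERVER'                      # source DC named in the dcdiag output
$namingContexts = @(                        # the three contexts that reported error 8614
    'CN=Schema,CN=Configuration,DC=chinahikari,DC=com',
    'CN=Configuration,DC=chinahikari,DC=com',
    'DC=chinahikari,DC=com'
)

# Record whether the override value existed, so cleanup restores the prior state.
$oldAllow = (Get-ItemProperty -Path $ntds -Name $allow -ErrorAction SilentlyContinue).$allow

try {
    # -Force creates the value if missing and overwrites it if present.
    New-ItemProperty -Path $ntds -Name $allow  -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $ntds -Name $strict -PropertyType DWord -Value 0 -Force | Out-Null

    foreach ($nc in $namingContexts) {
        # Command-line counterpart of "Replicate Now": pull $nc from $sourceDC to this DC.
        & repadmin /replicate $env:COMPUTERNAME $sourceDC $nc
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "repadmin /replicate failed for $nc (exit code $LASTEXITCODE)"
        }
    }
}
finally {
    # Always revert, even if replication failed or the script was interrupted.
    if ($null -eq $oldAllow) {
        Remove-ItemProperty -Path $ntds -Name $allow -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $ntds -Name $allow -Value $oldAllow
    }
    Set-ItemProperty -Path $ntds -Name $strict -Value 1
}

# Show the final state: strict consistency should read 1 and the override should be gone.
Get-ItemProperty -Path $ntds | Select-Object $strict, $allow
```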