Error synchronizing domain controllers: Domain Controllers doesn't have Replicating Directory Changes All access rights for the naming context

For some reason, one of the domain controllers at one of the clients I support stopped replicating (nothing against interns, but I believe it was one, lol). After some research I found out why my domain controller was not replicating: the permissions inside AD were not correct. To fix the problem I did the following:

1. Opened Active Directory Users and Computers.

2. Enabled Advanced Features.

3. Properties.

4. On the Security tab, I clicked Enterprise Domain Controllers and changed the permissions so that the following are allowed:

- Manage Replication Topology.
- Replicating Directory Changes.
- Replication Synchronization.
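
As an added example (not part of the original post), the PowerShell below audits the four replication control access rights on the domain naming context: it reports whether Enterprise Domain Controllers holds each right, which is what step 4 restores, and lists any holder outside a default set. The expected-holder list, the function name Get-ReplicationRightAudit and the use of the ActiveDirectory module are assumptions, not something the post specifies.

```powershell
# Added audit example (not from the original post). Assumes the ActiveDirectory
# module is installed and the account can read the naming context's security descriptor.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the replication control access rights.
$ReplicationRights = @{
    'Replicating Directory Changes'     = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    'Replication Synchronization'       = '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'
    'Manage Replication Topology'       = '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2'
}

# Assumed set of principals that normally hold these rights; adjust to your
# environment. Any other holder is flagged for review.
$ExpectedHolders = @(
    'ENTERPRISE DOMAIN CONTROLLERS', 'Domain Controllers', 'Administrators',
    'Enterprise Admins', 'Enterprise Read-only Domain Controllers', 'SYSTEM'
)

function Get-ReplicationRightAudit {
    param([string]$NamingContext = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$NamingContext"
    foreach ($name in $ReplicationRights.Keys) {
        $guid = [guid]$ReplicationRights[$name]
        # Keep only Allow ACEs whose ObjectType is this control access right.
        $holders = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $guid -and
            (($_.ActiveDirectoryRights -band
              [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
        } | ForEach-Object { $_.IdentityReference.Value })

        # Missing Enterprise Domain Controllers reproduces the 8453 symptom in this post.
        $edcPresent = @($holders -match 'ENTERPRISE DOMAIN CONTROLLERS')
        # Compare on the account name without the DOMAIN\ or NT AUTHORITY\ prefix.
        $unexpected = @($holders | Where-Object {
            $ExpectedHolders -notcontains ($_ -split '\\')[-1]
        })
        [pscustomobject]@{
            Right                  = $name
            NamingContext          = $NamingContext
            EnterpriseDCsHaveRight = ($edcPresent.Count -gt 0)
            UnexpectedHolders      = $unexpected
        }
    }
}

# Rows with EnterpriseDCsHaveRight = False need the fix described in step 4; rows with
# UnexpectedHolders deserve review, since these rights expose all directory data.
Get-ReplicationRightAudit | Format-List
```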


Below are the errors that appeared in Event Viewer and in DCDiag:

dcdiag /test:dns
Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DC2
DNS Tests are running and not hung. Please wait a few minutes...
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : MYDOMAIN
   Running enterprise tests on : MYDOMAIN.COM
      Starting test: DNS
         Test results for domain controllers:
            DC: DC2.MYDOMAIN.COM
            Domain: MYDOMAIN.COM
               TEST: Delegations (Del)
                  Warning: DNS server: DC1.server.MYDOMAIN. IP: <Unavailable> Failure:Missing glue A record
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: MYDOMAIN.COM
               DC2                      PASS PASS PASS FAIL PASS PASS n/a
         ......................... MYDOMAIN.COM failed test DNS
---------------------------------------------------------------------------------------------------------
repadmin /showreps
Default-First-Site-Name\DC2
DC Options: IS_GC
Site Options: (none)
DC object GUID: b8f0dc98-c7b6-4be6-80d9-09c2adc6162f
DC invocationID: db7d8879-39f4-46bc-a7b5-abde1460e419
==== INBOUND NEIGHBORS ======================================
DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\DC1 via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-02-08 13:10:04 failed, result 8453 (0x2105):
            Replication access was denied.
        449 consecutive failure(s).
        Last success @ 2010-02-07 18:15:32.
CN=Configuration,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\DC1 via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-02-08 12:48:32 was successful.
CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\DC1 via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-02-08 12:47:12 was successful.
DC=DomainDnsZones,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\DC1 via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-02-08 13:11:47 was successful.
DC=ForestDnsZones,DC=MYDOMAIN,DC=COM
    Default-First-Site-Name\DC1 via RPC
        DC object GUID: de66c2d3-eda2-4ab2-a393-fdea108ad439
        Last attempt @ 2010-02-08 12:47:12 was successful.
Source: Default-First-Site-Name\DC1
******* 447 CONSECUTIVE FAILURES since 2010-02-07 18:15:32
Last error: 8453 (0x2105):
            Replication access was denied.
---------------------------------------------------------------------------------------------------------
nslookup
Default Server:  dc1.mydomain.com
Address:  192.168.150.201
---------------------------------------------------------------------------------------------------------
EVENT LOG ERRORS:  (DNS)
---------------------------------------------------------------------------------------------------------
Event ID: 800                     Computer: DC2
Description:
The zone 150.168.192.in-addr.arpa is configured to accept updates but the A record for the primary server in the zone's SOA record is not available on this DNS server. This may indicate a configuration problem. If the address of the primary server for the zone cannot  be resolved DNS clients will be unable to locate a server to accept updates for this zone. This will cause DNS clients to be unable to perform DNS updates.
---------------------------------------------------------------------------------------------------------
Event ID: 708                     Computer: DC2
Description:
The DNS server did not detect any zones of either primary or secondary type during initialization. It will not be authoritative for any zones, and it will run as a caching-only server until a zone is loaded manually or by Active Directory replication.
---------------------------------------------------------------------------------------------------------
dcdiag /test:CheckSecurityError /ReplSource:DC1
Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DC2
      Starting test: CheckSecurityError
         * Missing SPN :LDAP/DC2.MYDOMAIN.COM/MYDOMAIN.COM
         * Missing SPN :LDAP/DC2.MYDOMAIN.COM
         * Missing SPN :LDAP/DC2
         * Missing SPN :LDAP/DC2.MYDOMAIN.COM/MYDOMAIN
         * Missing SPN :LDAP/b8f0dc98-c7b6-4be6-80d9-09c2adc6162f._msdcs.MYDOMAIN.COM
         * Missing SPN :HOST/DC2.MYDOMAIN.COM/MYDOMAIN.COM
         * Missing SPN :HOST/DC2.MYDOMAIN.COM/MYDOMAIN
         * Missing SPN :GC/DC2.MYDOMAIN.COM/MYDOMAIN.COM
         Unable to verify the machine account (CN=DC2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM) for DC2 on DC1.
         Source DC DC1 has possible security error (8453).  Diagnosing.
..
               Error MYDOMAIN\Domain Controllers doesn't have
                  Replicating Directory Changes All
               access rights for the naming context:
               DC=MYDOMAIN,DC=COM
            Authoritative attribute nTSecurityDescriptor on DC2 (writeable)
               usnLocalChange = 12290
               LastOriginatingDsa = DC2
               usnOriginatingChange = 12290
               timeLastOriginatingChange = 2010-02-07 18:17:57
               VersionLastOriginatingChange = 2
            Out-of-date attribute nTSecurityDescriptor on DC1 (writeable)
               usnLocalChange = 1351793
               LastOriginatingDsa = DC1
               usnOriginatingChange = 1351793
               timeLastOriginatingChange = 2010-02-07 17:54:32
               VersionLastOriginatingChange = 1
            Authoritative attribute servicePrincipalName on DC2 (writeable)
               usnLocalChange = 12597
               LastOriginatingDsa = DC2
               usnOriginatingChange = 12597
               timeLastOriginatingChange = 2010-02-07 18:47:01
               VersionLastOriginatingChange = 7
            Out-of-date attribute servicePrincipalName on DC1 (writeable)
               usnLocalChange = 1351843
               LastOriginatingDsa = DC1
               usnOriginatingChange = 1351843
               timeLastOriginatingChange = 2010-02-07 18:14:57
               VersionLastOriginatingChange = 3
         Unable to verify the convergence of this machine account (CN=DC2,OU=Domain Controllers,DC=MYDOMAIN,DC=COM) on this domain (DC=MYDOMAIN,DC=COM).  Does the machine account password need reseting?
         ......................... DC2 failed test CheckSecurityError
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : MYDOMAIN
   Running enterprise tests on : MYDOMAIN.COM

So if you are running into this problem, just carry out the procedure above.
Until next time :)
Wellington Agápto is Managing Partner of Edefense Segurança Digital, a company focused on Penetration Testing and Vulnerability Analysis, a Microsoft Engineer specialized in Unified Communications, Active Directory and Microsoft Lync Server, Cisco certified, ITIL, MCSO, Security+, ISO 27002, Cobit, MCSE Security, and author of articles on specialized sites about Microsoft technology and information security.
