[clin]

[clin]

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : dc00
Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter domain.local:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8001/8003/8010 PCI Gigab
it Ethernet Controller
Physical Address. . . . . . . . . : 00-0E-2E-41-09-8F
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.183.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.183.10
DNS Servers . . . . . . . . . . . : 192.168.183.2
192.168.183.1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{25463427-86CE-45B5-8EBE-E31DCA043513}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes


dcdiag

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = dc00
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC00
Starting test: Connectivity
......................... DC00 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC00
Starting test: Advertising
......................... DC00 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC00 passed test FrsEvent
Starting test: DFSREvent
......................... DC00 passed test DFSREvent
Starting test: SysVolCheck
......................... DC00 passed test SysVolCheck
Starting test: KccEvent
......................... DC00 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC00 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC00 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=local
......................... DC00 failed test NCSecDesc
Starting test: NetLogons
[DC00] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... DC00 failed test NetLogons
Starting test: ObjectsReplicated
......................... DC00 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,DC00] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
error 0x2105 "Replication access was denied."
......................... DC00 failed test Replications
Starting test: RidManager
......................... DC00 passed test RidManager
Starting test: Services
Could not open NTDS Service on DC00, error 0x5 "Access is denied."
......................... DC00 failed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x8000001D
Time Generated: 04/15/2010 19:44:12
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate
to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x0000000C
Time Generated: 04/15/2010 19:45:28
Event String:
Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
tpClient.
A warning event occurred. EventID: 0x000003F6
Time Generated: 04/15/2010 19:48:01
Event String:
Name resolution for the name crl.microsoft.com timed out after none
of the configured DNS servers responded.
......................... DC00 passed test SystemLog
Starting test: VerifyReferences
......................... DC00 passed test VerifyReferences


Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : domain
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation

Running enterprise tests on : domain.local
Starting test: LocatorCheck
......................... domain.local passed test LocatorCheck
Starting test: Intersite
......................... domain.local passed test Intersite


netdiag /v
'netdiag' is not recognized as an internal or external command,
operable program or batch file.

[clin]

Все ошибки решил кроме 29 (KDC). Можно развернуть AD CA?
Если да, то можно ли его настроить под управлением 2008р2 стандарт?

[clin]

Избавился от всех ошибок. Но!

Поднял CA, начали появляться ошибки 91 и 40960 при каждой перезагрузке.

The Security System detected an authentication error for the server LDAP/DC00. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
(0xc0000192)".

Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access.

Дал разрешения как указано здесь - http://technet.microsoft.com/en-us/l...03(WS.10).aspx. Не помогло.

В какую сторону хоть смотреть, как справиться?

По 40960 есть куча способов на евентид, но ничего толкового не увидел там...

Параметр DependOnService имеет два значение:
LanmanWorkstation
LanmanServer
Так и надо? Или оставить один?