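As a domain administrator, you inevitably end up saying hello to Netsetup.log. Yet a search online turns up no documentation describing Netsetup.log, so we can only fill the gap in theory with experience.
My domain environment has more than 60 sites. Each site has several network segments of its own, and between those segments sit Cisco firewalls with almost draconian port restrictions. When joining a client to the domain, the client has to be pointed at a DC in its own segment; when building a new domain controller, it has to be pointed at a DC at company headquarters that it can reach over the network; and when a domain join fails, the answer has to be dug out of Netsetup.log.
First, an example:
11/26 16:01:07 NetpDoDomainJoin **domain join procedure starts
11/26 16:01:07 NetpMachineValidToJoin: 'A-DC' **gets the machine name
11/26 16:01:07 NetpGetLsaPrimaryDomain: status: 0x0 **Local Security Authority: 'The local primary domain information LSA policy is set to refer to the new domain. This includes the domain name and the domain SID'
11/26 16:01:07 NetpMachineValidToJoin: status: 0x0 **status OK
11/26 16:01:07 NetpJoinDomain **gathers local system information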
11/26 16:01:07 Machine: A-DC
11/26 16:01:07 Domain: GS.com.cn
11/26 16:01:07 MachineAccountOU: (NULL)
11/26 16:01:07 Account: GS\runadmin **account used for the join
11/26 16:01:07 Options: 0x25 **?
11/26 16:01:07 OS Version: 5.2
11/26 16:01:07 Build number: 3790
11/26 16:01:07 ServicePack: Service Pack 1
11/26 16:01:07 NetpValidateName: checking to see if 'GS.com.cn' is valid as type 3 name **this is presumably a DNS query checking whether the domain name entered exists
11/26 16:01:07 NetpCheckDomainNameIsValid [ Exists ] for 'GS.com.cn' returned 0x0 **0x0 means OK
11/26 16:01:07 NetpValidateName: name 'GS.com.cn' is valid for type 3 **What does 'type 3' mean? I guess it's the FQDN name
11/26 16:01:07 NetpDsGetDcName: trying to find DC in domain 'GS.com.cn', flags: 0x1020 **starts looking for a DC in the validated domain; unless one is specified, it looks for the nearest one (in network terms)
11/26 16:01:28 NetpDsGetDcName: failed to find a DC having account 'A-DC$': 0x525 **0x525: access denied? 'The join process usually tries to find a domain controller that already has a computer account for the computer that is currently being joined to the domain. If such a domain controller is not found, it tries to find another domain controller'
11/26 16:01:28 NetpDsGetDcName: found DC '\\HBDC01.GS.COM.CN' in the specified domain **found one: 'HBDC01.GS.COM.CN'
11/26 16:01:29 NetUseAdd to \\HBDC01.GS.COM.CN\IPC$ returned 51 **uses IPC$ to reach this DC; NET HELPMSG: Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.
11/26 16:01:29 NetpJoinDomain: status of connecting to dc '\\HBDC01.GS.COM.CN': 0x33 **0x33: Windows cannot find the network path
11/26 16:01:29 NetpDoDomainJoin: status: 0x33
11/26 16:01:29 -----------------------------------------------------------------
11/26 16:01:29 NetpDoDomainJoin **another round of joining
11/26 16:01:29 NetpMachineValidToJoin: 'A-DC' **gets the machine name
11/26 16:01:29 NetpGetLsaPrimaryDomain: status: 0x0 **Local Security Authority check OK
11/26 16:01:29 NetpMachineValidToJoin: status: 0x0 **local machine status OK
11/26 16:01:29 NetpJoinDomain **gathers local system information
11/26 16:01:29 Machine: A-DC
11/26 16:01:29 Domain: GS.com.cn
11/26 16:01:29 MachineAccountOU: (NULL)
11/26 16:01:29 Account: GS\runadmin
11/26 16:01:29 Options: 0x27 **by default it automatically tries twice; on the second try the options value is 0x27
11/26 16:01:29 OS Version: 5.2
11/26 16:01:29 Build number: 3790
11/26 16:01:29 ServicePack: Service Pack 1
11/26 16:01:29 NetpValidateName: checking to see if 'GS.com.cn' is valid as type 3 name **checks whether the domain name exists
11/26 16:01:32 NetpCheckDomainNameIsValid [ Exists ] for 'GS.com.cn' returned 0x0 **query result OK
11/26 16:01:32 NetpValidateName: name 'GS.com.cn' is valid for type 3
11/26 16:01:32 NetpDsGetDcName: trying to find DC in domain 'GS.com.cn', flags: 0x1020 **looks for a DC
11/26 16:01:52 NetpDsGetDcName: failed to find a DC having account 'A-DC$': 0x525 **0x525: the specified account does not exist
11/26 16:01:52 NetpDsGetDcName: found DC '\\chdc01.GS.COM.CN' in the specified domain **found DC chdc01
11/26 16:01:54 NetUseAdd to \\chdc01.GS.COM.CN\IPC$ returned 1214 **IPC$ likewise returned 1214: The format of the specified network name is invalid.
11/26 16:01:54 NetpJoinDomain: status of connecting to dc '\\chdc01.GS.COM.CN': 0x4be **0x4be=1214
11/26 16:01:54 NetpDoDomainJoin: status: 0x4be
11/26 16:03:41 -----------------------------------------------------------------
11/26 16:03:41 NetpValidateName: checking to see if 'GS' is valid as type 3 name **checking fqdn=GS?
11/26 16:03:44 NetpCheckDomainNameIsValid for GS returned 0x54b **The specified domain does not exist or cannot be contacted.
11/26 16:03:44 NetpCheckDomainNameIsValid [ Exists ] for 'GS' returned 0x54b
11/26 16:03:48 -----------------------------------------------------------------
11/26 16:03:48 NetpValidateName: checking to see if 'GS.com.cn' is valid as type 3 name **fqdn=GS.com.cn
11/26 16:03:49 NetpCheckDomainNameIsValid [ Exists ] for 'GS.com.cn' returned 0x0
11/26 16:03:49 NetpValidateName: name 'GS.com.cn' is valid for type 3
11/26 16:03:56 -----------------------------------------------------------------
11/26 16:03:56 NetpDoDomainJoin **same as above, not repeated here
11/26 16:03:56 NetpMachineValidToJoin: 'A-DC'
11/26 16:03:56 NetpGetLsaPrimaryDomain: status: 0x0
11/26 16:03:56 NetpMachineValidToJoin: status: 0x0
11/26 16:03:56 NetpJoinDomain
11/26 16:03:56 Machine: A-DC
11/26 16:03:56 Domain: GS.com.cn
11/26 16:03:56 MachineAccountOU: (NULL)
11/26 16:03:56 Account: GS\runadmin
11/26 16:03:56 Options: 0x25
11/26 16:03:56 OS Version: 5.2
11/26 16:03:56 Build number: 3790
11/26 16:03:56 ServicePack: Service Pack 1
11/26 16:03:56 NetpValidateName: checking to see if 'GS.com.cn' is valid as type 3 name
11/26 16:03:56 NetpCheckDomainNameIsValid [ Exists ] for 'GS.com.cn' returned 0x0
11/26 16:03:56 NetpValidateName: name 'GS.com.cn' is valid for type 3
11/26 16:03:56 NetpDsGetDcName: trying to find DC in domain 'GS.com.cn', flags: 0x1020
11/26 16:04:18 NetpDsGetDcName: failed to find a DC having account 'A-DC$': 0x525
11/26 16:04:18 NetpDsGetDcName: found DC '\\GSDC3.GS.COM.CN' in the specified domain **found a DC: \\GSDC3.GS.COM.CN
11/26 16:04:20 NetpJoinDomain: status of connecting to dc '\\GSDC3.GS.COM.CN': 0x0 **connected successfully at last
11/26 16:04:21 NetpGetLsaPrimaryDomain: status: 0x0
11/26 16:04:21 NetpGetDnsHostName: Read NV Hostname: A-DC
11/26 16:04:21 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: GS.COM.CN
11/26 16:04:21 NetpLsaOpenSecret: status: 0xc0000034 **LSA sets up the secure channel
11/26 16:04:21 NetpGetLsaPrimaryDomain: status: 0x0
11/26 16:04:21 NetpLsaOpenSecret: status: 0xc0000034
11/26 16:04:23 NetpJoinDomain: status of setting machine password: 0x0 **sets the computer password
11/26 16:04:23 NetpGetComputerObjectDn: Cracking DNS domain name GS.COM.CN/ into Netbios on \\GSDC3.GS.COM.CN
11/26 16:04:23 NetpGetComputerObjectDn: Crack results: name = GS\
11/26 16:04:23 NetpGetComputerObjectDn: Cracking account name GS\A-DC$ on \\GSDC3.GS.COM.CN
11/26 16:04:23 NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=A-DC,CN=Computers,DC=GS,DC=COM,DC=CN
11/26 16:04:23 NetpModifyComputerObjectInDs: Initial attribute values:
11/26 16:04:23 DnsHostName = A-DC.GS.COM.CN
11/26 16:04:23 ServicePrincipalName = HOST/A-DC.GS.COM.CN HOST/A-DC
11/26 16:04:24 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
11/26 16:04:24 DnsHostName =
11/26 16:04:24 ServicePrincipalName =
11/26 16:04:24 NetpModifyComputerObjectInDs: Attribute values to set:
11/26 16:04:24 DnsHostName = A-DC.GS.COM.CN
11/26 16:04:24 ServicePrincipalName = HOST/A-DC.GS.COM.CN HOST/A-DC
11/26 16:04:24 ldap_unbind status: 0x0
11/26 16:04:24 NetpJoinDomain: status of setting DnsHostName and SPN: 0x0
11/26 16:04:24 NetpGetLsaPrimaryDomain: status: 0x0
11/26 16:04:24 NetpSetLsaPrimaryDomain: for 'GS' status: 0x0
11/26 16:04:24 NetpJoinDomain: status of setting LSA pri. domain: 0x0
11/26 16:04:24 NetpJoinDomain: status of managing local groups: 0x0
11/26 16:04:24 NetpJoinDomain: status of setting netlogon cache: 0x0
11/26 16:04:24 NetpJoinDomain: status of setting ComputerNamePhysicalDnsDomain to 'GS.COM.CN': 0x0
11/26 16:04:24 NetpUpdateW32timeConfig: 0x0
11/26 16:04:24 NetpJoinDomain: status of disconnecting from '\\GSDC3.GS.COM.CN': 0x0
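11/26 16:04:24 NetpDoDomainJoin: status: 0x0 **domain join succeeded
The log above makes it clear that all the time in this join was lost finding a domain controller that could actually be reached. Because DNS returns many domain controllers, the machine being joined picks at random one whose IP range is nearby; but there are firewalls between the plants, so a nearby IP is not necessarily reachable, and the search goes on until it finds the reachable GSDC3.
The code returned at the end of each line in this log, if hexadecimal, can be converted to decimal and then looked up with "net helpmsg" to see what it means.
Errors encountered often:
Error code 1326 and error code 0x52e both map to the ERROR_LOGON_FAILURE error: Logon failure: unknown user name or bad password.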
NetpDoDomainJoin: status: 0x534 No mapping between account names and security IDs was done
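The lookup described above, as an added example that is not part of the original post: a small Python parser that pulls each join attempt out of Netsetup.log, converts the hex status to decimal, and attaches the meaning given on this page, falling back to the "net helpmsg" command to run for any other code. The function names and the excerpted sample are assumptions of this example.

```python
import re

# Meanings exactly as stated on this page; other codes are left to "net helpmsg".
KNOWN = {
    0x33: "Windows cannot find the network path",
    0x4BE: "The format of the specified network name is invalid",
    0x525: "The specified account does not exist",
    0x52E: "Logon failure: unknown user name or bad password",
    0x534: "No mapping between account names and security IDs was done",
    0x54B: "The specified domain does not exist or cannot be contacted",
}

FOUND_DC = re.compile(r"NetpDsGetDcName: found DC '\\\\([^']+)'")
JOIN_STATUS = re.compile(r"NetpDoDomainJoin: status: (0x[0-9a-fA-F]+)")

def explain(code):
    """Return (decimal, text); unknown codes yield the net helpmsg command to run."""
    return code, KNOWN.get(code, f"run: net helpmsg {code}")

def join_attempts(log_text):
    """Yield one dict per NetpDoDomainJoin attempt: DC tried, status, meaning."""
    dc = None
    for line in log_text.splitlines():
        line = line.split("**")[0]  # drop any '**' annotation like those on this page
        if (m := FOUND_DC.search(line)):
            dc = m.group(1)
        elif (m := JOIN_STATUS.search(line)):
            code = int(m.group(1), 16)
            dec, text = explain(code)
            yield {"dc": dc, "hex": hex(code), "dec": dec,
                   "ok": code == 0, "meaning": "success" if code == 0 else text}
            dc = None  # the next attempt discovers its own DC

# Lines excerpted from the log on this page, annotations removed.
SAMPLE = r"""
11/26 16:01:28 NetpDsGetDcName: found DC '\\HBDC01.GS.COM.CN' in the specified domain
11/26 16:01:29 NetpDoDomainJoin: status: 0x33
11/26 16:01:52 NetpDsGetDcName: found DC '\\chdc01.GS.COM.CN' in the specified domain
11/26 16:01:54 NetpDoDomainJoin: status: 0x4be
11/26 16:04:18 NetpDsGetDcName: found DC '\\GSDC3.GS.COM.CN' in the specified domain
11/26 16:04:24 NetpDoDomainJoin: status: 0x0
"""

if __name__ == "__main__":
    for a in join_attempts(SAMPLE):
        print(f"{a['dc']:<20} {a['hex']:>6} = {a['dec']:<5} {a['meaning']}")
```

Run over a full log, the output shows at a glance which DCs were tried and why each attempt failed before a reachable one was found.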
See: Domain join failure caused by differing encryption algorithms on client and server <http://blog.chinaunix.net/u1/37091/showart_1832583.html>
See <http://technet.microsoft.com/en-us/library/cc961817.aspx>
See <http://www.pinvoke.net/default.aspx/Enums/NET_API_STATUS.html>