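As a domain administrator, you cannot avoid saying hello to Netsetup.log. Yet a search of the web turns up no documentation that explains Netsetup.log, so we have to fill the gap in theory with experience.
In my domain environment there are more than 60 sites, each with several network segments of its own, and between those segments sit Cisco firewalls and almost draconian port restrictions. When joining a client to the domain, the client has to be pointed at a DC in its own network segment; when building a new domain controller, it has to be pointed at a DC at company headquarters that it can reach over the network; and when a domain join fails, the answer has to be dug out of Netsetup.log.
Let's start with an example:
11/26 16:01:07 NetpDoDomainJoin **domain join procedure starts
11/26 16:01:07 NetpMachineValidToJoin: 'A-DC' **get the machine name
11/26 16:01:07 NetpGetLsaPrimaryDomain: status: 0x0 **Local Security Authority, 'The local primary domain information LSA policy is set to refer to the new domain. This includes the domain name and the domain SID'
11/26 16:01:07 NetpMachineValidToJoin: status: 0x0 **status OK
11/26 16:01:07 NetpJoinDomain **get local system information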
11/26 16:01:07 Machine: A-DC
11/26 16:01:07 Domain: GS.com.cn
11/26 16:01:07 MachineAccountOU: (NULL)
11/26 16:01:07 Account: GS\runadmin **account used for the join
11/26 16:01:07 Options: 0x25 **?
11/26 16:01:07 OS Version: 5.2
11/26 16:01:07 Build number: 3790
11/26 16:01:07 ServicePack: Service Pack 1
11/26 16:01:07 NetpValidateName: checking to see if 'GS.com.cn' is valid as type 3 name **this is presumably a DNS query to check whether the domain name entered exists
11/26 16:01:07 NetpCheckDomainNameIsValid [ Exists ] for 'GS.com.cn' returned 0x0 ** 0x0 means OK
11/26 16:01:07 NetpValidateName: name 'GS.com.cn' is valid for type 3 **What does 'type 3' mean? I guess it's the FQDN
11/26 16:01:07 NetpDsGetDcName: trying to find DC in domain 'GS.com.cn', flags: 0x1020 **starts looking for a DC in the validated domain; unless one is specified, it looks for the nearest one (on the network)
11/26 16:01:28 NetpDsGetDcName: failed to find a DC having account 'A-DC$': 0x525 ** 0x525: access denied? 'The join process usually tries to find a domain controller that already has a computer account for the computer that is currently being joined to the domain. If such a domain controller is not found, it tries to find another domain controller'
11/26 16:01:28 NetpDsGetDcName: found DC '\\HBDC01.GS.COM.CN' in the specified domain **found one: 'HBDC01.GS.COM.CN'
11/26 16:01:29 NetUseAdd to \\HBDC01.GS.COM.CN\IPC$ returned 51 **uses IPC$ to reach this DC; NET HELPMSG: Windows cannot find the network path.
Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.
11/26 16:01:29 NetpJoinDomain: status of connecting to dc '\\HBDC01.GS.COM.CN': 0x33 **0x33: Windows cannot find the network path
11/26 16:01:29 NetpDoDomainJoin: status: 0x33
11/26 16:01:29 -----------------------------------------------------------------
11/26 16:01:29 NetpDoDomainJoin **another round of the domain join
11/26 16:01:29 NetpMachineValidToJoin: 'A-DC' **get the machine name
11/26 16:01:29 NetpGetLsaPrimaryDomain: status: 0x0 **Local Security Authority check OK
11/26 16:01:29 NetpMachineValidToJoin: status: 0x0 **local machine status OK
11/26 16:01:29 NetpJoinDomain **get local system information
11/26 16:01:29 Machine: A-DC
11/26 16:01:29 Domain: GS.com.cn
11/26 16:01:29 MachineAccountOU: (NULL)
11/26 16:01:29 Account: GS\runadmin
11/26 16:01:29 Options: 0x27 **by default it automatically tries twice; the options for the second attempt are 0x27
11/26 16:01:29 OS Version: 5.2
11/26 16:01:29 Build number: 3790
11/26 16:01:29 ServicePack: Service Pack 1
11/26 16:01:29 NetpValidateName: checking to see if 'GS.com.cn' is valid as type 3 name **check whether the domain name exists
11/26 16:01:32 NetpCheckDomainNameIsValid [ Exists ] for 'GS.com.cn' returned 0x0 **query result OK
11/26 16:01:32 NetpValidateName: name 'GS.com.cn' is valid for type 3
11/26 16:01:32 NetpDsGetDcName: trying to find DC in domain 'GS.com.cn', flags: 0x1020 **look for a DC
11/26 16:01:52 NetpDsGetDcName: failed to find a DC having account 'A-DC$': 0x525 ** 0x525: the specified account does not exist
11/26 16:01:52 NetpDsGetDcName: found DC '\\chdc01.GS.COM.CN' in the specified domain **found DC chdc01
11/26 16:01:54 NetUseAdd to \\chdc01.GS.COM.CN\IPC$ returned 1214 **IPC$ failed here too, returning 1214: The format of the specified network name is invalid.
11/26 16:01:54 NetpJoinDomain: status of connecting to dc '\\chdc01.GS.COM.CN': 0x4be **0x4be=1214
11/26 16:01:54 NetpDoDomainJoin: status: 0x4be
11/26 16:03:41 -----------------------------------------------------------------
11/26 16:03:41 NetpValidateName: checking to see if 'GS' is valid as type 3 name **checking fqdn=GS?
11/26 16:03:44 NetpCheckDomainNameIsValid for GS returned 0x54b **The specified domain either does not exist or could not be contacted.
11/26 16:03:44 NetpCheckDomainNameIsValid [ Exists ] for 'GS' returned 0x54b
11/26 16:03:48 -----------------------------------------------------------------
11/26 16:03:48 NetpValidateName: checking to see if 'GS.com.cn' is valid as type 3 name **fqdn=GS.com.cn
11/26 16:03:49 NetpCheckDomainNameIsValid [ Exists ] for 'GS.com.cn' returned 0x0
11/26 16:03:49 NetpValidateName: name 'GS.com.cn' is valid for type 3
11/26 16:03:56 -----------------------------------------------------------------
11/26 16:03:56 NetpDoDomainJoin **same as above, not repeated here
11/26 16:03:56 NetpMachineValidToJoin: 'A-DC'
11/26 16:03:56 NetpGetLsaPrimaryDomain: status: 0x0
11/26 16:03:56 NetpMachineValidToJoin: status: 0x0
11/26 16:03:56 NetpJoinDomain
11/26 16:03:56 Machine: A-DC
11/26 16:03:56 Domain: GS.com.cn
11/26 16:03:56 MachineAccountOU: (NULL)
11/26 16:03:56 Account: GS\runadmin
11/26 16:03:56 Options: 0x25
11/26 16:03:56 OS Version: 5.2
11/26 16:03:56 Build number: 3790
11/26 16:03:56 ServicePack: Service Pack 1
11/26 16:03:56 NetpValidateName: checking to see if 'GS.com.cn' is valid as type 3 name
11/26 16:03:56 NetpCheckDomainNameIsValid [ Exists ] for 'GS.com.cn' returned 0x0
11/26 16:03:56 NetpValidateName: name 'GS.com.cn' is valid for type 3
11/26 16:03:56 NetpDsGetDcName: trying to find DC in domain 'GS.com.cn', flags: 0x1020
11/26 16:04:18 NetpDsGetDcName: failed to find a DC having account 'A-DC$': 0x525
11/26 16:04:18 NetpDsGetDcName: found DC '\\GSDC3.GS.COM.CN' in the specified domain **found a DC: \\GSDC3.GS.COM.CN
11/26 16:04:20 NetpJoinDomain: status of connecting to dc '\\GSDC3.GS.COM.CN': 0x0 **connected successfully at last
11/26 16:04:21 NetpGetLsaPrimaryDomain: status: 0x0
11/26 16:04:21 NetpGetDnsHostName: Read NV Hostname: A-DC
11/26 16:04:21 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: GS.COM.CN
11/26 16:04:21 NetpLsaOpenSecret: status: 0xc0000034 **LSA establishes the secure channel
11/26 16:04:21 NetpGetLsaPrimaryDomain: status: 0x0
11/26 16:04:21 NetpLsaOpenSecret: status: 0xc0000034
11/26 16:04:23 NetpJoinDomain: status of setting machine password: 0x0 **set the computer password
11/26 16:04:23 NetpGetComputerObjectDn: Cracking DNS domain name GS.COM.CN/ into Netbios on \\GSDC3.GS.COM.CN
11/26 16:04:23 NetpGetComputerObjectDn: Crack results: name = GS\
11/26 16:04:23 NetpGetComputerObjectDn: Cracking account name GS\A-DC$ on \\GSDC3.GS.COM.CN
11/26 16:04:23 NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=A-DC,CN=Computers,DC=GS,DC=COM,DC=CN
11/26 16:04:23 NetpModifyComputerObjectInDs: Initial attribute values:
11/26 16:04:23 DnsHostName = A-DC.GS.COM.CN
11/26 16:04:23 ServicePrincipalName = HOST/A-DC.GS.COM.CN HOST/A-DC
11/26 16:04:24 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
11/26 16:04:24 DnsHostName =
11/26 16:04:24 ServicePrincipalName =
11/26 16:04:24 NetpModifyComputerObjectInDs: Attribute values to set:
11/26 16:04:24 DnsHostName = A-DC.GS.COM.CN
11/26 16:04:24 ServicePrincipalName = HOST/A-DC.GS.COM.CN HOST/A-DC
11/26 16:04:24 ldap_unbind status: 0x0
11/26 16:04:24 NetpJoinDomain: status of setting DnsHostName and SPN: 0x0
11/26 16:04:24 NetpGetLsaPrimaryDomain: status: 0x0
11/26 16:04:24 NetpSetLsaPrimaryDomain: for 'GS' status: 0x0
11/26 16:04:24 NetpJoinDomain: status of setting LSA pri. domain: 0x0
11/26 16:04:24 NetpJoinDomain: status of managing local groups: 0x0
11/26 16:04:24 NetpJoinDomain: status of setting netlogon cache: 0x0
11/26 16:04:24 NetpJoinDomain: status of setting ComputerNamePhysicalDnsDomain to 'GS.COM.CN': 0x0
11/26 16:04:24 NetpUpdateW32timeConfig: 0x0
11/26 16:04:24 NetpJoinDomain: status of disconnecting from '\\GSDC3.GS.COM.CN': 0x0
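11/26 16:04:24 NetpDoDomainJoin: status: 0x0 **domain join succeeded
The log above shows clearly that the time in this domain join was lost looking for a domain controller that could be connected to. Because DNS returns many domain controllers, the machine being joined picks, at random, one in a nearby IP range; but there are firewalls between the plants, and a nearby IP is not necessarily reachable, so it keeps going until it finds the reachable GSDC3.
The codes returned at the end of each line in this log can, when they are hexadecimal, be converted to decimal and then looked up with "net helpmsg" to see what they mean.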
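The hex-to-decimal lookup described above, applied to whole join attempts, as an added example that is not part of the original post: it splits a Netsetup.log into attempts and reports the DC each attempt picked, how long the attempt took, and the "net helpmsg" command for its final status. The sample log is constructed from the layout shown above; summarize() and its field names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the Netsetup.log layout shown above (one failed, one good attempt).
SAMPLE = r"""11/26 16:01:07 NetpDoDomainJoin
11/26 16:01:28 NetpDsGetDcName: found DC '\\HBDC01.GS.COM.CN' in the specified domain
11/26 16:01:29 NetpJoinDomain: status of connecting to dc '\\HBDC01.GS.COM.CN': 0x33
11/26 16:01:29 NetpDoDomainJoin: status: 0x33
11/26 16:01:29 -----------------------------------------------------------------
11/26 16:03:56 NetpDoDomainJoin
11/26 16:04:18 NetpDsGetDcName: found DC '\\GSDC3.GS.COM.CN' in the specified domain
11/26 16:04:20 NetpJoinDomain: status of connecting to dc '\\GSDC3.GS.COM.CN': 0x0
11/26 16:04:24 NetpDoDomainJoin: status: 0x0
"""

# Timestamp, message, and an optional trailing "**note" like the annotations above.
LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d)\s+(.*?)(?:\s*\*\*.*)?$")
FOUND = re.compile(r"^NetpDsGetDcName: found DC '\\\\([^']+)'")
FINAL = re.compile(r"^NetpDoDomainJoin: status: (0x[0-9a-fA-F]+)$")

def _seconds(start, end):
    # The log carries no year; 2000 is an assumed placeholder so strptime can parse it.
    fmt = "%Y %m/%d %H:%M:%S"
    delta = datetime.strptime("2000 " + end, fmt) - datetime.strptime("2000 " + start, fmt)
    return int(delta.total_seconds())

def summarize(text):
    """Return one dict per join attempt: DC chosen, final status, elapsed seconds."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group(1), m.group(2).strip()
        if msg == "NetpDoDomainJoin":          # start of an attempt
            cur = {"start": ts, "dc": None}
        elif cur and FOUND.match(msg):         # DC the locator picked
            cur["dc"] = FOUND.match(msg).group(1)
        elif cur and FINAL.match(msg):         # final result of the attempt
            code = int(FINAL.match(msg).group(1), 16)
            cur["status"] = code
            cur["seconds"] = _seconds(cur["start"], ts)
            # Decimal form is what "net helpmsg" expects; 0 means success.
            cur["helpmsg"] = f"net helpmsg {code}" if code else None
            attempts.append(cur)
            cur = None
    return attempts

if __name__ == "__main__":
    for a in summarize(SAMPLE):
        print(a["start"], a["dc"], hex(a["status"]), a["seconds"], "s", a["helpmsg"])
```

Attempts that end with a non-zero status against a DC in another segment, each taking 20 seconds or more, point at the firewall and DC-selection problem described above rather than at credentials.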
Frequently encountered errors:
Error code 1326 and error code 0x52e both map to the ERROR_LOGON_FAILURE error: Logon failure: unknown user name or bad password.
NetpDoDomainJoin: status: 0x534 No mapping between account names and security IDs was done
Reference: domain join failure caused by the client and the server using different encryption algorithms <http://blog.chinaunix.net/u1/37091/showart_1832583.html>
Reference: <http://searchwindowsserver.techtarget.com/tip/Using-the-NETSETUPlog-to-debug-domain-join-problems-in-Active-Directory?ShortReg=1&mboxConv=searchWindowsServer_RegActivate_Submit&>
Reference: <http://technet.microsoft.com/en-us/library/cc961817.aspx>
Reference: <http://www.pinvoke.net/default.aspx/Enums/NET_API_STATUS.html>