Domain Name System
CyberCraft, 2019-06-08 18:22:33

How to restore the network path to the domain controller?

Good day, dear forum users. What is happening with the domain controller cannot be called anything other than mysticism. I should note that the configuration was set up more than 5 years ago; all this time it worked intermittently and somehow, and as for admins, it's the classic story.

Configuration

Physically there are two HP servers with ESXi 5.0 installed, on which virtual machines are deployed: various servers and services (inet server squid, dc, fs, exchange, kas, wsus, 1C). The HP3000 datastore is connected to the servers, as far as I can tell, via Fibre Channel.
There is an external domain avers1.ru and a static public address, 195.211.65.130, configured on the Dlink DFL800 internet gateway (if anyone can point me to a manual in Russian, I would be grateful). The corporate website is hosted somewhere on the network.
The enterprise LAN is served by three Cisco SG300-28 switches, used to route the LAN between departments. The local network address is 192.168.0, everything is in one subnet. All servers run on virtual machines, except KAS (Kaspersky Security Center administration server) and the vSphere client server on a separate machine. Naturally, Active Directory, DHCP, DNS, file services and certificate services are set up; that is all of the roles.
The domain controller is ELZ-server3 (192.168.0.5). The internal domain has the same name, avers1.ru; DNS runs on the domain controller and serves the avers1.ru zone (I never managed to set up forwarding to the provider's DNS, but first things first).

All this stuff was inherited by me, and with a gift horse... well, you know...
Inside the network, access to the corporate website fell off first; instead of it the IIS start page was shown (the one with "hello" in all languages), while the site remained available globally. Shortly after that, users began to complain about the absence of a mailing from a partner (our mail server blocked the mailing for security reasons, as it itself stated). There is nothing in the logs...
The Outlook client began to work only inside the network; it could not be configured from a home computer, it complained about no access to the mail server. Telnet to port 25 goes through both from inside and from outside, I can exchange HELO. In general, I started digging into DNS and AD.
Now in the avers1.ru forest there is one domain controller, ELZ-server3, which owns all the FSMO roles. There was another, long dead, backup controller ELZ-server12 (192.168.0.6). I realized it was dead after two hellish days of studying dcdiag errors; I still did not defeat the replication errors, and in the end I manually deleted everything about elz-server12 (AD links, service records from DNS) and safely turned it off.
On client machines, access to the public namespace began to fall off; SMB works all the time according to some magical algorithms (for example, it is refused by IP but connects by FQDN, then FQDN disappears and it works only by IP, etc.). I reconfigured some policies, but not all client machines were able to replicate them.
It turned out that getting rid of the dcdiag errors and following the recommendations for checking the status of the roles did not solve anything; on the contrary, the clients lost contact with the domain controller. Registered users log in without problems. However, it is impossible to join anyone to the domain: it cannot connect to the domain controller, the network path was not found.
Corporate mail stopped leaving for the outside: letters went inside the domain and came in from outside, but did not leave. To be quite precise, they were sent, but did not arrive.
I connect to the elz-server3 controller remotely via TeamViewer or via the vSphere client from a local computer; addresses are pinged in both directions, name resolution works. However, clients do not see the controller in the network neighborhood; when trying to connect via SMB, the network path was also not found.
ipconfig /all from server

ipconfig /all
Настройка протокола IP для Windows
Имя компьютера . . . . . . . . . : ELZ-SERVER3
Основной DNS-суффикс . . . . . . : avers1.ru
Тип узла. . . . . . . . . . . . . : Гибридный
IP-маршрутизация включена . . . . : Нет
WINS-прокси включен . . . . . . . : Нет
Порядок просмотра суффиксов DNS . : avers1.ru
Ethernet adapter Подключение по локальной сети:
DNS-суффикс подключения . . . . . :
Описание. . . . . . . . . . . . . : Сетевое подключение Intel(R) PRO/1000 MT
Физический адрес. . . . . . . . . : 00-0C-29-CD-84-B8
DHCP включен. . . . . . . . . . . : Нет
Автонастройка включена. . . . . . : Да
IPv4-адрес. . . . . . . . . . . . : 192.168.0.5(Основной)
Маска подсети . . . . . . . . . . : 255.255.255.0
Основной шлюз. . . . . . . . . : 192.168.0.1
DNS-серверы. . . . . . . . . . . : 192.168.0.5
Основной WINS-сервер. . . . . . . : 192.168.0.5
NetBios через TCP/IP. . . . . . . . : Включен
Туннельный адаптер isatap.{147E2079-5BFD-41E3-B56E-413A717FE9BD}:
Состояние среды. . . . . . . . : Среда передачи недоступна.
DNS-суффикс подключения . . . . . :
Описание. . . . . . . . . . . . . : Адаптер Microsoft ISATAP
Физический адрес. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP включен. . . . . . . . . . . : Нет
Автонастройка включена. . . . . . : Да
Туннельный адаптер Teredo Tunneling Pseudo-Interface:
Состояние среды. . . . . . . . : Среда передачи недоступна.
DNS-суффикс подключения . . . . . :
Описание. . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Физический адрес. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP включен. . . . . . . . . . . : Нет
Автонастройка включена. . . . . . : Да
nslookup from server

nslookup avers1.ru
Сервер: elz-server3.avers1.ru
Address: 192.168.0.5
Имя: avers1.ru
Address: 192.168.0.5
dcdiag from server

Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: OFFICE\ELZ-SERVER3
Starting test: Connectivity
......................... ELZ-SERVER3 passed test Connectivity
Doing primary tests
Testing server: OFFICE\ELZ-SERVER3
Starting test: Replications
......................... ELZ-SERVER3 passed test Replications
Starting test: NCSecDesc
......................... ELZ-SERVER3 passed test NCSecDesc
Starting test: NetLogons
......................... ELZ-SERVER3 passed test NetLogons
Starting test: Advertising
......................... ELZ-SERVER3 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... ELZ-SERVER3 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... ELZ-SERVER3 passed test RidManager
Starting test: MachineAccount
......................... ELZ-SERVER3 passed test MachineAccount
Starting test: Services
......................... ELZ-SERVER3 passed test Services
Starting test: ObjectsReplicated
......................... ELZ-SERVER3 passed test ObjectsReplicated
Starting test: frssysvol
......................... ELZ-SERVER3 passed test frssysvol
Starting test: frsevent
......................... ELZ-SERVER3 passed test frsevent
Starting test: kccevent
......................... ELZ-SERVER3 passed test kccevent
Starting test: systemlog
......................... ELZ-SERVER3 passed test systemlog
Starting test: VerifyReferences
......................... ELZ-SERVER3 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : avers1
Starting test: CrossRefValidation
......................... avers1 passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... avers1 passed test CheckSDRefDom
Running enterprise tests on : avers1.ru
Starting test: Intersite
......................... avers1.ru passed test Intersite
Starting test: FsmoCheck
......................... avers1.ru passed test FsmoCheck
ping to client

Обмен пакетами с servbackup.avers1.ru [192.168.0.33] с 32 байтами данных:
Ответ от 192.168.0.33: число байт=32 время=1мс TTL=128
Ответ от 192.168.0.33: число байт=32 время<1мс TTL=128
Ответ от 192.168.0.33: число байт=32 время=1мс TTL=128
Ответ от 192.168.0.33: число байт=32 время<1мс TTL=128
Статистика Ping для 192.168.0.33:
Пакетов: отправлено = 4, получено = 4, потеряно = 0
(0% потерь)
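The outputs above show that A-record lookup, ping and a basic dcdiag all pass, yet clients still get "network path not found". That error is raised at the SMB/DC-locator level, which the checks above do not exercise. The following script is an added client-side check, not something from the original post; it assumes only the names from the question (domain avers1.ru, DC ELZ-server3 at 192.168.0.5, retired DC ELZ-server12 at 192.168.0.6) and is meant to be run from a workstation that fails to join or to reach the controller.

```powershell
# Added diagnostic script (not from the original post). Assumes the names and
# addresses given in the question: domain avers1.ru, DC ELZ-server3 at
# 192.168.0.5, retired DC ELZ-server12 at 192.168.0.6.
$Domain  = 'avers1.ru'
$DcFqdn  = "elz-server3.$Domain"
$DcIp    = '192.168.0.5'
$OldDcIp = '192.168.0.6'

# 1. Domain join and logon use the DC locator SRV records, not the plain A record
#    that nslookup returned. Missing SRV records break joins while ping still works.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain"
)
foreach ($name in $srvNames) {
    $srv = Resolve-DnsName -Name $name -Type SRV -Server $DcIp -ErrorAction SilentlyContinue
    if (-not $srv) { Write-Warning "SRV record missing: $name"; continue }
    foreach ($r in ($srv | Where-Object Type -eq 'SRV')) {
        # A leftover entry for the dead ELZ-server12 still steers clients to a dead host.
        if ($r.NameTarget -match 'elz-server12') {
            Write-Warning "$name still points at retired DC $($r.NameTarget)"
        } else {
            Write-Host "$name -> $($r.NameTarget):$($r.Port)"
        }
    }
}

# 2. "Network path not found" is an SMB-level error: ICMP and DNS can be fine while
#    TCP/445 is filtered or the Server (LanmanServer) service is stopped on the DC.
foreach ($port in 445, 389, 88, 135) {
    $t = Test-NetConnection -ComputerName $DcFqdn -Port $port -WarningAction SilentlyContinue
    $state = if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-28} tcp/{1,-4} {2}' -f $DcFqdn, $port, $state
}

# 3. Ask the DC locator directly; it reports which DC and site it actually selected,
#    or the exact error code when no controller can be located.
nltest /dsgetdc:$Domain /force

# 4. The old controller's address should be silent; if something answers there,
#    clients holding stale references may still be talking to the wrong host.
if (Test-Connection -ComputerName $OldDcIp -Count 1 -Quiet) {
    Write-Warning "$OldDcIp still answers: check what is holding the retired DC's address"
}
```

Compare the SRV targets and the open/blocked list with the server-side outputs above: a DC that passes dcdiag but whose SRV records or TCP/445 are unreachable from the client side matches the symptoms described in the question.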


2 answer(s)
maddimas, 2019-06-08
@maddimas

I'm afraid you won't be helped. Too much trash. You have to go and find out on the spot.

Ruslan Fedoseev, 2019-06-09
@martin74ua

Get an admin. A freelancer, or look for firms that do administration. You need to design the network correctly first, then configure it. I'm afraid from scratch.
