目录
如果您喜欢此文章,请收藏、点赞、评论,谢谢,祝您快乐每一天。
一、系统性诊断框架:四层排查模型
AD域故障诊断框架脚本
function AD-Domain-Diagnosis-Framework {
Write-Host "=== AD域四层诊断框架 ==="
Layer 1: 网络基础层
Test-NetworkFoundation
Layer 2: DNS解析层
Test-DNSResolution
Layer 3: 域服务层
Test-DomainServices
Layer 4: 策略应用层
Test-GPOApplication
Write-Host "诊断完成,生成报告..."
Generate-Diagnosis-Report
}
生成可视化诊断报告
function Generate-Diagnosis-Report {
$report = @{
"Timestamp" = Get-Date
"Computer" = $env:COMPUTERNAME
"Domain" = (Get-WmiObject Win32_ComputerSystem).Domain
"DiagnosisResults" = @{}
}
收集各层测试结果
$report.DiagnosisResults.Network = Test-NetworkFoundation
$report.DiagnosisResults.DNS = Test-DNSResolution
$report.DiagnosisResults.Services = Test-DomainServices
$report.DiagnosisResults.GPO = Test-GPOApplication
导出为JSON
$report | ConvertTo-Json -Depth 5 | Out-File "AD_Diagnosis_Report.json"
生成HTML可视化报告
Generate-HTML-Report $report
}
二、DNS解析层深度诊断
DNS解析全方位测试
function Test-DNSResolution {
Write-Host "=== DNS解析层诊断 ==="
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
dcName = domain.Split('.')[0]
1. 基础DNS连通性
Write-Host "1. 测试DNS服务器连通性..."
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses
foreach (server in dnsServers) {
Test-DnsServer $server
}
2. 域控制器定位测试
Write-Host "2. 域控制器DNS记录测试..."
SRV记录查询(关键!)
$srvTests = @(
"_ldap._tcp.$domain",
"_kerberos._tcp.$domain",
"_gc._tcp.$domain",
"_kerberos._tcp.dc._msdcs.$domain",
"_ldap._tcp.dc._msdcs.$domain",
"_kerberos._tcp.Default-First-Site-Name._sites.$domain"
)
foreach (srv in srvTests) {
Test-SRV-Record $srv
}
3. 动态DNS注册检查
Write-Host "3. 动态DNS注册状态..."
检查本机是否成功注册
$dnsRegistration = Get-DnsClientRegistration
if (-not $dnsRegistration.Enabled) {
Write-Host "⚠️ 动态DNS注册已禁用"
}
检查具体记录
Test-MachineDNSRegistration
4. DNS缓存污染检测
Write-Host "4. DNS缓存分析..."
查看DNS缓存中的域记录
Get-DnsClientCache | Where-Object {_.Name -like "\*domain*"} | Format-Table
清除并重新测试
Clear-DnsClientCache
Test-DomainDNSAfterCacheClear
5. DNS后缀搜索列表
Write-Host "5. DNS后缀配置..."
$suffixList = (Get-DnsClientGlobalSetting).SuffixSearchList
if (domain -notin suffixList) {
Write-Host "⚠️ 域后缀不在搜索列表中"
修复建议
Set-DnsClientGlobalSetting -SuffixSearchList @(domain, suffixList)
}
}
SRV记录测试函数
function Test-SRV-Record($srvName) {
Write-Host "测试SRV记录: $srvName"
try {
result = Resolve-DnsName srvName -Type SRV
if ($result) {
Write-Host "✅ $srvName 记录存在"
测试每个返回的DC
foreach (dc in result.NameTarget) {
Write-Host " - DC: $dc"
测试DC的连通性
Test-DC-Connectivity $dc
测试DC的LDAP服务
Test-LDAP-Service $dc
}
} else {
Write-Host "❌ $srvName 记录缺失"
尝试手动定位
Find-DomainControllers-Manually
}
} catch {
Write-Host "❌ SRV查询失败: $_"
}
}
DC连通性测试
function Test-DC-Connectivity($dcName) {
ICMP测试
pingResult = Test-Connection dcName -Count 2 -Quiet
端口测试(关键AD端口)
$ports = @(389, 636, 88, 445, 135)
foreach (port in ports) {
portTest = Test-NetConnection -ComputerName dcName -Port $port
if ($portTest.TcpTestSucceeded) {
Write-Host " ✅ 端口 $port 开放"
} else {
Write-Host " ❌ 端口 $port 关闭"
}
}
}
三、NetLogon服务诊断矩阵
NetLogon服务全方位诊断
function Test-NetLogonService {
Write-Host "=== NetLogon服务诊断 ==="
1. 服务状态检查
Write-Host "1. NetLogon服务状态..."
$service = Get-Service NetLogon
if ($service.Status -ne "Running") {
Write-Host "❌ NetLogon服务未运行"
尝试启动
Start-Service NetLogon
检查依赖服务
Check-NetLogonDependencies
} else {
Write-Host "✅ NetLogon服务正常运行"
}
2. 安全通道测试
Write-Host "2. 安全通道状态..."
使用nltest工具
secureChannel = nltest /sc_verify:domain
if ($secureChannel -like "*NOT VERIFIED*") {
Write-Host "❌ 安全通道验证失败"
重置安全通道
nltest /sc_reset:$domain
重新验证
nltest /sc_verify:$domain
} else {
Write-Host "✅ 安全通道正常"
}
3. 域信任关系验证
Write-Host "3. 域信任关系..."
$trustStatus = nltest /domain_trusts
解析信任状态
Parse-DomainTrustStatus $trustStatus
4. NetLogon日志分析
Write-Host "4. NetLogon日志深度分析..."
启用详细日志
Set-NetLogonDebugLogging
分析事件日志
Get-NetLogonEvents
5. 注册表配置检查
Write-Host "5. NetLogon注册表配置..."
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
$criticalSettings = @{
"MaximumPasswordAge" = 30
"SiteName" = "Default-First-Site-Name"
"DynamicSiteName" = 1
"ScavengeInterval" = 900
}
foreach (setting in criticalSettings.Keys) {
value = Get-ItemProperty -Path regPath -Name $setting
if (value -ne criticalSettings[$setting]) {
Write-Host "⚠️ setting 配置异常: value"
修复建议
Set-NetLogonRegistrySetting setting criticalSettings[$setting]
}
}
}
NetLogon事件日志分析
function Get-NetLogonEvents {
查询最近24小时的NetLogon事件
$events = Get-WinEvent -LogName "System" -FilterXPath "*[System[Provider[@Name='NetLogon']]]" -MaxEvents 100
$eventAnalysis = @{}
foreach (event in events) {
id = event.Id
switch ($id) {
5719 { # 计算机成功加入域
Write-Host "✅ 事件5719: 域加入成功"
}
5722 { # 安全通道建立
Write-Host "✅ 事件5722: 安全通道建立"
}
5723 { # 安全通道失败
Write-Host "❌ 事件5723: 安全通道失败"
Analyze-SecureChannelFailure $event
}
5805 { # NetLogon服务启动
Write-Host "✅ 事件5805: NetLogon启动"
}
5807 { # DC定位失败
Write-Host "❌ 事件5807: DC定位失败"
Analyze-DCLocationFailure $event
}
default {
Write-Host "事件id: ($event.Message)"
}
}
}
}
四、GPO应用时序诊断系统
GPO应用时序诊断
function Test-GPOApplicationTiming {
Write-Host "=== GPO应用时序诊断 ==="
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
1. GPO发现测试
Write-Host "1. GPO发现能力..."
使用gpresult检查
$gpResult = gpresult /r
解析GPO列表
gpoList = Parse-GPResult gpResult
if ($gpoList.Count -eq 0) {
Write-Host "❌ 未发现任何GPO"
测试组策略服务
Test-GroupPolicyService
} else {
Write-Host "✅ 发现GPO数量: (gpoList.Count)"
}
2. GPO应用顺序分析
Write-Host "2. GPO应用顺序..."
获取GPO应用顺序(LSDOU规则)
$gpoOrder = Get-GPOApplicationOrder
Write-Host "GPO应用顺序:"
foreach (gpo in gpoOrder) {
Write-Host " - (gpo.Name) [(gpo.Order)]"
}
3. 同步/异步应用检测
Write-Host "3. 同步/异步应用模式..."
检查注册表设置
$syncMode = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "SyncWaitTime"
if ($syncMode) {
Write-Host "同步模式等待时间: (syncMode.SyncWaitTime)秒"
} else {
Write-Host "异步模式应用"
}
4. GPO处理时间线
Write-Host "4. GPO处理时间线分析..."
创建详细的时间线记录
$gpoTimeline = Trace-GPOProcessingTimeline
分析瓶颈
Analyze-GPOProcessingBottleneck $gpoTimeline
5. 策略冲突诊断
Write-Host "5. GPO策略冲突..."
$conflicts = Detect-GPOConflicts
foreach (conflict in conflicts) {
Write-Host "⚠️ 策略冲突: (conflict.Setting)"
Write-Host " GPO1: (conflict.GPO1) -> (conflict.Value1)"
Write-Host " GPO2: (conflict.GPO2) -> (conflict.Value2)"
冲突解决建议
Suggest-GPOConflictResolution $conflict
}
}
GPO处理时间线追踪
function Trace-GPOProcessingTimeline {
$timeline = @{}
启用组策略详细日志
Set-GroupPolicyDebugLogging
模拟GPO处理过程
Write-Host "开始GPO处理追踪..."
阶段1: DC定位
$timeline.Phase1 = Measure-DCLocationTime
阶段2: GPO列表获取
$timeline.Phase2 = Measure-GPOListRetrievalTime
阶段3: GPO下载
$timeline.Phase3 = Measure-GPODownloadTime
阶段4: GPO应用
$timeline.Phase4 = Measure-GPOApplicationTime
阶段5: 脚本执行
$timeline.Phase5 = Measure-ScriptExecutionTime
生成时间线图
Generate-GPOProcessingChart $timeline
return $timeline
}
GPO冲突检测
function Detect-GPOConflicts {
$conflicts = @()
获取所有应用的GPO
$allGPOs = Get-AppliedGPOs
按设置类型分组
settingsGroups = Group-GPOSettings allGPOs
foreach (group in settingsGroups) {
settingName = group.Name
检查同一设置的不同值
values = group.Group | Select-Object -Unique Value
if ($values.Count > 1) {
发现冲突
$conflict = @{
Setting = $settingName
GPO1 = $group.Group[0].GPO
Value1 = $group.Group[0].Value
GPO2 = $group.Group[1].GPO
Value2 = $group.Group[1].Value
Priority = Compare-GPOPriority group.Group\[0\].GPO group.Group[1].GPO
}
conflicts += conflict
}
}
return $conflicts
}
五、网络位置异常专项诊断
网络位置异常诊断
function Diagnose-NetworkLocationIssue {
Write-Host "=== 网络位置异常专项诊断 ==="
1. 网络位置服务状态
Write-Host "1. 网络位置服务..."
$nlasvc = Get-Service NlaSvc
if ($nlasvc.Status -ne "Running") {
Write-Host "❌ 网络位置服务未运行"
分析依赖关系
Check-NLASvcDependencies
}
2. 网络位置识别
Write-Host "2. 当前网络位置..."
$location = Get-NetworkLocation
switch ($location) {
"Domain" {
Write-Host "✅ 识别为域网络"
验证域识别准确性
Validate-DomainNetworkIdentification
}
"Public" {
Write-Host "⚠️ 识别为公共网络"
分析误识别原因
Analyze-PublicNetworkMisidentification
}
"Private" {
Write-Host "⚠️ 识别为专用网络"
Analyze-PrivateNetworkMisidentification
}
default {
Write-Host "❌ 无法识别网络位置"
}
}
3. 网络位置缓存
Write-Host "3. 网络位置缓存..."
检查NLA缓存
$nlaCache = Get-NLACache
if (nlaCache.Contains(domain)) {
Write-Host "✅ 域网络位置已缓存"
} else {
Write-Host "❌ 域网络位置未缓存"
手动添加缓存
Add-DomainToNLACache
}
4. 防火墙策略影响
Write-Host "4. 防火墙策略分析..."
检查防火墙规则是否阻止域通信
$firewallRules = Get-NetFirewallRule | Where-Object {
_.DisplayName -like "\*Domain\*" -or _.DisplayName -like "*Active Directory*"
}
foreach (rule in firewallRules) {
if ($rule.Action -eq "Block") {
Write-Host "⚠️ 防火墙规则可能阻止域通信: (rule.DisplayName)"
临时启用测试
Test-WithFirewallRuleDisabled $rule
}
}
5. 网络适配器配置
Write-Host "5. 网络适配器配置..."
$adapters = Get-NetAdapter
foreach (adapter in adapters) {
Write-Host "适配器: (adapter.Name)"
检查DNS配置
dnsConfig = Get-DnsClientServerAddress -InterfaceIndex adapter.InterfaceIndex
检查域后缀
domainSuffix = Get-DnsClientGlobalSetting -InterfaceIndex adapter.InterfaceIndex
检查NLA设置
nlaSetting = Get-NetAdapterNetworkLocationSetting -InterfaceIndex adapter.InterfaceIndex
综合评估
Evaluate-AdapterDomainConfiguration adapter dnsConfig domainSuffix nlaSetting
}
}
六、自动化修复脚本库
AD域网络位置自动化修复
function AutoFix-ADDomainIssues {
Write-Host "=== 自动化修复系统 ==="
基于诊断结果的智能修复
$diagnosis = Import-DiagnosisReport
修复优先级排序
$fixPriority = @(
"DNSResolution",
"NetLogonService",
"NetworkLocation",
"GPOApplication"
)
foreach (issueType in fixPriority) {
if (diagnosis.DiagnosisResults.issueType.HasIssues) {
Write-Host "修复 $issueType 问题..."
switch ($issueType) {
"DNSResolution" {
Fix-DNSIssues $diagnosis.DiagnosisResults.DNS
}
"NetLogonService" {
Fix-NetLogonIssues $diagnosis.DiagnosisResults.Services
}
"NetworkLocation" {
Fix-NetworkLocationIssues $diagnosis.DiagnosisResults.NetworkLocation
}
"GPOApplication" {
Fix-GPOIssues $diagnosis.DiagnosisResults.GPO
}
}
}
}
修复后验证
PostFix-Verification
生成修复报告
Generate-FixReport
}
DNS问题修复
function Fix-DNSIssues($dnsResults) {
Write-Host "执行DNS修复..."
1. 修复SRV记录缺失
if ($dnsResults.MissingSRVRecords) {
Write-Host "修复SRV记录..."
手动添加SRV记录(临时方案)
Add-TemporarySRVRecords
联系DNS管理员修复
Contact-DNSAdministrator
}
2. 修复动态DNS注册
if (-not $dnsResults.DynamicRegistration) {
Write-Host "启用动态DNS注册..."
启用注册
Set-DnsClientRegistration -Enabled $true
强制注册
Register-DnsClient
验证注册
Verify-DnsRegistration
}
3. 修复DNS后缀
if (-not $dnsResults.DomainInSuffixList) {
Write-Host "添加域后缀到搜索列表..."
$currentList = (Get-DnsClientGlobalSetting).SuffixSearchList
newList = @(domain) + $currentList
Set-DnsClientGlobalSetting -SuffixSearchList $newList
}
}
七、监控与预防系统
AD域健康监控系统
function Setup-ADDomainMonitoring {
Write-Host "=== 部署AD域监控系统 ==="
1. 实时监控配置
Write-Host "1. 配置实时监控..."
DNS监控
Setup-DNSMonitoring
NetLogon监控
Setup-NetLogonMonitoring
GPO监控
Setup-GPOMonitoring
网络位置监控
Setup-NetworkLocationMonitoring
2. 预警阈值设置
Write-Host "2. 设置预警阈值..."
$thresholds = @{
"DNSResolutionTime" = 5000 # 5秒
"NetLogonServiceRestarts" = 3 # 24小时内
"GPOApplicationTime" = 30000 # 30秒
"NetworkLocationChanges" = 10 # 1小时内
}
Set-MonitoringThresholds $thresholds
3. 自动化响应规则
Write-Host "3. 配置自动化响应..."
$responseRules = @{
"DNS_SRV_Missing" = "AutoFix-DNS-SRV"
"NetLogon_Channel_Broken" = "AutoReset-SecureChannel"
"GPO_Not_Applied" = "AutoRefresh-GPO"
"NetworkLocation_Wrong" = "AutoCorrect-NetworkLocation"
}
Set-AutomationResponseRules $responseRules
4. 报告与通知
Write-Host "4. 配置报告系统..."
每日健康报告
Setup-DailyHealthReport
异常即时通知
Setup-RealTimeAlerting
历史趋势分析
Setup-HistoryTrendAnalysis
}
如果您喜欢此文章,请收藏、点赞、评论,谢谢,祝您快乐每一天。