김찬종 / Manager, Field Engineering Services, Microsoft
Active Directory Troubleshooting & Performance
About the instructor
• 김찬종 / Microsoft
• Windows DDK Developer
• Sr. Platform Support Engineer
• Sr. Infrastructure Field Engineer (RRE)
• 2004 TechED Speaker
• MCSE
• [email protected]
Technologies covered
• Windows 2000, Windows 2003 Active Directory
• DNS
• Group Policy
• FRS (File Replication Service)
• AD Replication
• FSMO
• AD disaster recovery
• AD performance measurement
• Domain migration
Agenda
• The relationship between Active Directory and DNS
• Understanding and troubleshooting Group Policy
• Understanding and troubleshooting Replication
• FSMO
• Backup and Restore (disaster recovery)
• Domain upgrade
• Performance measurement tools
The relationship between Active Directory and DNS
• Name Resolution Service
• Domain Controller Registration
• Domain Controller Location
– DsGetDCName (clients query for SRV records to locate domain controllers)
– The client sends an LDAP UDP packet to the DCs in the returned list
– The DC whose reply comes back first is used as the preferred DC
• Most Active Directory problems start as DNS problems
DNS replication
• Primary zone and secondary zone
• Active Directory-integrated zones (AD Integrated)
– Zone stored in AD
– Replicated by AD
– Secure dynamic update
Domain Controller Registration
• Services
– NETLOGON
– DHCP Client
• Registers service resource records (SRV)
– The SRV record: RFC 2782
– Locating LDAP servers using SRV
– Format
• <service>.<protocol>.<domain> IN SRV <priority> <weight> <port> <host>
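The locator steps above, as an added Python example that is not part of the original slides: it parses constructed SRV answers in the format shown, orders them as RFC 2782 prescribes (lowest priority first, weighted random within a priority), and keeps the fastest LDAP responder as the preferred DC. The `_ldap._tcp.dc._msdcs.contoso.com` records, their weights and the reply-time table are constructed sample data, not real zone content.

```python
import random
from collections import defaultdict

# Constructed sample answer set for the DC locator SRV query (not real zone data).
SRV_ANSWERS = """\
_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 10 100 389 dc3-dr.contoso.com.
"""

def parse_srv(text):
    """Parse '<service>.<protocol>.<domain> TTL IN SRV <priority> <weight> <port> <host>' lines."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[3] != "SRV":
            continue  # ignore anything that is not an SRV answer
        records.append({"priority": int(f[4]), "weight": int(f[5]),
                        "port": int(f[6]), "host": f[7].rstrip(".")})
    return records

def order_candidates(records, rng=random.random):
    """RFC 2782 client ordering: lowest priority first; within one priority,
    hosts are drawn at random in proportion to their weight."""
    by_prio = defaultdict(list)
    for r in records:
        by_prio[r["priority"]].append(r)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            pick = rng() * sum(r["weight"] for r in pool)
            for chosen in pool:
                pick -= chosen["weight"]
                if pick < 0:
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered

def preferred_dc(ordered, rtt_ms):
    """Slide step: LDAP UDP ping the candidates; the first DC to answer wins.
    Only the best priority tier with a responder is used. rtt_ms is a constructed
    table host -> reply time in ms (a host missing from it did not reply)."""
    for prio in sorted({r["priority"] for r in ordered}):
        tier = [r for r in ordered if r["priority"] == prio and r["host"] in rtt_ms]
        if tier:
            return min(tier, key=lambda r: rtt_ms[r["host"]])["host"]
    return None
```

Passing a fixed `rng` makes the weighted draw reproducible, which is useful when checking how a change to priority or weight shifts which DCs a client tries first.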
Preferred DNS and Alternate DNS
• TCP/IP properties
Common mistakes
• External DNS resolution
– Use of a root (".") zone
– Forwarders and root hints configured incorrectly
• Active Directory DNS resolution
– Pointing at the ISP's DNS servers
– DHCP Client service disabled (this service registers the host A record)
– No dynamic updates allowed
DNS-related tools
• Ipconfig /all
• Ipconfig /registerdns
• Ipconfig /flushdns
• Nslookup
• Dcdiag
• Netdiag /fix
Using the DNS-related tools
Demo
Understanding and troubleshooting Group Policy
Group Policy
• Group Policy Object (GPO)
• Multiple smaller GPOs
• Policy is applied based on the location of the user or computer account in the Active Directory namespace
• Can control
– Software deployment
– Files
– Registry
– Security
– Scripts
The relationship between Group Policy and AD
• Group Policy Objects and the Active Directory object hierarchy
• GPO storage in Active Directory
• Group Policy replication dependencies
• Application of Group Policy based on the account's Active Directory location and ACLs
Hierarchy: Site > Domain > OU
Group Policy structure and storage
• Group Policy Container (GPC)
• Group Policy Template (GPT)
• GPC and GPT are stored in separate locations
GPO "Default Domain Policy"
– GPC: in Domain > System > Policies
– GPT: in \\<DNSDOMAIN>\SYSVOL\<DNSDOMAIN>\Policies
Group Policy Container (GPC)
• AD object stored in the Domain > System > Policies container
Dn: CN={<GUID>},CN=Policies,CN=System,DC=contoso,DC=com
• Named by GUID rather than friendly name
• Attributes contain "metadata" relative to the GPO:
– Key properties of the policy object
• Display Name
• Object GUID
• File system path to the GPT
• Client-side extensions called
• Version number, flags, etc.
• Replicated to other domain controllers via Active Directory replication
Group Policy Template (GPT)
• Stored in a GUID-named folder under SYSVOL\Policies
• Folder name GUID matches the GPC "name" GUID
• Location stored in the "gPCFileSysPath" attribute of the GPC object
gPCFileSysPath: \\contoso.com\sysvol\contoso.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
• Relies on FRS replication
• Contains:
– .ADM files - display the available registry settings in the Group Policy Editor
– .POL files - store the selected registry settings
– CSE-specific data - different data formats per CSE
Group Policy Inheritance
• LSDOU (Local, Site, Domain, OU)
• Blocking and Enforce (No Override)
Blocking and Enforcing
Scenario 1: Block Inheritance
– contoso.com domain: "Global GPO" linked (No Control Panel!)
– SouthWest OU: Group Policy tab = Block Inheritance
– SWUsers OU (inside SouthWest OU): accounts in SWUsers OU are not affected by Global GPO
Scenario 2: Block Inheritance plus No Override
– contoso.com domain: "Global GPO" linked (No Control Panel!) with No Override set
– SouthWest OU: Group Policy tab = Block Inheritance
– SWUsers OU (inside SouthWest OU): accounts in SWUsers OU are still affected by Global GPO
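The two scenarios above, as an added Python example that is not part of the original slides: `resolve_gpos` walks a container chain in LSDOU order, honours Block Inheritance and No Override, and returns the GPOs that reach an account in SWUsers OU in application order (the last entry wins). The site name and the extra `SW Desktop GPO` linked at SWUsers OU are assumptions added only to show ordering.

```python
from dataclasses import dataclass, field

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # [(gpo_name, no_override)] linked here
    block_inheritance: bool = False           # "Block Inheritance" on the Group Policy tab

def resolve_gpos(chain):
    """GPOs in application order for an account at the end of `chain`
    (Site, Domain, OU, child OU ...); later entries win over earlier ones.
    Block Inheritance on a lower container drops every non-enforced link from
    the containers above it; No Override links ignore the block and are applied
    last, the higher container's link last of all."""
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        blocked = any(c.block_inheritance for c in chain[depth + 1:])
        for gpo, no_override in container.links:
            if no_override:
                enforced.append(gpo)
            elif not blocked:
                normal.append(gpo)
    return normal + enforced[::-1]

def slide_scenario(global_no_override):
    """The contoso.com / SouthWest OU / SWUsers OU chain from the two slides.
    The site name and the "SW Desktop GPO" linked at SWUsers OU are assumptions."""
    chain = [
        Container("Default-First-Site-Name"),
        Container("contoso.com", links=[("Global GPO", global_no_override)]),
        Container("SouthWest OU", block_inheritance=True),
        Container("SWUsers OU", links=[("SW Desktop GPO", False)]),
    ]
    return resolve_gpos(chain)

if __name__ == "__main__":
    print("Block Inheritance only:", slide_scenario(False))  # Global GPO does not reach SWUsers OU
    print("Block plus No Override:", slide_scenario(True))   # Global GPO still applies, and wins
```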
Default GPO permissions
• Authenticated Users
– Read
– Apply Group Policy
• System, Domain Admins, Enterprise Admins
– Full Control except: Apply Group Policy
Group Policy History
• Registry
– HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
– HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
• Information about each GPO that is read and applied
– Stored in the registry
– Sub keys
• Display Name
• DSPath
• FileSysPath
• GPOLink
• GPOName
• lParam
• Options
• Version
Group Policy-related tools
• GPOTool
• RSoP (Resultant Set of Policy)
• GPresult
• GPMC
• GPUPDATE, Secedit (W2K)
• DCGPOFIX (supported only on W2K3 DCs)
Using the Group Policy-related tools
Demo
Group Policy-related documents
• http://www.microsoft.com/grouppolicy
• http://www.microsoft.com/windows2000/docs/gptshoot.doc
• http://www.microsoft.com/windows2000/community/centers/management/gp_faq.asp
• Description of the Windows XP Professional Fast Logon Optimization
– http://support.microsoft.com/?id=305293
• Synchronous and Asynchronous Logon Script Processing
– http://support.microsoft.com/?id=822706
Replication Troubleshooting
• FRS
• AD Replication
Introduction to FRS
Figure: Server1 and Server2 each hold C:\Templates with Word and Excel subfolders; together the two copies form a Replica Set.
FRS and Active Directory
• SYSVOL
– Contains
• System policies
• Group Policy settings for domain members
• User logon and logoff scripts
– FRS objects created by DCPROMO
– Uses KCC or manual connection objects, topology and schedule
– Two-way replication required
• DFS
– Domain DFS only
– Exclusions
– FRS objects created by the DFS Admin tool
FRS Basic Operation
Computer A
1. File closed
2. Entry written to the NTFS Change Journal
3. FRS monitors the journal and compares the file to the exclusion filter
4. File placed in the aging cache
5. Change order created and inbound log updated (FRS database)
6. File copied to the staging area on A
7. Outbound log updated
Computer B
8. Change notification sent to B
9. Inbound log updated (FRS database) and Ack sent to A
10. File copied to the staging area on B
11. File constructed and moved to the final destination area
Sysvol & Netlogon shares
• FRS event log 13508 & 13509
C:\Documents and Settings\Administrator.WS3>net share

Share name   Resource                                    Remark
-------------------------------------------------------------------------------
C$           C:\                                         Default share
ADMIN$       C:\WINDOWS                                  Remote Admin
IPC$                                                     Remote IPC
Netlogon     C:\WINDOWS\SYSVOL\sysvol\ws3dom.cj\SCRIPTS   Logon server share
Sysvol       C:\WINDOWS\SYSVOL\sysvol                    Logon server share
The command completed successfully.
• "Troubleshooting Missing SYSVOL and NETLOGON Shares on Windows 2000"
– http://support.microsoft.com/?id=257338
Related tools
• Ntfrsutil
• Sonar
• Topchk
• Connstat
• Health_chk
• Repadmin /showconn
• Repadmin /showreps
• FRSDIAG
• Ultrasound
– http://www.microsoft.com/downloads/details.aspx?FamilyID=61acb9b9-c354-4f98-a823-24cc0da73b50&DisplayLang=en
• FSUTIL
Using the related tools
Demo
Active Directory Partitions
Figure: each domain controller holds the Domain, Configuration and Schema partitions.
Global Catalog Replication
Figure: a domain controller for Domain A holds the Domain A, Configuration and Schema partitions; a global catalog server in Domain A additionally holds the global catalog for Domain B and the global catalog for Domain C, while the Configuration and Schema partitions are common to Domains A, B and C.
AD Update
• Originating updates
• Tracking changes
– Update Sequence Numbers (USNs)
Replication Fundamentals
• Originating updates
– Add
– Modify
– Move (rename)
– Delete
• Tombstone
• Viewing the tombstone
• Garbage collection
• Tombstone lifetime and Active Directory backup and restore
• Reanimating the tombstone
Object Creation
DC1 USN: 4710 → 4711 (add new user)
Object on DC1: uSNCreated: 4711, uSNChanged: 4711
Property  Value  USN   Timestamp  Version#  Org. USN  Org. DC GUID
P1        Value  4711  TS DC1     1         4711      DC1 GUID
P2        Value  4711  TS DC1     1         4711      DC1 GUID
P3        Value  4711  TS DC1     1         4711      DC1 GUID
P4        Value  4711  TS DC1     1         4711      DC1 GUID
Object Replicated
DC1 USN: 4711; DC2 USN: 1745 → 1746 (user replicated from DC1 to DC2)
Object on DC2: uSNCreated: 1746, uSNChanged: 1746
Property  Value  USN   Timestamp  Version#  Org. USN  Org. DC GUID
P1        Value  1746  TS DC1     1         4711      DC1 GUID
P2        Value  1746  TS DC1     1         4711      DC1 GUID
P3        Value  1746  TS DC1     1         4711      DC1 GUID
P4        Value  1746  TS DC1     1         4711      DC1 GUID
Object Modification
DC2 USN: 2001 → 2002 (P2 modified on DC2)
Object on DC2: uSNCreated: 1746, uSNChanged: 2002
Property  Value  USN   Timestamp  Version#  Org. USN  Org. DC GUID
P1        Value  1746  TS DC1     1         4711      DC1 GUID
P2        Value  2002  TS DC2     2         2002      DC2 GUID
P3        Value  1746  TS DC1     1         4711      DC1 GUID
P4        Value  1746  TS DC1     1         4711      DC1 GUID
Change Replicated
DC2 USN: 2002; DC1 USN: 5039 → 5040 (modified phone number replicated from DC2 to DC1)
Object on DC1: uSNCreated: 4711, uSNChanged: 5040
Property  Value  USN   Timestamp  Version#  Org. USN  Org. DC GUID
P1        Value  4711  TS DC1     1         4711      DC1 GUID
P2        Value  5040  TS DC2     2         2002      DC2 GUID
P3        Value  4711  TS DC1     1         4711      DC1 GUID
P4        Value  4711  TS DC1     1         4711      DC1 GUID
Up-To-Dateness Vector and High Watermark
Step 1: user added to DC2 (DC2 USN: 2052 → 2053). No changes for DC4.
Current USNs: DC1 4711, DC2 2053, DC3 1217, DC4 3388
DC4 - Up-to-dateness vector
DC GUID  Highest Org. USN  Timestamp
DC1      4711              1
DC2      2052              1
DC4 - High watermark
DC GUID  Highest Known USN
DC1      4711
DC3      1217
Step 2: user replicated to DC1 (DC1 USN: 4711 → 4712). No changes for DC4. Note: the write was originated on DC2!
Current USNs: DC1 4712, DC2 2053, DC3 1217, DC4 3388
DC4 - Up-to-dateness vector: unchanged (DC1 4711, DC2 2052)
DC4 - High watermark: unchanged (DC1 4711, DC3 1217)
Step 3: DC4 replicates from DC1 and receives the data, DC1's USN 4712 and DC1's vector (DC4 USN: 3388 → 3389).
Current USNs: DC1 4712, DC2 2053, DC3 1217, DC4 3389
DC4 - Up-to-dateness vector
DC GUID  Highest Org. USN  Timestamp
DC1      4711              5
DC2      2053              3
DC4 - High watermark
DC GUID  Highest Known USN
DC1      4712
DC3      1217
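The object slides and the vector slides above, as an added Python model that is not part of the original deck: each attribute carries the table columns (version, originating DC, originating USN, local USN), every DC keeps a high watermark per partner and an up-to-dateness vector per originating DC, and `slide_scenario()` replays the DC2 write (USN 2053), its arrival on DC1 (USN 4712) and DC4's pull from DC1 (USN 3389), then shows the same write being dampened when DC2 offers it directly. The `user`/`cn` object and attribute names are constructed placeholders.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Per-attribute replication metadata: the columns of the slide tables.
Attr = namedtuple("Attr", "value version orig_dc orig_usn local_usn")

@dataclass
class DC:
    name: str
    usn: int
    objects: dict = field(default_factory=dict)  # obj -> {attr: Attr}
    utd: dict = field(default_factory=dict)      # up-to-dateness vector: originating DC -> highest orig USN seen
    hwm: dict = field(default_factory=dict)      # high watermark: partner -> highest partner USN seen

    def write(self, obj, attr, value):
        """Originating update: new local USN, version + 1, this DC is the originator."""
        self.usn += 1
        old = self.objects.setdefault(obj, {}).get(attr)
        self.objects[obj][attr] = Attr(value, old.version + 1 if old else 1, self.name, self.usn, self.usn)
        self.utd[self.name] = self.usn
        return self.usn

    def pull_from(self, src):
        """Inbound cycle: src changes above our high watermark for src, minus those already known via the UTD vector."""
        applied = []
        for obj, attrs in src.objects.items():
            for name, a in attrs.items():
                if a.local_usn <= self.hwm.get(src.name, 0):
                    continue                      # seen in an earlier cycle from src
                if a.orig_usn <= self.utd.get(a.orig_dc, 0):
                    continue                      # propagation dampening: reached us via another path
                self.usn += 1                     # a replicated write still consumes a local USN
                self.objects.setdefault(obj, {})[name] = a._replace(local_usn=self.usn)
                self.utd[a.orig_dc] = max(self.utd.get(a.orig_dc, 0), a.orig_usn)
                applied.append((obj, name, a.orig_dc, a.orig_usn))
        self.hwm[src.name] = src.usn
        for dc, u in src.utd.items():             # merge the partner's vector at the end of the cycle
            self.utd[dc] = max(self.utd.get(dc, 0), u)
        return applied

def slide_scenario():
    """Replays the three up-to-dateness vector / high watermark slides with their USNs."""
    dc1, dc2, dc4 = DC("DC1", 4711), DC("DC2", 2052), DC("DC4", 3388)
    dc4.utd, dc4.hwm = {"DC1": 4711, "DC2": 2052}, {"DC1": 4711, "DC3": 1217}
    dc2.write("user", "cn", "new user")   # step 1: originated on DC2 at USN 2053
    dc1.pull_from(dc2)                    # step 2: DC1 stores it at USN 4712, Org. USN stays 2053 / DC2
    from_dc1 = dc4.pull_from(dc1)         # step 3: DC4 takes it from DC1 -> USN 3389
    from_dc2 = dc4.pull_from(dc2)         # later: DC2 offers the same write and it is dampened
    return {"dc1_usn": dc1.usn, "dc4_usn": dc4.usn, "dc4_utd": dict(dc4.utd),
            "dc4_hwm": dict(dc4.hwm), "applied_from_dc1": from_dc1, "applied_from_dc2": from_dc2}
```

DC4's vector entry for DC1 stays at 4711 after step 3 because DC1 only relayed the change; the entry that moves is DC2's, which is exactly what lets the later pull from DC2 be dampened.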
Related tools
• DSASTAT
• Repmon
• Repadmin
• DCDiag
• Event level settings
• NTDSUTIL
Using the related tools
Demo
FSMO Roles
Per forest
• Schema Master
• Domain Naming Master
Per domain
• PDC Emulator
• RID Master
• Infrastructure Master
Schema Master
Figure: a new attribute is added on the Schema Master and reaches the other DCs through replication.
Domain Naming Master
Figure: adding or removing a domain (contoso.com and Dev.corp.com are shown) goes through the Domain Naming Master.
PDC Emulator
Figure: the PDC Emulator of Corp.com serves a downlevel domain: password changes, replication and browser information.
RID Master
Figure: the RID Master for contoso.com hands out a RID pool (RID2, RID3, RID4, RID5) to a DC; the DC builds a user object's SID as DomainSID + RID1.
Default Roles: Am I a FSMO?
1. Check the directory for the FSMO role
2. Wait for one successful inbound replication cycle
3. Verify that the FSMO data is correct
4. Assume the role
Changing the Role Holder
• Role transfer
• Role seizure
• Demotion
FSMO Administration
• NTDSUTIL.EXE
– Console application for FSMO administration
• Managed from MMC tools
– Role management
• Users & Computers Manager
• Schema Manager
• Domains & Trusts
– ADSI Edit
• Set access permissions
Related tools
• Netdom query fsmo
• NTDSUTIL
Using the related tools
Demo
Backup / Restore (disaster recovery)
Types of AD backup
• System State (ntbackup)
• Third-party backup tools
Types of AD restore
• Reinstall, then Dcpromo (replicate from another DC)
• Dcpromo from backup media (W2K3)
• Recovery onto different hardware
• Restoring Active Directory (from backup media)
Non-authoritative restore
• Restores the Sysvol data by replicating it in from an inbound replication partner
• Condition: at least one DC holding healthy Sysvol data must exist
• Procedure: in "Advanced Restore Options", use "junction points and data"
– http://support.microsoft.com/?id=240363
Authoritative restore
• Restores the Sysvol data by replicating it out to the outbound replication partner DCs
• Condition: do not use this restore method if the other DCs are not operating normally or there is no other DC locally
• Procedure:
– Perform a non-authoritative restore, then follow the document below
– http://support.microsoft.com/?id=241594
Primary restore
• When there is no other DC to replicate from or to, builds a new Ntfrs database from the restored local Sysvol data
• Condition: no other DC may exist locally, and this DC is restored as the first DC
• Procedure: in "Advanced Restore Options", select "Restore the Removable Storage database"
Domain Migration
W2K domain migration
• http://support.microsoft.com/default.aspx?scid=kb;ko;325379
– Domain health check
– repadmin /options +DISABLE_OUTBOUND_REPL
– adprep /forestprep
– repadmin /options -DISABLE_OUTBOUND_REPL
– adprep /domainprep
– Install the W2K3 OS
NT4 domain migration
• Open a registry editor on the domain controller and navigate to:
– HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
– Add the REG_DWORD entry NT4Emulator with the value 0x1.
• How to Prevent Overloading on the First Domain Controller During Domain
– http://support.microsoft.com/?id=298713
Performance Measurement
• ADTEST.EXE
– Simulates logons and searches
• http://www.microsoft.com/downloads/details.aspx?FamilyID=4814fe3f-92ce-4871-b8a4-99f98b3f4338&DisplayLang=en
• Server Performance Advisor
• http://download.microsoft.com/download/6/2/c/62c587bf-0d42-4ca2-9b04-5e6771dd209a/spa.msi
• Event log (Field Engineering registry key)
Settings for Active Directory Event Logging
1. Knowledge Consistency Checker Service
2. Security Events
3. ExDS Interface Events
4. MAPI Interface Events
5. Replication Events
6. Garbage Collection
7. Internal Configuration
8. Directory Access
9. Internal Processing
10. Performance Counters
11. Initialization/Termination
12. Service Control
13. Name Resolution
14. Backup
15. Field Engineering
16. LDAP Interface Events
17. Setup
18. Global Catalog
19. Intersite Messaging
20. Group Caching
21. Link Value Replication
22. DS RPC Client
23. DS RPC Server
24. DS Schema
Assess your Microsoft skills
What is the Microsoft Skills Assessment?
• An assessment of your skills on current products and technology solutions
• Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003
• Free, online, available to everyone
• Suggests Microsoft training programs based on the assessment results
• Shows the assessment items and the top score
• Visit www.microsoft.com/assessment
Become a Microsoft Certified Systems Administrator (MCSA)!
• What is the MCSA?
– A certification program for IT professionals who maintain and manage systems and networks based on Microsoft Windows Server
• How do you pass the MCSA (Windows Server 2003)?
– Pass 3 core exams
– 1 elective
• For details, see the URL below
www.microsoft.com/mcsa
Become a Microsoft Certified Systems Engineer (MCSE)!
• What is the MCSE?
– A program certifying the ability to design, plan and deploy business solutions and infrastructure based on the Microsoft Windows Server System, and to analyze the requirements of IT operators
• How do you pass the MCSE (Microsoft Windows 2003)?
– Pass 6 core exams
– Pass 1 elective exam
• For details, see the URL below
www.microsoft.com/mcse
Microsoft Certified Desktop Support Technician (MCDST)
• What is the MCDST certification?
– A program certifying the ability to troubleshoot desktop environments running on Microsoft Windows operating systems and to provide expert technical support
• How do you pass the MCDST (Microsoft Windows XP)?
– Pass 2 core exams
• Operating system
• Supporting desktop applications
• For details, see the URL below
www.microsoft.com/mcse
Take on a specialization certification
• MCSA/MCSE specializations?
– Certifications in the messaging and security specialties for IT professionals
• Specializations currently available
– MCSA: Security
– MCSA: Messaging
– MCSE: Security
– MCSE: Messaging
• For details, see the URLs below
www.microsoft.com/mcsa or www.microsoft.com/mcse
www.microsoft.com/technet/subscriptions
Join TechNet. Want to receive the latest technical news?
Software with no evaluation period: TechNet Plus subscribers can try a wide range of genuine Microsoft products for evaluation purposes.
Free technical support: subscribers receive 2 free support incidents, saving time when resolving critical problems.
Use the latest TechNet information offline: receive the Microsoft evaluation, installation and solution information from the TechNet site on CD or DVD.
Where can you get information?
• Webcasts or online chats
www.microsoft.com/technet/community/chats
www.microsoft.com/technet/community/webcasts
• Newsgroup list
www.microsoft.com/technet/community/newsgroups
• Microsoft community site
www.microsoft.com/technet/community
• Community events
www.microsoft.com/technet/community/events
• Community columns
www.microsoft.com/technet/community/columns