Windows Active Directory and Networking: the "Ten Famous Swords of Antiquity"
Windows Active Directory and network problems are like the demons of the jianghu: they burn, kill, loot and plunder, robbing me of my work and my money, and they are hard to fight bare-handed. So here are the "Ten Famous Swords of Antiquity", given to you all so that you can uphold justice and slay the demons. Add the Group Policy best practices of the "Eighteen Dragon-Subduing Palms" [url]http://technet.blog.51cto.com/21712/33368[/url] and I believe you can take up the sword, roam the jianghu and dispense justice.
PS: This article is written in celebration for my girlfriend who walks on my left, XYMM, who tonight at 11 o'clock passed the fourth-round interview with the CFO and CEO of a certain American company and can formally start work tomorrow.
(Please repost this so that more people can join me in congratulating her, but please keep the article intact and do not cut any of the text. Thank you!)
When reposting please credit the source: [url]http://technet.blog.51cto.com/[/url]. Reposting without credit will be pursued.
Sword 10: Chengying, "DCDiag"
Chengying is a refined and elegant sword
Sword-qi index: 7
Chengying is the famous sword praised by Liezi in the Tang Wen chapter of the Liezi: forged in the Shang dynasty and later held by Kong Zhou of the state of Wei in the Spring and Autumn period.
1. Domain Controller Diagnostic
2. An essential tool for checking the health of Active Directory
3. Obtained by installing the Windows Support Tools (in the support\tools directory of the product CD)
Usage
C:\>dcdiag /v > c:\dcdiag.txt (the "/v" switch is the one normally used)
Open dcdiag.txt; it checks a great many domain controller settings.
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine DC1, is a DC.
* Connecting to directory service on server DC1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
(This tells you how many domain controllers the environment has, here two, so you know how big it is. It has a second use: if there used to be 5 domain controllers and one was demoted but not cleanly removed, this line will still show 5, not 4.)
Done gathering initial info.
(This is the initial check; if this computer is not a domain controller, nothing below will run once this step completes.)
Doing initial required tests
Testing server: Default-First-Site-Name\DC1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC1 passed test Connectivity
(Tests whether the DC can be reached.)
Doing primary tests
Testing server: Default-First-Site-Name\DC1
Starting test: Replications
* Replications Check
[Replications Check,DC1] A recent replication attempt failed:
From DC2 to DC1
Naming Context: CN=Schema,CN=Configuration,DC=zxy,DC=xy
The replication generated an error (8524):
由於 DNS 查找故障,DSA 操作無法進行。
The failure occurred at 2007-07-15 16:15:10.
The last success occurred at 2007-07-05 16:59:05.
21 failures have occurred since the last success.
The guid-based DNS name cd9c55ad-ecad-41c3-bd58-994128d2f6e8._msdcs.zxy.xy
is not registered on one or more DNS servers.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
DC1: Current time is 2007-07-15 16:20:33.
CN=Schema,CN=Configuration,DC=zxy,DC=xy
Last replication recieved from DC2 at 2007-07-05 16:59:05.
* Replication Site Latency Check
REPLICATION-RECEIVED LATENCY WARNING
Source site:
CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zxy,DC=xy
Current time: 2007-07-15 16:20:33
Last update time: 2007-07-11 22:58:23
Check if source site has an elected ISTG running.
Check replication from source site to this server.
......................... DC1 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC1.
* Security Permissions Check for
DC=ForestDnsZones,DC=zxy,DC=xy
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=zxy,DC=xy
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=zxy,DC=xy
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=zxy,DC=xy
(Configuration,Version 2)
* Security Permissions Check for
DC=zxy,DC=xy
(Domain,Version 2)
......................... DC1 passed test NCSecDesc
(Checks whether the permissions on the main Active Directory partitions are set correctly: the domain partition, the Schema, and so on.)
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC1\netlogon
Verified share \\DC1\sysvol
......................... DC1 passed test NetLogons
Starting test: Advertising
The DC DC1 is advertising itself as a DC and having a DS.
The DC DC1 is advertising as an LDAP server
The DC DC1 is advertising as having a writeable directory
The DC DC1 is advertising as a Key Distribution Center
(If it is not advertising as a KDC it will not authenticate clients.)
The DC DC1 is advertising as a time server
(Whether it is a time server.)
The DS DC1 is advertising as a GC.
(Whether it is a GC. Turning an ordinary DC into a GC usually takes 20 to 30 minutes, because it has to let the other DCs know and then change a registry value; if it still does not succeed, a reboot is needed.)
......................... DC1 passed test Advertising
(AD has many important services and functions; if one of them has been turned off, an error is reported here.)
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zxy,DC=xy
Role Domain Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zxy,DC=xy
Role PDC Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zxy,DC=xy
Role Rid Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zxy,DC=xy
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zxy,DC=xy
......................... DC1 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2103 to 1073741823
* DC1.zxy.xy is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1103 to 1602
* rIDPreviousAllocationPool is 1103 to 1602
* rIDNextRID: 1130
......................... DC1 passed test RidManager
(Every new user created on a DC is given a unique identifier; the RID is the trailing number of that identifier. It is allocated across the whole domain so that every user's trailing number is different. This is one large pool, and if the numbers run out no new users can be created, which is a fairly common problem.)
Starting test: MachineAccount
Checking machine account for DC DC1 on DC DC1.
* SPN found :LDAP/DC1.zxy.xy/zxy.xy
* SPN found :LDAP/DC1.zxy.xy
* SPN found :LDAP/DC1
* SPN found :LDAP/DC1.zxy.xy/ZXY
* SPN found :LDAP/bdd96d1e-2b03-49d4-8998-b04018442b2e._msdcs.zxy.xy
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/bdd96d1e-2b03-49d4-8998-b04018442b2e/zxy.xy
* SPN found :HOST/DC1.zxy.xy/zxy.xy
* SPN found :HOST/DC1.zxy.xy
* SPN found :HOST/DC1
* SPN found :HOST/DC1.zxy.xy/ZXY
* SPN found :GC/DC1.zxy.xy/zxy.xy
......................... DC1 passed test MachineAccount
(Checks the machine account.)
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC1 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
DC1 is in domain DC=zxy,DC=xy
Checking for CN=DC1,OU=Domain Controllers,DC=zxy,DC=xy in domain DC=zxy,DC=xy on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zxy,DC=xy in domain CN=Configuration,DC=zxy,DC=xy on 1 servers
Object is up-to-date on all servers.
......................... DC1 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC1 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... DC1 passed test frsevent
Starting test: kccevent
* The KCC Event log test
An Error Event occured. EventID: 0xC0250827
Time Generated: 07/15/2007 16:14:04
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8000051C
Time Generated: 07/15/2007 16:17:27
(Event String could not be retrieved)
......................... DC1 failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000423
Time Generated: 07/15/2007 16:14:01
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000416
Time Generated: 07/15/2007 16:14:01
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000423
Time Generated: 07/15/2007 16:14:30
(Event String could not be retrieved)
......................... DC1 failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DC1,OU=Domain Controllers,DC=zxy,DC=xy and backlink on
CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zxy,DC=xy
are correct.
The system object reference (frsComputerReferenceBL)
CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=zxy,DC=xy
and backlink on CN=DC1,OU=Domain Controllers,DC=zxy,DC=xy are correct.
The system object reference (serverReferenceBL)
CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=zxy,DC=xy
and backlink on
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zxy,DC=xy
are correct.
......................... DC1 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : zxy
Starting test: CrossRefValidation
......................... zxy passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... zxy passed test CheckSDRefDom
Running enterprise tests on : zxy.xy
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... zxy.xy passed test Intersite
Starting test: FsmoCheck
GC Name: \\DC1.zxy.xy
Locator Flags: 0xe00003fd
PDC Name: \\DC1.zxy.xy
Locator Flags: 0xe00003fd
Time Server Name: \\DC1.zxy.xy
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\DC1.zxy.xy
Locator Flags: 0xe00003fd
KDC Name: \\DC1.zxy.xy
Locator Flags: 0xe00003fd
......................... zxy.xy passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
Example: when there is an error message
The first line gives the error number, e.g. 1753.
At a command prompt run net helpmsg 1753 and it prints the help text: 終結點映射器中沒有更多的終結點可用 (the English-language text of this message is "There are no more endpoints available from the endpoint mapper"; usually a router has blocked the port).
Some error messages are explained in the output, some are not; for those that are not, look them up in Microsoft's documentation library.
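The manual routine described above (scan the log for failed tests, find the error number, run net helpmsg on it) is easy to script. The following PowerShell is an added example, not code from the original post or from the dcdiag tool: it summarises a saved dcdiag /v log and decodes each numeric error code through the .NET Win32Exception class, which reads the same system message table that net helpmsg and err.exe use. The sample log lines are constructed from the output shown above; on a real DC replace them with the contents of C:\dcdiag.txt.

```powershell
# Added example, not from the original post: summarise a saved "dcdiag /v" log and
# decode the numeric error codes the way "net helpmsg" or err.exe would.
# Assumes the log was written with:  dcdiag /v > C:\dcdiag.txt

function Get-DcdiagSummary {
    param([string[]]$Lines)

    $results    = @()
    $errorCodes = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*\.+\s+(?<target>\S+)\s+(?<verdict>passed|failed)\s+test\s+(?<test>\S+)') {
            # Verdict lines look like: "......................... DC1 passed test Connectivity"
            $results += [pscustomobject]@{
                Target = $Matches.target
                Test   = $Matches.test
                Passed = ($Matches.verdict -eq 'passed')
            }
        } elseif ($line -match 'generated an error \((?<code>\d+)\)') {
            # Replication failures carry a Win32 error code: "The replication generated an error (8524):"
            $errorCodes += [int]$Matches.code
        }
    }

    [pscustomobject]@{
        Passed     = @($results | Where-Object { $_.Passed })
        Failed     = @($results | Where-Object { -not $_.Passed })
        ErrorCodes = @($errorCodes | Sort-Object -Unique)
    }
}

# Same message table that "net helpmsg <code>" reads, via the .NET Win32Exception class.
function Get-Win32ErrorText {
    param([int]$Code)
    ([System.ComponentModel.Win32Exception]$Code).Message
}

# Constructed sample made from the verdict and error lines shown in the post above.
$sample = @'
......................... DC1 passed test Connectivity
         The replication generated an error (8524):
......................... DC1 passed test Replications
......................... DC1 failed test kccevent
......................... DC1 failed test systemlog
'@ -split "`r?`n"

$summary = Get-DcdiagSummary -Lines $sample
# On a real DC use the saved log instead:  Get-DcdiagSummary -Lines (Get-Content C:\dcdiag.txt)

"Failed tests:"
$summary.Failed | Format-Table Target, Test -AutoSize
"Replication error codes:"
foreach ($code in $summary.ErrorCodes) { '{0}: {1}' -f $code, (Get-Win32ErrorText $code) }
```

Running this on a schedule and comparing the Failed list against the previous run gives you the "did anything change since yesterday" view that a single dcdiag run cannot; the kccevent and systemlog failures in the sample are exactly the kind that only mean something once you know they were passing last week.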
Sword 9: Chunjun, "Err"
Chunjun is a sword of peerless nobility
Sword-qi index: 7.5
1. An error-code (Error) lookup tool
2. An essential troubleshooting tool
3. Download:
[url]http://www.microsoft.com/downloads/details.aspx?familyid=be596899-7bb8-4208-b7fc-09e02a13696c&displaylang=en[/url]
Extract Err.exe to c:\tool\err; for example, c:\tool\err>err 1753 displays the detailed error information.
Sword 8: Yuchang, "KB"
Yuchang is a sword of supreme courage
Sword-qi index: 8
1. Knowledge Base
2. Microsoft's most important knowledge-sharing system, an electronic dictionary for solving real technical problems
[url]http://support.microsoft.com/search/?adv=1[/url]
Sword 7: Ganjiang, "Rcontrolad"
Ganjiang and Moye are swords of devoted love
Sword-qi index: 8.5
1. Directory Remote Control Add-On
2. Makes remote management more convenient for AD administrators
3. A Windows 2003 Resource Kit tool
Download:
[url]http://www.microsoft.com/downloads/details.aspx?FamilyID=0A91D2E7-7594-4ABB-8239-7A7ECA6A6CB1&displaylang=en[/url]
Usage: after downloading Rcontrolad, extract it to a folder, run rcontrol_setup.exe to install it, and finally copy rcontrol.exe from the extracted files into the Windows directory. To manage a computer remotely, open Active Directory Users and Computers, find the computer you want to manage and right-click it: a Remote Control entry will have been added to the menu, and clicking it starts a remote control session, equivalent to Remote Desktop. In practice, if you only have three or four machines to manage remotely you can use Remote Desktop, but with thousands of machines you cannot remember every IP address or computer name, and Rcontrolad makes that manageable. It only needs to be installed once per domain.
Sword 6: Moye, "GetSID"
Ganjiang and Moye are swords of devoted love
Sword-qi index: 8.5
1. Get User Security Identifier
2. Resolves a user to a SID
3. Obtained by installing the Windows Support Tools
PsGetSid
Resolves a known SID back to an account
[url]http://www.microsoft.com/technet/sysinternals/utilities/psgetsid.mspx[/url] (download the PsTools package, which includes PsGetSid)
Well-known security identifiers in Windows operating systems (KB 243330)
The SIDs of the common built-in users follow a pattern; remembering them helps a great deal.
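Both directions of the lookup that GetSID and PsGetSid perform are also available from the .NET classes that ship with Windows, which is convenient when no extra tools may be installed. The following PowerShell is an added example, not code from the original post or from the Sysinternals tools: it translates account names to SIDs and back, and it recognises the fixed RIDs of the built-in principals the post says are worth memorising (500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins, 513 Domain Users, 519 Enterprise Admins). The domain SID used in the last call is constructed; only its RID matters.

```powershell
# Added example, not from the original post: the two translations PsGetSid performs
# (account name -> SID and SID -> account name), done with the .NET classes built into
# Windows, plus a lookup of the well-known RIDs the post says are worth memorising.

function ConvertTo-Sid {
    param([string]$Account)   # e.g. 'BUILTIN\Administrators' or 'DOMAIN\alice'
    $acct = New-Object System.Security.Principal.NTAccount($Account)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertFrom-Sid {
    param([string]$Sid)       # e.g. 'S-1-5-32-544'
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $sidObj.Translate([System.Security.Principal.NTAccount]).Value
}

# Well-known RIDs (the last component of a domain SID). Windows fixes these, so a renamed
# built-in Administrator (RID 500) is still recognisable from its SID alone.
$WellKnownRids = @{
    500 = 'Administrator'
    501 = 'Guest'
    502 = 'krbtgt'
    512 = 'Domain Admins'
    513 = 'Domain Users'
    519 = 'Enterprise Admins'
}

function Get-WellKnownRidName {
    param([string]$Sid)
    $rid = [int](($Sid -split '-')[-1])
    if ($WellKnownRids.ContainsKey($rid)) { $WellKnownRids[$rid] } else { $null }
}

# Usage. BUILTIN lookups work on any Windows machine; DOMAIN\ lookups need a reachable DC.
ConvertTo-Sid   'BUILTIN\Administrators'
ConvertFrom-Sid 'S-1-5-32-544'
# Constructed domain SID (the domain part is made up); only the RID is used for the lookup.
Get-WellKnownRidName 'S-1-5-21-1111111111-2222222222-3333333333-500'
```

The RID check is the useful one during an audit: a user whose display name looks ordinary but whose SID ends in 500 is the built-in Administrator, whatever it has been renamed to.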
Sword 5: Qixing Longyuan, "Whoami"
Qixing Longyuan is a sword of integrity and purity
Sword-qi index: 8.8
1. Gets complete information about the currently logged-on user
2. An important tool for troubleshooting permission problems
Usage: whoami /all > c:\whoami.txt
Shows the current user's groups, privileges and so on. Sometimes you should not trust what the graphical interface shows too much; whoami gives a clearer picture.
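The point about not trusting the GUI has a concrete form: whoami can also print CSV, which PowerShell turns straight into objects, so the group and privilege lists can be checked rather than read. The following PowerShell is an added example, not code from the original post: it parses whoami /groups and whoami /priv, reports whether the token is really a member of BUILTIN\Administrators, whether UAC has marked that membership "used for deny only" (the user looks like an administrator in the GUI but this token cannot use it), and which privileges that confer administrative power on their own are present. The column headers used are whoami's own; the list of sensitive privileges is my selection.

```powershell
# Added example, not from the original post: parse "whoami" CSV output into objects and
# flag the token details that most often explain a permission problem. Column names
# ("Group Name", "SID", "Attributes", "Privilege Name", "State") are whoami's own headers.

function Get-TokenSummary {
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # Privileges that confer administrative power on their own, whatever the group list says.
    $sensitive = 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
                 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeTcbPrivilege'

    $adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        User           = (whoami)
        # Member of BUILTIN\Administrators at all?
        InAdminsGroup  = [bool]$adminGroup
        # Under UAC a non-elevated admin token lists the group as "Group used for deny only":
        # the GUI says "Administrator" but this token cannot use the membership.
        AdminDenyOnly  = [bool]($adminGroup | Where-Object { $_.Attributes -match 'deny only' })
        Groups         = @($groups.'Group Name')
        EnabledPrivs   = @($privs | Where-Object { $_.State -eq 'Enabled' }).'Privilege Name'
        SensitivePrivs = @($privs | Where-Object { $sensitive -contains $_.'Privilege Name' }).'Privilege Name'
    }
}

# Usage (any Windows host; run it once normally and once elevated to see the difference):
$token = Get-TokenSummary
$token | Format-List
$token | ConvertTo-Json -Depth 3 | Set-Content C:\whoami.json
```

The JSON file plays the same role as the post's c:\whoami.txt but can be diffed between machines or between a working and a failing user, which is usually how a permission problem is finally pinned down.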
Sword 4: Tai'e, "SecEdit"
Tai'e is a sword of the way of might
Sword-qi index: 9.3
1. Security Editor
2. A command-line tool for editing and analysing security policy, commonly used to analyse the final effective rights
3. Built into Windows 2000/XP/2003
Usage:
Secedit /export /mergedpolicy /cfg c:\secedit.txt /verbose (the most commonly used options)
Many security policies can be set in the domain, so what rights does the end user finally have? Use the graphical interface when you set them, but when you troubleshoot and maintain, a command-line tool is best.
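The exported file is INI-style text whose [Privilege Rights] section lists every user right together with the SIDs (prefixed with an asterisk) or names that hold it, which is the "what does the user finally get" answer the post is after. The following PowerShell is an added example, not code from the original post or part of secedit: it parses that section and resolves the SIDs to account names, keeping the raw SID where resolution fails (a deleted account, or no DC reachable). The sample text is constructed in the export format; a real export is longer and saved as UTF-16, which Get-Content handles.

```powershell
# Added example, not from the original post: read the INF file that
# "secedit /export /mergedpolicy /cfg C:\secedit.inf" writes and list the effective
# user-rights assignments from its [Privilege Rights] section, resolving SIDs to names.

function Get-SeceditPrivilegeRights {
    param([string[]]$Lines)
    $inSection = $false
    $rights = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\[(?<name>[^\]]+)\]') {
            $inSection = ($Matches.name -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        # Each line: SeSomePrivilege = *S-1-5-32-544,*S-1-5-32-555,Guest
        # SIDs carry a leading '*'; plain names appear as-is.
        if ($line -match '^\s*(?<priv>Se\w+)\s*=\s*(?<val>.*)$') {
            $priv = $Matches.priv
            $val  = $Matches.val
            $principals = foreach ($p in ($val -split ',')) {
                $p = $p.Trim()
                if ($p.StartsWith('*')) {
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        $p.Substring(1)   # unresolvable (deleted account, DC unreachable): keep the raw SID
                    }
                } else {
                    $p
                }
            }
            $rights[$priv] = @($principals)
        }
    }
    $rights
}

# Constructed sample in the export format (a real export is UTF-16 and much longer).
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$rights = Get-SeceditPrivilegeRights -Lines $sample
# Real data: secedit /export /mergedpolicy /cfg C:\secedit.inf
#            $rights = Get-SeceditPrivilegeRights -Lines (Get-Content C:\secedit.inf)

$rights.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0}: {1}' -f $_.Name, ($_.Value -join ', ') }
# The question the post asks, answered for one right:
'Holders of SeDebugPrivilege: ' + ($rights['SeDebugPrivilege'] -join ', ')
```

Because /mergedpolicy exports the result after local and domain policy have been combined, the parsed table is the effective assignment, not what any single GPO says; that is why the post recommends the command line over the GUI for troubleshooting.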
Sword 3: Chixiao, "AccessEnum"
Chixiao is a sword of the way of emperors
Sword-qi index: 9.7
1. Access Enumerate
2. A very powerful permission-analysis tool
(1) Files, directories and the registry
(2) Can compare results
(3) Helpful for managing permission changes
Download:
[url]http://www.microsoft.com/china/technet/sysinternals/utilities/AccessEnum.mspx[/url]
It mainly shows what you can do, whereas whoami shows who you are. It is almost an all-round tool, with a graphical interface. It can also save the analysis results so that you can compare against them later, and it can examine the registry too.
Sword 2: Zhanlu, "AutoRuns"
Zhanlu is a sword of the way of benevolence
Sword-qi index: 10
1. Checks auto-start entries
2. Usually used to resolve slow logons or to remove malicious programs
Download:
[url]http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx[/url]
There are two versions: autoruns (graphical) and autorunsc (command line). msconfig lists only a subset of the entries.
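The command-line version is the one that scales: export the auto-start entries of a known-good machine once, export again later, and diff. The following PowerShell is an added example, not code from the original post or from Sysinternals: it compares two autorunsc CSV exports and lists entries that appeared or disappeared, plus any current entry whose image is not signature-verified. The export command line and the column names ("Entry Location", "Entry", "Image Path", "Signer", with "(Verified)" as the prefix of a valid signature) are those of current Sysinternals releases and are an assumption for the 2007-era version the post links to; check autorunsc -? on your copy. The two CSV texts are constructed sample data.

```powershell
# Added example, not from the original post: diff an autorunsc CSV export against a
# known-good baseline so new or changed auto-start entries stand out, and flag entries
# whose image is not signature-verified.
# Assumed export command for current Sysinternals releases (check "autorunsc -?" on yours):
#   autorunsc -accepteula -a * -c -s > C:\autoruns-baseline.csv
# Column names used below ("Entry Location", "Entry", "Image Path", "Signer") are those
# of current releases; older versions use a different layout.

function Get-AutorunKey {
    param($Row)
    '{0} | {1} | {2}' -f $Row.'Entry Location', $Row.Entry, $Row.'Image Path'
}

function Compare-Autoruns {
    param([object[]]$Baseline, [object[]]$Current)
    $old = @($Baseline | ForEach-Object { Get-AutorunKey $_ })
    $new = @($Current  | ForEach-Object { Get-AutorunKey $_ })
    [pscustomobject]@{
        Added      = @($new | Where-Object { $old -notcontains $_ })
        Removed    = @($old | Where-Object { $new -notcontains $_ })
        # "(Verified)" is what autorunsc writes in Signer for a valid Authenticode signature (-s)
        Unverified = @($Current | Where-Object { $_.Signer -notlike '(Verified)*' } |
                       ForEach-Object { Get-AutorunKey $_ })
    }
}

# Constructed sample exports (made-up rows in the CSV layout described above).
$baselineCsv = @'
"Entry Location","Entry","Enabled","Image Path","Signer"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","c:\windows\system32\securityhealthsystray.exe","(Verified) Microsoft Windows"
'@
$currentCsv = @'
"Entry Location","Entry","Enabled","Image Path","Signer"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","c:\windows\system32\securityhealthsystray.exe","(Verified) Microsoft Windows"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","updater","enabled","c:\users\alice\appdata\roaming\updater.exe","(Not verified)"
'@

$diff = Compare-Autoruns -Baseline ($baselineCsv | ConvertFrom-Csv) -Current ($currentCsv | ConvertFrom-Csv)
# Real data: -Baseline (Import-Csv C:\autoruns-baseline.csv) -Current (Import-Csv C:\autoruns-today.csv)
$diff | Format-List
```

Keyed on location, entry name and image path, the diff catches the two things a slow-logon or malware investigation cares about: a new entry, and an existing entry whose executable was swapped for another path.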
Sword 1: Xuanyuan Xiayu, "UPHClean"
Xuanyuan Xiayu is a sword of the way of the sages
Sword-qi index: infinite.
1. User Profile Hive Clean
2. A powerful tool for resolving user-profile "handle leaks"
3. Technical background
(1) What is a hive? What is a handle leak?
Hive: the part of the registry that belongs to a user. It is unloaded when the user logs off and loaded when the user logs on, under HKEY_USERS.
(2) Common handle-leak problems and their impact
One case is disk-scanning tools, the most common being antivirus software. If the antivirus software is writing to the registry at the moment you log off and it is badly designed, the handle it holds must be closed at logoff but cannot be, either because of the design or because it runs with a high privilege level that the current user does not have. Logoff then takes a very, very long time: you see "Windows is saving your personal settings" for ages while it tries to close the handle and do other things, and in the end the handle is forcibly broken, which loses the user's settings, so at the next logon some settings are gone. 99% of the time the cause is code not written to the rules. Windows 2003 is quick here because it forcibly closes the handle; Windows 2000 is very slow.
(3) Previously this had to be diagnosed with complex tools such as DbgView, which was very time-consuming
Download:
[url]http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en[/url]
Use: when you find logoff and shutdown extremely slow, or when your company has terminal servers, this tool will help you.
After UPHClean is installed it starts a service, User Profile Hive Cleanup, which automatically kills the registry handle that cannot be released. Then look at the event log: there are several entries about UPHClean, and one of them tells you which program failed to release the registry handle. In an enterprise with many applications installed you do not know which one is causing the handle leak; this tells you.
Advantages:
1. Installed as a service, so it starts when the machine starts
2. Neither installing nor uninstalling needs a reboot; a big headache for us is that in a large environment machines may not be rebooted.
3. Detects the problem directly
4. Simple