
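Creating a Custom Active Directory Attribute

This article describes how to create a custom Active Directory attribute for cases where no existing attribute can be used. As an example, we create an attribute to hold a user's "Medicare card number".

Adding a custom attribute involves modifying the AD schema, which requires membership in the Schema Admins and Enterprise Admins groups. By default, the Administrator account is a member of the Schema Admins group.
As an alternative to extending the schema, the existing attributes ExtensionAttribute1 through ExtensionAttribute15 can be used to store custom data.

User object attributes can be viewed on the Attribute Editor tab of the user's properties.

Before adding an attribute to the schema, you must register the schema snap-in, because the Active Directory Schema is not available in the management console by default.
  • Go to Start > Run > mmc.
  • Open File > Add/Remove Snap-in.
  • Note that "Active Directory Schema" is not listed.
  • To register the schema snap-in, type RegSvr32 SchmMgmt.dll in the Run text box and click OK.
  • When SchmMgmt.dll is registered successfully, Windows displays an information message box.
  • Open the schema snap-in: Start > Run > mmc.exe > File > Add/Remove Snap-in > Active Directory Schema > Add.
  • Expand Active Directory Schema, right-click Attributes, and click "Create Attribute...".
  • Click Continue on the schema object creation warning message.

To proceed to the next step, you need to generate an OID (object identifier) for the Unique X500 Object ID field.
The OID can be generated with PowerShell or VBScript.

Generating the OID with PowerShell (Microsoft link):

Go to Start > All Programs > Accessories > Windows PowerShell > Windows PowerShell, then copy and paste the following statements into the PowerShell window.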


#---
# Fixed prefix; a freshly generated GUID supplies the unique suffix.
$Prefix="1.2.840.113556.1.8000.2554"
$GUID=[System.Guid]::NewGuid().ToString()
$Parts=@()
# Parse seven hex slices of the GUID string (skipping the dashes) into decimal numbers.
$Parts+=[UInt64]::Parse($guid.SubString(0,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(4,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(9,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(14,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(19,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(24,6),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(30,6),"AllowHexSpecifier")
# Join the prefix and the seven numbers with dots to form the OID.
$OID=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$prefix,$Parts[0],$Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
$oid
#---
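Copy the OID string (the dot-separated string of numbers) and paste it into the Unique X500 Object ID field.

Generating the OID with VBScript (Microsoft link):
Open the following link in a web browser, then copy the VBScript code and paste it into Notepad.

http://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06

Save the Notepad file on the C: drive with the name "OIDGen.vbs" (enclosed in double quotes; otherwise a .txt suffix is appended after .vbs). Open a command prompt and run the script: Start > cmd.exe > CScript.exe C:\OIDGen.vbs
Copy the OID string (the dot-separated string of numbers) and paste it into the Unique X500 Object ID field.

  • In the Create New Attribute dialog, enter the Common Name (in this case, Medicare Number).
  • The LDAP Display Name field is filled in automatically from the Common Name (without spaces).
  • Paste the OID string generated in the previous step into the Unique X500 Object ID field.
  • Enter a description in the text box.
  • Select the attribute type by choosing the appropriate syntax from the drop-down list (in this case the Medicare number is a numeric value; this can be a different type, depending on how each attribute is used).
  • Click OK.

The custom attribute medicareNumber is created.

  • Now add/associate this new attribute with the User class. Go to the Classes node and select the user class.
  • Right-click user and click Properties.
  • Go to the Attributes tab. Click Add.
  • Find the medicareNumber attribute and click OK, then click OK again.
  • To confirm that the attribute is associated with User, right-click user, click Properties, and go to the Attributes tab. The medicareNumber attribute should be in the list of optional attributes.
This completes the creation of the custom attribute.

Open the Users and Computers snap-in and check the user properties for the custom attribute.


The value of this attribute can be set by clicking the Edit button and entering the appropriate value.


To see all users that have a Medicare card number set, you can run the following command-line statement.

DSQuery * -Filter "(medicareNumber=*)" -Attr Name medicareNumber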
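
The same verification can be done read-only from PowerShell. The following is an added example, not part of the original article: it assumes the ActiveDirectory RSAT module is installed and uses the attribute name medicareNumber from the steps above; the function name Test-CustomAttribute is illustrative. It confirms the attribute exists in the schema, that it is linked to the user class, whether it is flagged confidential, and which users have a value set.

```powershell
# Added example (not from the original article). Read-only: nothing in the schema is changed.
Import-Module ActiveDirectory

function Test-CustomAttribute {
    param(
        [string]$AttributeName = 'medicareNumber'   # lDAPDisplayName created in the steps above
    )

    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # 1. Does the attributeSchema object exist?
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
        -Properties attributeID, attributeSyntax, oMSyntax, isSingleValued, searchFlags
    if (-not $attr) {
        throw "Attribute '$AttributeName' was not found in the schema ($schemaNC)."
    }

    # 2. Is it listed as an optional attribute of the user class?
    $userClass = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
        -Properties mayContain, systemMayContain
    $optional = @($userClass.mayContain) + @($userClass.systemMayContain)
    $linked   = $optional -contains $AttributeName

    # 3. searchFlags bit 128 (0x80) marks an attribute as confidential, which is
    #    worth knowing for a value such as a Medicare card number.
    $confidential = ([int]$attr.searchFlags -band 128) -ne 0

    # 4. Users that have a value set (PowerShell equivalent of the DSQuery line above).
    $users = @(Get-ADUser -LDAPFilter "($AttributeName=*)" -Properties $AttributeName |
        Select-Object Name, SamAccountName, $AttributeName)

    [pscustomobject]@{
        Attribute         = $AttributeName
        OID               = $attr.attributeID
        Syntax            = $attr.attributeSyntax
        SingleValued      = $attr.isSingleValued
        LinkedToUserClass = $linked
        IsConfidential    = $confidential
        UsersWithValue    = $users.Count
        Users             = $users
    }
}

$result = Test-CustomAttribute
$result | Format-List Attribute, OID, Syntax, SingleValued, LinkedToUserClass, IsConfidential, UsersWithValue
$result.Users | Format-Table -AutoSize
```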

End.


So you’ve got some DNS Zones on your Domain Controllers and you’re building a test lab or another domain that you want to copy these to. Easy right – not so easy if they are AD integrated zones. This means the files for these zones are not stored in C:\Windows\System32\dns as normal; they are actually stored in AD and replicated to all DCs.

I had a requirement to move an integrated forward lookup zone from one domain to another so I’m sharing what I did below.

Log on to your DC with the integrated zone and fire up our friend PowerShell.

Get-DNSServerZone

You’ll see your zones listed out.

You’ll see here which zones are integrated and which are not.

The ZoneName column is key for the next bit, make a note of the ZoneName you want to export.

Export-DNSServerZone -Name <ZoneName from the above> -Filename <Yourzone.dns>

There’s no confirmation for this command, but it will export the zone to a file that can be reused.

Open up C:\Windows\System32\dns in explorer.

 

You’ll see here your DNS zone file. Take a copy of this and place it somewhere.

Log in to your new DNS server where the zone will be imported.

Open up C:\Windows\System32\dns in explorer and copy the file you just exported into this folder.

Now open the DNS Management Console.

Right click “Forward Lookup Zones” and select “New Zone”, Select “Next” to get started.

Select the zone type and remember to untick the “Store the zone in Active Directory” option.

I know, I know, we want it to be in AD; don’t worry. It will still be once we are done.

Select “Next”.

Populate the Zone Name and select “Next”.

Select “Use the existing file” and enter the name of the file you copied into “C:\Windows\System32\dns”, select “Next”.

Select “Next” on the dynamic update options. Note: The secure option will be available once we convert this zone to an AD integrated zone.

The zone should now appear fully populated in the DNS console. Now time to convert this zone back to an AD integrated zone.

Right click the zone and select “Properties”.

Select “Change” on the right of “Type”.

You might recognise this screen, Select “Store the zone in Active Directory” and click “OK”. Confirm you want to move the zone to AD.

You now have the option to change the dynamic updates to this zone, select as per your preference.

This wraps up the zone import. The whole process could be easily scripted with PowerShell. Happy to take a crack at it if anyone is interested.
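
One way to script the procedure above with the DnsServer module, as an added example that is not the author's own code. The function names, the default file name and the zone name in the usage comment are illustrative assumptions; the copy between servers is left to whatever transfer method you use.

```powershell
# Added example (not from the original post). Requires the DnsServer module and an elevated session.
#Requires -Modules DnsServer

# Step 1 - run on the SOURCE DC: export an AD-integrated zone to a file in System32\dns.
function Export-ZoneToFile {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$FileName = "$ZoneName.dns"          # illustrative default
    )
    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction Stop
    if (-not $zone.IsDsIntegrated) {
        Write-Warning "$ZoneName is already file-backed; its zone file is $($zone.ZoneFile)."
    }
    $target = Join-Path (Join-Path $env:windir 'System32\dns') $FileName
    if (Test-Path $target) {
        throw "$target already exists; choose another file name or remove the old export."
    }
    Export-DnsServerZone -Name $ZoneName -FileName $FileName -ErrorAction Stop
    Get-Item $target                                 # returns the exported file for copying
}

# Step 2 - run on the TARGET DNS server after copying the exported file to it.
function Import-ZoneAsAdIntegrated {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$SourceFile,   # path to the copied export
        [ValidateSet('Forest','Domain','Legacy')][string]$ReplicationScope = 'Domain',
        [ValidateSet('None','Secure','NonsecureAndSecure')][string]$DynamicUpdate = 'Secure'
    )
    if (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue) {
        throw "Zone $ZoneName already exists on this server."
    }

    # Place the file in System32\dns, where the DNS service looks for zone files.
    $fileName = Split-Path $SourceFile -Leaf
    $dest     = Join-Path (Join-Path $env:windir 'System32\dns') $fileName
    if (-not (Test-Path $dest)) {
        Copy-Item -LiteralPath $SourceFile -Destination $dest -ErrorAction Stop
    }

    # Same as the wizard with "Store the zone in Active Directory" unticked and
    # "Use the existing file" selected. Dynamic updates stay off for now because
    # the secure option only exists for AD-integrated zones.
    Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile $fileName -LoadExisting `
        -DynamicUpdate None -ErrorAction Stop

    # Same as Properties > Type > Change > "Store the zone in Active Directory".
    ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $ReplicationScope `
        -Force -ErrorAction Stop

    # Now that the zone is AD-integrated, apply the dynamic update setting.
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate $DynamicUpdate -ErrorAction Stop

    Get-DnsServerZone -Name $ZoneName |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate
}

# Usage (zone name is a placeholder):
#   On the source DC:   Export-ZoneToFile -ZoneName 'corp.example.com'
#   On the target:      Import-ZoneAsAdIntegrated -ZoneName 'corp.example.com' `
#                           -SourceFile 'C:\Temp\corp.example.com.dns'
```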

728x90
728x90

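Whenever DNS or domain name server records are changed, DNS propagation begins. It can take hours or even days to complete, and during this time the DNS IP fluctuates. Visitors may end up at either the new website or the old one.

If you want to check the current state of your DNS records during DNS propagation, here is a list of 7 useful online tools that let you do this. These tools are easy to use. I hope you find them useful.

1. App Synthetic Monitor

This tool has four features and checks from 90 locations. You can check the status of a website, analyze DNS, and also run a traceroute to an IP.

2. DNS Checker

Runs a DNS propagation check from 22 locations worldwide. The record types this tool supports include A, AAAA, CNAME, MX, NS, PTR, SOA and TXT.

3. ceipam.eu DNS Lookup

Another tool, which checks from 17 locations. Supported record types are A, MX, NS, SPF and TXT. The site also offers testing services as well as other free email and website tools.

4. ViewDNS.info

ViewDNS.info checks DNS propagation from 20 locations. It also offers a variety of other useful tools such as IP location finder, IP traceroute and MAC address lookup.

5. Nexcess

This tool performs DNS checks from 22 locations and can check the following record types: A, AAAA, CNAME, NS, MX, TXT, SOA.

6. WhatsMyDNS.net

Checks DNS propagation from 21 locations. Supported record types are A, AAAA, CNAME, MX, NS, PTR, SOA and TXT.

7. Site24x7

This tool supports DNS propagation checks from 50 locations, lets users customize which locations are checked, and provides details such as DNS resolution time, connection time, and first and last byte times.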

 
 
 
 
 

Create A Send Connector

A fresh Exchange Server installation does not have a connector for sending email to internet email addresses, so we need to create one. Here are the how-to steps to create a send connector using the Exchange admin center. Log in to the Exchange Admin Center and go to Mail flow > Send Connector. Click the Add (+) sign at the top of the icons.

 

The New Send Connector wizard will open. Type a descriptive name and select Internet as type.

 

As we are going to send emails to internet users straight from the exchange server, we are going to select an MX record associated with the recipient domain and click Next.

 

Add address space, click + sign on the address space commands.

 

Type * in the FQDN column and click save.

 

Once the address space has been saved, click next.

 

On the Source Server, click + sign to add the only server we just installed.

 

Add the Exchange Server and click OK

 

We have completed Creating Send connector, click Finish to close the wizard.

 

Configure Virtual Directories

Exchange Server 2019 Installation and Configuration

We are going to configure virtual directories such as OWA, ActiveSync, and so on with the internal and external URLs using the Exchange Management Shell. Navigate to Start > Microsoft Exchange Server in the menu, right-click the Exchange Management Shell, and choose Run as Administrator to open an elevated shell for configuring the virtual directories.

 

The following script will set the virtual directories of each feature. We need to specify the Server_Name and FQDN variables relevant to our Exchange Server name and external domain name.

$Server_name = "ex"
$FQDN = "mail.mrigotechno.club"
Get-OWAVirtualDirectory -Server $Server_name | Set-OWAVirtualDirectory -InternalURL "https://$($FQDN)/owa" -ExternalURL "https://$($FQDN)/owa"
Get-ECPVirtualDirectory -Server $Server_name | Set-ECPVirtualDirectory -InternalURL "https://$($FQDN)/ecp" -ExternalURL "https://$($FQDN)/ecp"
Get-OABVirtualDirectory -Server $Server_name | Set-OABVirtualDirectory -InternalURL "https://$($FQDN)/oab" -ExternalURL "https://$($FQDN)/oab"
Get-ActiveSyncVirtualDirectory -Server $Server_name | Set-ActiveSyncVirtualDirectory -InternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync" -ExternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory -Server $Server_name | Set-WebServicesVirtualDirectory -InternalURL "https://$($FQDN)/EWS/Exchange.asmx" -ExternalURL "https://$($FQDN)/EWS/Exchange.asmx"
Get-MapiVirtualDirectory -Server $Server_name | Set-MapiVirtualDirectory -InternalURL "https://$($FQDN)/mapi" -ExternalURL "https://$($FQDN)/mapi"

After you copy and paste the script into the EMS, the Exchange Management Shell looks like the output shown below.

 

Configure Outlook Anywhere

For Outlook clients to connect from internal and external networks, we need to configure Outlook Anywhere in the Servers/Outlook Anywhere settings with the Exchange hostname (FQDN), such as mail.domain.com. You can navigate to the Outlook Anywhere settings as shown in the steps on the image.

 

Click OK to the Warning to Negotiate client authentication.

 

Set Service Connection Point


The next step is to set the Autodiscover internal URI for internal outlook clients to get the Autodiscover details from the active directory. The Autodiscover internal URI will set the Service Connection Point(SCP) on the Active Directory.

Set-ClientAccessService -Identity ex -AutodiscoverServiceInternalURI  https://mail.mrigotechno.club/Autodiscover/Autodiscover.xml
 

Rename default database and move database path

Move the mailbox database and transaction log files to a separate disk so that the database can be recovered quickly in case of disk failure. I have used the C: drive in the commands below; substitute the relevant drive letter.

Get-MailboxDatabase -Server ex | Set-MailboxDatabase -Name MBX-DB-2019
Move-DatabasePath -Identity MBX-DB-2019 -EdbFilePath C:\ExchangeDatabases\MBX-DB-2019\MBX-DB-2019.EDB -LogFolderPath C:\ExchangeDatabases\MBX-DB-2019_Log
 

Install Certificate

We are going to create a Certificate Signing Request (CSR) in the Exchange Admin Center and install the certificate for services like IIS, SMTP, and so on. Log in to the Exchange Admin Center and go to Servers > Certificate to create a certificate signing request (CSR) file, which is used to obtain a certificate from a third-party Certification Authority (CA) like Verisign or GoDaddy.

The certificate signing request is created by clicking the + sign on the Certificate tab. Select “Create a request for a certificate from a Certification Authority” and click Next.

 

Type a friendly name of the certificate and click Next.

 

We are going to request a Subject Alternative Name (SAN) certificate, so leave the default and click Next.

 

The request has to be saved on the Exchange server, click browse and select the only exchange server and click ok.

 

The exchange server has been selected click Next.

 

We skip this page, and we are going to create a request with some names where we can specify names on the list. Click Next.

 

Select only the FQDN that we used on the virtual directories and Outlook Anywhere. We provided the name mail.mrigotechno.club; alongside it we need to add the name for Autodiscover, so the subject name will be Autodiscover.mrigotechno.club. Remove the other local hostnames.

 

With the local hostnames removed and only the FQDN and Autodiscover hostnames added, click Next.

 

Type information about your organization and click Next.

 

Save the request in a file, type the UNC path, and click Next.

 

The certificate request has been created, and using the CSR file we need to obtain a certificate from a third-party certification authority. Once the certificate is received, come back to the Certificate tab in the Exchange Admin Center, select the request entry, and click Complete to apply the certificate.

 

Type the UNC path of the certificate received from the CA and click ok.

 

The next step is to assign services to the certificate, open the certificate entry on the EAC, and check the hostnames.

 

Go to Services in the same window and select the services that should use this certificate. IIS and SMTP are generally selected; if IMAP and POP are enabled and should use the certificate too, select them as well, then click Save.

 

Click Yes to the confirmation message, and you would see valid in the Certificate Status.
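
To confirm that the names configured in the earlier steps line up with the installed certificate, the settings can be read back in the Exchange Management Shell. This is an added example, not part of the original article; it reuses the server name ex and FQDN mail.mrigotechno.club from the script above, and the function name Test-ExchangeNamespace is illustrative. It only handles exact hostname matches, not wildcard certificates.

```powershell
# Added example (not from the original article). Run in an elevated Exchange Management Shell.
# Read-only: it compares the configured URLs with the names on the certificate bound to IIS.
function Test-ExchangeNamespace {
    param(
        [string]$ServerName = 'ex',                      # server name used in the article
        [string]$Fqdn       = 'mail.mrigotechno.club'    # FQDN used in the article
    )

    # Newest valid certificate that has the IIS service assigned.
    $cert = Get-ExchangeCertificate -Server $ServerName |
        Where-Object { "$($_.Services)" -match 'IIS' -and "$($_.Status)" -eq 'Valid' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "No valid certificate with the IIS service was found." }
    $certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })

    # Collect the internal/external URL of every virtual directory set by the script above.
    $getters = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory', 'Get-WebServicesVirtualDirectory',
               'Get-MapiVirtualDirectory'
    $urls = foreach ($getter in $getters) {
        foreach ($vdir in (& $getter -Server $ServerName)) {
            foreach ($prop in 'InternalUrl', 'ExternalUrl') {
                [pscustomobject]@{ Source = "$getter $prop"; Url = "$($vdir.$prop)" }
            }
        }
    }

    # Add the Autodiscover SCP value set with Set-ClientAccessService.
    $scp   = (Get-ClientAccessService -Identity $ServerName).AutoDiscoverServiceInternalUri
    $urls  = @($urls) + [pscustomobject]@{ Source = 'Autodiscover SCP'; Url = "$scp" }

    # One row per URL: is it HTTPS, does it use the expected FQDN, is the host on the certificate?
    foreach ($u in $urls) {
        $hostName = if ($u.Url) { ([uri]$u.Url).Host } else { '' }
        [pscustomobject]@{
            Source        = $u.Source
            Url           = $u.Url
            IsHttps       = $u.Url -like 'https://*'
            MatchesFqdn   = $hostName -eq $Fqdn
            OnCertificate = [bool]$hostName -and ($certNames -contains $hostName)
        }
    }

    # The article also adds an Autodiscover name to the request; report whether it is present.
    $autoName = 'autodiscover.' + ($Fqdn -replace '^[^.]+\.', '')
    [pscustomobject]@{
        Source        = 'Autodiscover SAN'
        Url           = $autoName
        IsHttps       = $null
        MatchesFqdn   = $null
        OnCertificate = $certNames -contains $autoName
    }
}

Test-ExchangeNamespace | Format-Table -AutoSize
```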

 

Conclusion

In this article, we have discussed how to Install Exchange Server 2019 using Graphical User Interface and configured the server using the Exchange Admin Center and Exchange Management Shell. In my other three-part article, I have demonstrated how to migrate Exchange Server 2013 to Exchange Server 2019. I have added the link to those articles below. If you are interested in knowing how to install Exchange Server using the Command line, that article covers the installation process. You may have some questions or feedback to share with me, please click the comments below and share your thoughts. I’m so happy to answer your questions.


Preface

In this article, we are going to walk through the installation of Exchange Server 2019 and configure some of the Exchange components such as Virtual Directories, Outlook Anywhere, etc. This article covers how to install and configure Exchange Server 2019 using the GUI.

I have already written a three-part article on migrating Exchange Server 2013 to Exchange Server 2019, and installation and configuration are covered there. In that series Exchange was installed using the command-line interface, but most admins prefer the Graphical User Interface method to install and configure Exchange Server. With that in mind, I have written this new article for Exchange admins who use the GUI. Even though we demonstrated the Exchange Server 2019 installation in that article series, configuring an Exchange server in a new Exchange organization is somewhat different from configuring an Exchange server in an existing organization.

Also, this article covers the complete configuration necessary for an Exchange Server deployment. It assumes you have a Domain Controller up and running on your network and that you are going to install Exchange Server 2019 in that Active Directory environment. If you are doing this installation on a network or test network with no domain controller installed, I would recommend installing a domain controller using my other article before installing Exchange Server 2019. I also recommend going through this Microsoft link if you want to know all the Active Directory schema changes made when you install Exchange Server 2019 in your Active Directory environment. You are advised to go through the complete document before starting the installation; that way you will not get stuck on any step while installing and configuring Exchange Server 2019. We are going to do the following tasks while installing and configuring Exchange Server 2019.

  1. Install Exchange Server Pre-requisite
  2. Install Exchange Server 2019 using GUI
  3. Create new outbound send connector to send emails to internet email
  4. Configure Virtual Directories
  5. Configure Outlook Anywhere
  6. Set Service Connection Point
  7. Rename default database and move database path
  8. Install Certificate

Pre-requisite to Install and Configure Exchange Server

Windows Server 2019 has to be prepared with the Exchange Server 2019 prerequisites before installing the Exchange Server binaries.

The following Windows Server packages need to be installed before installing Exchange 2019 Server

.NET Framework 4.8
Visual C++ Redistributable Package for Visual Studio 2013
Unified Communications Managed API 4.0
Windows feature

Install .NET Framework 4.8

The .Net Framework 4.8 is required to install as a prerequisite software package. The package needs to be downloaded from the link below.

https://go.microsoft.com/fwlink/?linkid=2088631


Once the offline installer has been downloaded, right-click the package and run it as an administrator to install it on the server.

Check the license agreement checkbox and click install.

 

Click Finish to complete the installation.

 

Install Visual C++ Redistributable Package for Visual Studio 2013

The next pre-requisite to install on the server is Visual C++ redistributable package for visual studio 2013. You can download this package from the link below, choose the language that you are planning to install on the server.

https://support.microsoft.com/en-in/help/4032938/update-for-visual-c-2013-redistributable-package

Once the package has been downloaded, right-click the downloaded file and run as administrator.

Accept the license and click Install to install the package.

 

Click close when the install completes.

 

Install Unified Communications Managed API 4.0

The next pre-requisite package we are going to install on the server is the Microsoft Unified Communications Managed API 4.0 runtime setup. Download the package from the link below.

https://www.microsoft.com/en-us/download/details.aspx?id=34992

Once the package is downloaded, run it as an administrator to begin the installation. Click Next to continue.

 

Click Install to install the package and click Finish when the install is over.

 


Install Windows Feature

The next pre-requisite is the installation of Windows Server features. Open a PowerShell window as administrator and run the following command. Once the installation of the features is completed, restart the Windows operating system.

Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS 
 

Install and Configure Exchange Server


Open the Exchange server installation media and double click the setup.exe to start the installation. Select Connect to the Internet and check for update and click Next.

 

On the next screen, the installation wizard will try to download updates, if there are any, from the Microsoft update server. Click Next to continue.

 

Go through the introduction and click next to continue the wizard.

 

Accept the license agreement and click next to continue.

 

Select Use Recommended Settings and click Next.

 

Select the server role. This demonstration is for the Exchange Server Mailbox role, so select Mailbox role; the management tools checkbox will be selected automatically. Also, check Automatically install roles and features and click Next.

 

Select the Drive where the exchange server to be installed. In most cases, it would be on the Drive other than System Drive. I have left the installation path as-is for this demonstration. But you can choose a drive and path as you want.

 

Specify an Organization name. In this case, I leave it to default. Click Next.

 

If you are planning to use some third party Malware Protection, you can select to disable Malware Protection. If you want to use the Exchange server inbuilt one, select Disable malware protection to No and click Next.

 

The install wizard will start Readiness Check, wait for that to complete and check if you have received an error message.

 

If there is any error, act on that error and rectify that and then restart the Exchange Server Installation. If you have followed these installation steps, most probably, you won’t have any error. Click Install to start the installation.

 


The Setup will start, and you can monitor the progress along the way, it would take some time to complete. Be patient and wait for the setup to complete.

 

The Setup is in progress and may take some more time to complete.

 

Exchange Server Setup is complete, select launch Exchange Administration Center, and click Finish.

 

The Exchange Admin Center, or Exchange Control Panel, is the web console where Exchange Server is configured and managed. This console can be accessed initially with the web URL https://localhost/ecp

The login screen is shown in the image below, where the administrator can log in to get the full admin access console with username as domain\username and password.

 

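Overview

An SSL (Secure Sockets Layer) certificate is an electronic document in which a third party vouches for the communication between a client and a server.

Immediately after the client connects to the server, the server sends its certificate information to the client; the client verifies that the received certificate can be trusted, and only then can a secure connection be made.

Connecting over HTTPS is now the recommended way to connect on the internet. HTTPS is one of the protocols that run on top of SSL, so sending data over HTTPS requires the data security that SSL provides.

This document describes how to get a publicly trusted SSL certificate issued for free.

ZeroSSL

A site that issues up to three 90-day SSL certificates for free.

Compared with paid certificates, which are usually issued for one or two years, 90 days is a short period, but being able to use it for free is a big advantage.

ZeroSSL free certificates:

  • 90 days
  • Up to 3 can be created
  • No wildcard certificates

Getting the SSL certificate issued

After signing up, click the New Certificate button on the Dashboard.

Next, enter the domain you want the SSL certificate issued for. Do not select the wildcard option here. (Wildcards are part of the paid plan.)

Then select the 90-day certificate.

After clicking Next, you have to verify that the domain is a valid domain.

There are three methods, as shown above.

  1. Email Verification
    • Verifies by sending mail to the (administrator) mail server recorded in DNS
  2. DNS (CNAME)
    • Verifies by adding the CNAME record provided by ZeroSSL to DNS
  3. HTTP File Upload
    • Verifies by uploading a file to the file path ZeroSSL asks for and making it downloadable

Of these, I will use method 2 for the verification.

Add the CNAME record provided by ZeroSSL to the records of your DNS.
One thing to watch out for: the domain has to be stripped from the Name part before you enter it.

ex)
If the name is _038AB2F4959BEF94DBE168E1C9A95716.registry.gru.hololy-dev.com, strip the trailing hololy-dev.com
and enter only _038AB2F4959BEF94DBE168E1C9A95716.registry.gru.

After adding the record, check from outside with a tool such as nslookup that it was added correctly.
nslookup looks up A records by default, so you have to run set type=CNAME to make it look up CNAME records.

If the target URL is printed correctly, run the Validation and receive your certificate.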
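
The two steps above (stripping the zone from the record name, then checking the CNAME from outside) can also be done in PowerShell with Resolve-DnsName. This is an added example, not part of the original post: the function names are illustrative, the expected target is a placeholder for the value ZeroSSL shows you, and 8.8.8.8 is just one choice of external resolver.

```powershell
# Added example (not from the original post).

# Turn the full validation name into the value to type into the DNS provider's Name field.
function Get-RelativeRecordName {
    param(
        [Parameter(Mandatory)][string]$Fqdn,   # full name shown by ZeroSSL
        [Parameter(Mandatory)][string]$Zone    # the zone you manage, e.g. hololy-dev.com
    )
    $name = $Fqdn.TrimEnd('.')
    $zone = $Zone.TrimEnd('.')
    if ($name -eq $zone) { return '@' }        # record sits at the zone apex
    if (-not $name.ToLowerInvariant().EndsWith('.' + $zone.ToLowerInvariant())) {
        throw "'$Fqdn' is not inside the zone '$Zone'."
    }
    # Drop ".<zone>" from the end, keeping the original casing of the label part.
    $name.Substring(0, $name.Length - $zone.Length - 1)
}

# Ask an external resolver for the CNAME and compare it with the expected target.
function Test-ValidationCname {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$ExpectedTarget,
        [string]$Server = '8.8.8.8'
    )
    $answer = Resolve-DnsName -Name $Fqdn -Type CNAME -Server $Server -DnsOnly `
                  -ErrorAction SilentlyContinue |
              Where-Object { "$($_.Type)" -eq 'CNAME' } |
              Select-Object -First 1

    [pscustomobject]@{
        Name     = $Fqdn
        Resolver = $Server
        Found    = [bool]$answer
        Target   = if ($answer) { $answer.NameHost } else { $null }
        Matches  = [bool]$answer -and
                   ($answer.NameHost.TrimEnd('.') -eq $ExpectedTarget.TrimEnd('.'))
    }
}

# Name taken from the example in the post; the zone is the part the post says to strip.
$fqdn = '_038AB2F4959BEF94DBE168E1C9A95716.registry.gru.hololy-dev.com'
Get-RelativeRecordName -Fqdn $fqdn -Zone 'hololy-dev.com'
# -> _038AB2F4959BEF94DBE168E1C9A95716.registry.gru

# 'validation-target.example.invalid' is a placeholder for the "Point To" value from ZeroSSL.
Test-ValidationCname -Fqdn $fqdn -ExpectedTarget 'validation-target.example.invalid'
```

A result with Found = True but Matches = False usually means the zone was not stripped and the record was created as name.zone.zone, so it is worth querying that doubled name as well.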

 

Finally, there is a step that checks the SSL installation; you can simply skip this part.


[Windows] Filtering the Event Log (creating a Custom View with XML)

 

1. Query Security events with event ID 5061 where the logon user is gmkim or mani4u, limited to the last 24 hours

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
*[System[(EventID=5061) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
and
*[EventData[Data[@Name='SubjectUserName'] and (Data='gmkim' or Data='mani4u')]]
</Select>
  </Query>
</QueryList>
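
The query above matches an event when it has a SubjectUserName field and any of its Data values equals one of the names. As an added example (not from the original post), the following PowerShell runs the same filter through Get-WinEvent but ties each name to the SubjectUserName field itself; the function name is illustrative, and reading the Security log requires an elevated session.

```powershell
# Added example (not from the original post).
function Get-Event5061ByUser {
    param(
        [string[]]$UserName = @('gmkim', 'mani4u'),   # account names from the heading above
        [int]$Hours = 24
    )

    # The names are embedded in an XPath string literal, so refuse quotes and markup characters.
    foreach ($u in $UserName) {
        if ($u -match "['""<>&]") { throw "Unsupported character in user name: $u" }
    }

    # Data[@Name='SubjectUserName']='x' compares the value of that specific field,
    # instead of accepting a match in any Data element of the event.
    $userTest = ($UserName | ForEach-Object { "Data[@Name='SubjectUserName']='$_'" }) -join ' or '
    $window   = $Hours * 3600 * 1000                  # timediff() works in milliseconds

    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5061) and TimeCreated[timediff(@SystemTime) &lt;= $window]]]
      and
      *[EventData[$userTest]]
    </Select>
  </Query>
</QueryList>
"@

    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the named EventData fields so they can be selected as properties.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            TimeCreated       = $e.TimeCreated
            EventId           = $e.Id
            SubjectUserName   = $data['SubjectUserName']
            SubjectDomainName = $data['SubjectDomainName']
            Computer          = $e.MachineName
        }
    }
}

Get-Event5061ByUser | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```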

 

2. Query every event in which any Data value matches the search values, regardless of the event schema

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
*[EventData[Data and (Data="gmkim" or Data="mani4u")]]
</Select>
  </Query>
</QueryList>

 

Advanced XML filtering in the Windows Event Viewer | Microsoft Learn

 


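WMI Reset Batch File

Save the script as a .bat file and run it to reset WMI.

@echo off
rem Disable and stop the WMI service before re-registering its components.
sc config winmgmt start= disabled
net stop winmgmt /y
%systemdrive%
cd %windir%\system32\wbem
rem Re-register every DLL in the wbem folder, then the provider host and the service.
for /f %%s in ('dir /b *.dll') do regsvr32 /s %%s
wmiprvse /regserver
winmgmt /regserver
rem Re-enable the service (it was set to disabled above) so that it can be started.
sc config winmgmt start= auto
net start winmgmt
rem Recompile all MOF and MFL files.
for /f %%s in ('dir /b *.mof *.mfl') do mofcomp %%s
exit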

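The query statements for each condition are listed below.
A Collection can be created for PCs or for users, using a variety of conditions.
Here we look at the queries that create a collection by PC name, IP address, user ID, and OU (Organization Unit).


PC name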

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where name in ("PC이름")


IP address

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where IPSubnets in ("10.177.210.0")


User ID

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where lastlogonusername in ("userid")


OU(Organization Unit)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName = "OU Path"


In addition to the queries above, you can select only the PCs in the whole Collection on which the SC agent is not installed.

PCs without the agent installed

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Client is null

SCCM and WSUS log descriptions

 

Client Log Files

  • CAS - Content Access Service. Maintains the local package cache.
  • Ccmexec.log - Records activities of the client and the SMS Agent Host service.
  • CertificateMaintenance.log - Maintains certificates for Active Directory directory service and management points.
  • ClientIDManagerStartup.log - Creates and maintains the client GUID.
  • ClientLocation.log - Site assignment tasks.
  • ContentTransferManager.log - Schedules the Background Intelligent Transfer Service (BITS) or the Server Message Block (SMB) to download or to access SMS packages.
  • DataTransferService.log - Records all BITS communication for policy or package access.
  • Execmgr.log - Records advertisements that run.
  • FileBITS.log - Records all SMB package access tasks.
  • Fsinvprovider.log (renamed to FileSystemFile.log in all SMS 2003 Service Packs) - Windows Management Instrumentation (WMI) provider for software inventory and file collection.
  • InventoryAgent.log - Creates discovery data records (DDRs) and hardware and software inventory records.
  • LocationServices.log - Finds management points and distribution points.
  • Mifprovider.log - The WMI provider for .MIF files.
  • Mtrmgr.log - Monitors all software metering processes.
  • PolicyAgent.log - Requests policies by using the Data Transfer service.
  • PolicyAgentProvider.log - Records policy changes.
  • PolicyEvaluator.log - Records new policy settings.
  • Remctrl.log - Logs when the remote control component (WUSER32) starts.
  • Scheduler.log - Records schedule tasks for all client operations.
  • Smscliui.log - Records usage of the Systems Management tool in Control Panel.
  • StatusAgent.log - Logs status messages that are created by the client components.
  • SWMTRReportGen.log - Generates a usage data report that is collected by the metering agent. (This data is logged in Mtrmgr.log.)


Server Log Files

  • Ccm.log - Client Configuration Manager tasks.
  • Cidm.log - Records changes to the client settings by the Client Install Data Manager (CIDM).
  • Colleval.log - Logs when collections are created, changed, and deleted by the Collection Evaluator.
  • Compsumm.log - Records Component Status Summarizer tasks.
  • Cscnfsvc.log - Records Courier Sender confirmation service tasks.
  • Dataldr.log - Processes Management Information Format (MIF) files and hardware inventory in the Configuration Manager 2007 database.
  • Ddm.log - Saves DDR information to the Configuration Manager 2007 database by the Discovery Data Manager.
  • Despool.log - Records incoming site-to-site communication transfers.
  • Distmgr.log - Records package creation, compression, delta replication, and information updates.
  • Hman.log - Records site configuration changes, and publishes site information in Active Directory Domain Services.
  • Inboxast.log - Records files that are moved from the management point to the corresponding SMS\INBOXES folder.
  • Inboxmgr.log - Records file maintenance.
  • Invproc.log - Records the processing of delta MIF files for the Dataloader component from client inventory files.
  • Mpcontrol.log - Records the registration of the management point with WINS. Records the availability of the management point every 10 minutes.
  • Mpfdm.log - Management point component that moves client files to the corresponding SMS\INBOXES folder.
  • MPMSI.log - Management point .msi installation log.
  • MPSetup.log - Records the management point installation wrapper process.
  • Ntsvrdis.log - Configuration Manager 2007 server discovery.
  • Offermgr.log - Records advertisement updates.
  • Offersum.log - Records summarization of advertisement status messages.
  • Policypv.log - Records updates to the client policies to reflect changes to client settings or advertisements.
  • Replmgr.log - Records the replication of files between the site server components and the Scheduler component.
  • Rsetup.log - Reporting point setup log.
  • Sched.log - Records site-to-site job and package replication.
  • Sender.log - Records files that are sent to other child and parent sites.
  • Sinvproc.log - Records client software inventory data processing to the site database in Microsoft SQL Server.
  • Sitecomp.log - Records maintenance of the installed site components.
  • Sitectrl.log - Records site setting changes to the Sitectrl.ct0 file.
  • Sitestat.log - Records the monitoring process of all site systems.
  • Smsdbmon.log - Records database changes.
  • Smsexec.log - Records processing of all site server component threads.
  • Smsprov.log - Records WMI provider access to the site database.
  • SMSReportingInstall.log - Records the Reporting Point installation. This component starts the installation tasks and processes configuration changes.
  • SMSSHVSetup.log - Records the success or failure (with failure reason) of installing the System Health Validator point.
  • Srvacct.log - Records the maintenance of accounts when the site uses standard security.
  • Statmgr.log - Writes all status messages to the database.
  • Swmproc.log - Processes metering files and maintains settings.


Admin Console Log Files

  • RepairWizard.log - Records errors, warnings, and information about the process of running the Repair Wizard.
  • ResourceExplorer.log - Records errors, warnings, and information about running the Resource Explorer.
  • SMSAdminUI.log - Records the local Configuration Manager 2007 console tasks when you connect to Configuration Manager 2007 sites.


Management Point Log Files

  • MP_Ddr.log - Records the conversion of XML.ddr records from clients, and copies them to the site server.
  • MP_GetAuth.log - Records the status of the site management points.
  • MP_GetPolicy.log - Records policy information.
  • MP_Hinv.log - Converts XML hardware inventory records from clients and copies the files to the site server.
  • MP_Location.log - Records location manager tasks.
  • MP_Policy.log - Records policy communication.
  • MP_Relay.log - Copies files that are collected from the client.
  • MP_Retry.log - Records the hardware inventory retry processes.
  • MP_Sinv.log - Converts XML hardware inventory records from clients and copies them to the site server.
  • MP_Status.log - Converts XML.svf status message files from clients and copies them to the site server.


Mobile Device Management Log Files

  • DmClientHealth.log - Records the GUIDs of all the mobile device clients that are communicating with the Device Management Point.
  • DmClientRegistration.log - Records registration requests from and responses to the mobile device client in Native mode.
  • DmpDatastore.log - Records all the site database connections and queries made by the Device Management Point.
  • DmpDiscovery.log - Records all the discovery data from the mobile device clients on the Device Management Point.
  • DmpFileCollection.log - Records mobile device file collection data from mobile device clients on the Device Management Point.
  • DmpHardware.log - Records hardware inventory data from mobile device clients on the Device Management Point.
  • DmpIsapi.log - Records mobile device communication data from device clients on the Device Management Point.
  • dmpMSI.log - Records the MSI data for Device Management Point setup.
  • DMPSetup.log - Records the mobile device management setup process.
  • DmpSoftware.log - Records mobile device software distribution data from mobile device clients on the Device Management Point.
  • DmpStatus.log - Records mobile device status messages data from mobile device clients on the Device Management Point.
  • FspIsapi.log - Records Fallback Status Point communication data from mobile device clients and client computers on the Fallback Status Point.


Mobile Device Client Log Files

  • DmCertEnroll.log - Records certificate enrollment data on mobile device clients.
  • DMCertResp.htm (in \temp) - Records HTML response from the certificate server when the mobile device Enroller program requests a client authentication certificate on mobile device clients.
  • DmClientSetup.log - Records client setup data on mobile device clients.
  • DmClientXfer.log - Records client transfer data for Windows Mobile Device Center and ActiveSync deployments.
  • DmCommonInstaller.log - Records client transfer file installation for setting up mobile device client transfer files on client computers.
  • DmInstaller.log - Records whether DMInstaller correctly calls DmClientSetup and whether DmClientSetup exits with success or failure on mobile device clients.
  • DmInvExtension.log - Records Inventory Extension file installation for setting up Inventory Extension files on client computers.
  • DmSvc.log - Records mobile device management service data on mobile device clients.


Operating System Deployment Log Files

  • CCMSetup.log - Provides information about client-based operating system actions.
  • CreateTSMedia.log - Provides information about task sequence media when it is created. This log is generated on the computer running the Configuration Manager 2007 administrator console.
  • DriverCatalog.log - Provides information about device drivers that have been imported into the driver catalog.
  • MP_ClientIDManager.log - Provides information about the Configuration Manager 2007 management point when it responds to Configuration Manager 2007 client ID requests from boot media or PXE. This log is generated on the Configuration Manager 2007 management point.
  • MP_DriverManager.log - Provides information about the Configuration Manager 2007 management point when it responds to a request from the Auto Apply Driver task sequence action. This log is generated on the Configuration Manager 2007 management point.
  • MP_Location.log - Provides information about the Configuration Manager 2007 management point when it responds to request state store or release state store requests from the state migration point. This log is generated on the Configuration Manager 2007 management point.
  • Pxecontrol.log - Provides information about the PXE Control Manager.
  • PXEMsi.log - Provides information about the PXE service point and is generated when the PXE service point site server has been created.
  • PXESetup.log - Provides information about the PXE service point and is generated when the PXE service point site server has been created.
  • Setupact.log, Setupapi.log, Setuperr.log - Provide information about Windows Sysprep and setup logs.
  • SmpIsapi.log - Provides information about the state migration point Configuration Manager 2007 client request responses.
  • Smpmgr.log - Provides information about the results of state migration point health checks and configuration changes.
  • SmpMSI.log - Provides information about the state migration point and is generated when the state migration point site server has been created.
  • Smsprov.log - Provides information about the SMS provider.
  • Smspxe.log - Provides information about the Configuration Manager 2007 PXE service point.
  • SMSSMPSetup.log - Provides information about the state migration point and is generated when the state migration point site server has been created.
  • Smsts.log - General location for all operating system deployment and task sequence log events.
  • TaskSequenceProvider.log - Provides information about task sequences when they are imported, exported, or edited.
  • USMT Log loadstate.log - Provides information about the User State Migration Tool (USMT) regarding the restore of user state data.
  • USMT Log scanstate.log - Provides information about the USMT regarding the capture of user state data.


Network Access Protection Log Files

  • Ccmcca.log - Logs the processing of compliance evaluation based on Configuration Manager NAP policy processing and contains the processing of remediation for each software update required for compliance.
  • CIAgent.log - Tracks the process of remediation and compliance. However, the software updates log file, Updateshandler.log, provides more informative details on installing the software updates required for compliance.
  • locationservices.log - Used by other Configuration Manager features (for example, information about the client’s assigned site) but also contains information specific to Network Access Protection when the client is in remediation. It records the names of the required remediation servers (management point, software update point, and distribution points that host content required for compliance), which are also sent in the client statement of health.
  • SDMAgent.log - Shared with the Configuration Manager feature desired configuration management and contains the tracking process of remediation and compliance. However, the software updates log file, Updateshandler.log, provides more informative details about installing the software updates required for compliance.
  • SMSSha.log - The main log file for the Configuration Manager Network Access Protection client and contains a merged statement of health information from the two Configuration Manager components: location services (LS) and the configuration compliance agent (CCA). This log file also contains information about the interactions between the Configuration Manager System Health Agent and the operating system NAP agent, and also between the Configuration Manager System Health Agent and both the configuration compliance agent and the location services. It provides information about whether the NAP agent successfully initialized, the statement of health data, and the statement of health response.


System Health Validator Point Log Files

  • Ccmperf.log - Contains information about the initialization of the System Health Validator point performance counters.
  • SmsSHV.log - The main log file for the System Health Validator point; logs the basic operations of the System Health Validator service, such as the initialization progress.
  • SmsSHVADCacheClient.log - Contains information about retrieving Configuration Manager health state references from Active Directory Domain Services.
  • SmsSHVCacheStore.log - Contains information about the cache store used to hold the Configuration Manager NAP health state references retrieved from Active Directory Domain Services, such as reading from the store and purging entries from the local cache store file. The cache store is not configurable.
  • SmsSHVRegistrySettings.log - Records any dynamic changes to the System Health Validator component configuration while the service is running.
  • SmsSHVQuarValidator.log - Records client statement of health information and processing operations. To obtain full information, change the registry key LogLevel from 1 to 0 in the following location: HKLM\SOFTWARE\Microsoft\SMSSHV\Logging\@GLOBAL


Desired Configuration Management Log Files

  • ciagent.log - Provides information about downloading, storing, and accessing assigned configuration baselines.
  • dcmagent.log - Provides high-level information about the evaluation of assigned configuration baselines and desired configuration management processes.
  • discovery.log - Provides detailed information about the Service Modeling Language (SML) processes.
  • sdmagent.log - Provides information about downloading, storing, and accessing configuration item content.
  • sdmdiscagent.log - Provides high-level information about the evaluation process for the objects and settings configured in the referenced configuration items.


Wake On LAN Log Files

  • Wolmgr.log - Contains information about wake-up procedures such as when to wake up advertisements or deployments that are configured for Wake On LAN.
  • WolCmgr.log - Contains information about which clients need to be sent wake-up packets, the number of wake-up packets sent, and the number of wake-up packets retried.


Software Updates Site Server Log Files

  • ciamgr.log - Provides information about the addition, deletion, and modification of software update configuration items.
  • distmgr.log - Provides information about the replication of software update deployment packages.
  • objreplmgr.log - Provides information about the replication of software updates notification files from a parent to child sites.
  • PatchDownloader.log - Provides information about the process for downloading software updates from the update source specified in the software updates metadata to the download destination on the site server.
  • replmgr.log - Provides information about the process for replicating files between sites.
  • smsdbmon.log - Provides information about when software update configuration items are inserted, updated, or deleted from the site server database and creates notification files for software updates components.
  • SUPSetup - Provides information about the software update point installation. When the software update point installation completes, "Installation was successful" is written to this log file.
  • WCM.log - Provides information about the software update point configuration and connecting to the Windows Server Update Services (WSUS) server for subscribed update categories, classifications, and languages.
  • WSUSCtrl.log - Provides information about the configuration, database connectivity, and health of the WSUS server for the site.
  • wsyncmgr.log - Provides information about the software updates synchronization process.


WSUS Server Log Files

  • Change.log - Provides information about the WSUS server database information that has changed.
  • SoftwareDistribution.log - Provides information about the software updates that are synchronized from the configured update source to the WSUS server database.


Software Updates Client Computer Log Files

  • CAS.log - Provides information about the process of downloading software updates to the local cache and cache management.
  • CIAgent.log - Provides information about processing configuration items, including software updates.
  • LocationServices.log - Provides information about the location of the WSUS server when a scan is initiated on the client.
  • PatchDownloader.log - Provides information about the process for downloading software updates from the update source to the download destination on the site server. This log is only on the client computer configured as the synchronization host for the Inventory Tool for Microsoft Updates.
  • PolicyAgent.log - Provides information about the process for downloading, compiling, and deleting policies on client computers.
  • PolicyEvaluator - Provides information about the process for evaluating policies on client computers, including policies from software updates.
  • RebootCoordinator.log - Provides information about the process for coordinating system restarts on client computers after software update installations.
  • ScanAgent.log - Provides information about the scan requests for software updates, what tool is requested for the scan, the WSUS location, and so on.
  • ScanWrapper - Provides information about the prerequisite checks and the scan process initialization for the Inventory Tool for Microsoft Updates on Systems Management Server (SMS) 2003 clients.
  • SdmAgent.log - Provides information about the process for verifying and decompressing packages that contain configuration item information for software updates.
  • ServiceWindowManager.log - Provides information about the process for evaluating configured maintenance windows.
  • smscliUI.log - Provides information about the Configuration Manager Control Panel user interactions, such as initiating a Software Updates Scan Cycle from the Configuration Manager Properties dialog box, opening the Program Download Monitor, and so on.
  • SmsWusHandler - Provides information about the scan process for the Inventory Tool for Microsoft Updates on SMS 2003 client computers.
  • StateMessage.log - Provides information about when software updates state messages are created and sent to the management point.
  • UpdatesDeployment.log - Provides information about the deployment on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface.
  • UpdatesHandler.log - Provides information about software update compliance scanning and about the download and installation of software updates on the client.
  • UpdatesStore.log - Provides information about the compliance status for the software updates that were assessed during the compliance scan cycle.
  • WUAHandler.log - Provides information about when the Windows Update Agent on the client searches for software updates.
  • WUSSyncXML.log - Provides information about the Inventory Tool for the Microsoft Updates synchronization process. This log is only on the client computer configured as the synchronization host for the Inventory Tool for Microsoft Updates.


Windows Update Agent Log File

  • WindowsUpdate.log - Provides information about when the Windows Update Agent connects to the WSUS server and retrieves the software updates for compliance assessment and whether there are updates to the agent components.

 
