깡민쓰~IT Story

[환경]

Windows Server 2008 R2

파워쉘을 이용하여 사용자 계정에 대한 최근 접속 이력을 체크하고 특정 조건을 사용하여 비활성화 하는 방법

1. Active Directory 모듈 활성

Get-ADUser, Disable-ADAccount, Move-ADObject 명령을 실행하기 위해 도메인 컨트롤러 서버에서 Active Directory Powershell 모듈을 활성화합니다.

2. 조회

다음 조건을 만족하는 사용자를 조회합니다.

*조건1. 마지막 로그온 날짜가 30일 이상 지남

3. 계정 Disable

다음 조건을 만족하는 사용자는 상태를 disable로 변경합니다.

*조건1. 마지막 로그온 날짜가 30일 이상 지남

결과> 계정 상태 변경 (disable)

4. 계정 OU 이동

다음 조건을 만족하는 사용자를 "Prison" OU로 이동합니다.

*조건1. 마지막 로그온 날짜가 30일 이상 지남

*조건2. Disable 상태

결과> Users2 에서 Prison 으로 OU 변경 됨

• Exchange Server에서 PartnerApplication 설정

  "C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Configure-EnterprisePartnerApplication.ps1 -AuthMetaDataUrl 'https://pool01.koreare.com/metadata/json/1' -ApplicationType Lync"

     

  

     

  • SFB 서버에서 서버간 인증구성

  

     

  • SFB서버에서 Exchange 서버를 파트너어플리케이션으로 생성

  New-CsPartnerApplication -Identity Exchange -ApplicationTrustLevel Full -MetadataUrl "https://autodiscover.koreare.com/autodiscover/metadata/json/1"

  

     

  • SFB Server에서 테스트 진행(success면 성공)

• SFB서버에서 Exchange 트러스트 어플리케이션 풀 생성 해줍니다.(하기는 미리 구성 되어 있어서 설정값만 수정 후 조회했습니다.)

  또한 5199포트로 OutlookWebapp에 대한 트러스트어플리케이션 생성

• Exchange 서버에서 OCS 사용 설정

• Exchange 서버에서 IM(노란색 참조)

• 클라이언트에서 OWA에 접속하여 Presence 상태가 나오는지 확인
• OWA에서 IM 테스트

누가 언제 계정을 삭제 했는지 확인 해 달라는 경우가 있습니다.

GPO를 이용한 계정 감사를 해보았습니다.

계정 관리 감사 활성화 방법입니다.

• 그룹 정책 관리 -> Default Domain Policy -> 편집 -> 컴퓨터 구성 -> Windows 설정 -> 보안 설정 -> 로컬 정책 -> 감사 정책

  

• 계정 관리 감사 정책 활성화

  

• 실행 -> cmd -> gpupdate /force 실행

     

  상위와 같이 계정 관리 감사 정책을 활성화 하면 계정 생성 및 삭제 된 정보가 이벤트 로그에 남게 됩니다.

     

• 계정 생성 테스트

  계정을 생성하게 되면 하기와 같이 4738 이벤트가 발생

  

• 계정 삭제 테스트

  계정을 삭제하면 하기와 같이 4726 이벤트가 발생

              

  

     

  끝

Enable-ADOptionalFeature –Identity "CN=RecycleBin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=koreare,DC=com" –Scope ForestOrConfigurationSet –Target "koreare.com"

Get-ADObject -SearchBase "CN=Deleted Objects,DC=koreare,DC=com" -ldapFilter "(objectClass=*)" -includeDeletedObjects | Format-List Name,ObjectClass,ObjectGuid

Restore-ADObject –identity c6cbe4b3-ed3d-45d6-ab46-fd6223ca7075

생성 된 계정 확인

끝.

1

Step by Step: Adding Your Second Lync Standard Edition Server 2013 & Creating an Associated Backup Pool for Resiliency Part 4

By Matt Landis __on 8/06/2012 10:23:00 AM

We are on a journey installing various Lync Server 2013 roles. In today's step by step, we will setup our 2nd Lync Server Standard Edition pool and then set it up as a Backup Registrar so automatic failover can happen. We will also look at Lync Server 2013's new failover capabilities that allow full client capability to be restored in the event of a disaster. To use this blog the only other lab you need to have done is Part 1.

Previous Articles in this Series:

• Part 1 – Step by Step Installing Lync Server 2013 Standard Edition Front End
• Part 2- Step by Step Installing Lync Server 2013 SE Monitoring Server
• Part 3 – Step by Step Installing Lync Server 2013 Persistent Chat Server
• Part 4 - Step by Step Installing Your 2nd Lync Server 2013 SE Server Associated Backup Pool for Resiliency

  Prepare the 2nd Front End Server: Prerequisites

  See Lync Server 2013 prerequisites here. Installing your 2nd Lync Pool is much like installing the first. We will go over the steps below briefly, with special notes. But for detailed notes on installing an FE server, just refer to the Part1 blog in this series.

  Install Lync Server 2013

  Insert Lync Server 2013 CD, and when you see popup below, click Yes

  

  Once the Deployment Wizard appears we are done here for now.

  

  Open Topology Builder to Add Your 2nd Front End Server/Pool

  Right Click on "Standard Edition Front End Servers" | New Front End Pool

  NOTE: While the topology builder and this blog refer to a Standard Edition Front End Pool, just be aware that a Standard Edition Front End Pool really is just one Front End Server, because there only can be one server in a Standard Edition Pool.

  

  Next | Enter our Backup Front End FQDN (FE02.lab.local) | Next

  

  Check Conferencing, Enterprise Voice. (Note: you will not be able to check CAC because only 1 per Site)

  

  Now instead of screenshots for each screen, we'll just note what we want to check.

• Collocate Mediation = Yes | Next
• Enable and Edge Pool = No | Next
• let defaults | Next
• let Defaults (Note: you need to create this share just like your original share) | Next
• let defaults | Next
• let defaults | Next
• Action | Topology | Publish

  Goto the Primary (FE01.lab.local) Standard Server and Open Lync Server 2013 Deployment Wizard

  Click on "Install or Update Lync Server System"

  step 2 and Run

  After it completes, click Finish.

  Now Goto the Backup (FE02.lab.local) Standard Server and Open Lync Server 2013 Deployment Wizard

  Click on "Install or Update Lync Server System"

• Step 1 Run (15-30minute wait) Finish
• Step 2: Run | Next (10minutes wait)
• Step 3
• Step 4

  We'll Test Our 2nd Pool/Server By Moving Users to It

  To test, log into Lync Server control panel. Notice you will now be asked which Lync pool you want to log in to. Let's select FE01.lab.local.

  

  Once the LSCP is open well click Users | Find | Select u1@lab.local | Action | Move Selected Users to Pool… |

  

  Now lets select our new Pool/Server (FE02.lab.local) and click OK.

  

  After you move a user there is no need to refresh the user list, this is automatically done for you. And, sure enough, the u1@lab.local is now on FE02.lab.local! Great.

  

  Now lets open Lync 2013 client and login using user u1@lab.local that we just enabled on our 2nd Standard Edition Front End Pool/Server (FE02.lab.local). Good, our new pool works!

  What Happens when we change Pools During an Active Conversation or Call?

  Since we could easily move user(s) to our new Pool/Server with no sweat, now lets get dangerous. Call someone using u1@lab.local and CHANGE POOLS DURING THE CALL. 

  

  Let's repeat the steps we just took above, but do it during a live call and see what happens.

  Below is a screenshot of what happens if you change pools/servers during a peer to peer call:

• The Lync 2013 client will momentarily logout and back in again
• During this time (as you see below) the call continues
• Sharing continues
• Video continues
• As noted in the conversation window, functionality is momentarily limited:
• Video cannot be started during momentary logout/in
• Sharing limited and below items will be interrupted
• Polls
• whiteboard
• Powerpoint

  

  That' pretty cool, right? Yeah.

  Setup a Resilient Pool (aka Associated Backup Pool)

  Now let's setup our 2nd Front End Pool/Server as an Associated backup pool so that if our 1st Front End Pool goes down the clients can automatically failover to the 2nd Front End Pool.

  Open Topology Builder and download the topology.

  Next, we'll edit the primary "Standard Edition Front End Servers" by right clicking and click "Edit Properties"

  

  Now we can define our Resiliency settings

• Associated backup pool = FE02.lab.local; (Note the warning about having both FE's in the same site. For our lab, and in some production we can ignore this)
• Automatic = Checked
• Failover = 30secs (for lab purposes, this would be short for production…)
• Failback = 30secs (for lab purposes)
• Then click OK to finish.

  

  Let's Publish the Topology by clicking: Action | Topology | Publish | Next |

  Open text file to see what you should do next. In our case we are instructed to run Install or Update Setup/Update on FE01 and FE02. Now click Finish.

  

  Based on our "next steps" instructions noted above, lets open Lync Server Deployment Wizard on FE01.lab.local and click on "Install or Update Lync Server System"

• Step 2 Run | Next |Next
• Step 4 Run | Next | (this will get our new Lync server Backup Service running)

  Lets open Lync Server Deployment Wizard on FE02.lab.local and click on "Install or Update Lync Server System"

• Step 2 Run | Next
• NOTE: If Step 2 fails with "Can not update database XDS"  error then we need to manually install the rtc database using the PS command below:
• install-csdatabase –centralmanagementdatabase –sqlserverfqdn FE02.lab.local –sqlinstancename rtc
• Now run Step 2 again.
• Step 3 (if necessary)
• Step 4

  Run the below Powershell commands on your FE01.lab.local to ensure conferencing data is replicated:

• Invoke-CSBackupServiceSync –PoolFqdn FE01.lab.local
• Invoke-CSBackupServiceSync –PoolFqdn FE02.lab.local

  Add DNS SRV Record for Backup Pool/Server

  Now lets go into DNS and add a record for our Backup Pool /Server. This SRV record is necessary so that if the first server (FE01.lab.local in our lab) goes down, the client can find the backup Pool/Server.

  So let open the DNS server management and add the SRV record. The things that are important:

• Service = _sipinternaltls
• Protocol = _tcp
• Priority = 10 (take note: this value is different than your initial SRV record)
• Weight = 10 (take note: this value is different than your initial SRV record)
• Port number = 5061
• Host offering this server = FE02.lab.local

  

  After you have added this DNS record you might want to verify it has taken effect on the client PC by running NSLookup on the clients you will be testing.

• NSLookup
• set type=srv
• _sipinternaltls._tcp.lab.local

  

  You Might Need This Step, But Only do it if Needed: Remove The Cert Without the Backup Server Name in it

  NOTE: Please, take a minute and thank Dustin Hannifin and Jason Lee for providing this crucial step in this blog post. 

  

  With both Primary and Backup Front End Server running do the following:

  Exit Lync 20013 client on client machine.

  On same client machine: Open MMC

  File | Add/Remove Snap-in… | Certificates | My User Account | Ok

  Navigate to: Personal | Certificates and delete the cert named same as your Lync username.

  

  Now let log back into Lync 2013 client.

  Now, Let's Test Resiliency by Disabling NIC on Primary Front End (FE01.lab.local)

  Make sure all your users (that you want to test resiliency for) are homed on FE01.lab.local. Next, we'll simulate our FE01.lab.local machine being down by disabling the NIC.

  

  Now around 30 seconds, our client(s) should log out. Sure enough!

  

  Now they will try to login to the backup pool (in this case FE02.lab.local)…

  NOTE: We setup our failover to happen in 30seconds. I've noticed in my lab the failing Lync clients will logout very near 30 seconds, but it could take several minutes till the clients are able to log back into the Associated Backup Pool/Server (FE02.lab.local). (ie: be fully failed over) I haven't taken the time to investigate if this is my lowly lab's performance 

  

  , or something built into Lync. (if someone knows, please post a comment)

  But sure enough, it logged into backup pool! You will notice the Lync 2013 client let's you know you have some limitations:

• Contact List is unavailable
• Call Forwarding may not be working
• Delegates and Team-Call may not be receiving calls
• Limited chat room access
• Etc.

  

  Now if we enable the NIC on FE01.lab.local the clients should Failback to FE01.lab.local in 30 seconds. (NOTE: on my lab some clients would failback as soon as 10 seconds.)

  Next We Will Take a Look at New Lync Server 2013 Failover Options

  Much of what we have discussed in this blog so far is largely the functionality you will find in Lync Server 2010. (I suspect you could use most of the above steps in Lync 2010.) But with Lync Server 2013, the Lync Server administrator can now failover the CMS and the failed pool so that the "Limited Functionality due to outage" is removed. Let's get started with our failover.

  Our first step is to find out where the Active Central Management Database is hosted. To do this we run the PowerShell:

• Get-CsService –CentralManagement

  As shown below, FE01.lab.local is the PoolFqdn (we will refer to this as $CMS_Pool) of the currently Active CMS.

  

  The next step is to check if the the $CMS_Pool is running Lync Server 2013. You can do this in Topology Builder (in our lab we know it is, but in a live environment we might not) If the $CMS_Pool is running Lync 2013 we can use this PowerShell to see who it's backup pool is:

  Get-CsPoolBackupRelationship –PoolFQDN $CMS_Pool

  As shown below we can see the $Backup_Pool is FE02.lab.local

  

  Next we will see if the $CMS_Pool is available right now:

  Get-CsManagementStoreReplicationStatus –CentralManagementStoreStatus

  Below we have an example how this command will look with the $CMS_Pool available.

  

  Now lets disable the NIC on $CMS_Pool (ie FE01.lab.local) to simulate server down. Our primary Lync FE is now down! (shown below)

  

  Now run the Get-CsManagementStoreReplicationStatus –CentralManagementStoreStatus  command again. Note that the command will fail/error out if the $CMS_Pool/FE01.lab.local is not available.

  (NOTE: If this is a Ent. Edition server you will need to check which Back End holds the primary CMS using: Get-CsDatabaseMirrorState -DatabaseType CMS -PoolFqdn <Backup_Pool Fqdn> . Read more about this command by Clicking Here. Running this command on Std. Edition will fail. On a Std. Edition server there is only one server so we know which it is. )

  Next we will run the command to failover the Central Management Server to our Backup Server:

• Invoke-CsManagementServerFailover -BackupSqlServerFqdn FE02.lab.local –BackupSqlInstanceName RTC –Force

  

  Now lets verify the move happened by running:

• Get-CsManagementStoreReplicationStatus –CentralManagementStoreStatus

  Sure enough! the new ActiveMasterFQDN is now FE02.lab.local (as shown below). Great!

  

  Now we can fail over the Pool by running:

• Invoke-CsPoolFailOver –PoolFqdn FE01.lab.local –Disastermode –Verbose

  After running…Voila! The Lync Client services are automatically restored to Lync 2013and the "Limited Functionality" notice disappears with no user interaction!

  

  Notes:

• On my 3 user lab this script took about 50 seconds to complete. After it completed I waited a little over a minute until full capability was restored to the Lync client!
• The Chat service was not restored because resiliency was not setup in our lab for this service.

  Conclusion

  Well--yahoo! We have successfully setup a Lync Standard Edition Associated Backup Pool and we have demonstrated Lync Server 2013's very improved complete Failover resiliency.

  Continue your lab with more articles in this Lync Server 2013 Step by Step Series:

• Part 1 – Step by Step Installing Lync Server 2013 Standard Edition Front End
• Part 2- Step by Step Installing Lync Server 2013 SE Monitoring Server
• Part 3 – Step by Step Installing Lync Server 2013 Persistent Chat Server
• Part 4 - Step by Step Installing Your 2nd Lync Server 2013 SE Server Associated Backup Pool for Resiliency
• Part 5 – Step by Step Enabling Lync Server 2013 Enterprise Voice Features, Response Groups and Managers
• Using Lync 2013 and OneNote 2013 Integration

     

  Special Thanks to Elan Shudnow and his great article on Lync 2010 Resiliency:

  http://www.shudnow.net/2012/05/04/lync-2010-central-site-resilience-w-backup-registrars-failovers-and-failbacks-part-3/

     

  http://social.technet.microsoft.com/wiki/contents/articles/9289.second-lync-standard-edition-server-to-provide-a-limited-high-availability-en-us.aspx

  http://jasonmlee.net/archives/459

• See this post
• And this post

  If you want to Fail Back to FE01.lab.local

• Invoke-CsPoolFailback -PoolFQDN FE01.lab.local –Verbose  (may take 10-15minutes; Lync will logout/in near end)
• Invoke-CsManagementServerFailover -BackupSqlServerFqdn FE02.lab.local BackupSqlInstanceName RTC –Force ( this just takes 10secs)

     

  출처: <http://windowspbx.blogspot.kr/2012/08/step-by-step-adding-your-second-lync.html>