728x90

hub and spoke 구조는 Virtual WAN을 사용하지 않고 virtual network 로만 구성하고자 할때 Azure에서 권장하는 구조입니다. 일반적으로 온프레미스와 virtual network gateway간 연결해서 사용할 때 자주 볼 수 있는 아키텍쳐이며, 본 포스트는 아래와 같은 구조에서 virtual machine끼리 통신하도록 하는 예제입니다.

단순 vnet peering 만으로는 spoke1-vm과 spoke2-vm간 통신이 불가능하고, route tables라는 리소스를 생성해서 적용해 줘야 합니다. Azure 공식 문서에는 잠깐의 언급만 하고 자세히 다루지는 않아서 본 포스트에서 spoke1-vm과 spoke2-vm간 통신하는 예제를 다루어 보았습니다.

*링크 : Create, change, or delete an Azure virtual network peering | Microsoft Docs

 

리소스 그룹 생성

포털에 resource group 검색 후 create 버튼 클릭

 

virtual network 생성

총 3개의 vnet을 생성합니다.

hub-vnet : 10.50.0.0/16, default 10.50.1.0/24, GatewaySubnet 10.50.2.0/24

(게이트웨이 서브넷 이름은 무조건 'GatewaySubnet'이어야 함)

spoke1-vnet : 10.60.0.0/16, default 10.60.1.0/24

spoke2-vnet : 10.61.0.0/16, default 10.61.1.0/24

spoke1-vnet과 spoke2-vnet도 위와 같이 생성합니다.

 

Virtual network gateway 생성

포털에서 virtual network gateway 검색 후 create 클릭

 

피어링 설정

hub-vnet과 spoke1-vnet간 vnet peering을, hub-vnet과 spoke2-vnet간 vnet peering을 맺습니다

add 버튼 클릭

 

 

hub-vnet과 spoke2-vnet에 대해서도 위와 같이 설정해 줍니다.

 

Virtual Machine 생성

spoke1-vm과 spoke2-vm을 생성합니다.

아래 화면처럼 spoke1-vnet을 선택해 줍니다.

 

spoke2-vm에 대해서도 위와 같이 생성해 줍니다.

 

spoke1-vm에 ssh 연결해서 spoke2-vm으로 ping을 보내면 전부 packet loss 됨을 확인할 수 있습니다.

 

Route tables 생성 및 적용

spoke1-udr, spoke2-udr을 각각 만들어 줍니다

*udr : user defined route

 

Routes 탭에서 add 버튼을 클릭한 후, destination ip addresses에 spoke2-vnet의 대역을 입력합니다

(마찬가지로 spoke2-udr에는 spoke1-vnet의 대역을 입력합니다)

 

route 생성 후, 아래와 같이 spoke1-vnet의 default 서브넷, spoke2-vnet의 default 서브넷에 각각 적용시켜 줍니다

route table 을 각 서브넷에 적용 후, spoke1-vm에서 spoke2-vm으로 ping을 날리면 정상적으로 패킷 송수신이 되는 것을 확인하실 수 있습니다.

 

테스트가 완료되었을 경우 resource group을 삭제합니다.

728x90
728x90

Windows Server의 RRAS (Routing and Remote Access Service) 기능을 사용하여 Azure Virtual Network와 S2S VPN을 연결하는 방법을 소개합니다.

 

S2S (Site to Site) VPN은 온프레미스 네트워크와 Azure Virtual Network 간의 연결을 의미하는데, 온프레미스의 VPN 장비와 Azure의 VPN Gateway를 서로 연결해서 구성합니다.

S2S VPN 구성을 테스트하고 싶어도 온프레미스에 VPN 장비가 없으면 테스트가 거의 불가능합니다.

 

이 글에서는 Azure Virtual Network를 온프레미스 네트워크라고 가정하고, Windows Server에 RRAS 역할을 설치하여 VPN 장비처럼 동작하도록 구성하는 방법을 소개합니다.

테스트 구성도를 보시면 좀 더 쉽게 이해하실 수 있을겁니다.

 

RRAS 테스트 구성도

 

 

왼쪽의 Virtual Network를 온프레미스 네트워크라고 가정하고, rras-vm을 VPN 장비처럼 동작하도록 구성하는 방법을 소개할 예정입니다.

테스트 환경 구성이 완료되면 온프레미스의 dmz-svr01과 Azure의 mgmt-vm간에 private ip 주소로 통신이 가능해집니다.

 

*중요
Microsoft는 Azure 의 Windows Server 가상 머신에서의 RRAS 사용을 공식적으로는 지원하지 않습니다.

https://support.microsoft.com/en-us/help/2721672/microsoft-server-software-support-for-microsoft-azure-virtual-machines


따라서, Azure에서는 테스트 용도로만 RRAS를 사용해야 합니다.
Azure에서 RRAS를 사용하다가 문제가 생기더라도 Microsoft로부터 지원을 받을 수 없습니다.

 

*테스트에서는 Azure Korea Central 지역을 사용합니다.

 

1. 가상 네트워크 구성

구성도와 같이 두 개의 가상 네트워크를 만듭니다.

Onprem-NW Hub-VNET
Address spaces : 192.168.0.0/16
- RRAS-Subnet : 192.168.100.0/24
- DMZ-Subnet : 192.168.200.0/24
Address spaces : 172.16.0.0/16
- GatewaySubnet : 172.16.0.0/26
- Mgmt-Subnet : 172.16.1.0/24

 

 

 

2. VPN Gateway 생성

Hub-VNET에 VPN Gateway를 만듭니다.

저는 아래와 같이 설정하였습니다.

 

VPN Gateway 생성

 

 

VPN Gateway가 생성되면 Public IP address를 확인합니다.

 

 

 

 

3. RRAS용 Windows VM 생성

Windows Server 2019 VM을 생성합니다.

저는 아래와 같이 설정했습니다만, 동일하게 설정하지 않으셔도 됩니다.

  • Image : Windows Server 2019 Datacenter - Gen2
  • Size : Standard D2as_v4

 

 

 

Virtual network와 Subnet은 아래와 동일하게 설정합니다.

  • Virtual network : OnPrem-NW
  • Subnet : RRAS-Subnet

 

 

 

RRAS VM 생성이 완료되면 VM을 중지합니다. 

VM이 중지되면 IP 주소를 테스트 구성도처럼 지정합니다.

 

RRAS VM

 

 

첫 번째 NIC의 IP 주소를 테스트 구성도처럼 지정합니다. (192.168.100.101)

 

RRAS 첫 번째 NIC

 

 

두 번째 NIC 추가 및 테스트 구성도처럼 IP 주소를 지정합니다. (192.168.200.101)

두 번째 NIC는 DMZ-Subnet에 연결합니다.

 

RRAS 두 번째 NIC

 

 

두 번째 NIC의 IP configurations 메뉴에서 IP forwardingEnabled로 변경합니다.

 

RRAS 두 번째 NIC - IP forwarding Enabled

 

 

RRAS VM을 시작합니다.

 

 

4. RRAS VM Windows 방화벽 중지 및 NSG 설정

RRAS VM의 Windows 방화벽을 중지합니다.

 

Windows Firewall Turn off

 

 

VPN Gateway와 S2S VPN 연결을 위해, RRAS VM의 NSG의 Inbound 규칙에 아래의 Port들을 허용으로 추가합니다.
*Source는 VPN Gateway의 Public IP 주소, Destination은 RRAS VM의 첫 번째 NIC의 Private IP 주소
- TCP port 443 (SSTP)
- UDP port 500 (IKEv2)
- UDP port 4500 (IKEv2 NAT traversal)

 

RRAS-Subnet의 NSG

 

 

 

5. VPN Gateway 설정

Local Network Gateway와 Connection 리소스를 생성합니다.

 

Local Network Gateway를 생성할 때,

IP address에는 RRAS VM의 Public IP 주소를 입력하고,

Address Space에는 온프레미스 IP 대역을 입력합니다. (192.168.0.0/16)

 

Local network gateway

 

 

Connection 리소스를 생성할 때, Connection type은 Site-to-site (IPsec)을 선택합니다.

 

 

 

Virtual network gateway, Local network gateway, Shared key(PSK)를 지정합니다.

나머지 옵션은 기본값을 사용합니다.

* Shared key는 RRAS 구성에서도 사용됩니다.

 

 

 

 

6. RRAS 역할 설치

RRAS VM에 원격으로 접속한 후 RRAS 역할을 설치하고 구성합니다.

 

Server Manager - Add Roles and Features

 

Server Manager

 

 

Server Roles에서 Remote Access를 선택합니다.

 

Server Roles - Remote Access

 

 

Role Services에서 DirectAccess and VPN (RAS), Routing을 선택합니다.

 

Role Services - DirectAccess and VPN (RAS), Routing

 

 

나머지 옵션들은 기본값을 사용해서 RRAS 역할을 설치합니다.

 

 

7. RRAS 구성

* 이 부분이 이번 글에서 핵심입니다.

 

RRAS 역할이 설치된 후 Azure VPN Gateway와 연결하기 위해 RRAS를 구성합니다.

 

Routing and Remote Access 관리 콘솔을 실행합니다.

 

 

 

RRAS VM을 오른쪽 버튼 클릭하고 'Configure and Enable Routing and Remote Access'를 클릭합니다.

 

Configure and Enable Routing and Remote Access

 

 

Routing and Remote Access Server Setup Wizard

  • [Next]

 

 

 

Configuration

  • 'Secure connection between two private networks' 
  • [Next]

 

 

 

Demand-Dial Connections

  • 'No' 
  • [Next]

 

 

 

Completing the Routing and Remote Access Server Setup Wizard

  • [Finish]

 

 

 

 

Network Interfaces 오른쪽 버튼 클릭 - 'New Demand-dial Interface' 클릭

 

 

 

Demand-Dial Interface Wizard

  • [Next]

 

 

 

Interface Name

  • Interface name : AzureVPNGW
  • [Next]

 

Interface name

 

 

Connection Type

  • Connect using virtual private networking(VPN)
  • [Next]

 

Connection Type - Connect using virtual private networking (VPN)

 

 

VPN Type

  • IKEv2
  • [Next]

 

VPN Type - IKEv2

 

 

Destination Address

  • VPN Gateway의 Public IP 주소 입력
  • [Next]

 

 

 

Protocols and Security

  • Route IP packets on this interface
  • [Next]

 

 

 

Static Routes for Remote Networks

  • [Add]
  • Azure IP 대역 등록 (172.16.0.0/16)
  • [Next]

 

Azure IP 대역 등록

 

 

Dial-Out Credentials

  • [Next]

 

 

 

Completing the Demand-Dial Interface Wizard

  • [Finish]

 

 

 

 

*Preshared key를 지정합니다.

 

새로 생성된 Network Interface 오른쪽 버튼 클릭 - 'Properties'

 

 

 

[Security] 탭

  • Use preshared key for authentication - Preshared key 입력 ('12345')
  • [OK]

 

Preshared key 등록

 

 

*Azure VPN Gateway와 연결합니다.

 

AzureVPNGW 오른쪽 버튼 클릭 - 'Connect'

 

Connect

 

연결 완료 (Connection State가 Connected로 표시됩니다.)

 

 

 

 

VPN Gateway Connection 리소스를 확인해보면, Status가 Connected로 표시됩니다.

(Connected로 표시되기까지 약 3~5분 정도 걸립니다.)

 

 

 

이제 S2S VPN 연결이 완료되었습니다.

 

 

8. 테스트용 VM 생성

네트워크 통신 테스트를 위한 VM들을 온프레미스 네트워크(OnPrem-NW)와 Azure Virtual Network(Hub-VNET)에 생성합니다.

(dmz-svr01, mgmt-vm)

 

 

 

*VM을 생성하는 과정에 대한 설명은 생략합니다.

 

 

 

9. 온프레미스 서브넷에 UDR 설정

*이 부분도 중요합니다.

 

온프레미스(OnPrem-NW)에서 Azure Virtual network(Hub-VNET)의 IP 대역으로 나가는 트래픽이 RRAS를 통과하도록 하기위해 UDR을 사용합니다.

 

Routes에서

  • Address prefix는 Azure IP 대역을 지정하고 (172.16.0.0/16),
  • Next hop type은 'Virtual appliance',
  • Next hop IP address는 RRAS의 두 번째 NIC의 IP 주소를 입력합니다 (192.168.200.101).

UDR을 온프레미스 서브넷(DMZ-Subnet)에 연결합니다.

 

UDR

 

 

10. 네트워크 통신 테스트

테스트를 위해 VM의 Windows 방화벽은 중지합니다.

 

 

 

두 VM 간에 Private IP 주소로 통신이 가능한지 확인해봅니다.

 

 

끝.

728x90
728x90

서브넷 마스크 계산기 및 계산 방법 2가지(CIDR, netmask)

2023-01-31 by 나루

네트워크를 설정하다보면 서브넷 마스크 또는 마스크라고 되어 있는 부분에 입력을 해야 하는 경우가 있을 것입니다. 서브넷 마스크 계산 방법을 알아보고, 또 서브넷 마스크 계산기도 함께 준비했습니다.

서브넷 마스크란? CIDR?

클래스 단위로 결정된 주소 비트를 이론적으로 어느 정도의 서브넷이라는 단위로 나눌 것인지 지정하는 것입니다. 크게 네트워크 영역과 호스트 영역으로 나뉘게 되는데, 이를 통해서 네트워크의 성능을 보장하고, 제한된 자원을 효율적으로 사용할 수 있게 됩니다. 그리고 CIDR은 Classless Inter-Domain Routing의 줄임말로 클래스 없는 도메인 간 라우팅 기법입니다.

서브넷 마스크 계산 방법: CIDR을 Netmask로 변환

그림 1의 Addresses에서의 192.168.0.31/24 와 같이 뒤에 /24 를 표기하는 것을 CIDR 값이라고 부릅니다.

그림 1. CIDR로 서브넷 표기하기

그리고 그림 2와 같이 많은 분들이 흔히 사용하는 개인 네트워크의 사설 IP 주소 192.168.0.132와 같은 값을 이용할 때 Netmask 값은 255.255.255.0으로 설정해서 이용합니다.

그림 2. Netmask로 서브넷 표기하기

위의 두 가지 값은 표현은 다르게 되나 동일하게 처리됩니다. 아래 계산기에서 24라고 입력해 보시면 2진수 Netmask에서 11111111 11111111 11111111 00000000 이라고 표현되는 것을 볼 수 있습니다. 왼쪽에서부터 몇 비트를 마스킹할 것인지 표현하는 게 CIDR 표기법입니다.

Netmask는 그걸 십진수로 8비트씩 끊어서 10진수로 표현한 것입니다. 흔히 넷마스크로 사용하는 255.255.255.0이 그 예입니다.

CIDR과 Netmask 계산기

아래 CIDR에 숫자를 입력해 주면 Netmask 값으로 변환이 됩니다. Netmask에 값을 채워넣으면 CIDR로 변환됩니다. 두가지 경우 모두 2진수 Netmask 값으로도 변환됩니다. 단, netmask 값은 페이지 하단의 표를 참고해서 사용하시기 바랍니다.

CIDR 
Netmask 
Netmask(2진수) 11111111 11111111 11111111 11111000
그림 3. 서브넷 마스크 계산 방식

192.168.121.110/24로 표기한다면, 앞의 24비트인 192.168.121 까지가 호스트 주소이고, 이후의 110 값에 해당하는 8비트가 호스트 주소가 된다고 이해하시면 됩니다. 즉, 좌측부터 24개 비트가 1로 채워져 넷마스크 값은 255.255.255.0이 됩니다.

특히 회사나 학교와 같은 곳에서는 넷마스크 값을 네트워크 관리자를 통해 명확히 확인 후 사용하시기 바랍니다. 물론 개인이 사용하는 192.168.0.xxx의 경우에는 편안하게 255.255.255.0 사용하면 되겠습니다.

CIDR & Netmask 테이블

바로 위에 계산기를 준비해 놓았지만, 아래 표를 통해서도 확인할 수 있습니다.

CIDR Mask Hosts
/32 255.255.255.255 1
/31 255.255.255.254 2
/30 255.255.255.252 4
/29 255.255.255.248 8
/28 255.255.255.240 16
/27 255.255.255.224 32
/26 255.255.255.192 64
/25 255.255.255.128 128
/24 255.255.255.000 256
/23 255.255.254.000 512
/22 255.255.252.000 1024
/21 255.255.248.000 2048
/20 255.255.240.000 4096
/19 255.255.224.000 8192
/18 255.255.192.000 16384
/17 255.255.128.000 32768
/16 255.255.000.000 65536
/15 255.254.000.000 131072
/14 255.252.000.000 262144
/13 255.248.000.000 524288
/12 255.240.000.000 1048576
/11 255.224.000.000 2097152
/10 255.192.000.000 4194304
/9 255.128.000.000 8388608
/8 255.000.000.000 16777216
/7 254.000.000.000 33554432
/6 252.000.000.000 67108864
/5 248.000.000.000 134217728
/4 240.000.000.000 268435456
/3 224.000.000.000 536870912
/2 192.000.000.000 1073741824
/1 128.000.000.000 2147483648
표. CIDR, Netmask 별 이용가능한 호스트 개수

관련자료

위의 계산기에는 stackoverflow의 netmask 관련 코드를 사용했습니다.
위키피디아의 CIDR 페이지를 참고했습니다.

함께 읽으면 좋은 글

728x90
728x90

서브넷 마스크와 서브넷팅 계산 방법

 

 

하나의 네트워크에 16,777,214개의 호스트 IP를 할당할 수 있는 A 클래스 는 엄청나게 큰 규모의 국제적인 기업 또는 단체가 아니라면 매우 비효율적이다.

 

만약 이 장치가 4개가 있는 가정집에 A 클래스를 그대로 부여한다면 Network Address와 Broadcast Address까지 포함하여 6개가 사용되고 남은 16,777,208개는 아무도 사용하지 않고 낭비된다.

 

이러한 문제를 해결하기 위해 IP를 사용하는 네트워크 장치들의 수에 따라 효율적으로 사용할 수 있는 서브넷(Subnet)이 등장하게 되었다.

 

 

서브넷 마스크는 IP주소 체계의 Network ID와 Host ID를 서브넷 마스크를 통해 변경하여서 '네트워크 영역을 분리 또는 합체' 시키는 개념이다.

 

네트워크를 분리한 것을 서브넷팅(Subnetting), 합치는 걸 슈퍼넷팅(Supernetting)이라고 한다.

 

서브넷팅은 서브넷 마스크를 이용하여 Host ID를 Network ID로 변환하게 되고, 슈퍼넷팅은 서브넷 마스크를 이용하여 Network ID를 Host ID로 변환하게 되어서 가능해진다.

 

서브넷 마스크

 

  • IP 주소에는 반드시 서브넷 마스크가 있다.
  • 서브넷 마스크는 기본적으로 255와 0으로 이루어져 있다.
  • 여기서 255는 네트워크 부분이며 0은 호스트 부분이 된다.
  • 255로 된 부분은 무시하시고 0으로 된 부분에서 IP를 나눠쓰는 혹은 IP를 쪼개는 개념이다.

 

IP를 쪼개는 이유는 IP주소가 모자라기 때문이며 네트워크를 구축시에 가장 중요한 부분이라고 할수있으며 서버관리시에 꼭 필요한 부분이다.

 

 

서브넷 마스크의 형태는 IP주소와 똑같이 32bit의 2진수로 되어있으며, 8bit(1byte)마다, .(dot)으로 구분하고 있다.

즉, IP와 똑같은 OOO, OOO, OOO, OOO의 모습을 가지고 있다.

 

형태가 똑같은 이유는 IP주소와 서브넷 마스크를 AND 연산하기 위해서이다.

 

 

 

서브넷 마스크를 사용하는 이유

브로드캐스트 영역(네트워크)를 나누기 위함 입니다.

한 네트워크에 수 많은 호스트가 있을 경우 원활한 통신이 불가능해지게 됩니다. 이를 해결하기 위해서 네트워크를 적절하게 나누어 주셔야 합니다. 또한 네트워크를 적절하게 구분지어주기 때문에 IP 주소를 아끼는 효과가 있습니다.

 

호스트 이름으로부터 IP 주소지에 대한 네트워크 이름을 규정으로 32비트 크기로 만들어진다.

 

 

혹시 IP주소 뒤에 /24 같은 것들이 붙어 있는 것을 볼 수 있을것이다.

이는 Prefix(접두어)로 (CIDR이라고도 한다.)서브넷 마스크의 bit 수를 의미한다.

 

옥탯의 8bit가 모두 1일 경우 10진수로 255가 되기에 /24는 왼쪽으로 나열된 1bit의 수가 24개라는 뜻이다.

 

예시) 192.168.0.3/24는 IP주소가 192.168.0.3 이며, 서브넷 마스크는 255.255.255.0이라는 의미다.

 

클래스 범위 표기법
A 11111111.00000000.00000000.00000000 /8 OR 255.0.0.0
B 11111111.11111111.00000000.00000000 /16 OR 255.255.0.0
C 11111111.11111111.11111111.00000000 /24 OR 255.255.255.0

 

 

Bitmask (서브넷 마스크로 사용된 1의 개수) Netmask(255.255.255.x) 네트워크 수 (서브넷 개수) 호스트 수
/25 128 2 128
/26 192 4 64
/27 224 8 32
/28 240 16 16
/29 248 32 8
/30 252 64 4
/31 254 128 2
/32(Host Rount) 255 256 1

 

 

네트워크 수는 2의 제곱의 수로 계산하면 된다.

호스트 수 256을 네트워크수로 나누면 된다.

 

서브넷 마스크의 마지막인 32bit는 (255.255.255.255)를 호스트루트(Broadcast)라고 하는데 이것은 특정 호스트로 가는 경로를 알릴때 사용한다.

 

 

 

 

서브넷팅의 이해

 

IP주소 낭비를 방지하기 위한 원본 네트워크를 여러 개의 네트워크로 분리하는 과정(자신의 네트워크 주소를 더 작은 서브 네트워크로 2의 배수로 나누는 과정)을 말한다.

 

서브넷팅을 과정중에 분리된 네트워크 단위를 서브넷이라고 하며, 서브넷팅을 하기 위해서는 서브넷 마스크의 이해가 필요하다.

 

서브넷팅(Subnetting) 하는 법

 

 

192.168.32.0/24라는 네트워크 주소 하나를 25개씩의 호스트가 있는 각각의 네트워크로 분할하려고한다.

 

Ip Address Subnet mask
192.168.32.0 255.255.255.0
11000000.10101000.00100000.00000000 11111111.11111111.11111111.00000000

 

위에 표에 서브넷마스크(Subnet mask)는 1로 표시된 부분은 Network-ID로 사용되는 부분이며,

0 으로 표시된 Host-ID 부분을 가지고 서브넷팅을 하게된다.

 

위 표와 같이 하나의 옥텟은 8bit(00000000)로 이루어져 있으며, 1개의 bit는 2개의 정보를 표현할 수 있다.

 

이번에는 Host-ID 부분을 필요한 개수인 5개의 Bit로 쪼개보겠다.

 

192.168.32.000/00000

<-(Network ID) (Host ID)->

 

0~31 192.168.32.0 ~ 192.168.32.31
32~63 192.168.32.32 ~ 192.168.32.63
64~95 192.168.32.64 ~ 192.168.32.95
96~127 192.168.32.96 ~ 192.168.32.127
128~159 192.168.32.128 ~ 192.168.32.159
160~191 192.168.32.160 ~ 192.168.32.191
192~223 192.168.32.192 ~ 192.168.32.223
224~255 192.168.32.224 ~ 192.168.32.255

 

각각의 범위가 서로 다른 네트워크를 의미한다.

범위에 있는 숫자는 각각의 네트워크 안에서 호스트로 할당해줄 수 있는 IP의 범위가 된다.

 

범위의 맨 앞에 있는 게 각 네트워크 대표주소(192.168.32.0)가 되며,

마지막의 (192.168.32.255)의 숫자가 브로드캐스트 숫자가 된다.

728x90
728x90

Azure 가상 네트워크에 Azure Firewall을 배포하고, 가상 네트워크 간 라우팅, DNAT, 네트워크 필터링 규칙을 구성하는 방법을 설명합니다.

아래와 같은 테스트 환경을 구성하고 Azure Firewall을 테스트하였습니다.

  • 허브(Hub) 네트워크에 Azure Firewall을 배치하여 스포크(Spoke) 네트워크 간 라우팅 처리
  • Azure Firewall의 DNAT 규칙으로 인터넷 인바운드 처리
  • Azure Firewall의 네트워크 규칙(Network rule)으로 스포크 네트워크 간 RDP 연결 처리

 

Azure Firewall 테스트 구성도

 

 

위 테스트 환경 구성은 일반적인 허브-스포크(Hub-Spoke) 구성입니다.

허브 네트워크에 Azure VPN Gateway와 Azure Firewall을 배치하고, 온프레미스와는 S2S VPN으로 연결하고, 다른 Azure 가상 네트워크는 Peering으로 연결합니다.

테스트에서는 온프레미스의 Windows Server 2019에 RRAS(Routing and Remote Access Service) 역할을 구성하여 Azure VPN Gateway와 S2S로 연결하였습니다.

 

Windows Server 2019 RRAS

 

 

1. 가상 네트워크 생성 및 Peering으로 연결

Azure에 아래와 같이 3개의 가상 네트워크를 만듭니다.

 

3개의 Virtual network 준비

 

 

허브 네트워크(VNET-Hub)에 VPN Gateway를 배포하고, 온프레미스와 S2S VPN을 연결합니다. (온프레미스와 S2S VPN 연결에 대한 설명은 생략합니다.)

 

VPN Gateway

 

 

허브 네트워크(VNET-Hub)와 스포크 네트워크들(PRD-VNET, DEV-VNET)은 Peering으로 연결하였습니다.

 

VNET Peering

 

 

참고로, Peering 옵션에서 Gateway transit을 사용하도록 설정하였습니다.

 

VPN Gateway transit

 

 

가상 네트워크 구성이 완료된 후 가상 머신을 배포합니다.

 

2. Azure Firewall 배포

허브 네트워크(VNET-Hub)에 Azure Firewall을 배포합니다. Azure Firewall은 AzureFirewallSubnet이라는 이름의 전용 서브넷에 배포되어야 합니다. 서브넷 사이즈는 /26으로 만듭니다.

Azure Firewall 배포

 

Azure Firewall 배포

 

 

Azure Firewall 배포가 완료되면 Azure Firewall의 Private IP 주소를 확인합니다.

 

Azure Firewall - Private IP

 

 

3. 라우팅 테이블 구성 (UDR)

네트워크 간 트래픽이 Azure Firewall을 거치도록 라우팅 테이블을 구성합니다.

 

Azure Firewall - UDR

 

 

스포크 네트워크들(PRD-VNET, DEV-VNET)은 Next hop을 Azure Firewall로 지정합니다.

GatewaySubnet은 Next hop으로  Azure Firewall을 지정합니다.

 

 

4. DNAT 규칙 추가

인터넷에서 PRD-VNET의 WEB VM으로 HTTP (TCP 80) 접속을 허용하는 DNAT 규칙을 Azure Firewall에 추가합니다.

DNAT(Destination NAT) 규칙을 사용하면, 인터넷에서 Azure 가상 네트워크의 VM으로의 직접적인 연결은 차단하고, Azure Firewall의 공인 IP 주소를 통해 Azure VM으로 연결될 수 있도록 구성할 수 있습니다.

 

Azure Firewall DNAT

 

 

우선 Azure Firewall에 Public IP 주소를 하나 추가합니다.

 

Azure Firewall - Add Public IP Address

 

 

Azure Firewall의 Rule - NAT rule collection에 아래와 같이 DNAT 규칙을 추가합니다.

 

Azure Firewall - NAT Rule collection

 

 

브라우저에서 DNAT 규칙의 공인 IP 주소로 접속해봅니다.

 

 

 

 

5. 네트워크 규칙 추가

Azure Firewall에 온프레미스와 Azure PRD, DEV 네트워크간 RDP 연결을 허용하는 규칙을 생성합니다. 

네트워크 규칙(Network rule)으로 Azure VM으로 들어오고 나가는 네트워크 연결을 허용하거나 차단할 수 있습니다.

 

Azure Firewall - Network Rule

 

 

 

Azure Firwall - Rules - Network rule collection에 RDP 허용 규칙을 추가합니다.

 

Azure Firewall - Network Rule collection

 

 

 

OnPrem-PRD

 

 

 

OnPrem-DEV

 

 

 

PRD-DEV

 

 

RDP 허용 규칙 추가 후 각 네트워크 간 RDP 연결이 되는지 확인해봅니다.

온프레미스 -> PRD-VNET의 VM으로 RDP 연결

 

OnPrem to PRD VM

 

 

PRD-VNET의 VM에서 DEV-VNET VM으로 RDP 연결

 

PRD VM to DEV VM

 

 

-끝

728x90
728x90

Windows Server 2003 Active Directory에서 Windows Server 2008 이상 버전 (Windows Server 2008, 2008 R2, 2012, 2012 R2) 으로 마이그레이션 한 후에는 SYSVOL 복제 방식을 변경하는 것을 권장합니다.

 

도메인 기능 수준과 포리스트 기능 수준을 최소 Windows Server 2008 이상으로 올린 후, SYSVOL 복제 방식을 기존 File Replication Service에서 DFS-R 로 변경합니다.

 

작업이 완료되면 SYSVOL 폴더가 SYSVOL_DFSR 폴더로 대체됩니다.

 

 

1. 작업 전 확인

 

1. 현재 공유 중인 SYSVOL 정보 확인 (net share)


 
2. ADSIEDIT에서 복제 설정 확인 (NTFRS 로 표시됨)

 


3. 서비스 확인 – 파일복제 서비스와 DFS Replication 서비스 모두 실행 중

 

 

 

 

 

2. 복제 설정 변경

 

1. powershell 실행 후 아래 명령 실행
dfsrmig.exe /GetGlobalState

 

 

2. dfsrmig.exe /CreateGlobalObjects

 

 

3. dfsrmig.exe /GetGlobalState

 

 

4. dfsrmig.exe /GetMigrationState

 

 
5. dfsrmig.exe /SetGlobalState 0

 

 

6. dfsrmig.exe /SetGlobalState 1

 

 
7. dfsrmig.exe /GetMigrationState

 

 
8. 위 명령을 계속 수행하여, 아래와 같은 결과가 나올 때 까지 대기

 

 
9. 탐색기에서 SYSVOL_DFSR 폴더가 생성되었는지 확인

 

 
10. ADSIEDIT에서 Domain Controller 아래에 아래와 같이 DFSR-LocalSettings 가 표시되는지 확인

 

 

11. dfsrmig.exe /SetGlobalState 2

 

 
12. dfsrmig.exe /GetMigrationState (결과가 아래와 같이 나올 때까지 대기)

 

 

13. Registry 편집기에서 SYSVOL 경로가 변경되었는지 확인

 

 

14. dfsrmig.exe /SetGlobalState 3

 

 
15. dfsrmig.exe /GetMigrationState (결과가 아래와 같이 나올 때까지 대기)

 

 

16. dfsrmig.exe /GetGlobalState

 

 

17. 탐색기에서 SYSVOL 폴더가 삭제되었는지 확인

 

 

18. ADSIEDIT에서 NTFRS Subscriptions 가 삭제되었는지 확인

 

 

 

3. 작업 후 확인

 

1 DFS 관리 콘솔에서 확인
복제에 Domain System Volume 이 생성되었습니다.

 

 
2 서비스 확인
File Replication Service가 중지되고 사용 안 함으로 변경된 것을 확인.

 

 
3 SYSVOL 공유 확인
net share 

 

끝.

728x90
728x90

Update 2021-12-18 – This looks like a much more competent script for detecting this vulnerability and there is a python version for Linux: https://github.com/CERTCC/CVE-2021-44228_scanner

Updated 2021-12-17 – Script is v1.4 and looks for .war files now too

Original post below

Inspired by the one-liner here: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#find-vulnerable-software-windows

gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path

I wrote a script to expand on the command, support Windows Server 2008 onward and to be more automated.

This script is basically the one liner with a bit of logic to get all the local fixed disks on a server and iterate through them all looking for Log4j jar file:

<#
.Synopsis
Checks the local system for Log4Shell Vulnerability [CVE-2021-44228]
.DESCRIPTION
Gets a list of all volumes on the server, loops through searching each disk for Log4j stuff
 
Version History
1.0 - Initial release
1.1 - Changed ErrorAction to "Continue" instead of stopping the script
1.2 - Went back to SilentlyContinue, so much noise
Replace attribute -Include by -Filter (prevent unauthorized access exception stopping scan)
Remove duplicate path with Get-Unique cmdlet
.EXAMPLE
.\check_CVE-2021-44228.ps1
.NOTES
Created by Eric Schewe 2021-12-13
Modified by Cedric BARBOTIN 2021-12-14
#>
 
# Get Windows Version string
$windowsVersion = (Get-WmiObject -class Win32_OperatingSystem).Caption
 
# Server 2008 (R2)
if ($windowsVersion -like "*2008*") {
 
$disks = [System.IO.DriveInfo]::getdrives() | Where-Object {$_.DriveType -eq "Fixed"}
 
}
# Everything else
else {
 
$disks = Get-Volume | Where-Object {$_.DriveType -eq "Fixed"}
 
}
 
# I have no idea why I had to write it this way and why .Count didn't just work
$diskCount = $disks | Measure-Object | Select-Object Count -ExpandProperty Count
 
Write-Host -ForegroundColor Green "$(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Starting the search of $($diskCount) disks"
 
foreach ($disk in $disks) {
 
# gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
 
# Server 2008 (R2)
if ($windowsVersion -like "*2008*") {
 
Write-Host -ForegroundColor Yellow " $(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Checking $($disk.Name): - $($disk.VolumeLabel)"
Get-ChildItem "$($disk.Name)" -Recurse -Force -Include @("*.jar","*.war") -ErrorAction SilentlyContinue | ForEach-Object { Select-String "JndiLookup.class" $_ } | Select-Object -ExpandProperty Path | Get-Unique
 
}
# Everything else
else {
 
Write-Host -ForegroundColor Yellow " $(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Checking $($disk.DriveLetter): - $($disk.VolumeLabel)"
Get-ChildItem "$($disk.DriveLetter):\" -Recurse -Force -Include @("*.jar","*.war") -ErrorAction SilentlyContinue | ForEach-Object { Select-String "JndiLookup.class" $_ } | Select-Object -ExpandProperty Path | Get-Unique
 
}
 
}
 
Write-Host -ForegroundColor Green "$(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Done checking all drives"

Sample output with nothing found:

Sample output with something found:

Good luck everyone.

728x90
728x90

We’ve run into a strange problem with our Windows Server 2019 VMs where sometimes when we clone a new VM from our template it works perfectly fine and sometimes it won’t let you install any new Roles and throws a 0x80073701 error. Better still, sometimes it lets you install a new Role and then months later when you go to add something else it fails also with a 0x80073701.

For the longest time the only solution I was able to find online was nuke it and start over which is typically what we did. That or to manually dig through registry keys for packages installed in Windows with a different language than that of your operating system. I never was able to get that suggestion to work because I couldn’t gain the permissions I needed to delete the registry keys. We also had zero luck running DISM with it’s variety of flags.

At some point a co-worker of mine stumbled across a PowerShell script that solved the problem for us and saved us having to rebuild a few more complicated VMs.

I had to use that script tonight on a VM but this time it didn’t work. I tried to see if I could find a new version but I couldn’t even find the original script. With some fiddling I eventually got the script to work but it dawned on me that lots of people might have having this problem and the script to fix it with out wiping/reloading might not be easily found anymore.

Full Disclosure. I did not write this script, I’ve only used it a few times with success. I searched for the authors name to see if they had a Github repo or something out there and found nothing other than a LinkedIn.

Near as I can tell this script does the following:

  1. Elevates its privileges in a very specific looking way. I did not dig much into it since the rest of the script does not appear to do anything malicious and you should run this “As an administrator” anyway I just went with it
  2. It then asks you for the location of your CBS log file, if none is provided it uses the default location
  3. It then parses the CBS log file for any instances of ERROR_SXS_ASSEMBLY_MISSING and then parses those lines to pull out the specific package names that are causing problems
  4. Using it’s elevated privileges it takes ownership of that packages registry keys and changes the ‘Currentstate’ key to ‘0’ which I assume means not installed or ignored
  5. It does some checks to make sure the ‘Currentstate’ was successfully changed and then completes

Once the script has run you do not need to reboot. You should be able to start adding Roles to the server right away.

I have found that running the script against “C:\Windows\Logs\CBS\CBS.log” does not always solve the problem. Tonight I went into “C:\Windows\Logs\CBS\” and had to run it against the second newest log “CbsPersist_20230310065917.log”. After doing that the issue was resolved for me.

In our case it appears the issue is with KB4598230 which has been pulled from the Microsoft Update Catalogue and can no longer be downloaded. I have seen plenty of form posts involving other KBs causing the exact same error though.

Sorry, that was a lot of reading. Here is what you are after:

 
 
 
 
<#
.SYNOPSIS
 
This script will fix the SXS assmbly missing issue while installing feature
 
.DESCRIPTION
 
The script mark the resolved packages absent which are missing manifest.
 
.PARAMETER
 
Provide CBS file path
 
.OUTPUTS
<Outputs if any, otherwise state None - example: Log file stored in current working directory "AssemblyMissingScript-" + [datetime]::Now.ToString("yyyyMMdd-HHmm-ss") + ".log")>
.NOTES
Version: 1.0
Author: Abhinav Joshi
Creation Date: 14/11/2020
Purpose/Change: Initial script development
 
.EXAMPLE
 
Run the script ERROR_SXS_ASSEMBLY_MISSING.ps1
 
Please enter CBS file path (Default Path: c:\windows\logs\cbs\cbs.log): C:\windows\Logs\cbs\cbs2.log
#>
 
 
function enable-privilege {
param(
## The privilege to adjust. This set is taken from
[ValidateSet(
"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
"SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
"SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
"SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
"SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
"SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
"SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
"SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
$Privilege,
## The process on which to adjust the privilege. Defaults to the current process.
$ProcessId = $pid,
## Switch to disable the privilege, rather than enable it.
[Switch] $Disable
)
 
## Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;
 
public class AdjPriv
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
 
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
 
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
if(disable)
{
tp.Attr = SE_PRIVILEGE_DISABLED;
}
else
{
tp.Attr = SE_PRIVILEGE_ENABLED;
}
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
}
'@
 
$processHandle = (Get-Process -id $ProcessId).Handle
$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
 
$logfile = [System.IO.Path]::Combine($rootDir, "AssemblyMissingScript-" + [datetime]::Now.ToString("yyyyMMdd-HHmm-ss") + ".log")
if (-not (Test-Path "$PWD\logs")) {
New-Item -Path "$PWD\logs" -ItemType Directory -Verbose
}
Start-Transcript -Path "$PWD\logs\$logfile"
 
$cbspathTEMP = Read-Host -Prompt "Please enter CBS file path (Default Path: c:\windows\logs\cbs\cbs.log)"
 
$cbspath = $cbspathTEMP.Replace('"','')
 
write-host ""
 
write-host -ForegroundColor Yellow $cbspath
 
 
if ($cbspath -eq $null -or $cbspath.Length -eq "0"){
 
Write-Host -ForegroundColor Yellow "No path was entered"
 
Write-Host "Setting up default CBS path"
 
$cbspath = "c:\Windows\Logs\CBS\CBS.log"
 
Write-Host -ForegroundColor Cyan $cbspath
}
 
 
$CheckingpackagesResolving = "Resolving Package:"
 
$checkingFailure = Get-Content $CBSpath | Select-String "ERROR_SXS_ASSEMBLY_MISSING"
 
if ($checkingFailure -ne $null -and $CheckWhichFeature -ne 0) {
 
Write-Host "Checking resolving packages"
 
$CBSlines = Get-Content $CBSpath | Select-String $CheckingpackagesResolving
 
$Result = @()
 
if ($CBSlines) {
 
foreach ($CBSline in $CBSlines) {
 
$packageLine = $CBSline | Out-String
 
$package = $packageLine.Split(":").Trim().Split(',').Trim() | Select-String "Package_"
 
$Result += $package
}
 
Write-host "Found following resolving packages"
 
$Results = $Result | Select-Object -Unique
 
foreach ($regpackage in $Results) {
 
$bb = "SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$regpackage"
 
$uname = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
 
enable-privilege SeTakeOwnershipPrivilege
 
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($bb, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::takeownership)
# You must get a blank acl for the key b/c you do not currently have access
$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$me = [System.Security.Principal.NTAccount]$uname
$acl.SetOwner($me)
$key.SetAccessControl($acl)
 
# After you have set owner you need to get the acl with the perms so you can modify it.
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ($uname, "FullControl", "Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
 
$key.Close()
 
Write-Host "Mark this package absent $regpackage"
 
Set-ItemProperty -Path "HKLM:\$bb" -Name Currentstate -Value 0 -Type DWord -Force
}
 
Write-host "Verifying package state"
 
$Verifcationcheckvalue = "1"
 
foreach ($Regpackagecheck in $Results) {
 
$CurrentstateOfpackage = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$Regpackagecheck").CurrentState
 
if ($CurrentstateOfpackage -eq "0") {
 
Write-host -ForegroundColor Green $CurrentstateOfpackage of $Regpackagecheck
 
$Verifcationcheckvalue += "1"
 
 
}
else {
 
Write-host -ForegroundColor red $CurrentstateOfpackage of $Regpackagecheck
 
$Verifcationcheckvalue += "0"
}
}
 
if ($Verifcationcheckvalue -notmatch "0") {
 
write-host "========================================================================="
 
write-host ""
 
Write-host -f white -BackgroundColor green "Verification passed, Retry Enabled"
 
write-host ""
 
write-host "========================================================================="
 
$Global:try = $true
 
}
else {
 
write-host "========================================================================="
 
write-host ""
 
write-host -f white -BackgroundColor Red "Verification Failed, Can't contiune. Collect $logfile and CBS.log"
 
write-host ""
 
write-host "========================================================================="
 
$Global:try = $false
}
 
}
else {
 
Write-Error "Error while finding resolving packages"
}
}
 
else {
 
Write-Host "Looks like $CBSpath is not right CBS File, check manually. "
 
}
 
 
 
stop-Transcript
 
pause

Abhinav Joshi, whoever you are. Thank you very much for this script. It’s saved us a ton of time and headache.

728x90
728x90

Use Ctrl-F to find a specific code.

Some codes have a recommended action using PowerShell as well as the general action.

Links to other error code pages can be found at 
System Center 2012 Portal: Virtual Machine Manager (VMM) Error Codes - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

If you have additional information about an error, please add it to the "Additional Troubleshooting Information" column.

 

 

#000000;padding:0in 5.4pt;background-color:transparent;">

Code Message Recommended Action (in product) Additional Troubleshooting Information
       
24000 Error in connecting to the WSUS server %ServerName;, Port %TCPPort;. Detailed error - %DetailedErrorMessage; Ensure that the server connection information is valid. Then try the operation again.  
24001 Update server operation failed with error - %DetailedErrorMessage; BLANK  
24002 Update server is currently processing another configuration request or is synchronizing updates and cannot process current configuration change request. Try the operation after some time.  
24003 VMM can manage only one Update server instance. %ServerName; is already managed by VMM. BLANK  
24004 Update server %ServerName; is a replica downstream WSUS server. Please specify the root or non-replica downstream WSUS server for integration. Please specify the root or non-replica downstream WSUS server and re try the operation again.  
24005 Update Server %ServerName; has unsupported version of Windows Software Update Server (WSUS). Please specify Update Server with WSUS version 3.0 SP2.  
24006 Baseline with name %BaselineName; already exists. Please make sure the baseline name is unique and retry the operation.  
24007 Update (ID - %Id;) is already added to baseline %BaselineName;, it can be added only once to the given baseline Please make sure the update to be added to the baseline is not already added to the baseline and retry the operation.  
24008 Update (ID - %Id;) cannot be removed from the baseline %BaselineName;, it is not added to the baseline. Please make sure the update to be removed from the baseline is added to the baseline and retry the operation.  
24009 Assignment scope (ID - %Id;, ObjectType - %ObjectType;) is already assigned to baseline %BaselineName;. It can be assigned only once to the given baseline. Please make sure the assignment scope to be assigned to the baseline is not already assigned to the baseline and retry the operation.  
24010 Assignment scope (ID - %Id;, ObjectType - %ObjectType;) cannot be removed from the baseline %BaselineName;. It is not assigned to the baseline. Please make sure the assignment scope to be removed from the baseline is assigned to the baseline and retry the operation.  
24011 Software update (%Name; - %Id;) does not have license agreement. Please ensure the software update has license agreement that needs to be accepted before update can be deployed and retry the operation.  
24012 License agreement for software update (%Name; - %Id;) is already accepted. Please ensure the software update has license agreement that needs to be accepted before update can be deployed and retry the operation.  
24013 Unable to find the object requested Try refreshinglease ensure the software update has license agreement that needs to be accepted before update can be deployed and retry the operation.  
 
24014 License agreement for software update (%Name; - %Id;) needs to be accepted before update can be added to any baseline. Please ensure the software update license agreement is accepted and retry the operation.  
24015 Host - %VMHostName; is a clustered host. Individual cluster nodes cannot be assigned as a baseline scope. Please use a cluster as baseline assignment scope and retry the operation.  
24016 Host - %VMHostName; is not a Hyper-V host. Only Hyper-V hosts can be added as baseline assignment scope. Please ensure the host is Hyper-V host and retry the operation.  
24017 Cluster - %VMHostName; is not a Hyper-V cluster. Only Hyper-V clusters can be add ed as baseline assignment scope. Please ensure the cluster is Hyper-V cluster and retry the operation.  
24018 Baseline %BaselineName; is not assigned to %TargetType; %TargetName;. Please ensure the baseline is assigned and retry the operation.  
24019 %TargetType; %TargetName; has no baselines assigned. Please ensure at least one baseline is assigned and retry the operation.  
24020 No updates were found for compliance scan or remediation operation for %TargetTyp e; %TargetName;. Please ensure baseline has at least one update added to it and retry the operation.  
24021 Compliance scan of %TargetType; %TargetName; succeeded with warning - %DetailedErrorMessage; Try the operation again.  
24022 To enable Update Server, WSUS 3.0 SP2 console needs to be installed on VMM server. Please install WSUS 3.0 SP2 console on the VMM server and restart VMM service and retry the operation.  
24023 Update category - %Name; is not valid. Ensure update category is valid and retry the operation.  
24024 Update classification - %Name; is not valid. Ensure update classification is valid and retry the operation.  
24025 Language code - %Name; is not valid. Ensure update language code is valid and retry the operation.  
24026 Update Remediation of %TargetType; %TargetName; failed. Detailed error - %DetailedErrorMessage; Try the operation again.  
24027 Update Remediation of %TargetType; %TargetName; timed out. Try the operation again.  
24028 Update remediation of %TargetType; %TargetName; succeeded with warning - %DetailedErrorMessage; Try the operation again.  
24029 Update remediation orchestration for host cluster - %HostClusterName; failed as one or more nodes within the cluster are in the maintenance mode. Please ensure all nodes of the host cluster are out of maintenance m ode or use –BypassMaintenanceModeCheck switch and retry the operation.  
24030 Update remediation orchestration is supported only for Hyper-v clusters. Host cluster - %HostClusterName; is not a Hyper-v cluster.  
24030 Please ensure the host cluster is Hyper-V cluster and retry the operation.  
24031 Proxy server credentials configuration from VMM is supported only for Update Server in SSL mode. Please ensure the Update Server is configured for SSL communication and retry the operation.  
24032 Update Server %ServerName; is not configured to use proxy server. None of the proxy server related settings can be configured in this mode. Please ensure the Update Server is configured to use proxy server and retry the operation.  
24033 The host %VMHostName; does not belong to the cluster %HostClusterName;. Ensure the host belongs to the cluster and then try the operation again.  
24034 Software update %Name; is not added to the baseline %BaselineName;. Ensure the update is added to the baseline and then try the operation again.  
24035 Compliance scan failed with error - %DetailedErrorMessage;. Ensure the WinHTTP proxy settings are correctly configured for the communication with WSUS. If WSUS is configured to use SSL, ensure the WSUS certificate is installed in Trusted Root CA for the machine and then try the operation again.  
24036 Compliance state for software update %Name; as part of the baseline %BaselineName ; for %TargetName; is currently unknown. Adding or removing exemption cannot be completed. Please scan the baseline to determine the compliance state of the update and then try the operation again.  
24037 Softwaris currently unknown. Adding or removing exemption cannot be completed. Ensure the update is not marked exempt and then try the operation again.  
24038 Software update %Name; as part of the baseline %BaselineName; for %TargetName; is not "Exempt". Remove exemption cannot be completed. Ensure the update is marked exempt and then try the operation again.  
24039 VMM has changed setting on WSUS server to store the update binaries locally. Please ensure there is enough disk space to support this setting.  
24040 VMM has changed update language setting on WSUS server to %Name;. N/A  
24041 VMM has changed update binaries download setting on WSUS server to download the binaries when approved. N/A  
24042 Baseline name cannot be an empty string. Please use valid name for baseline and try operation again.  
24043 User %User; (User Role - %UserRoleName;) does not have permission to modify/remove the baseline %BaselineName;. Ensure user has sufficient permissions and then try the operation again.  
24044 Compliance scan or update remediation action cannot be completed on %ComputerName ;. Ensure the specified machine is managed by VMM server and has at least one baseline assigned and then try the operation again.  
24045 Error occurred in downloading End User License Agreement for Update %Name;. Ensure the network connectivity between WSUS and WU/MU and then try the synchronization operation again.  
24046 Update remediation operation cannot be performed on the cluster %HostClusterName; since node %VMHostName; is not in valid state. Ensure all the nodes in the cluster are in valid state and retry the operation again.  
24046 Update remediation operation cannot be performed on the cluster %HostClusterName; since node %VMHostName; is not in valid state. 24047 VMM agent installed on machine %ComputerName; does not support compliance scan or update remediation operations. Ensure the machine has latest VMM agent installed and retry the operation.  
24048 Proxy username for UpdateServer cannot be empty. Ensure the proxy username is valid and retry the operation.  
24049 Credentials cannot be specified when the proxy server access is set to be anonymous. Please do not specify credentials and retry the operation.  
24050 WSUS synchronization with WU/MU failed with error - %DetailedErrorMessage;. Ensure WSUS can reach WU/MU sites and retry the operation.  
24051 License agreement for update %Name; cannot be accepted at this time as the last attempt to download the license agreement has failed. Synchronize the update server and retry the operation.  
24052 VMM can store only %UpdateCount; updates from WSUS in its DB. The total number of updates VMM is trying to import from the latest synchronization and the count of its existing updates in DB exceeds this limit. Ensure the maximum update count is set correctly and retry the operation.  
24053 VMM target group %TargetGroupName; cannot be found on update server %ComputerName ;. Please remove the update server from VMM management and re-add it to VMM management. Please remove the update server from VMM management and re-add it to VMM management. 24053
24054 Error occurred in removing VMM target group %TargetGroupName; on update server %ComputerName;. Please remove the specified target group manually from WSUS console. Please remove the specified target group manually from WSUS console.  
24055 Configuration properties of update server %ComputerName; cannot be changed from V MM as this is a downstream WSUS server. Please ensure the configuration property changes are made for root WSUS server.  
24056 Update server %ComputerName; is configured to prevent any configuration property changes from VMM. Please ensure the specified update server is configured to allow such changes and retry the operation.  
24300 Object import failed. Schema validation failed with error: "%ActualException;" Fix validation error then try operation again  
24301 Virtual machine %VMName; has unsupported virtual system type "%Name;" Fix validation error then try operation again  
24302 Unknown resource type "%Name;" was found. Fix validation error then try operation again  
24303 Duplicate element with %Name; property "%Value;" Fix validation error then try operation again  
24304 Unknown processor type %Name; Fix validation error then try operation again  
24305 Cannot find virtual hard disk "%Name;" (family name:"%FamilyName;", release:"%Release;"). Disk binding (%BusType;, %Bus;, %Lun;) will not be created for virtual machine %VMName;. Fix validation error then try operation again  
24306 Cannot find ISO resource "%Name;" (family name:"%FamilyName;", release:"%Release; "). ISO will be removed from DVD drive with binding (%BusType;, %Bus;, %Lun;) on virtual machine %VMName;.  
Fix validation error then try operation again  
24307 Value "%Value;" of element "%Name;" has invalid format. Fix validation error then try operation again  
24308 Required element "%Name;" is missing. Fix validation error then try operation again  
24309 Value "%Value;" of element "%Name;" is invalid. The value should be between %MinLimit; and %MaxLimit;. Fix validation error then try operation again  
24310 Value "%Value;" of element "%Name;" is invalid. Value length should be between %MinLimit; and %MaxLimit;. Fix validation error then try operation again  
24311 Cannot find virtual floppy disk resource "%Name;" (family name:"%FamilyName;", release:"%Release;"). Virtual floppy disk will be removed from the floppy drive on virtual machine %VMName;. Fix validation error then try operation again  
24312 Logical network "%LogicalNetworkName;" cannot be found. Network adapter "%Name;" will be disconnected on virtual machine %VMName;. Fix validation error then try operation again  
24313 Object import failed. Operation failed with error: "%ActualException;" Fix validation error then try operatip> Fix validation error then try operation again  
24314 Failed to export object "%Name;". Operation failed with error: "%ActualException; " Fix validation error then try operation again  
24315 Failed to write to file "%FileName;". Operation failed with error: "%ActualException;" Fix the error then try operation again  
24316 Required attribute "%Name;" is missing. Fix validation error then try operation again  
24317 Unknown disk format found: "%Name;" Fix validation error then try operation again  
24318 Cannot find custom resource "%Name;" (family name:"%FamilyName;", release:"%Release;"). Custom resource will be removed from script command %Command; on virtual machine %VMName;. Fix validation error then try operation again  
24319 Cannot find custom resource "%Name;" (family name:"%FamilyName;", release:"%Release;"). Custom resource will be removed from script command %Command; in application deployment %ObjectName; on virtual machine %VMName;. Fix validation error then try operation again  
24320 Cannot find application package "%Name;" (family name:"%FamilyName;", release:"%Release;"). Application deployment %ObjectName; will be removed from virtual machine %VMName;. Fix validation error then try operation again  
24321 Cannot find answer file "%Name;" (family name:"%FamilyName;", release:"%Release;" ). Answer file will be removed from virtual machine %VMName;. Fix validation error then try operation again  
24322 Virtual Machine %VMName; refers to virtual hard disks with different virtualization platforms. Fix validation error then try operation again  
24323 Virtual Machine %VMName; refers to virtual hard disks with different virtualization platforms. Custom property %Name; is missing and will be created No action is needed  
24324 Custom property %Name; is missing member type "Service Template". "Service Template" will be added to the member list. No action is needed  
24325 Custom property %Name; is missing member type "Template". "Template" will be added to the member list. No action is needed  
24326 Service Template "%Name;", release "%Release;" already exists. Use -Overwrite option to overwrite existing service template.  
24327 VM Template "%Name;" already exists. Use -Overwrite option to overwrite existing template.  
24328 Cannot export object "%Name;". File "%FileName;" already exists. Use -Overwrite option to overwrite existing file.  
24329 Import operation failed. File "%FileName;" is not a valid template package. Fix the problem, then try operation again,  
24330 Import operation failed. File "%FileName;" is not a valid template package. Package data cannot be decrypted with the password provided. Check the password, then try operation again,  
24331 Password can only be specified for encrypted packages Remove -Password parameter, then try operation again,  
24332 A password must be provided when importing settings in encrypted packages. Provide a -Password parameter, then try operation again,  
24333 Cannot find element %Name;. Fix validation error, then try operation again,  
24334 Cannot decode value "%Value;". Base64 encoding is expected. Fix validation error, then try operation again,  
24335 Invalid encryption algorithm was specified: "%Name;" Fix validation error, then try operation again,  
24336 Run As account "%Name;" cannot be located for application deployment "%ObjectName ;" Run As account reference will be replaced with mandatory service setting.  
24337 Run As account "%Name;" cannot be found. Run As account reference will be removed from script command "%ObjectName;" Fix validation error then try operation again  
24338 Path %SharePath; is not on a library share that is managed by VMM Server. Provide a path on a library share.  
24339 Cannot find VIP template "%Name;". VIP template reference will be removed from computer tier template %TemplateName;. Fix validation error then try operation again  
24340 Local Administrator Run As account "%Name;" cannot be found. Run As account reference will be removed from VM template %TemplateName;" Fix validation error then try operation again Fix validation error then try operation again  
24341 Domain user Run As account "%Name;" cannot be found. Run As account reference will be removed from VM template %TemplateName;" Fix validation error then try operation again  
24342 User with Security Identifier "%SecurityIdentifier;" is not found. Reference to this user will be removed from object %Name;. Fix validation error then try operation again  
24343 Security Identifier "%SecurityIdentifier;" doesn't belong to user "%UserName;". Reference to this user will be removed from object %Name;. Fix validation error then try operation again  
24344 User role %UserRoleName; is not found for user %UserName;. Reference to the user will be removed from object %Name;. Fix validation error then try operation again  
24345 User %UserName; doesn't exist. Reference to the user will be removed from object %Name;. Fix validation error then try operation again  
24346 VIP template "%Name;" is found, but has different properties. Check VIP template properties in the package, create new VIP template if needed.  
24347
24346
VIP template "%Name;" is found, but has different properties. Specified library object cannot be modified or deleted. Make sure that you have necessary permissions to modify or delete th e object.  
24348 Cannot import package %FilePath;. The package is either corrupted or has an incorrect file type. Operation failed with error: "%ActualException;" Fix validation error then try operation again  
24349 Template package %FilePath; is invalid Check the contents of the file then try operation again  
24350 Agent Service Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be replaced with mandatory service setting.  
24351 Deployment Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be removed.  
24352 Reporting Service Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be removed.  
24353 SQL Server Service Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be replaced with mandatory service setting.  
24354 SA Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be removed.  
24355 Cannot find SQL Server Configuration file "%Name;" (family name:"%FamilyName;", release:"%Release;"). Answer file will be removed from SQL Server deployment %ObjectName; on template %TemplateName;. Fix validation error then try operation again  
24356 User role %UserRoleName; is not found. Reference to the user role will be removed from object %Name;. Fix validation error then try operation again  
24356 24357 Run As account "%Name;" cannot be found. Run As account reference will be removed from SQL Server script command in application deployment "%ObjectName;" in Template "%TemplateName;". Fix validation error then try operation again  
24358 Cannot find SQL Server script file "%Name;" release "%Release;". SQL Server script command "%CommandName;" in application deployment "%ObjectName;" in Template "%TemplateName;" will be removed. Fix validation error then try operation again  
24359 Storage classification "%Name;" cannot be found. Storage classification reference will be removed from disk (%BusType;, %Bus;, %Lun;) on virtual machine %VMName;. Fix validation error then try operation again  
24360 Capability Profile "%Name;" release "%Release;" cannot be found. Capability Profile reference will be removed from object "%ObjectName;" Fix validation error then try operation again  
24361 Release parameter cannot be empty. Please ensure release parameter is valid and try the operation again.  
24362 Password parameter is used to encrypt private settings and can only be specified together with SettingsIncludePrivate parameter. Specify SettingsIncludePrivate parameter and try the operation again.  
24363 VMM agent on library spt private settings and can only be specified together with SettingsIncludePrivate parameter. Specify SettingsIncludePrivate parameter and try the operation again.  
Ensure VMM agent on library server is in OK state and try the operation again.  
24364   Run the client (Cmdlet/Admin Console) with elevated administrator privileges.  
24365 Failed to Create BITS job on the client. Restart BITS service and try the operation again.  
24366 The BITS client job failed to succeed for %ResourceName; when attempting %CmdletName; resource with following error: %DetailedErrorMessage; Restart BITS service and try the operation again. Also make sure that the client has permissions on the source and the destination.  
24367 VMM server sent an invalid SSL cert for the HTTPS transfer to Library server. Check the presence of library server certificate on VMM server's Trusted People store.  
24368 Path %FolderPath; must be a valid directory accessible to client. Check the path specified and make sure that client has permissions to access it.  
24370 Resource %ResourceName; is on a library server that requires Encryption. Try the operation with Encryption option as the server only supports this mode  
24371 Resource "%Name;" already exists at %FolderPath;. Use -Overwrite option to overwrite existing resource.  
24372 Connected role %UserRoleName; doesn't have access to %FolderPath;. Contact Administrator to get access to the desired path or use the R /W path to which the role has access to.  
24373 Connected Administrator role did not specify a valid library Path for importing resource. Administrator roles must specify a valid path when importing resources into library.  
24374 Addition of default resources to library share (%SharePath;) failed. DetailedErrorMessage: %DetailedErrorMessage; Fix the problem,ify a valid path when import then try operation again.  
24375 Error occurred in communicating with the VMM agent on machine %ComputerName;. Ensure the agent is in responding state, then try operation again.  
24376 The client imported a resource %ResourceName; that library server agent doesn't recognize. The client should only import known resource types into the VMM library  
24377 User tried to specify both of IncludeAllLibraryResources and IncludeLibraryResources. Only one of these parameters is allowed at a time. Specify either one of IncludeAllLibraryResources or IncludeLibraryResources.  
24378 User tried to specify local file mapping for %ResourceName; package. Specify either one of IncludeAllLibraryResources or IncludeLibraryResources.  
24379 The cmdlet stopped as the pipeline execution was terminated. Try running the cmdlet again.  
24380 SA Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be replaced with mandatory service setting.  
24381 SA Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be replaced with mandatory service setting. The transfer did not succeed. The failure could be due to timeout on the server, client cancelling the job, or client cmdlet failure. Try running the cmdlet again.  
24382 Service Template "%Name;", release "%Release;" cannot be overwritten as it is not accessible under user role %UserRoleName; Use different name/release combination  
24383 Template "%Name;" cannot be overwritten as it is not accessible under user role % UserRoleName; Use different name.  
24384 To change identity properties of the library resources, all the specified resources must belong to the same namespace. Ensure all the specified library resources belong to same namespace and try the operation again.  
24385 Library resource %Name; is not valid for deployment. Ensure the object resides on library share under VMM management and try the operation again.  
24386 For setting identity properties on a group of objects, all objects must be of same object type. Ensure all objects are of same object type and try the operation again.  
24387 Multiple library resources were discovered during import of "%SharePath;" folder. This could be an issue if it occurred during importing a Service Template. Ensure that importing multiple resources was the intent. If this occurred during Service template import, check the Imported template before deploying it.  
24388 Run As account %RunAsAccountName; specified for service setting %Name; cannot be found. Run As account reference will be removed.  
24389 Invalid operation on object %Name; as it does not reside on any of the VMM manage d library servers. Ensure the object is a valid library object and try the operation again.  
24390 Template uses unsupported XSD schema version "%XSDVersion;" Upgrade Virtual Machine Manager and export template again or change template XML to conform to the schema.  
24391 The list of resources being imported is empty. Try specifying a non-empty resource list to be exported.  
24392 Unable to add default resources to library share (%SharePath;) on cluster library server %Name; as VMM agent is not installed on the current active node. Ensure that VMM agent is installed on the current active node of cluster library server and then try the operation again.  
24393 VHDs %Name; cannot be marked equivalent with family name %FamilyName; and release %Release; because they have different VHD formats. Ensure that the VHDs have the same VHD format before marking them as equivalent.  
24394 VHDs %Name; cannot be marked equivalent of VHD %ObjectName; (Family name: %Family Name;, Release: %Release;) because they have different VHD formats. Ensure that the VHDs have the same VHD format before marking them as equivalent.  
24700 The day of the week entered is invalid. Valid values are “Monday”, “Tuesday”, “Wednesday”, “Thursday”, “Friday”, “Saturday”, and “Sunday”. Refer to PowerShell help on this cmdlet for more details.  
24701 The numeric form for the day of the week is invalid. This must be between 1 and 7 representing Monday through Sunday respectively. Refer to PowerShell help on this cmdlet for more details.  
24702 Unable to find the specified servicing window. The servicing window name may be incorrect, or the servicing window may have been renamed or deleted. Verify that the servicing window name is correct and try the operation again.  
24703 A servicing window named %Name; already exists. Provide a unique servicing window name and try the operation again.  
24704 Unable to find the specified servicing window subscription. The subscription, the servicing window or the subscribed object may have been deleted. Verify that the servicing window is correct and try the operation again.  
24705 This object is already associated with this servicing window. Select a different servicing window to associate this object with an d try the operation again.  

 

728x90
728x90

그룹 정책: IE 보안 강화 구성(IE ESC) 사용 안 함

2016년 2월 19일 윈도우 서버+가상화 5,915 조회 수

Internet Explorer Enhanced Security Configuration (ESC)

테스트 환경에서 매번 직접 IE ESC를 끄는 불편함을 해소. 운영 환경에서는 서버에서 웹 브라우징을 하지 않아야 하겠지만.

IE 보안 강화 구성은 기본으로 [사용]으로 되어 있다.

IE 보안 강화 구성에 관하여…

Internet Explorer 보안 강화 구성 사용
사용자 서버에서 현재 Internet Explorer 보안 강화 구성을 사용하고 있습니다. 이 설정은 사용자가 인터넷 및 인트라넷 웹 사이트 검색 방법을 정의하는 다양한 보안 설정을 구성합니다. 또한 보안의 위험성이 있는 웹 사이트에 사용자 서버가 노출되는 것을 줄입니다. 이 구성의 자세한 보안 설정 목록을 보려면 Internet Explorer 보안 강화 구성 효과를 참조하십시오.

이런

이런 경고를 보고 싶지 않다면…

—– 도메인 환경에서 위 기능을 일괄적으로 사용하지 않는 방법 —–

컴퓨터 구성 -> 기본 설정 -> Windows 설정 -> 레지스트리

레지스트리 항목 새로 만들기

For administrators:
Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
For users:
Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
출처: <https://4sysops.com/archives/disable-internet-explorer-enhanced-security-configuration-ie-esc-with-group-policy/>

위 경로를 찾아가 IsInstalled 값을 선택

값 데이터에는 00000000 (Disable)을 입력(00000001 은 Enable)

이렇게 지정됨.(필자는 두 값 모두를 Disable 함)

  • {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} (admin)
  • {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} (user)

정책 업데이트가 끝나면

이렇게 바뀜.

728x90

+ Recent posts