728x90

Update 2021-12-18 – This looks like a much more competent script for detecting this vulnerability and there is a python version for Linux: https://github.com/CERTCC/CVE-2021-44228_scanner

Updated 2021-12-17 – Script is v1.4 and looks for .war files now too

Original post below

Inspired by the one-liner here: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#find-vulnerable-software-windows

gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path

I wrote a script to expand on the command, support Windows Server 2008 onward and to be more automated.

This script is basically the one liner with a bit of logic to get all the local fixed disks on a server and iterate through them all looking for Log4j jar file:

<#
.Synopsis
Checks the local system for Log4Shell Vulnerability [CVE-2021-44228]
.DESCRIPTION
Gets a list of all volumes on the server, loops through searching each disk for Log4j stuff
 
Version History
1.0 - Initial release
1.1 - Changed ErrorAction to "Continue" instead of stopping the script
1.2 - Went back to SilentlyContinue, so much noise
Replace attribute -Include by -Filter (prevent unauthorized access exception stopping scan)
Remove duplicate path with Get-Unique cmdlet
.EXAMPLE
.\check_CVE-2021-44228.ps1
.NOTES
Created by Eric Schewe 2021-12-13
Modified by Cedric BARBOTIN 2021-12-14
#>
 
# Get Windows Version string
$windowsVersion = (Get-WmiObject -class Win32_OperatingSystem).Caption
 
# Server 2008 (R2)
if ($windowsVersion -like "*2008*") {
 
$disks = [System.IO.DriveInfo]::getdrives() | Where-Object {$_.DriveType -eq "Fixed"}
 
}
# Everything else
else {
 
$disks = Get-Volume | Where-Object {$_.DriveType -eq "Fixed"}
 
}
 
# I have no idea why I had to write it this way and why .Count didn't just work
$diskCount = $disks | Measure-Object | Select-Object Count -ExpandProperty Count
 
Write-Host -ForegroundColor Green "$(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Starting the search of $($diskCount) disks"
 
foreach ($disk in $disks) {
 
# gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
 
# Server 2008 (R2)
if ($windowsVersion -like "*2008*") {
 
Write-Host -ForegroundColor Yellow " $(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Checking $($disk.Name): - $($disk.VolumeLabel)"
Get-ChildItem "$($disk.Name)" -Recurse -Force -Include @("*.jar","*.war") -ErrorAction SilentlyContinue | ForEach-Object { Select-String "JndiLookup.class" $_ } | Select-Object -ExpandProperty Path | Get-Unique
 
}
# Everything else
else {
 
Write-Host -ForegroundColor Yellow " $(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Checking $($disk.DriveLetter): - $($disk.VolumeLabel)"
Get-ChildItem "$($disk.DriveLetter):\" -Recurse -Force -Include @("*.jar","*.war") -ErrorAction SilentlyContinue | ForEach-Object { Select-String "JndiLookup.class" $_ } | Select-Object -ExpandProperty Path | Get-Unique
 
}
 
}
 
Write-Host -ForegroundColor Green "$(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Done checking all drives"

Sample output with nothing found:

Sample output with something found:

Good luck everyone.

728x90
728x90

We’ve run into a strange problem with our Windows Server 2019 VMs where sometimes when we clone a new VM from our template it works perfectly fine and sometimes it won’t let you install any new Roles and throws a 0x80073701 error. Better still, sometimes it lets you install a new Role and then months later when you go to add something else it fails also with a 0x80073701.

For the longest time the only solution I was able to find online was nuke it and start over which is typically what we did. That or to manually dig through registry keys for packages installed in Windows with a different language than that of your operating system. I never was able to get that suggestion to work because I couldn’t gain the permissions I needed to delete the registry keys. We also had zero luck running DISM with it’s variety of flags.

At some point a co-worker of mine stumbled across a PowerShell script that solved the problem for us and saved us having to rebuild a few more complicated VMs.

I had to use that script tonight on a VM but this time it didn’t work. I tried to see if I could find a new version but I couldn’t even find the original script. With some fiddling I eventually got the script to work but it dawned on me that lots of people might have having this problem and the script to fix it with out wiping/reloading might not be easily found anymore.

Full Disclosure. I did not write this script, I’ve only used it a few times with success. I searched for the authors name to see if they had a Github repo or something out there and found nothing other than a LinkedIn.

Near as I can tell this script does the following:

  1. Elevates its privileges in a very specific looking way. I did not dig much into it since the rest of the script does not appear to do anything malicious and you should run this “As an administrator” anyway I just went with it
  2. It then asks you for the location of your CBS log file, if none is provided it uses the default location
  3. It then parses the CBS log file for any instances of ERROR_SXS_ASSEMBLY_MISSING and then parses those lines to pull out the specific package names that are causing problems
  4. Using it’s elevated privileges it takes ownership of that packages registry keys and changes the ‘Currentstate’ key to ‘0’ which I assume means not installed or ignored
  5. It does some checks to make sure the ‘Currentstate’ was successfully changed and then completes

Once the script has run you do not need to reboot. You should be able to start adding Roles to the server right away.

I have found that running the script against “C:\Windows\Logs\CBS\CBS.log” does not always solve the problem. Tonight I went into “C:\Windows\Logs\CBS\” and had to run it against the second newest log “CbsPersist_20230310065917.log”. After doing that the issue was resolved for me.

In our case it appears the issue is with KB4598230 which has been pulled from the Microsoft Update Catalogue and can no longer be downloaded. I have seen plenty of form posts involving other KBs causing the exact same error though.

Sorry, that was a lot of reading. Here is what you are after:

 
 
 
 
<#
.SYNOPSIS
 
This script will fix the SXS assmbly missing issue while installing feature
 
.DESCRIPTION
 
The script mark the resolved packages absent which are missing manifest.
 
.PARAMETER
 
Provide CBS file path
 
.OUTPUTS
<Outputs if any, otherwise state None - example: Log file stored in current working directory "AssemblyMissingScript-" + [datetime]::Now.ToString("yyyyMMdd-HHmm-ss") + ".log")>
.NOTES
Version: 1.0
Author: Abhinav Joshi
Creation Date: 14/11/2020
Purpose/Change: Initial script development
 
.EXAMPLE
 
Run the script ERROR_SXS_ASSEMBLY_MISSING.ps1
 
Please enter CBS file path (Default Path: c:\windows\logs\cbs\cbs.log): C:\windows\Logs\cbs\cbs2.log
#>
 
 
function enable-privilege {
param(
## The privilege to adjust. This set is taken from
[ValidateSet(
"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
"SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
"SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
"SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
"SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
"SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
"SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
"SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
$Privilege,
## The process on which to adjust the privilege. Defaults to the current process.
$ProcessId = $pid,
## Switch to disable the privilege, rather than enable it.
[Switch] $Disable
)
 
## Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;
 
public class AdjPriv
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
 
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
 
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
if(disable)
{
tp.Attr = SE_PRIVILEGE_DISABLED;
}
else
{
tp.Attr = SE_PRIVILEGE_ENABLED;
}
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
}
'@
 
$processHandle = (Get-Process -id $ProcessId).Handle
$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
 
$logfile = [System.IO.Path]::Combine($rootDir, "AssemblyMissingScript-" + [datetime]::Now.ToString("yyyyMMdd-HHmm-ss") + ".log")
if (-not (Test-Path "$PWD\logs")) {
New-Item -Path "$PWD\logs" -ItemType Directory -Verbose
}
Start-Transcript -Path "$PWD\logs\$logfile"
 
$cbspathTEMP = Read-Host -Prompt "Please enter CBS file path (Default Path: c:\windows\logs\cbs\cbs.log)"
 
$cbspath = $cbspathTEMP.Replace('"','')
 
write-host ""
 
write-host -ForegroundColor Yellow $cbspath
 
 
if ($cbspath -eq $null -or $cbspath.Length -eq "0"){
 
Write-Host -ForegroundColor Yellow "No path was entered"
 
Write-Host "Setting up default CBS path"
 
$cbspath = "c:\Windows\Logs\CBS\CBS.log"
 
Write-Host -ForegroundColor Cyan $cbspath
}
 
 
$CheckingpackagesResolving = "Resolving Package:"
 
$checkingFailure = Get-Content $CBSpath | Select-String "ERROR_SXS_ASSEMBLY_MISSING"
 
if ($checkingFailure -ne $null -and $CheckWhichFeature -ne 0) {
 
Write-Host "Checking resolving packages"
 
$CBSlines = Get-Content $CBSpath | Select-String $CheckingpackagesResolving
 
$Result = @()
 
if ($CBSlines) {
 
foreach ($CBSline in $CBSlines) {
 
$packageLine = $CBSline | Out-String
 
$package = $packageLine.Split(":").Trim().Split(',').Trim() | Select-String "Package_"
 
$Result += $package
}
 
Write-host "Found following resolving packages"
 
$Results = $Result | Select-Object -Unique
 
foreach ($regpackage in $Results) {
 
$bb = "SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$regpackage"
 
$uname = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
 
enable-privilege SeTakeOwnershipPrivilege
 
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($bb, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::takeownership)
# You must get a blank acl for the key b/c you do not currently have access
$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$me = [System.Security.Principal.NTAccount]$uname
$acl.SetOwner($me)
$key.SetAccessControl($acl)
 
# After you have set owner you need to get the acl with the perms so you can modify it.
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ($uname, "FullControl", "Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
 
$key.Close()
 
Write-Host "Mark this package absent $regpackage"
 
Set-ItemProperty -Path "HKLM:\$bb" -Name Currentstate -Value 0 -Type DWord -Force
}
 
Write-host "Verifying package state"
 
$Verifcationcheckvalue = "1"
 
foreach ($Regpackagecheck in $Results) {
 
$CurrentstateOfpackage = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$Regpackagecheck").CurrentState
 
if ($CurrentstateOfpackage -eq "0") {
 
Write-host -ForegroundColor Green $CurrentstateOfpackage of $Regpackagecheck
 
$Verifcationcheckvalue += "1"
 
 
}
else {
 
Write-host -ForegroundColor red $CurrentstateOfpackage of $Regpackagecheck
 
$Verifcationcheckvalue += "0"
}
}
 
if ($Verifcationcheckvalue -notmatch "0") {
 
write-host "========================================================================="
 
write-host ""
 
Write-host -f white -BackgroundColor green "Verification passed, Retry Enabled"
 
write-host ""
 
write-host "========================================================================="
 
$Global:try = $true
 
}
else {
 
write-host "========================================================================="
 
write-host ""
 
write-host -f white -BackgroundColor Red "Verification Failed, Can't contiune. Collect $logfile and CBS.log"
 
write-host ""
 
write-host "========================================================================="
 
$Global:try = $false
}
 
}
else {
 
Write-Error "Error while finding resolving packages"
}
}
 
else {
 
Write-Host "Looks like $CBSpath is not right CBS File, check manually. "
 
}
 
 
 
stop-Transcript
 
pause

Abhinav Joshi, whoever you are. Thank you very much for this script. It’s saved us a ton of time and headache.

728x90
728x90

Use Ctrl-F to find a specific code.

Some codes have a recommended action using PowerShell as well as the general action.

Links to other error code pages can be found at 
System Center 2012 Portal: Virtual Machine Manager (VMM) Error Codes - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

If you have additional information about an error, please add it to the "Additional Troubleshooting Information" column.

 

 

#000000;padding:0in 5.4pt;background-color:transparent;">

Code Message Recommended Action (in product) Additional Troubleshooting Information
       
24000 Error in connecting to the WSUS server %ServerName;, Port %TCPPort;. Detailed error - %DetailedErrorMessage; Ensure that the server connection information is valid. Then try the operation again.  
24001 Update server operation failed with error - %DetailedErrorMessage; BLANK  
24002 Update server is currently processing another configuration request or is synchronizing updates and cannot process current configuration change request. Try the operation after some time.  
24003 VMM can manage only one Update server instance. %ServerName; is already managed by VMM. BLANK  
24004 Update server %ServerName; is a replica downstream WSUS server. Please specify the root or non-replica downstream WSUS server for integration. Please specify the root or non-replica downstream WSUS server and re try the operation again.  
24005 Update Server %ServerName; has unsupported version of Windows Software Update Server (WSUS). Please specify Update Server with WSUS version 3.0 SP2.  
24006 Baseline with name %BaselineName; already exists. Please make sure the baseline name is unique and retry the operation.  
24007 Update (ID - %Id;) is already added to baseline %BaselineName;, it can be added only once to the given baseline Please make sure the update to be added to the baseline is not already added to the baseline and retry the operation.  
24008 Update (ID - %Id;) cannot be removed from the baseline %BaselineName;, it is not added to the baseline. Please make sure the update to be removed from the baseline is added to the baseline and retry the operation.  
24009 Assignment scope (ID - %Id;, ObjectType - %ObjectType;) is already assigned to baseline %BaselineName;. It can be assigned only once to the given baseline. Please make sure the assignment scope to be assigned to the baseline is not already assigned to the baseline and retry the operation.  
24010 Assignment scope (ID - %Id;, ObjectType - %ObjectType;) cannot be removed from the baseline %BaselineName;. It is not assigned to the baseline. Please make sure the assignment scope to be removed from the baseline is assigned to the baseline and retry the operation.  
24011 Software update (%Name; - %Id;) does not have license agreement. Please ensure the software update has license agreement that needs to be accepted before update can be deployed and retry the operation.  
24012 License agreement for software update (%Name; - %Id;) is already accepted. Please ensure the software update has license agreement that needs to be accepted before update can be deployed and retry the operation.  
24013 Unable to find the object requested Try refreshinglease ensure the software update has license agreement that needs to be accepted before update can be deployed and retry the operation.  
 
24014 License agreement for software update (%Name; - %Id;) needs to be accepted before update can be added to any baseline. Please ensure the software update license agreement is accepted and retry the operation.  
24015 Host - %VMHostName; is a clustered host. Individual cluster nodes cannot be assigned as a baseline scope. Please use a cluster as baseline assignment scope and retry the operation.  
24016 Host - %VMHostName; is not a Hyper-V host. Only Hyper-V hosts can be added as baseline assignment scope. Please ensure the host is Hyper-V host and retry the operation.  
24017 Cluster - %VMHostName; is not a Hyper-V cluster. Only Hyper-V clusters can be add ed as baseline assignment scope. Please ensure the cluster is Hyper-V cluster and retry the operation.  
24018 Baseline %BaselineName; is not assigned to %TargetType; %TargetName;. Please ensure the baseline is assigned and retry the operation.  
24019 %TargetType; %TargetName; has no baselines assigned. Please ensure at least one baseline is assigned and retry the operation.  
24020 No updates were found for compliance scan or remediation operation for %TargetTyp e; %TargetName;. Please ensure baseline has at least one update added to it and retry the operation.  
24021 Compliance scan of %TargetType; %TargetName; succeeded with warning - %DetailedErrorMessage; Try the operation again.  
24022 To enable Update Server, WSUS 3.0 SP2 console needs to be installed on VMM server. Please install WSUS 3.0 SP2 console on the VMM server and restart VMM service and retry the operation.  
24023 Update category - %Name; is not valid. Ensure update category is valid and retry the operation.  
24024 Update classification - %Name; is not valid. Ensure update classification is valid and retry the operation.  
24025 Language code - %Name; is not valid. Ensure update language code is valid and retry the operation.  
24026 Update Remediation of %TargetType; %TargetName; failed. Detailed error - %DetailedErrorMessage; Try the operation again.  
24027 Update Remediation of %TargetType; %TargetName; timed out. Try the operation again.  
24028 Update remediation of %TargetType; %TargetName; succeeded with warning - %DetailedErrorMessage; Try the operation again.  
24029 Update remediation orchestration for host cluster - %HostClusterName; failed as one or more nodes within the cluster are in the maintenance mode. Please ensure all nodes of the host cluster are out of maintenance m ode or use –BypassMaintenanceModeCheck switch and retry the operation.  
24030 Update remediation orchestration is supported only for Hyper-v clusters. Host cluster - %HostClusterName; is not a Hyper-v cluster.  
24030 Please ensure the host cluster is Hyper-V cluster and retry the operation.  
24031 Proxy server credentials configuration from VMM is supported only for Update Server in SSL mode. Please ensure the Update Server is configured for SSL communication and retry the operation.  
24032 Update Server %ServerName; is not configured to use proxy server. None of the proxy server related settings can be configured in this mode. Please ensure the Update Server is configured to use proxy server and retry the operation.  
24033 The host %VMHostName; does not belong to the cluster %HostClusterName;. Ensure the host belongs to the cluster and then try the operation again.  
24034 Software update %Name; is not added to the baseline %BaselineName;. Ensure the update is added to the baseline and then try the operation again.  
24035 Compliance scan failed with error - %DetailedErrorMessage;. Ensure the WinHTTP proxy settings are correctly configured for the communication with WSUS. If WSUS is configured to use SSL, ensure the WSUS certificate is installed in Trusted Root CA for the machine and then try the operation again.  
24036 Compliance state for software update %Name; as part of the baseline %BaselineName ; for %TargetName; is currently unknown. Adding or removing exemption cannot be completed. Please scan the baseline to determine the compliance state of the update and then try the operation again.  
24037 Softwaris currently unknown. Adding or removing exemption cannot be completed. Ensure the update is not marked exempt and then try the operation again.  
24038 Software update %Name; as part of the baseline %BaselineName; for %TargetName; is not "Exempt". Remove exemption cannot be completed. Ensure the update is marked exempt and then try the operation again.  
24039 VMM has changed setting on WSUS server to store the update binaries locally. Please ensure there is enough disk space to support this setting.  
24040 VMM has changed update language setting on WSUS server to %Name;. N/A  
24041 VMM has changed update binaries download setting on WSUS server to download the binaries when approved. N/A  
24042 Baseline name cannot be an empty string. Please use valid name for baseline and try operation again.  
24043 User %User; (User Role - %UserRoleName;) does not have permission to modify/remove the baseline %BaselineName;. Ensure user has sufficient permissions and then try the operation again.  
24044 Compliance scan or update remediation action cannot be completed on %ComputerName ;. Ensure the specified machine is managed by VMM server and has at least one baseline assigned and then try the operation again.  
24045 Error occurred in downloading End User License Agreement for Update %Name;. Ensure the network connectivity between WSUS and WU/MU and then try the synchronization operation again.  
24046 Update remediation operation cannot be performed on the cluster %HostClusterName; since node %VMHostName; is not in valid state. Ensure all the nodes in the cluster are in valid state and retry the operation again.  
24046 Update remediation operation cannot be performed on the cluster %HostClusterName; since node %VMHostName; is not in valid state. 24047 VMM agent installed on machine %ComputerName; does not support compliance scan or update remediation operations. Ensure the machine has latest VMM agent installed and retry the operation.  
24048 Proxy username for UpdateServer cannot be empty. Ensure the proxy username is valid and retry the operation.  
24049 Credentials cannot be specified when the proxy server access is set to be anonymous. Please do not specify credentials and retry the operation.  
24050 WSUS synchronization with WU/MU failed with error - %DetailedErrorMessage;. Ensure WSUS can reach WU/MU sites and retry the operation.  
24051 License agreement for update %Name; cannot be accepted at this time as the last attempt to download the license agreement has failed. Synchronize the update server and retry the operation.  
24052 VMM can store only %UpdateCount; updates from WSUS in its DB. The total number of updates VMM is trying to import from the latest synchronization and the count of its existing updates in DB exceeds this limit. Ensure the maximum update count is set correctly and retry the operation.  
24053 VMM target group %TargetGroupName; cannot be found on update server %ComputerName ;. Please remove the update server from VMM management and re-add it to VMM management. Please remove the update server from VMM management and re-add it to VMM management. 24053
24054 Error occurred in removing VMM target group %TargetGroupName; on update server %ComputerName;. Please remove the specified target group manually from WSUS console. Please remove the specified target group manually from WSUS console.  
24055 Configuration properties of update server %ComputerName; cannot be changed from V MM as this is a downstream WSUS server. Please ensure the configuration property changes are made for root WSUS server.  
24056 Update server %ComputerName; is configured to prevent any configuration property changes from VMM. Please ensure the specified update server is configured to allow such changes and retry the operation.  
24300 Object import failed. Schema validation failed with error: "%ActualException;" Fix validation error then try operation again  
24301 Virtual machine %VMName; has unsupported virtual system type "%Name;" Fix validation error then try operation again  
24302 Unknown resource type "%Name;" was found. Fix validation error then try operation again  
24303 Duplicate element with %Name; property "%Value;" Fix validation error then try operation again  
24304 Unknown processor type %Name; Fix validation error then try operation again  
24305 Cannot find virtual hard disk "%Name;" (family name:"%FamilyName;", release:"%Release;"). Disk binding (%BusType;, %Bus;, %Lun;) will not be created for virtual machine %VMName;. Fix validation error then try operation again  
24306 Cannot find ISO resource "%Name;" (family name:"%FamilyName;", release:"%Release; "). ISO will be removed from DVD drive with binding (%BusType;, %Bus;, %Lun;) on virtual machine %VMName;.  
Fix validation error then try operation again  
24307 Value "%Value;" of element "%Name;" has invalid format. Fix validation error then try operation again  
24308 Required element "%Name;" is missing. Fix validation error then try operation again  
24309 Value "%Value;" of element "%Name;" is invalid. The value should be between %MinLimit; and %MaxLimit;. Fix validation error then try operation again  
24310 Value "%Value;" of element "%Name;" is invalid. Value length should be between %MinLimit; and %MaxLimit;. Fix validation error then try operation again  
24311 Cannot find virtual floppy disk resource "%Name;" (family name:"%FamilyName;", release:"%Release;"). Virtual floppy disk will be removed from the floppy drive on virtual machine %VMName;. Fix validation error then try operation again  
24312 Logical network "%LogicalNetworkName;" cannot be found. Network adapter "%Name;" will be disconnected on virtual machine %VMName;. Fix validation error then try operation again  
24313 Object import failed. Operation failed with error: "%ActualException;" Fix validation error then try operatip> Fix validation error then try operation again  
24314 Failed to export object "%Name;". Operation failed with error: "%ActualException; " Fix validation error then try operation again  
24315 Failed to write to file "%FileName;". Operation failed with error: "%ActualException;" Fix the error then try operation again  
24316 Required attribute "%Name;" is missing. Fix validation error then try operation again  
24317 Unknown disk format found: "%Name;" Fix validation error then try operation again  
24318 Cannot find custom resource "%Name;" (family name:"%FamilyName;", release:"%Release;"). Custom resource will be removed from script command %Command; on virtual machine %VMName;. Fix validation error then try operation again  
24319 Cannot find custom resource "%Name;" (family name:"%FamilyName;", release:"%Release;"). Custom resource will be removed from script command %Command; in application deployment %ObjectName; on virtual machine %VMName;. Fix validation error then try operation again  
24320 Cannot find application package "%Name;" (family name:"%FamilyName;", release:"%Release;"). Application deployment %ObjectName; will be removed from virtual machine %VMName;. Fix validation error then try operation again  
24321 Cannot find answer file "%Name;" (family name:"%FamilyName;", release:"%Release;" ). Answer file will be removed from virtual machine %VMName;. Fix validation error then try operation again  
24322 Virtual Machine %VMName; refers to virtual hard disks with different virtualization platforms. Fix validation error then try operation again  
24323 Virtual Machine %VMName; refers to virtual hard disks with different virtualization platforms. Custom property %Name; is missing and will be created No action is needed  
24324 Custom property %Name; is missing member type "Service Template". "Service Template" will be added to the member list. No action is needed  
24325 Custom property %Name; is missing member type "Template". "Template" will be added to the member list. No action is needed  
24326 Service Template "%Name;", release "%Release;" already exists. Use -Overwrite option to overwrite existing service template.  
24327 VM Template "%Name;" already exists. Use -Overwrite option to overwrite existing template.  
24328 Cannot export object "%Name;". File "%FileName;" already exists. Use -Overwrite option to overwrite existing file.  
24329 Import operation failed. File "%FileName;" is not a valid template package. Fix the problem, then try operation again,  
24330 Import operation failed. File "%FileName;" is not a valid template package. Package data cannot be decrypted with the password provided. Check the password, then try operation again,  
24331 Password can only be specified for encrypted packages Remove -Password parameter, then try operation again,  
24332 A password must be provided when importing settings in encrypted packages. Provide a -Password parameter, then try operation again,  
24333 Cannot find element %Name;. Fix validation error, then try operation again,  
24334 Cannot decode value "%Value;". Base64 encoding is expected. Fix validation error, then try operation again,  
24335 Invalid encryption algorithm was specified: "%Name;" Fix validation error, then try operation again,  
24336 Run As account "%Name;" cannot be located for application deployment "%ObjectName ;" Run As account reference will be replaced with mandatory service setting.  
24337 Run As account "%Name;" cannot be found. Run As account reference will be removed from script command "%ObjectName;" Fix validation error then try operation again  
24338 Path %SharePath; is not on a library share that is managed by VMM Server. Provide a path on a library share.  
24339 Cannot find VIP template "%Name;". VIP template reference will be removed from computer tier template %TemplateName;. Fix validation error then try operation again  
24340 Local Administrator Run As account "%Name;" cannot be found. Run As account reference will be removed from VM template %TemplateName;" Fix validation error then try operation again Fix validation error then try operation again  
24341 Domain user Run As account "%Name;" cannot be found. Run As account reference will be removed from VM template %TemplateName;" Fix validation error then try operation again  
24342 User with Security Identifier "%SecurityIdentifier;" is not found. Reference to this user will be removed from object %Name;. Fix validation error then try operation again  
24343 Security Identifier "%SecurityIdentifier;" doesn't belong to user "%UserName;". Reference to this user will be removed from object %Name;. Fix validation error then try operation again  
24344 User role %UserRoleName; is not found for user %UserName;. Reference to the user will be removed from object %Name;. Fix validation error then try operation again  
24345 User %UserName; doesn't exist. Reference to the user will be removed from object %Name;. Fix validation error then try operation again  
24346 VIP template "%Name;" is found, but has different properties. Check VIP template properties in the package, create new VIP template if needed.  
24347
24346
VIP template "%Name;" is found, but has different properties. Specified library object cannot be modified or deleted. Make sure that you have necessary permissions to modify or delete th e object.  
24348 Cannot import package %FilePath;. The package is either corrupted or has an incorrect file type. Operation failed with error: "%ActualException;" Fix validation error then try operation again  
24349 Template package %FilePath; is invalid Check the contents of the file then try operation again  
24350 Agent Service Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be replaced with mandatory service setting.  
24351 Deployment Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be removed.  
24352 Reporting Service Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be removed.  
24353 SQL Server Service Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be replaced with mandatory service setting.  
24354 SA Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be removed.  
24355 Cannot find SQL Server Configuration file "%Name;" (family name:"%FamilyName;", release:"%Release;"). Answer file will be removed from SQL Server deployment %ObjectName; on template %TemplateName;. Fix validation error then try operation again  
24356 User role %UserRoleName; is not found. Reference to the user role will be removed from object %Name;. Fix validation error then try operation again  
24356 24357 Run As account "%Name;" cannot be found. Run As account reference will be removed from SQL Server script command in application deployment "%ObjectName;" in Template "%TemplateName;". Fix validation error then try operation again  
24358 Cannot find SQL Server script file "%Name;" release "%Release;". SQL Server script command "%CommandName;" in application deployment "%ObjectName;" in Template "%TemplateName;" will be removed. Fix validation error then try operation again  
24359 Storage classification "%Name;" cannot be found. Storage classification reference will be removed from disk (%BusType;, %Bus;, %Lun;) on virtual machine %VMName;. Fix validation error then try operation again  
24360 Capability Profile "%Name;" release "%Release;" cannot be found. Capability Profile reference will be removed from object "%ObjectName;" Fix validation error then try operation again  
24361 Release parameter cannot be empty. Please ensure release parameter is valid and try the operation again.  
24362 Password parameter is used to encrypt private settings and can only be specified together with SettingsIncludePrivate parameter. Specify SettingsIncludePrivate parameter and try the operation again.  
24363 VMM agent on library spt private settings and can only be specified together with SettingsIncludePrivate parameter. Specify SettingsIncludePrivate parameter and try the operation again.  
Ensure VMM agent on library server is in OK state and try the operation again.  
24364   Run the client (Cmdlet/Admin Console) with elevated administrator privileges.  
24365 Failed to Create BITS job on the client. Restart BITS service and try the operation again.  
24366 The BITS client job failed to succeed for %ResourceName; when attempting %CmdletName; resource with following error: %DetailedErrorMessage; Restart BITS service and try the operation again. Also make sure that the client has permissions on the source and the destination.  
24367 VMM server sent an invalid SSL cert for the HTTPS transfer to Library server. Check the presence of library server certificate on VMM server's Trusted People store.  
24368 Path %FolderPath; must be a valid directory accessible to client. Check the path specified and make sure that client has permissions to access it.  
24370 Resource %ResourceName; is on a library server that requires Encryption. Try the operation with Encryption option as the server only supports this mode  
24371 Resource "%Name;" already exists at %FolderPath;. Use -Overwrite option to overwrite existing resource.  
24372 Connected role %UserRoleName; doesn't have access to %FolderPath;. Contact Administrator to get access to the desired path or use the R /W path to which the role has access to.  
24373 Connected Administrator role did not specify a valid library Path for importing resource. Administrator roles must specify a valid path when importing resources into library.  
24374 Addition of default resources to library share (%SharePath;) failed. DetailedErrorMessage: %DetailedErrorMessage; Fix the problem,ify a valid path when import then try operation again.  
24375 Error occurred in communicating with the VMM agent on machine %ComputerName;. Ensure the agent is in responding state, then try operation again.  
24376 The client imported a resource %ResourceName; that library server agent doesn't recognize. The client should only import known resource types into the VMM library  
24377 User tried to specify both of IncludeAllLibraryResources and IncludeLibraryResources. Only one of these parameters is allowed at a time. Specify either one of IncludeAllLibraryResources or IncludeLibraryResources.  
24378 User tried to specify local file mapping for %ResourceName; package. Specify either one of IncludeAllLibraryResources or IncludeLibraryResources.  
24379 The cmdlet stopped as the pipeline execution was terminated. Try running the cmdlet again.  
24380 SA Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be replaced with mandatory service setting.  
24381 SA Run As account %RunAsAccountName; cannot be located for SQL Server deployment %Name; on template %TemplateName; Run As account reference will be replaced with mandatory service setting. The transfer did not succeed. The failure could be due to timeout on the server, client cancelling the job, or client cmdlet failure. Try running the cmdlet again.  
24382 Service Template "%Name;", release "%Release;" cannot be overwritten as it is not accessible under user role %UserRoleName; Use different name/release combination  
24383 Template "%Name;" cannot be overwritten as it is not accessible under user role % UserRoleName; Use different name.  
24384 To change identity properties of the library resources, all the specified resources must belong to the same namespace. Ensure all the specified library resources belong to same namespace and try the operation again.  
24385 Library resource %Name; is not valid for deployment. Ensure the object resides on library share under VMM management and try the operation again.  
24386 For setting identity properties on a group of objects, all objects must be of same object type. Ensure all objects are of same object type and try the operation again.  
24387 Multiple library resources were discovered during import of "%SharePath;" folder. This could be an issue if it occurred during importing a Service Template. Ensure that importing multiple resources was the intent. If this occurred during Service template import, check the Imported template before deploying it.  
24388 Run As account %RunAsAccountName; specified for service setting %Name; cannot be found. Run As account reference will be removed.  
24389 Invalid operation on object %Name; as it does not reside on any of the VMM manage d library servers. Ensure the object is a valid library object and try the operation again.  
24390 Template uses unsupported XSD schema version "%XSDVersion;" Upgrade Virtual Machine Manager and export template again or change template XML to conform to the schema.  
24391 The list of resources being imported is empty. Try specifying a non-empty resource list to be exported.  
24392 Unable to add default resources to library share (%SharePath;) on cluster library server %Name; as VMM agent is not installed on the current active node. Ensure that VMM agent is installed on the current active node of cluster library server and then try the operation again.  
24393 VHDs %Name; cannot be marked equivalent with family name %FamilyName; and release %Release; because they have different VHD formats. Ensure that the VHDs have the same VHD format before marking them as equivalent.  
24394 VHDs %Name; cannot be marked equivalent of VHD %ObjectName; (Family name: %Family Name;, Release: %Release;) because they have different VHD formats. Ensure that the VHDs have the same VHD format before marking them as equivalent.  
24700 The day of the week entered is invalid. Valid values are “Monday”, “Tuesday”, “Wednesday”, “Thursday”, “Friday”, “Saturday”, and “Sunday”. Refer to PowerShell help on this cmdlet for more details.  
24701 The numeric form for the day of the week is invalid. This must be between 1 and 7 representing Monday through Sunday respectively. Refer to PowerShell help on this cmdlet for more details.  
24702 Unable to find the specified servicing window. The servicing window name may be incorrect, or the servicing window may have been renamed or deleted. Verify that the servicing window name is correct and try the operation again.  
24703 A servicing window named %Name; already exists. Provide a unique servicing window name and try the operation again.  
24704 Unable to find the specified servicing window subscription. The subscription, the servicing window or the subscribed object may have been deleted. Verify that the servicing window is correct and try the operation again.  
24705 This object is already associated with this servicing window. Select a different servicing window to associate this object with an d try the operation again.  

 

728x90
728x90

그룹 정책: IE 보안 강화 구성(IE ESC) 사용 안 함

2016년 2월 19일 윈도우 서버+가상화 5,915 조회 수

Internet Explorer Enhanced Security Configuration (ESC)

테스트 환경에서 매번 직접 IE ESC를 끄는 불편함을 해소. 운영 환경에서는 서버에서 웹 브라우징을 하지 않아야 하겠지만.

IE 보안 강화 구성은 기본으로 [사용]으로 되어 있다.

IE 보안 강화 구성에 관하여…

Internet Explorer 보안 강화 구성 사용
사용자 서버에서 현재 Internet Explorer 보안 강화 구성을 사용하고 있습니다. 이 설정은 사용자가 인터넷 및 인트라넷 웹 사이트 검색 방법을 정의하는 다양한 보안 설정을 구성합니다. 또한 보안의 위험성이 있는 웹 사이트에 사용자 서버가 노출되는 것을 줄입니다. 이 구성의 자세한 보안 설정 목록을 보려면 Internet Explorer 보안 강화 구성 효과를 참조하십시오.

이런

이런 경고를 보고 싶지 않다면…

—– 도메인 환경에서 위 기능을 일괄적으로 사용하지 않는 방법 —–

컴퓨터 구성 -> 기본 설정 -> Windows 설정 -> 레지스트리

레지스트리 항목 새로 만들기

For administrators:
Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
For users:
Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
출처: <https://4sysops.com/archives/disable-internet-explorer-enhanced-security-configuration-ie-esc-with-group-policy/>

위 경로를 찾아가 IsInstalled 값을 선택

값 데이터에는 00000000 (Disable)을 입력(00000001 은 Enable)

이렇게 지정됨.(필자는 두 값 모두를 Disable 함)

  • {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} (admin)
  • {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} (user)

정책 업데이트가 끝나면

이렇게 바뀜.

728x90
728x90

System Administrator command line shortcuts to popular Microsoft Management Consoles (MMCs).

Admin Snap-inCommandCategory

Quality of Service Control Management ACSsnap.msc Network
ADSI Edit ADSIedit.msc AD Configuration
Authorization manager AZman.msc Security
Certificates Management - Local machine Certlm.msc Security
Certificates Management - Current user Certmgr.msc Security
Certification Authority Management Certsrv.msc Security
Certificate Templates Certtmpl.msc Security
Failover cluster Manager Cluadmin.exe Disc, File
Component Services Comexp.msc  
Computer Management Compmgmt.msc  
Device Manager Devmgmt.msc Hardware
Notifications/Start menu/policy DevModeRunAsUserConfig.msc  
Disk Defragmenter Defrag.exe (formerly Dfrg.msc) Disc, File
Distributed File Service Mgmt DFSmgmt.msc Disc, File
Disk Manager DiskMgmt.msc Disc, File
DNS Manager DNSmgmt.msc Network
AD Domains and Trusts Domain.msc AD Configuration
AD Users and Computers DSA.msc Security
AD Sites and Services DSsite.msc AD Configuration
Embedded Lockdown Manager EmbeddedLockdown.msc Security
Event Viewer Eventvwr.msc  
Shared Folders open files FSmgmt.msc Disc, File
File Server Resource manager FSRM.msc Disc, File
Local Group Policy Editor GPedit.msc Policy
Group Policy Management GPmc.msc Policy
Group Policy Management Editor GPme.msc Policy
Group Policy Starter GPO Editor GPTedit.msc Policy
Local Users and Groups Manager LUsrMgr.msc Security
Teminal Services RDP MSTSC Remote Access
Teminal Services RDP to Console MSTSC /v:[server] /console Remote Access
NAP client configuration NapCLCfg Network
Performance Monitor PerfMon.msc  
Print Management PrintManagement.msc Print
Resultant Set of Policy RSOP.msc Policy
Local Security Settings Manager SecPol.msc Policy
Server Roles, Features ServerManager.msc  
Services Management Services.msc  
SQL Server configuration Manager SQLServerManager11.msc  
Storage Mgmt StorageMgmt.msc Disc, File
Telephony Management TAPImgmt.msc Phone/Modem
Task Scheduler TaskSchd.msc  
Trusted Platform Module TPM.msc Security
Terminal Server Manager TSadmin.exe Remote Access
Remote Desktop TSmmc.msc Remote Access
Windows Mangement Instrumentation WmiMgmt.msc  
Windows Server Backup (Local+Remote) WBadmin.msc Disc, File
Windows Local Backup WLBadmin.msc Disc, File
Windows Firewall WF.msc Remote Access

The commands above can be entered from START ➞ Run, or from the command line.
Availability will vary by OS and by the features installed.

“I don’t do anything in order to cause trouble. It just so happens that what I do naturally causes trouble.
 I'm proud to be a troublemaker” ~ Sinead O'Connor

Related commands

How-to: ms-settings - Shortcuts to settings.
How-to: Run Commands
How-to: Keyboard shortcuts For CMD, PowerShell and Windows.

728x90
728x90

사용자 지정 Active Directory 특성 만들기

 
기존 특성을 사용할 수 없는 사용자 지정 Active Directory 특성을 만드는 방법에 대해 설명합니다. 예를 들어 사용자의 "메디케어 카드 번호"를 보유할 속성을 만듭니다.
 
사용자 지정 특성을 추가하려면 스키마 관리자 및 엔터프라이즈 관리자 그룹의 구성원이어야 하는 AD 스키마의 수정이 포함됩니다. 기본적으로 관리자 계정은 스키마 관리자 그룹의 구성원입니다.
또는 스키마를 확장하는 대신 스키마를 확장하지 않고 사용자 지정 데이터를 저장하는 데 사용할 수 있는 ExtensionAttribute1부터 ExtensionAttribute15까지의 기존 특성이 있습니다.

사용자 속성의 속성 편집기 탭을 통해 사용자 개체 속성을 볼 수 있습니다.


스키마에 속성을 추가하기 전에 기본적으로 Active Directory 스키마는 관리 콘솔에서 사용할 수 없으므로 스키마 스냅인을 등록해야합니다.
  • 시작 > 실행 >mmc로 이동합니다.
  • 파일 열기 > 스냅인 추가/제거를 엽니다.
 
  • "활성 디렉토리 스키마"가 없음을 알 수 있습니다.
  • 스키마 스냅인을 등록하려면 실행 텍스트 상자에 RegSvr32 SchmMgmt.dll를 입력하고 확인을 누릅니다.
  • SchmMgmt.dll 등록에 성공하면 Windows에 정보 메시지 상자가 표시됩니다.
  • 스키마 스냅인을 엽니다. 시작 > 실행 > mmc.exe > 파일 >스냅인 추가/제거 >Active Directory 스키마 > 추가
  • Active Directory 스키마를 확장하고 특성을 마우스 오른쪽 단추로 클릭한 다음 "특성 만들기.."를 클릭합니다.


  • 계속을 클릭하면 스키마 개체 생성 경고 메시지가 표시됩니다.

다음 단계를 진행하려면 고유 X500 개체 ID 필드에 대한 OID(개체 식별자)를 생성해야 합니다.
PowerShell 또는 VBScript를 사용하여 OID를 생성할 수 있습니다.

PowerShell을 사용하여 OID 생성(Microsoft Link):

Windows PowerShell > Windows PowerShell
> 모든 프로그램 > 액세서리 >시작 시작으로 이동하여 PowerShell 창에 다음 문을 복사하여 붙여넣습니다.


#---
$Prefix="1.2.840.113556.1.8000.2554"
$GUID=[System.Guid]::NewGuid(). ToString() $Parts=@()

$Parts+=[UInt64]::P arse($guid. SubString(0,4),"AllowHexSpecifier")
$Parts+=[UInt64]::P arse($guid. SubString(4,4),"AllowHexSpecifier")
$Parts+=[UInt64]::P arse($guid. SubString(9,4),"AllowHexSpecifier")
$Parts+=[UInt64]::P arse($guid. SubString(14,4),"AllowHexSpecifier")
$Parts+=[UInt64]::P arse($guid. SubString(19,4),"AllowHexSpecifier")
$Parts+=[UInt64]::P arse($guid. SubString(24,6),"AllowHexSpecifier")
$Parts+=[UInt64]::P arse($guid. SubString(30,6),"AllowHexSpecifier")
$OID=[String]::Format("{0}.{ 1}. {2}. {3}. {4}. {5}. {6}. {7}",$prefix,$Parts[0],$Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
$oid
#---
OID 문자열(점으로 구분된 숫자 문자열)을 복사하여 고유한 X500 개체 ID 필드에 붙여넣습니다.

VBScript (마이크로 소프트 링크)를 사용하여 OID 생성 :
웹 브라우저에서 다음 링크를 열고 VB 스크립트 코드를 복사하여 메모장에 붙여 넣습니다.
 


http://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06
C: 드라이브에

"OIDGen.vbs"(큰따옴표로 묶음, 그렇지 않으면 접미사 .txt .vbs 뒤에 접미사) 이름으로 메모장 파일 저장 명령 프롬프트를 열고이 스크립트를 실행하십시오. 시작 > cmd.exe >> CScript.exe C:\OIDGen.vbs
OID 문자열(점으로 구분된 숫자 문자열)을 복사하여 고유한 X500 개체 ID 필드에 붙여넣습니다.

  • 새 속성 만들기 대화 상자에 일반 이름(이 경우 메디케어 번호)을 입력합니다.
  • LDAP 표시 이름 필드는 일반 이름(공백 없음)에서 자동으로 채워집니다.
  • 이전 단계에서 생성한 OID 문자열을 고유 X500 개체 ID 필드에 붙여넣습니다.
  • 텍스트 상자에 설명을 씁니다.
  • 드롭다운 목록에서 적절한 구문을 선택하여 속성 유형(이 경우 Medicare 번호는 숫자 값)을 선택합니다. 이것은 다른 유형일 수 있으며 각 특성의 사용법에 따라 다릅니다)
  • 확인을 클릭합니다.

사용자 지정 속성 medicareNumber가 생성됩니다.

  • 이제 이 새 특성을 User 클래스에 추가/연결합니다. 클래스 리프로 이동하여 사용자 클래스를 선택합니다.
  • 사용자를 마우스 오른쪽 버튼으로 클릭하고 속성을 클릭합니다.
  • 속성 탭으로 이동합니다. 추가를 클릭합니다.
  • 메디케어넘버 속성을 찾아 확인을 클릭한 후 다시 확인을 클릭합니다.
  • 특성이 User와 연결되었는지 확인하려면 User, 속성을 마우스 오른쪽 단추로 클릭하고 속성 탭으로 이동합니다. medicareNumber 속성은 선택적 속성 목록에 있어야 합니다.
이것으로 사용자 지정 특성 만들기가 완료됩니다.

사용자 및 컴퓨터 스냅인을 열고 사용자 지정 특성에 대한 사용자 속성을 확인합니다.


이 속성의 값은 편집 버튼을 클릭하고 적절한 값을 입력하여 설정할 수 있습니다.


메디케어 카드 번호가 설정된 모든 사용자를 보려면 다음 명령줄 문을 실행할 수 있습니다.

DSQuery * -Filter (medicareNumber=*) -Attr Name, medicareNumber

끝.

728x90
728x90

So you’ve got some DNS Zones on your Domain Controllers and you’re building a test lab or another domain that you want to copy these to. Easy right – not so easy if they are AD integrated zones. This means the files for these zones are not stored in C:\Windows\System32\dns an normal, they are actually stored and replicated to all DCs inside AD.

I had a requirement to move an integrated forward lookup zone from one domain to another so I’m sharing what I did below.

Logon to your DC with the integrated zone and fireup our friend Powershell.

Get-DNSServerZone

You’ll see your zones listed out.

You’ll see here which zones are integrated and which are not.

The ZoneName column is key for the next bit, make a note of the ZoneName you want to export.

Export-DNSServerZone -Name <ZoneName from the above> -Filename <Yourzone.dns>

There’s no confirmation for this command, but this will export the zone to a file that can be resuable.

Open up C:\Windows\System32\dns in explorer.

 

You’ll see here you DNS zone file. Take a copy of this and place it somewhere.

Log in to your new DNS server where the zone will be imported.

Open up C:\Windows\System32\dns in explorer and copy the file you just exported into this folder.

Now open the DNZ Management Console.

Right click “Forward Lookup Zones” and select “New Zone”, Select “Next” to get started.

Select the zone type and remember to untick the “Store the zone in Active Directory” option.

I know, I know, we want it to be in AD; don’t worry. It will still be once we are done.

Select “Next”.

Populate the Zone Name and select “Next”.

Select “Use the existing file” and enter the name of the file you copied into “C:\Windows\System32\dns”, select “Next”.

Select “Next” on the dynamic update options. Note: The secure option will be available once we convert this zone to an AD integrated zone.

The zone should now appear fully populated in the DNS console. Now time to convert this zone back to an AD integrated zone.

Right click the zone and select “Properties”.

Select “Change” on the right of “Type”.

You might recognise this screen, Select “Store the zone in Active Directory” and click “OK”. Confirm you want to move the zone to AD.

You now have the option to change the dynamic updates to this zone, select as per your preference.

This wraps up the zone import, the whole process could be easily scripted with Powershell. Happy to take a crack at it if anyone is interested.

728x90
728x90

DNS 또는 도메인 이름 서버 레코드가 변경 될 때마다 DNS 전파가 시작됩니다.이 작업은 완료하는 데 몇 시간 또는 며칠이 걸릴 수 있으며이 시간 동안 DNS IP가 변동합니다. 방문자가 새 웹 사이트 또는 이전 웹 사이트로 끝날 수 있습니다..

네가 원한다면 DNS 전파 중 DNS 레코드의 현재 상태 확인, 우리는 당신이 이것을 할 수있는 7 가지 유용한 온라인 도구 목록을 가지고 있습니다. 이 도구는 사용하기가 쉽고 사용하기 쉽습니다. 내가 유용하다고 생각하길 바래..

1. 앱 종합 모니터

이 도구에는 네 가지 기능이 있습니다. 90 개 위치. 웹 사이트의 상태를 확인하고 DNS를 분석하고 IP의 traceroute를 확인할 수도 있습니다.

2. DNS 검사기

에서 DNS 전파 검사 실행 22 개 위치 세계적인. 이 도구가 지원하는 레코드 유형에는 다음이 포함됩니다. A, AAAA, CNAME, MX, NS, PTR, SOA  TXT.

삼. ceipam.eu DNS 조회

다음을 확인하는 또 다른 도구가 있습니다. 17 개 위치. 지원되는 레코드 유형은 다음과 같습니다. A, MX, NS, SPF, TXT. 이 사이트는 기타 무료 이메일 및 웹 사이트 도구뿐만 아니라 테스트 서비스를 제공합니다.

4. ViewDNS.info

ViewDNS.info는 DNS 전파를 확인합니다. 20 개 위치. 또한 IP 위치 찾기, IP traceroute, MAC 주소 조회 등의 다양한 유용한 도구를 제공합니다..

5. Nexcess

다음은 DNS 검사를 수행하는 방법입니다. 22 개 위치 다음 레코드 유형을 확인할 수 있습니다. A, AAAA, CNAME, NS, MX, TXT, SOA.

6. WhatsMyDNS.net

에서 DNS 전파 확인 21 개소. 지원되는 레코드 유형은 다음과 같습니다. A, AAAA, CNAME, MX, NS, PTR, SOA, TXT.

7. Site24x7

이 도구는 DNS 전파 검사를 지원합니다. 50 개 위치, 사용자가 위치 확인을 사용자 정의하고 DNS 확인 시간, 연결 시간, 첫 번째 및 마지막 바이트 등의 세부 정보를 제공합니다..

 
 
 
 
 
728x90

 

728x90
728x90

Create A Send Connector

The fresh exchange server installation will not have a connector send email to an internet email address. We need to create one to do so. Here are the how-to steps to create a send connector using the Exchange admin center. Login to Exchange Admin Center and goto MailflowàSend Connector. Click Add or + sign on top of the icons.

 

The New Send Connector wizard will open. Type a descriptive name and select Internet as type.

 

As we are going to send emails to internet users straight from the exchange server, we are going to select an MX record associated with the recipient domain and click Next.

 

Add address space, click + sign on the address space commands.

 

Type * in the FQDN column and click save.

 

Once the address space has been saved, click next.

 

On the Source Server, click + sign to add the only server we just installed.

 

Add the Exchange Server and click OK

 

We have completed Creating Send connector, click Finish to close the wizard.

 

Configure Virtual Directories

Exchange Server 2019 Installation and Configuration

We are going to configure virtual directories such as OWA, ActiveSync, and so on with the internal and external URLs using Exchange Management Shel. You can navigate to StartàMicrosoft Exchange Server from the Menu and right-click the Exchange Management shell and choose to run as Administrator to open elevated Shell to configure Virtual Directories.

 

The following script will set the virtual directories of each feature. We need to specify the Server_Name and FQDN variables relevant to our Exchange Server name and external domain name.

 $Server_name = "ex"
 $FQDN = "mail.mrigotechno.club"
 Get-OWAVirtualDirectory -Server $Server_name | Set-OWAVirtualDirectory -InternalURL "https://$($FQDN)/owa" -ExternalURL "https://$($FQDN)/owa"
 Get-ECPVirtualDirectory -Server $Server_name | Set-ECPVirtualDirectory -InternalURL "https://$($FQDN)/ecp" -ExternalURL   "https://$($FQDN)/ecp"
 Get-OABVirtualDirectory -Server $Server_name | Set-OABVirtualDirectory -InternalURL "https://$($FQDN)/oab" -ExternalURL   "https://$($FQDN)/oab"
 Get-ActiveSyncVirtualDirectory -Server $Server_name | Set-ActiveSyncVirtualDirectory -InternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync" -ExternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync"
 Get-WebServicesVirtualDirectory -Server $Server_name | Set-WebServicesVirtualDirectory -InternalURL "https://$($FQDN)/EWS/Exchange.asmx" -ExternalURL "https://$($FQDN)/EWS/Exchange.asmx"
 Get-MapiVirtualDirectory -Server $Server_name | Set-MapiVirtualDirectory -InternalURL "https://$($FQDN)/mapi" -ExternalURL https://$($FQDN)/mapi 

You would see the Exchange Management Shell as shown in the below out after you copy and paste the script to the EMS.

 

Configure Outlook Anywhere

To Outlook Clients access from internal and external networks, we need to configure Outlook anywhere from the Servers/Outlook Anywhere settings with the exchange hostname(FQDN) such as mail.comain.com. You can navigate to Outlook Anywhere settings, as shown in the steps on the image.

 

Click OK to the Warning to Negotiate client authentication.

 

Set Service Connection Point

Exchange Server 2019 Installation and Configuration

The next step is to set the Autodiscover internal URI for internal outlook clients to get the Autodiscover details from the active directory. The Autodiscover internal URI will set the Service Connection Point(SCP) on the Active Directory.

Set-ClientAccessService -Identity ex -AutodiscoverServiceInternalURI  https://mail.mrigotechno.club/Autodiscover/Autodiscover.xml
 

Rename default database and move database path

Move mailbox database path to separate disk for database and transactional log files to recover the database quickly in case of disk failure. I have mentioned C: drive where you can substitute with a relevant drive letter with the command below.

Get-MailboxDatabase -Server ex | Set-MailboxDatabase -Name MBX-DB-2019
Move-DatabasePath -Identity MBX-DB-2019 -EdbFilePath C:\ExchangeDatabases\MBX-DB-2019\MBX-DB-2019.EDB -LogFolderPath C:\ExchangeDatabases\MBX-DB-2019_Log
 

Install Certificate

We are going to create a Certificate Signing Request(CSR) on the Exchange Admin Center and install the certificate for the services like IIS, SMTP, and so on. Login to Exchange Admin Center and go to ServersàCertificate to create certificate signing request (CSR) file to generate a certificate from third-party Certification Authority (CA) like Verisign or GoDaddy.

The Certificate Signing certificate must be created by clicking the + sign on the Certificate tab.  Select “Create a request for a certificate from a Certification Authority” and click Next.

 

Type a friendly name of the certificate and click Next.

 

We are going to request a Subject Alternative Name (SAN) certificate, so leave the default and click Next.

 

The request has to be saved on the Exchange server, click browse and select the only exchange server and click ok.

 

The exchange server has been selected click Next.

 

We skip this page, and we are going to create a request with some names where we can specify names on the list. Click Next.

 

Select only the FQDN that we used on the virtual directories and Outlook Anywhere. As you know, we provided the name mail.mrigotechno.club, alongside we need to add the name for Autodiscover, the subject name will be Autodiscover.mrigotechno.club, remove other local hostnames.

 

The local hostnames are removed and added only FQDN And autodiscover hostnames, click Next.

 

Type information about your organization and click Next.

 

Save the request in a file, type the UNC path, and click Next.

 

The Certificate Request has been created and using the CSR file, and we need to generate a Certificate from a third-party certification authority. Once certificates are received, come back to the Certificate tab on the Exchange Admin Center and select the request entry and click Complete to apply the Certificate.

 

Type the UNC path of the certificate received from the CA and click ok.

 

The next step is to assign services to the certificate, open the certificate entry on the EAC, and check the hostnames.

 

Go to Services on the same window select the services you want this certificate to use IIS and SMTP are selected generally, but if you wish to use IMAP and POP to use the certificate or these services are enabled, select them and click Save.

 

Click Yes to the confirmation message, and you would see valid in the Certificate Status.

 

Conclusion

In this article, we have discussed how to Install Exchange Server 2019 using Graphical User Interface and configured the server using the Exchange Admin Center and Exchange Management Shell. In my other three-part article, I have demonstrated how to migrate Exchange Server 2013 to Exchange Server 2019. I have added the link to those articles below. If you are interested in knowing how to install Exchange Server using the Command line, that article covers the installation process. You may have some questions or feedback to share with me, please click the comments below and share your thoughts. I’m so happy to answer your questions.

728x90
728x90

Preface

In this article, we are going to immerse the installation of Exchange Server 2019 and configure some of the exchange components such as Virtual Directories, Outlook anywhere, etc. This article will cover how to Install and Configure Exchange Server 2019 using  GUI.

I have already created a three-part article for the Migrating Exchange server 2013 to Exchange Server 2019 Installation and Configuration covered in that. It was installed using the command line interface, and most of the admins prefer the Graphical User Interface method to Install and Configure Exchange Server. Having that in mind, I have created this new article for the Exchange admins using GUI. Even though we have demonstrated the Exchange Server 2019 installation in those article series, configuring the Exchange server in the new Exchange Organization is somewhat different from configuring Exchange Server in an existing organization.

Also, this article will cover a complete configuration for a necessary Exchange Server deployment. This article will assume you have a Domain Controller up and running on your network, and you are going to install the Exchange Server 2019 on the active directory environment. If you are doing this installation on no Domain controller installed on the network or Test network, I would recommend installing a domain controller using my other article before installing the Exchange Server 2019. I also recommend going through this Microsoft link if you want to know all the Active Directory schema changes when you install Exchange Server 2019 on your Active Directory environment. You are advised to go through the complete document before starting the installation that way, and you will not get stuck on any step when you are trying to do Install and Configuring Exchange Server 2019. We are going to do the following tasks on Installing and Configuring Exchange Server 2019.

  1. Install Exchange Server Pre-requisite
  2. Install Exchange Server 2019 using GUI
  3. Create new outbound send connector to send emails to internet email
  4. Configure Virtual Directories
  5. Configure Outlook Anywhere
  6. Set Service Connection Point
  7. Rename default database and move database path
  8. Install Certificate

Pre-requisite to Install and Configure Exchange Server

The Windows Server 2019 has to be prepared and installed with Exchange Server 2019 Pre-requisites installing the Exchange Servers binaries.

The following Windows Server packages need to be installed before installing Exchange 2019 Server

.NET Framework 4.8
Visual C++ Redistributable Package for Visual Studio 2013
Unified Communications Managed API 4.0
Windows feature

Install .NET Framework 4.8

The .Net Framework 4.8 is required to install as a prerequisite software package. The package needs to be downloaded from the link below.

https://go.microsoft.com/fwlink/?linkid=2088631

Exchange Server 2019 Installation and Configuration

Once the offline installer has been downloaded, right-click the package and run it as an administrator to install it on the server.

Check the license agreement checkbox and click install.

 

Click Finish to complete the installation.

 

Install Visual C++ Redistributable Package for Visual Studio 2013

The next pre-requisite to install on the server is Visual C++ redistributable package for visual studio 2013. You can download this package from the link below, choose the language that you are planning to install on the server.

https://support.microsoft.com/en-in/help/4032938/update-for-visual-c-2013-redistributable-package

Once the package has been downloaded, right-click the downloaded file and run as administrator.

Accept the license and click Install to install the package.

 

Click close when the install completes.

 

Install Unified Communications Managed API 4.0

The next pre-requisite package we are going to install on the server is Micrsft Unified Communications managed API 4.0 runtime setup. Download the package from the below link.

https://www.microsoft.com/en-us/download/details.aspx?id=34992

Once the package is downloaded, run it as an administrator to begin the installation. Click Next to continue.

 

Click Install to install the package and click Finish when the install is over.

 

Exchange Server 2019 Installation and Configuration

Install Windows Feature

The next pre-requisite is Windows Server features installation. Open a Powershell window as administrator and run the following commands once the installation of features is completed do a restart of the Windows Operating System.

Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS 
 

Install and Configure Exchange Server

Exchange Server 2019 Installation and Configuration

Open the Exchange server installation media and double click the setup.exe to start the installation. Select Connect to the Internet and check for update and click Next.

 

On the next screen, the installation wizard will try to download the updates If there is any from the Microsoft update server. Click Next to continue.

 

Go through the introduction and click next to continue the wizard.

 

Accept the license agreement and click next to continue.

 

Select Use Recommended Settings and click Next.

 

Select the server role, this demonstration for Exchange server Mailbox role, select Mailbox role, and the management tools checkbox will be automatically selected. Also, check Automatically install roles and features and click Next.

 

Select the Drive where the exchange server to be installed. In most cases, it would be on the Drive other than System Drive. I have left the installation path as-is for this demonstration. But you can choose a drive and path as you want.

 

Specify an Organization name. In this case, I leave it to default. Click Next.

 

If you are planning to use some third party Malware Protection, you can select to disable Malware Protection. If you want to use the Exchange server inbuilt one, select Disable malware protection to No and click Next.

 

The install wizard will start Readiness Check, wait for that to complete and check if you have received an error message.

 

If there is any error, act on that error and rectify that and then restart the Exchange Server Installation. If you have followed these installation steps, most probably, you won’t have any error. Click Install to start the installation.

 

Exchange Server 2019 Installation and Configuration

The Setup will start, and you can monitor the progress along the way, it would take some time to complete. Be patient and wait for the setup to complete.

 

The Setup is in progress and may take some more time to complete.

 

Exchange Server Setup is complete, select launch Exchange Administration Center, and click Finish.

 

Exchange Admin Center or Exchange Control panel is the web console where is Exchange Server is configured or managed. This console can be accessed initially with the web URL https://localhost/ecp

The login screen is shown in the image below, where the administrator can log in to get the full admin access console with username as domain\username and password.

 
728x90

+ Recent posts