Sunday, 19 October 2008

Diagnostic tools for Domain Controllers

These tools have to be installed from the Support Tools on the Windows Server 2003 CD.
Once the tools are installed, we will use the following ones to diagnose that our server is in a correct state and working properly.


DCDIAG
The first tool I use is Dcdiag. With it we see the state of the Domain Controller across different processes, such as account registration, netlogons, event generation, intersite communication, FSMO checks, etc.

Here is an example of the DCdiag output on a correctly configured and functional DC:

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Nombre-predeterminado-primer-sitio\VSSERVER
Starting test: Connectivity
......................... VSSERVER passed test Connectivity

Doing primary tests

Testing server: Nombre-predeterminado-primer-sitio\VSSERVER
Starting test: Replications
......................... VSSERVER passed test Replications
Starting test: NCSecDesc
......................... VSSERVER passed test NCSecDesc
Starting test: NetLogons
......................... VSSERVER passed test NetLogons
Starting test: Advertising
......................... VSSERVER passed test Advertising
Starting test: KnowsOfRoleHolders
......................... VSSERVER passed test KnowsOfRoleHolders
Starting test: RidManager
......................... VSSERVER passed test RidManager
Starting test: MachineAccount
......................... VSSERVER passed test MachineAccount
Starting test: Services
......................... VSSERVER passed test Services
Starting test: ObjectsReplicated
......................... VSSERVER passed test ObjectsReplicated
Starting test: frssysvol
......................... VSSERVER passed test frssysvol
Starting test: frsevent
......................... VSSERVER passed test frsevent
Starting test: kccevent
......................... VSSERVER passed test kccevent
Starting test: systemlog
......................... VSSERVER passed test systemlog
Starting test: VerifyReferences
......................... VSSERVER passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : visionsistemas
Starting test: CrossRefValidation
......................... visionsistemas passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... visionsistemas passed test CheckSDRefDom

Running enterprise tests on : visionsistemas.local
Starting test: Intersite
......................... visionsistemas.local passed test Intersite
Starting test: FsmoCheck
......................... visionsistemas.local passed test FsmoCheck


NETDIAG
This tool also helps us analyse how our DC stands with respect to the network: domain membership, Kerberos, discovery of other DCs, the IP configuration of each adapter, among others.
An example NETDiag report would be the following:


....................................

Computer Name: VSSERVER
DNS Host Name: vsserver.visionsistemas.local
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 44 Stepping 2, AuthenticAMD
List of installed hotfixes :
Q147222


Netcard queries test . . . . . . . : Passed
GetStats failed for 'Paralelo directo'. [ERROR_NOT_SUPPORTED]
[WARNING] The net card 'Minipuerto WAN (PPTP)' may not be working because it has not received any packets.
[WARNING] The net card 'Minipuerto WAN (PPPOE)' may not be working because it has not received any packets.
[WARNING] The net card 'Minipuerto WAN (IP)' may not be working because it has not received any packets.
GetStats failed for 'Minipuerto WAN (L2TP)'. [ERROR_NOT_SUPPORTED]



Per interface results:

Adapter : externa

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : vsserver
IP Address . . . . . . . . : 192.168.1.10
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.1.254
NetBIOS over Tcpip . . . . : Disabled
Dns Servers. . . . . . . . : 192.168.100.253


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Skipped
NetBT is disabled on this interface. [Test skipped]

WINS service test. . . . . : Skipped
NetBT is disable on this interface. [Test skipped].

Adapter : LOCAL

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : vsserver
IP Address . . . . . . . . : 192.168.100.253
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : 192.168.100.253


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{AC0EE159-0752-4D0B-A114-362C4FFE18DB}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.100.253'.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{AC0EE159-0752-4D0B-A114-362C4FFE18DB}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{AC0EE159-0752-4D0B-A114-362C4FFE18DB}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
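As an added example, not part of the original post, the following Python script parses the dcdiag and netdiag report formats shown in the two sections above and lists the tests that did not pass, so a periodic check can be run over saved output (for example `dcdiag > dcdiag.txt`). The sample reports embedded in it are constructed, the names DC1 and LAN are invented, and each sample contains one deliberately failing test.

```python
import re

# Added example, not from the original post: parse the dcdiag and netdiag report
# formats shown above and pull out the tests that did not pass. Both sample
# reports are constructed; each contains one deliberately failing test.
DCDIAG_SAMPLE = """\
Testing server: Default-First-Site-Name\\DC1
   Starting test: Connectivity
      ......................... DC1 passed test Connectivity
   Starting test: Replications
      ......................... DC1 failed test Replications
Running partition tests on : Schema
   Starting test: CrossRefValidation
      ......................... Schema passed test CrossRefValidation
"""
NETDIAG_SAMPLE = """\
Adapter : LAN
    Netcard queries test . . . : Passed
    Default gateway test . . . : Skipped
        [WARNING] No gateways defined for this adapter.
Global results:
Domain membership test . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
    [FATAL] DC records not registered on the DNS server (constructed text).
Kerberos test. . . . . . . . . . . : Passed
"""
# Verdict lines: "......... VSSERVER passed test Replications" (dcdiag) and
# "Default gateway test . . . : Passed" (netdiag); adapter headers set the scope.
DCDIAG_RESULT = re.compile(r"^\.+ (?P<target>\S+) (?P<verdict>passed|failed) test (?P<test>\S+)$")
NETDIAG_RESULT = re.compile(r"^(?P<test>[A-Za-z/ ]+?)[ .]*: (?P<verdict>Passed|Failed|Skipped)$")
NETDIAG_ADAPTER = re.compile(r"^Adapter : (?P<name>.+)$")

def parse_dcdiag(text):
    """Return (target, test, verdict) for every dcdiag verdict line."""
    found = (DCDIAG_RESULT.match(l.strip()) for l in text.splitlines())
    return [(m["target"], m["test"], m["verdict"]) for m in found if m]

def parse_netdiag(text):
    """Return (scope, test, verdict); scope is the adapter name or 'Global'."""
    scope, results = "Global", []
    for line in (l.strip() for l in text.splitlines()):
        adapter = NETDIAG_ADAPTER.match(line)
        if adapter:
            scope = adapter["name"].strip()
        elif line.startswith("Global results"):
            scope = "Global"
        elif (m := NETDIAG_RESULT.match(line)):
            results.append((scope, m["test"].strip(), m["verdict"]))
    return results

def failures(results):
    """Keep only entries whose verdict is a failure; Skipped is not a failure."""
    return [r for r in results if r[2].lower() == "failed"]
```

Feed the saved report text to `parse_dcdiag` or `parse_netdiag` and pass the result to `failures`; an empty list means every test that ran passed, while skipped netdiag tests are listed but not treated as failures.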

REPLMON
For me, a very useful tool, because it not only serves to verify the replication status of the Active Directory partitions with the other DCs, but also lets us check the current state of the FSMO roles of our DC.

A basic Replmon report would look more or less like the following; bear in mind that for this example I only had a single DC, but it gives us an idea of what the reports show:

Active Directory Replication Monitor
Printed on 19/10/2008 17:00:35
This report was generated on data from the server: VSSERVER

***************************************************************************
VSSERVER Data
***************************************************************************

This server currently has writable copies of the following directory partitions:
---------------------------------------------------------------------------
DC=visionsistemas,DC=local
CN=Configuration,DC=visionsistemas,DC=local
CN=Schema,CN=Configuration,DC=visionsistemas,DC=local
DC=DomainDnsZones,DC=visionsistemas,DC=local
DC=ForestDnsZones,DC=visionsistemas,DC=local

Because this server is a Global Catalog (GC) server, it also has copies
of the following directory partitions:
---------------------------------------------------------------------------

Current NTDS Connection Objects
-------------------------------

Current Direct Replication Partner Status
-----------------------------------------

Directory Partition: DC=visionsistemas,DC=local

Directory Partition: CN=Configuration,DC=visionsistemas,DC=local

Directory Partition: CN=Schema,CN=Configuration,DC=visionsistemas,DC=local

Directory Partition: DC=DomainDnsZones,DC=visionsistemas,DC=local

Directory Partition: DC=ForestDnsZones,DC=visionsistemas,DC=local

Current Transitive Replication Partner Status
---------------------------------------------

Directory Partition: DC=visionsistemas,DC=local

Partner Name: Nombre-predeterminado-primer-sitio\VSSERVER
Partner GUID: 94B57A62-7366-4575-8735-6826CFCB882A
USN: 111161

Directory Partition: CN=Configuration,DC=visionsistemas,DC=local

Partner Name: Nombre-predeterminado-primer-sitio\VSSERVER
Partner GUID: 94B57A62-7366-4575-8735-6826CFCB882A
USN: 111161

Directory Partition: CN=Schema,CN=Configuration,DC=visionsistemas,DC=local

Partner Name: Nombre-predeterminado-primer-sitio\VSSERVER
Partner GUID: 94B57A62-7366-4575-8735-6826CFCB882A
USN: 111161

Directory Partition: DC=DomainDnsZones,DC=visionsistemas,DC=local

Partner Name: Nombre-predeterminado-primer-sitio\VSSERVER
Partner GUID: 94B57A62-7366-4575-8735-6826CFCB882A
USN: 111161

Directory Partition: DC=ForestDnsZones,DC=visionsistemas,DC=local

Partner Name: Nombre-predeterminado-primer-sitio\VSSERVER
Partner GUID: 94B57A62-7366-4575-8735-6826CFCB882A
USN: 111161

Current Group Policy Object Status
----------------------------------
Default Domain Policy
Group Policy Object GUID: {31B2F340-016D-11D2-945F-00C04FB984F9}
Group Policy Object Version in the DS: 65551
Group Policy Object Version in SYSVOL: 65551

Default Domain Controllers Policy
Group Policy Object GUID: {6AC1786C-016F-11D2-945F-00C04fB984F9}
Group Policy Object Version in the DS: 13
Group Policy Object Version in SYSVOL: 13

Nuevo objeto directiva de grupo
Group Policy Object GUID: {FF0F3EC1-8602-4503-8405-60356A3EAC3A}
Group Policy Object Version in the DS: 0
Group Policy Object Version in SYSVOL: 0


The server VSSERVER knows about the following FSMO roles:
--------------------------------------------------------------------------
Schema FSMO: Nombre-predeterminado-primer-sitio\VSSERVER
Domain Naming FSMO: Nombre-predeterminado-primer-sitio\VSSERVER
Infrastructure FSMO: Nombre-predeterminado-primer-sitio\VSSERVER
Primary Domain Controller FSMO: Nombre-predeterminado-primer-sitio\VSSERVER
RID Pool FSMO: Nombre-predeterminado-primer-sitio\VSSERVER

Performance Statistics at Time of Report
----------------------------------------

Configuration (Registry)
NOTE: an empty value indicates that Windows 2000 will use the internal default
NOTE: all empty values may indicate insufficient permission to retrieve this information from the domain controller
------------------------

DSA
---

Days per Database Phantom Scan:
Initialize MAPI interface:
Enforce LIST_OBJECTS rights:
DSA Heuristics:
Max Threads (ExDS+NSP+DRA):
DSA Database file: C:\WINDOWS\NTDS\ntds.dit
DSA Working Directory: C:\WINDOWS\NTDS
Critical Object Installation:
DS Drive Mappings:
DSA Previous Restore Count:

REPLICATION
-----------

Replicator notify pause after modify (secs):
Replicator notify pause between DSAs (secs):
Replicator intra site packet size (objects):
Replicator intra site packet size (bytes):
Replicator inter site packet size (objects):
Replicator inter site packet size (bytes):
Replicator maximum concurrent read threads:
Replicator operation backlog limit:
Replicator thread op priority threshold:
Replicator intra site RPC handle lifetime (secs):
Replicator inter site RPC handle lifetime (secs):
Replicator RPC handle expiry check interval (secs):

LDAP
----

Max objects in LDAP Search (Admin Limit):
Max concurrent LDAP connections allowed:
Max time allowed for an LDAP Search:
Max concurrent LDAP searches allowed:
Max concurrent threads per LDAP connection allowed:
Minimum idle seconds before potential \ timeout of LDAP connection (non-authenticated client):
Minimum idle seconds before potential \ timeout of LDAP connection (authenticated client):

Database
--------

Database backup path: C:\WINDOWS\NTDS\dsadata.bak
Database backup interval (hours):
Database log files path: C:\WINDOWS\NTDS
Database logging/recovery: ON
Hierarchy Table Recalculation interval (minutes): 720
Database restored from backup:
Pending object ownership conversions:
EDB max buffers:
EDB max log buffers:
EDB log buffer flush threshold:
EDB buffer flush start:
EDB buffer flush stop:
EDB max ver pages (increment over the minimum:
Circular Logging:
Server Functionality:
TCP/IP Port:
Restore from disk backup:
Performance Counter Version: 17

KCC
---

Repl topology update delay (secs):
Repl topology update period (secs):
KCC site generator fail-over (minutes):
KCC site generator renewal interval (minutes):
KCC site generator renewal interval (minutes):
CriticalLinkFailuresAllowed:
MaxFailureTimeForCriticalLink (sec):
NonCriticalLinkFailuresAllowed:
MaxFailureTimeForNonCriticalLink (sec):
IntersiteFailuresAllowed:
MaxFailureTimeForIntersiteLink (sec):
KCC connection failures:
IntersiteFailuresAllowed:
IntersiteFailuresAllowed:

***************************************************************************
Enterprise Data
***************************************************************************

Globally Unique Identifiers (GUIDs) for each domain controller in the enterprise
NOTE: the absence of a GUID means that the server has been demoted.
--------------------------------------------------------------------------------

Site Name: Nombre-predeterminado-primer-sitio
---------------------------------------
Site Options :
Site Topology Generator: CN=NTDS Settings,CN=VSSERVER,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=visionsistemas,DC=local
Site Topology Renewal :
Site Topology Failover :

VSSERVER
Server GUID (used for DNS) : 94B57A62-7366-4575-8735-6826CFCB882A
Replication Database GUID (used to identify partner in replication): 94B57A62-7366-4575-8735-6826CFCB882A
DSA Options : NTDSDSA_OPT_IS_GC
DSA Computer Path : CN=VSSERVER,OU=Domain Controllers,DC=visionsistemas,DC=local
DSA Schema Location : CN=Schema,CN=Configuration,DC=visionsistemas,DC=local
DSA Mail Address : _IsmService@94b57a62-7366-4575-8735-6826cfcb882a._msdcs.visionsistemas.local
DSA DNS Host Name : vsserver.visionsistemas.local
DSA BridgeHead Transports :



Site Links and Site Link Bridges
-----------------------------------------------------

Site Links
----------

DEFAULTIPSITELINK
Link Type: : IP
Distinguished Name : CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=visionsistemas,DC=local
Replication Interval : 180
Cost : 100
Options :
Site List :
Nombre-predeterminado-primer-sitio

Site Link Bridges
------------------

Active Directory Replication Monitor determined that no Site Link Bridges are present in the Directory.
Inter-Site Transports
---------------------

IP
Options :
DLL Name : ismip.dll
Address Type: dNSHostName

SMTP
Options : NTDSTRANSPORT_OPT_IGNORE_SCHEDULES
DLL Name : ismsmtp.dll
Address Type: mailAddress

Subnets
-------
Active Directory Replication Monitor determined that no Subnets are present in the Directory.
Active Directory Configuration Data
-----------------------------------
Stay of Execution for Servers: 0
SPN Mappings : host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc


There are more utilities, but with these we can analyse the state of our DCs very well and take timely decisions, depending of course on how often these analyses are performed. I recommend once a week when dealing with one or two DCs.


MBSA
This is the one that cannot be missing and will help us greatly to secure our server: Microsoft Baseline Security Analyzer, in its most recent version. The aim is to keep the servers in line with Microsoft's guides and recommendations. It is available at http://technet.microsoft.com/es-es/security/cc184923(en-us).aspx


---

Walter J. Taborda
MCP, MCSA / MCSE Windows Server 2003
VS Vision Sistemas
Itagui, Antioquia, Colombia
tel: 281 52 44 - mobile: 313 797 53 33
walter.taborda@NOSPAMvisionsistemas.com.co
www.visionsistemas.com.co
