F. V. Zubanov - Active Directory. A Professional's Approach
172 Active Directory:
SAM, REGBACK REGREST;
BDC, PDC. Windows 2000.
, -, , , . - . , , .
, . , Windows NT NetBIOS CENTRAL; Windows 2000 mycorp.ru. - , NetBIOS- MYCORP. , NetBIOS- - CENTRAL. - : - CENT-RAL, .
Windows / Windows 2000 \ Windows NT
Windows NT Windows 2000
NetBIOS- DNS- - CrossRef, - CN=Partitions,CN=ConfigurationXHMfl
DCPROMO Active Directory SAM: -, , .
. , (). - , .
Users Computers Builtin Users Users
Kerberos - TGT, - - . - , -. , , . Windows NT, . PDC Windows 2000 - Windows 2000 Windows NT 4.0.Windows 2000 . - ( -, ), BDC . - PDC. Windows 2000-, PDC, BDC PDC. Windows 2000, PDC. , BDC .
PDC, Windows2000, , . . , .
? -, -. - . 100% - Windows 2000, , , NT 4 .
, DCPROMO , , - . Windows NT , .
1. , Windows NT. SAM BDC.
2. BDC, , PDC, - .
, , - , .
 - Active Directory Windows 2000 Server. , , . .
(RID) (SID), Windows 2000 . , - , -, Active Directory.
-: Windows NT 4.0 Windows 2000 -,
. FRS LMRepl. Windows NT , Windows 2000. PDC LMRepl. Windows NT. .
PDC BDC LMRepl.
Lbridge.cmd Windows 2000 Server Resource Kit. , - Windows 2000, SYSVOL Export Windows NT, LMRepl.
Lbridge.cmd . robocopy Windows 2000 Server Resource Kit.
Windows 2000
Windows 2000
Windows NT
- Windows 2000 Windows NT , . - - . - - .
Windows 2000 . :
Active Directory ; ;
[Flowchart residue; recoverable labels: PING, NSLOOKUP; WINNT32; PDC; DCPROMO; Net Start; WinNT4; DNS; DCPROMO.LOG, DCPROMOUI.LOG; NETLOGON, NETLOGON.DNS; LBridge.cmd; MSBACKUP (C:\, System state); FRS, LMRepl; REPADMIN, REPLMON; SYSVOL; NTDSUTIL; Sites & Services, DNS; Windows NT]
4 ; . . - Windows NT 4.0;
- .
- .
: - , - - Windows NT 4.0.
-: , , , .
Windows NT 4.0
Windows NT - : , , , . - , .
, -. DNS, DHCP, WINS, DCPROMO , Windows NT 4.0 , - Windows 2000. , - , , - . , , - Microsoft Technet. , - , (support.microsoft.com).
- , - , , . - .
Active Directory-. , , , . . - , -.
. , SAM WindowsNT . -, -, . - Windows NT . - Windows NT -.
Active Directory - . , - -. , , - ...
, , Active Directory,, ! , - , ., . , , - , .
Windows NT , , .
Windows 2000 . - , - . -, , , , , .
- , - .
 , , Active Directory. ?
Active Directory , :
;
;
+ .
, . , . . . - . - .
(), , , :
, - ;
; - , - isMemberOfPartialAttributeSet, - True.
.
, Active Directory . , -*, .
- . Active Directory .
, . , - - .
. .
, - . Active Directory . . - , - .
. - : , - , - -. - ,
; (-). , - - . - .
: , - -, - . -, , - . - , - - . , . - Active Directory .
Active Directory . , - . , - , , . , - . - , , - , .
Active Directory
, - Active Directory. 0 (. ). * , , , -, , . . ., . , . - .
* 5 , 30 . , . - .
1.,
, 2
: HKLM\System\CurrentControlSet\Services\NTDS\Parameters. Replicator notify pause after modify (secs) 300. Replicator notify pause between DSAs (secs) 30.
- . , - ( ) , 5- 15 ( , . ). - , Active Directory Sites and Services.
, , - . , , - .
Active Directory . LDAP- , - . . - , , - (originating update) . , - .
USN
, , , - , . -, ? - (USN update sequence number).USN . - USN 1. - USN . , USN - , , - . - USN : - USN .
USN . . -
USN, - . .
- USN . repadmin /showmeta
, , 1. - , 1.
, .
DSA GUID , .
repadmin /showmeta
. ? , - . Active Directory -. . , - . :
isDeleted true;
, , , Active Directory;
, LDAP-;
+ objectGuid, objectSid, distinguishedName, nTSecurityDescriptor usnChanged;
.
, - , , . , ActiveDirectory. Active Directory 12 -. , , . , ActiveDirectory. -. 60 . , .
 (tombstoneLifetime) (garbageCollPeriod) , - CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,.
. - (, ).
, . GUID , - .
USN 2763. I.
USN - , 1. : , .
- . 7.
UsnCreated: 2764
givennameuserPassword
USN
276427642764
111
UsnChanged: 2764
22:34-4222:34-4222:34.42
DSA
USN
276427642764
, .
5 DCA -, DCB, , . - USN DCB 1533- USN 1. usnChanged usnCreated. .
UsnCreated: 1534 UsnChanged: 1534
givennameuserPassword
USN
153415341534
111
22:34.4222:34.4222:34.42
DSA
DCA
DCADCA
USN
276427642764
.
, DCB. USN 2211 ( - ). , USN - 1,
UsnCreated: 1534 UsnChanged: 2212
USN
DSA USN
givennameuserPassword
1534 1 15 1
2212 2
22:34.42 DCA22:34.42 DCA09:30.00 DCB
276427642212
, USN userPassword, - usnChanged . , - DCB.
DCA, USN 3517. - :
UsnCreated: 1534
givennameuserPassword
USN
153415343518
112
UsnChanged: 3518
22:34.4222:34.4209:30.00
DSA
DCADCADCB
USN
276427642212
, usnChanged USN. - .
 - , . , - , . , - , , , , , , . , , . , ( ), , -. . -, , - , - . - (high watermark) (up-to-dateness vector).
. . , - - , -. -, - - , .
, USN, - . - USN . - . , - - - . - , usnChanged - , -. , , - . -.
- . GUID , , USN. - . Active Directory replUpToDateVector . - , - . . , , , , , . , .
-. --' - , " - -. Active Directory - , , -, , . . , .
. DC1-DC4. , - DC1 DC2 , , - DC4.
DC2
USN2053
DCS
USN 1217
USN DC1 4711, DC2 -2052. DC3 1217. DC4 3388. - DC4 :
DC4
GUID
DC1DC 2
USN
47112050
DC4
GUID
DC1DC3
USN
47111217
DC2 . USN 1 2053.
DC2 - DC1 . , USN DC 1, , , - USN 1, . . 4712. , , DC1 -, DC2.
DC1 DC4 . DC4 GetChange. .
, (NC).
DC4 (. . ), ,
. , DC4 .
USN, DC1 . ( 4711.)
, - ,
, -,
+ .
, - .
DC1 DC4 , - USN , , -, . , . - DC4 :
DC4 DC4
GU1D GUID
USN USN
DC1 4711 DC1 4712
DC2 2053 DC3 1217
DC2, , DC1, - DC3. , DC1, USN 1218.
DC3 DC4 , - , . - (. . DC2) - (2053), DC3 , USN . - DC4 :
DC4 DC4
GUID GUID
USN USN
DC1 4711 DC1 4712DC2 2053 DC3 1218
DC4 , - (DC1 DC3), , -. , - , -.
, , -. LDAP - . .
Active Directory '
- Add Move ,
Modify -. Add Move - . - Add Move 1 - R. 2
. LostAndFound
, - - , : rdn ABC, - ABC'CNF:, CNF , - -, a GUID GUID
, .
Active Directory -,
 . Knowledge Consistency Checker (). - . ? 15 , , . - , , . , - , . . - .
 Active Directory . , , - - . , - , - , -, , , - . , - - . , - . - , .
 Active Directory, :
;
;
+ ;
+ ;
;
.
Active Directory -. . - Active Directory.
-, . . - . - . , NTDS Settings, .
- . . , , - , .
, , - , , -. , - , . , .
. - , , . - , . -. . , '.
- . - . , - (. ' Active Directory).
, , , . , . , , IP. , - , - SMTP. .
? , Windows 2000 . RPC IP SMTP. - , . .
- RPC IP. . .
RPC IP, SMTP. . - .
+ SMTP - . - RPC IP . -, SMTP - , .
:
-
RPC IP
'
RPC IPSMTP
Active Directory , - , , -, , . ,. . . 10 , - .
, , , . . - , , - .
, RPC IP. , - . -, , . .
RPC TCP. Active Directory, RPC 135.
 RPC , Active Directory. - Active Directory . ( , Active Directory, , - .)
. HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters TCP/IP Port. , - .
SMTP
, RPC, a SMTP . -, , , - SMTP -, SMTP - . , , - , , , .
SMTP , , , .
, . .
RPC, SMTP -, :
- ;
Active Directory , - ; :
;
, , ;
, - ;
, TCP.
, SMTP , .
. , -? , - . -, - - !1 -, , , . , . , , -. SMTP - .
SMTP , .
, IP, - SMTP. , , , - .400.
100 1 000 , 0,01 . , 1/1 000 000 (. . 100 1 000 ). : - 1 . , - .
 , HKLM\System\CurrentControlSet\Services\NTDS\Parameters. .
,
Replicator intra site packet size (objects)        RPC    1
Replicator intra site packet size (bytes)          RPC    10
Replicator inter site packet size (objects)        RPC    1
Replicator inter site packet size (bytes)          RPC    10
Replicator async inter site packet size (objects)  SMTP   1
Replicator async inter site packet size (bytes)    SMTP   10
, . .
: , , .
. , - : . , .
. .
, , . DC2 DC3- , - , : DC1 DC2. , - DC2 DC3 .
. .
, - ? , . , , , GUID . - , GUJD, , , - .
, - . ? -, - , .
: - 3 (hops) .
: , . & ,
5 ( - ) , - 15 .
, - 7. , . . , - , . , 8 . - .
, DC1. - , , DC1 DC5 - 4 . ,
, DC5. : - DC1.
1
3
, DC3- , DC7. .
, , . , - .
, . , - : DC1 DC5 DC3 DC7 - DC2 DC4 - DC6 DCS. , DC2 DC5, - DC7, , , * * . , , . - .
, . , , . . -
, .
. , , - -, . 8 - , .
, .
, . Active Directory - , -, , , . , -, , -.
, - . . . , .
DCB2
DCB4 DCB3
$>
7, 3 : - .
. .
- . , , - . . , - . 5 .
15 . , 15 .
 . HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. - Repl topology update delay (secs). 300. , DNS - , 500 . - Repl topology update period (secs), 900 .
? .
1. , ActiveDirectory, , :
, ;
, ; ,' , .
2. Active Directory, , , , .
 . , -, -/ . - . - Knowledge Consistency Checker* HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. 3 , , -
, - .
.
.
Active Directory Sites and Services - .
 ADSIEdit Ldp CN=NTDS Site Settings,CN=,CN=Sites,CN=Configuration,
, - .
ISTG Active Directory , - , .
, .
 30 . - site generator renewal interval (minutes) HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. . , , , . -nojii (, ISTG. , - ISTG, - site generator fail-over (minutes) .'
. - Active Directory, , GUID . - - . .
 , - , interSiteTopologyGenerator CN=NTDS Site Settings,CN=,CN=Sites,CN=Configuration.
(1+D)*S^2
On Error Resume Next

' Bind to RootDSE on the local domain controller
wscript.echo " ..."
Set localMachine = GetObject("LDAP://localhost/rootdse")
If Err.Number <> 0 Then ReportError : WScript.Quit
ServerName = localMachine.Get("dnsHostName")
If Err.Number <> 0 Then ReportError : WScript.Quit
wscript.echo " " + UCase(ServerName)

' Read the DN of the configuration naming context
configNC = localMachine.Get("configurationNamingContext")
If Err.Number <> 0 Then ReportError : WScript.Quit
wscript.echo " : " + configNC

' Enumerate the site objects under CN=Sites
Set objSites = GetObject("LDAP://" & ServerName & "/CN=Sites," & configNC)
objSites.Filter = Array("Site")
For Each obj In objSites
    wscript.echo " : " + obj.CN
    Set SiteSettings = obj.GetObject("nTDSSiteSettings", "CN=NTDS Site Settings")

    ' Read the current options value; 8000500D means the attribute is not set
    origOptions = SiteSettings.Get("options")
    If Hex(Err.Number) = "8000500D" Then
        origOptions = 0
    ElseIf Err.Number = 0 Then
        ' options was read successfully
    Else
        ReportError : WScript.Quit
    End If
    modOptions = origOptions

    ' Bit 16 (0x10) of options disables automatic inter-site topology generation
    If LCase(Args(0)) = "/disable" Then
        ' Set the bit unless it is already set
        If modOptions And 16 Then
            wscript.echo " . ."
        Else
            mod2Options = modOptions Or 16
            wscript.echo " . ."
            ' . . .
            SiteSettings.Put "options", mod2Options
            SiteSettings.SetInfo
            If Err.Number <> 0 Then
                ' Ignore the earlier "attribute not set" error, report anything else
                If Hex(Err.Number) = "8000500D" Then
                Else
                    ReportError
                    wscript.echo " options."
                    wscript.echo " ."
                    wscript.echo " ."
                    WScript.Quit
                End If
            End If
        End If
    Else
        ' Any other argument: clear the bit if it is set
        If modOptions And 16 Then
            wscript.echo " . ."
            mod2Options = modOptions Xor 16
            SiteSettings.Put "options", mod2Options
            SiteSettings.SetInfo
            If Err.Number <> 0 Then
                ' Ignore the earlier "attribute not set" error, report anything else
                If Hex(Err.Number) = "8000500D" Then
                Else
                    ReportError
                    wscript.echo " options."
                    wscript.echo " ."
                    wscript.echo " ."
                    WScript.Quit
                End If
            End If
        Else
            wscript.echo " . ."
        End If
    End If
Next
End Sub
VBS :
cscript
, -. , - . , - -; , .
. , - . - , , .
, - ? , , - . , - , .
-, . - 15 , - , -, 15 . Active Directory, - . . Windows 2000 Windows NT 4.0 Windows 2000.
Windows 2000 Windows 2000 Windows 2000 Windows NT 4.0
LSA ( ) RID-
- LSA ( )
, , . . , , , - , 15 , - ID.
Syntax
, . - options , . - ADSIEdit Ldp. , -
DEFAULTIPSITELINK, - Active Directory CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,. options 1 ( ), , - .
- Active Directory7
, . , IP, SMTP.
- , - .
- . Windows NT - , Windows 2000 . . , , . - . - . - , . , .
Windows NT , . - Windows 2000. - , PDC, , . , , , PDC, .
 . . - HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters AvoidPDCOnWan. . 1, PDC -
. . .
, , , - , - , 1 AvoidPDCOnWan 1 ,:
PDC;
+ PDC, , , ;
.
2,- - -^ "
5. -
1 AvoidPDCOnWan
AvoidPDCOnWan - 1 PDC, - . SP2.
Active Directory :
;
;
DNS-,
;
(, - , IPSec);
.
- , - . , - : .
 Support tools, -, . Windows 2000 Resource Kit , - , .
, . , ;
+ -, Active Directory;
+ Active Directory Sites and Services, - Replicate now; , - .
, . - . .
, - GUID. GUID DNS _msdcs.( . Active Directory). - Nslookup.
, - repadmin ( ) replmon ().
Active Directory DsaStat. - Active Directory
. , .
-. -, , . , - . , : - , - .
. , - , ( - ), DNS.
 . , - Active Directory Sites and Services.
, - . , , , . .
, , . . - .
- :
 Active Directory Sites and Services;
repadmin /showreps;
Replication Monitor.
Active Directory Sites and Services
, . , ' . , - .
, , :
, !
[Screenshot: Active Directory Sites and Services, showing the Sites tree (Inter-Site Transports, SiteA, Servers MID1, ROOT1, ROOT2, Subnets) and an automatically generated connection object]
. , - , - .
==== INBOUND NEIGHBORS ======================================
CN=Schema,CN=Configuration,DC=mycorp,DC=ru
    Default-First-Site-Name\MID1 via RPC
        objectGuid: 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb
        Last attempt @ 2002-05-07 13:00.52 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2002-05-06 19:52.36.
        4 consecutive failure(s).
    Default-First-Site-Name\ROOT2 via RPC
        objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593
        Last attempt @ 2002-05-07 13:39.47 was successful.
, - :ROOT2 MIDI, , IP (RPC IP). - ROOT2 , - MIDI , - . - .
CN=Configuration,DC=mycorp,DC=ru
    Default-First-Site-Name\MID1 via RPC
        objectGuid: 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb
        Last attempt @ 2002-05-07 13:01.13 failed, result 1722:
            Can't retrieve message string 1722 (), error 1815.
        Last success @ 2002-05-06 21:48.10.
        2 consecutive failure(s).
    Default-First-Site-Name\ROOT2 via RPC
        objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593
        Last attempt @ 2002-05-07 13:39.47 was successful.
- mycorp.ru. ROOT2, - ,
DC=mycorp,DC=ru
    Default-First-Site-Name\ROOT2 via RPC
        objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593
        Last attempt @ 2002-05-07 13:39.47 was successful.
, -
. , msk.mycorp.ru - MIDI, .
DC=msk,DC=mycorp,DC=ru
    Default-First-Site-Name\MID1 via RPC
        objectGuid: 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb
        Last attempt @ 2002-05-07 13:02.16 failed, result 1722:
            Can't retrieve message string 1722 (), error 1815.
        Last success @ 2002-05-06 21:47.40.
        2 consecutive failure(s).
-, ROOT1.
==== OUTBOUND NEIGHBORS CHANGE NOTIFICATIONS ============
. : ROOT2 MIDI. , - . repadmin .
CN=Schema,CN=Configuration,DC=mycorp,DC=ru
    Default-First-Site-Name\MID1 via RPC
        objectGuid: 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb
    Default-First-Site-Name\ROOT2 via RPC
        objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593
CN=Configuration,DC=mycorp,DC=ru
    Default-First-Site-Name\MID1 via RPC
        objectGuid: 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb
    Default-First-Site-Name\ROOT2 via RPC
        objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593
mycorp.ru . msk.mycorp.ru . , - msk.mycorp.ru, . , .
DC=mycorp,DC=ru
    Default-First-Site-Name\ROOT2 via RPC
        objectGuid: a6563e8f-9a97-40a9-9c28-23ba4f348593
- . . -, , ,
* - . repadmin .
 , , repadmin /showreps
, - , repadmin /showconn.
Replication Monitor
- , . , , Replication Monitor. , repadmin.
,- File. - .
, - , , , , .
[Screenshot: Replication Monitor status log for a directory partition, showing the USN through which the server has seen changes, the direct replication partner data, and the time of the last successful replication]
Replication Monitor
. . - Active Directory - , -.
DsaStat
DsaStat , - . , - . ROOT1 ( ) ROOT2. :
dsastat -s:root1;root2 -b:dc=mycorp,dc=ru -gcattrs:objectclass -p:16 -filter:(objectclass=user)
( - dsastat). -s. , , , LDAP-. , - 328.
:
Stat-Only mode.
Unsorted mode.
Opening connections...
    root1...success.
- :
Connecting to root1...
reading...
**> ntMixedDomain = 0
reading...
**> Options = 1
Setting server as [root1] as server to read Config Info...
    root2...success.
Connecting to root2...
reading...
**> ntMixedDomain = 0
reading...
LocalException ; Cannot get Options .
Generation Domain List on server root1...
> Searching server for GC attributes OID list
Retrieving statistics...
Paged result search...
Paged result search...
...(Terminated query to root1, )
...(Terminated query to root2. )
( ).
-=|*** DSA Diagnostics ***|=-
Objects per server:
Obj/Svr     root1  root2  Total
computer        2      2      4
user            7      6     13
                9      8     17
FAIL Server total object count mismatch
, user . , - . , . , 500 , ,
1-2 , - . , , , - , :
15-20 ;
, - ; , , - dsastat;
.
, - .
Bytes per object:
    computer  164
    user      429
Bytes per server:
    root1     313
    root2     280
Checking for missing replies...
    No missing replies!
INFO: Server sizes are not equal (min=313,max=280).
, . - .
*** Different Directory Information Trees. 1 errors (see above). ***
FAIL -= FAIL =-
closing connections...
    root1; root2;
Dcdiag repadmin. , ,
. . , .
dcdiag /test:replications /a
:
DC Diagnosis
Performing initial setup:
    Done gathering initial info.
Doing initial non skippeable tests
    Testing server: Default-First-Site-Name\ROOT1
        Starting test: Connectivity
        ROOT1 passed test Connectivity
. , - IP, ping . ROOT1 , MIDI, , , - . , - .
    Testing server: Default-First-Site-Name\MID1
        Starting test: Connectivity
            Server MID1 resolved to this IP address 10.1.2.2,
            but the address couldn't be reached(pinged), so check the network.
            The error returned was: Win32 Error 11010
            This error more often means that the targeted server is
            shutdown or disconnected from the network
        MID1 failed test Connectivity
 ROOT2 .
    Testing server: Default-First-Site-Name\ROOT2
        Starting test: Connectivity
        ROOT2 passed test Connectivity
, . - MIDI,
Doing primary tests
    Testing server: Default-First-Site-Name\ROOT1
        Starting test: Replications
            [Replications Check,ROOT1] A recent replication attempt failed:
                From MID1 to ROOT1
                Naming Context: CN=Schema,CN=Configuration,DC=mycorp,DC=ru
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2002-05-07 19:10.02.
                The last success occurred at 2002-05-06 19:52.36.
                11 failures have occurred since the last success.
                The source remains down. Please check the machine.
            [Replications Check,ROOT1] A recent replication attempt failed:
                From MID1 to ROOT1
                Naming Context: CN=Configuration,DC=mycorp,DC=ru
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2002-05-07 19:10.44.
                The last success occurred at 2002-05-06 21:48.10.
                9 failures have occurred since the last success.
                The source remains down. Please check the machine.
            [Replications Check,ROOT1] A recent replication attempt failed:
                From MID1 to ROOT1
                Naming Context: DC=msk,DC=mycorp,DC=ru
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2002-05-07 19:11.26.
                The last success occurred at 2002-05-06 21:47.40.
                9 failures have occurred since the last success.
                The source remains down. Please check the machine.
        ROOT1 passed test Replications
, . , , - .
MIDI, , . - :
    Testing server: Default-First-Site-Name\MID1
        Skipping all tests, because server MID1 is
        not responding to directory service requests
- MIDI ROOT2 - , - .
    Testing server: Default-First-Site-Name\ROOT2
        Starting test: Replications
            [Replications Check,ROOT2] A recent replication attempt failed:
                From MID1 to ROOT2
                Naming Context: CN=Schema,CN=Configuration,DC=mycorp,DC=ru
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2002-05-07 18:50.46.
                The last success occurred at 2002-05-06 19:53.29.
                10 failures have occurred since the last success.
                The source remains down. Please check the machine.
            [Replications Check,ROOT2] A recent replication attempt failed:
                From MID1 to ROOT2
                Naming Context: CN=Configuration,DC=mycorp,DC=ru
                The replication generated an error (1722):
                Win32 Error 1722
                The failure occurred at 2002-05-07 18:50.25.
                The last success occurred at 2002-05-06 21:48.38.
                8 failures have occurred since the last success.
                The source remains down. Please check the machine.
        ROOT2 passed test Replications
Running enterprise tests on : mycorp.ru
Repadmin
repadmin. - . , , - . , -? repadmin getchanges:
repadmin /getchanges dc=mycorp,dc=ru root2.mycorp.ru a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a
, mycorp.ru root2 , - GUID .
-. USN ( -):
Building starting position from destination server root2.mycorp.ru
Source Neighbor:
dc=mycorp,dc=ru
    Default-First-Site-Name\ROOT1 via RPC
        objectGuid: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a
        Address: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a._msdcs.mycorp.ru
        ntdsDsa invocationId: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a
        WRITEABLE SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
        USNs: 4798/OU, 4798/PU
        Last attempt @ 2002-05-07 20:05.51 was successful.
:
Destination's Up To Dateness Vector:
2ff7fbaa-6607-472c-b3a5-ccf8445de5bf @ USN 4973
a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a @ USN 4847
, ,
( sn) CN=u2,OU=test,DC=mycorp,DC=ru:
== SOURCE DSA: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a._msdcs.mycorp.ru ==
Objects returned: 1
(0) modify CN=u2,OU=test,DC=mycorp,DC=ru
    1> objectGUID: db92fe3;J-d14a-49b9-98ae-ec905ec39bf1
    1> sn: Petrov
    1> instanceType: 4
. . USN. , :
Source Neighbor:
dc=mycorp,dc=ru
    Default-First-Site-Name\ROOT1 via RPC
        objectGuid: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a
        Address: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a._msdcs.mycorp.ru
        ntdsDsa invocationId: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a
        WRITEABLE SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
        USNs: 4850/OU, 4850/PU
        Last attempt @ 2002-05-07 20:12.37 was successful.
Destination's Up To Dateness Vector:
2ff7fbaa-6607-472c-b3a5-ccf8445de5bf @ USN 4989
a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a @ USN 4860
== SOURCE DSA: a4818f4f-bd9a-4dd9-b8f9-f4e26a84eb7a._msdcs.mycorp.ru ==
No changes.
-. 1JSN. :
repadmin /showmeta CN=u2,OU=test,DC=mycorp,DC=ru
. . , - root2. , USN sn. 450, . . , USN .
Loc.USN  Originating DSA                Org.USN  Org.Time/Date        Ver  Attribute
4678     Default-First-Site-Name\ROOT1  4678     2002-05-07 18:03.21  1    objectClass
4678     Default-First-Site-Name\ROOT1  4678     2002-05-07 18:03.21  1    cn
4850     Default-First-Site-Name\ROOT1  4850     2002-05-07 20:09.15  4    sn
4679     Default-First-Site-Name\ROOT1  4679     2002-05-07 18:03.22  1    description
4678     Default-First-Site-Name\ROOT1  4678     2002-05-07 18:03.21  1    givenName
4678     Default-First-Site-Name\ROOT1  4678     2002-05-07 18:03.21  1    instanceType
4678     Default-First-Site-Name\ROOT1  4678     2002-05-07 18:03.21  1    whenCreated
4679     Default-First-Site-Name\ROOT1  4679     2002-05-07 18:03.22  1    displayName
, , , USN . ., , Replication Monitor, . - . . .
, . .
, , ,
Active Directory Replication Monitor
Printed on 07.05.2002 20:45:06
This report was generated on data from the server: ROOT1
ROOT1, . -. , repadmin? - , , .
ROOT1 Data
This server currently has writable copies of the following directory partitions:
    CN=Schema,CN=Configuration,DC=mycorp,DC=ru
    CN=Configuration,DC=mycorp,DC=ru
    DC=mycorp,DC=ru
, , - . , , - .
Because this server is a Global Catalog (GC) server, it also has copies of the following directory partitions:
DC=msk,DC=mycorp,DC=ru
. , - repadmin. , . . - :
Current NTDS Connection Objects
    Default-First-Site-Name\MID1
        Connection Name : 828a2adb-a24b-45dB-bf0c-b65aa4cbfb95
        Administrator Generated?: AUTO
[Screenshot: Replication Monitor report options]
: GUID. - Active Directory Sites and Services - Automatically generatedX , GUID. AUTO Automatically generated. , , :
    Default-First-Site-Name\MID1
        Connection Name : From MID1
        Administrator Generated?: YES
. . , .
, . Ring neighbor. . , -:
Reasons for this connection:
    Directory Partition (DC=msk,DC=mycorp,DC=ru)
        Replicated because the replication partner is a ring neighbor.
    Directory Partition (CN=Schema,CN=Configuration,DC=mycorp,DC=ru)
        Replicated because the replication partner is a ring neighbor.
    Directory Partition (CN=Configuration,DC=mycorp,DC=ru)
        Replicated because the replication partner is a ring neighbor.
 surpassed the allowed failure limit. , . , . , . , .
    Directory Partition (CN=Schema,CN=Configuration,DC=mycorp,DC=ru)
        This replication connection is created because another
        replication partner has surpassed the allowed failure limit.
 Active Directory 1308 . The Directory Service consistency checker has noticed that 2 successive replication attempts with CN=NTDS Settings,CN=ROOT2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mycorp,DC=ru have failed over a period of 787 minutes. The connection object for this server will be kept in place, and new temporary connections will established to ensure that replication continues. The Directory Service will continue to retry replication with CN=NTDS Settings,CN=ROOT2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mycorp,DC=ru; once successful the temporary connection will be removed*.
. , repadmin /showreps, - . , ,
Current Direct Replication Partner Status
Directory Partition: CN=Schema,CN=Configuration,DC=mycorp,DC=ru
    Partner Name: Default-First-Site-Name\ROOT2
    Partner GUID: 2FF7FBAA-6607-472C-B3A5-CCF8445DE5BF
    Last Attempted Replication: 5/7/2002 7:59:14 PM (local)
    Last Successful Replication: 5/7/2002 7:59:14 PM (local)
    Number of Failures: 0
    Failure Reason Error Code: 0
    Failure Description: The operation completed successfully.
    Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
    USN of Last Property Updated: 4928
    USN of Last Object Updated: 4928
    Transport: Intra-Site RPC
, :
Directory Partition: CN=Schema,CN=Configuration,DC=mycorp,DC=ru
    Partner Name: Default-First-Site-Name\MID1
    Partner GUID: 531BD902-1AEF-4F29-A8DC-D27A0CFC3003
    Last Attempted Replication: 5/8/2002 9:52:06 AM (local)
    Last Successful Replication: 5/7/2002 7:59:14 PM (local)
    Number of Failures: 2
    Failure Reason Error Code: 1722
    Failure Description: The RPC server is unavailable.
    Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
    USN of Last Property Updated: 6117
    USN of Last Object Updated: 6117
    Transport: Intra-Site RPC
. , 2 - , RPC. ,
, .
, - .
,
, , . - , GUID, , -... . , - , :
Change Notifications for this Directory Partition
Server Name: Default-First-Site-Name\ROOT2
    Object GUID: A6563E8F-9A97-40A9-9C28-23BA4F348593
    Time Added: 23.03.2002 13:14:31
    Flags: DRS_WRIT_REP
    Transport: RPC
:
Server Name: Site-1\VM20002
    Object GUID: 5E29E488-863B-46B1-B7EB-6C54A63D6A44
    Time Added: 23.06.2016 14:27:53
    Flags: DRS_WRIT_REP
    Transport: RPC
. - 15 . - - . 15 , . . - , .
, . , , . - , - :
Performance Statistics at Time of Report
REPLICATION
Replicator notify pause after modify (secs): 300
Replicator notify pause between DSAs (secs): 30
Replicator intra site packet size (objects):
Replicator intra site packet size (bytes):
Replicator inter site packet size (objects):
Replicator inter site packet size (bytes):
Replicator maximum concurrent read threads:
Replicator operation backlog limit:
Replicator thread op priority threshold:
Replicator intra site RPC handle lifetime (secs):
Replicator inter site RPC handle lifetime (secs):
Replicator RPC handle expiry check interval (secs):
KCC
Repl topology update delay (secs):
Repl topology update period (secs):
KCC site generator fail-over (minutes):
KCC site generator renewal interval (minutes):
KCC site generator renewal interval (minutes):
CriticalLinkFailuresAllowed:
MaxFailureTimeForCriticalLink (sec):
NonCriticalLinkFailuresAllowed:
MaxFailureTimeForNonCriticalLink (sec):
IntersiteFailuresAllowed:
MaxFailureTimeForIntersiteLink (sec):
KCC connection failures:
IntersiteFailuresAllowed:
IntersiteFailuresAllowed:
, - Active Directory . - . , - .
-. . - -. , . . . , , - . , -. , .
(Access Denied)
:
, , -, Active Directory Sites and Services;
.
The following error occurred during the attempt to synchronize the domain controllers: Replication access was denied*. , , , - , . , - . - . - - . Enterprise Admins, . - , , Active Directory Sites and Services , (, Enterprise Admins ). - , - .
, - 1265: The attempt to establish a replication link with parameters.... failed with the following status: Access is denied*. - repadmin /showreps .
 , - , repadmin /showreps , , Access denied error*
. -, , , , Active Directory.
- . Windows NT Windows 2000.
.
1. (Key Distribution Center), - Kerberos, , - - . .
.
) :
net stop kdc
, (disabled), .
) kdc , klist /purge ( Windows 2000 Resource Kit).
) :
netdom resetpwd //:
) kdc
net start kdc
2. repadmin /kcc repadmin /sync 1265 , - - .
) :
repadmin /add
. , - (Event ID 1265) .
) , kdc.
.
) KDC Kerberos.
) ( -, ). :
repadmin /sync cn=schema,cn=configuration,
) , - .
) , - .
) , kdc.
 (Target account name is incorrect) - . , Active Directory Sites and Services Replication monitor Logon Failure: The target account name is incorrect. - NTDS Replication, Event ID 1645:
The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is afb720fd-38c7-4505-aa9f-b658ca124773._msdcs.mycorp.ru. The SPN being used is
E3514235-4B06-11D1-AB04-00C04FC2DCD2/afb720fd-38c7-4505-aa9f-b658ca124773/mycorp.ru@mycorp.ru.
Please verify that the names of the target server and domain are correct.
Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.
NTDS , Event 1265:
The attempt to establish a replication link with parameters
Partition: CN=Configuration,DC=MyDomain,DC=net
Source DSA DN: CN=NTDS Settings,CN=MyServer,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MyDomain,DC=com
Source DSA Address: 5e5abf03-e902-48e2-a326-41977dee176d._msdcs.mycorp.ru
Inter-site Transport (if any):
failed with the following status: Logon Failure: The target account name is incorrect. The record data is the status code. This operation will be retried.
:
+ (Services Principle Name SPN) ;
 trustedDomain (TDO), System.
trustedDomain
 , TDO System, Active Directory Users and Computers - , -, msk.mycorp.ru. Trusted Domain.
[Screenshot: Active Directory Users and Computers for mycorp.ru, with the System container expanded, showing TDO objects]
, , - .
) , , Active Directory Domains and Trusts, - PDC .
) Trusts, - , . - . . , - - * (shortcut).
) . , - . - , .
) :
NETDOM TRUST . /1:./UserD:administrator /PasswordD:* /UserO:administrator /PasswordO:*/Reset /TwoWay
UserD UserO - .
) , -.
) , -. .
SPN
) IP , - . ping GUID, . - 720^1-387-4505-9?-5812477._15.. .
) ADSIEdit. , , .
ADSIEdit : .
) servicePrincipalName. ,
 GUID. , E3514235-4B06-11D1-AB04-00C04FC2DCD2/afb720fd-38c7-4505-aa9f-b658ca124773/mycorp.ru.
) , Remove. Edit Attribute . - Add.
) Edit Attribute *@. Add.
) - servicePrincipalName.
.
, :
GUID;
+ servicePrincipalName .
.
RPC (RPC Server Not Available)
. - :
;
+ .
 - 125: The attempt to establish a replication link with parameters .... failed with the following status: The RPC Server is unavailable*.
, , - , repadmin /showreps .
- ping. ' GUID. - , .
ping 19c9dbc3-d5d2-47cc-94e3-5135adfc4bcb._msdcs.mycorp.ru
Pinging mid1.msk.mycorp.ru [10.1.2.2] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
DNS (DNS Lookup failure) . Active Directory -. - - . - 1265: The attempt to establish a replication link with parameters .... failed with the following status: DNS lookup failure.
, , - repadmin /showreps .
DNS - , DNS? Active Directory*. .
ping GUID . , - _msdcs, . nslookup , DNS . , - . , - DNS.
, :
net stop "dns client"
net start "dns client"
, , - DNS - .
, , , . , -, IP . , - . ipconfig /flushdns. - , CNAME DNS, -. , . , - .
(Directory service too busy) - NTDS Replication Event ID=1083:
"Replication warning: The directory is busy. It couldn't update object CN=ROOT2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mycorp,DC=ru with changes made by directory afb720fd-38c7-4505-aa9f-b658ca124773._msdcs.mycorp.ru. Will try again later."
, -, GUID .
Active Directory- - .
.
) ping GUID IP . :
ping afb720fd-38c7-4505-aa9f-b658ca124773._msdcs.mycorp.ru
) Ldp, - bind .
) . - , .
[Ldp output for the server object CN=ROOT2: canonicalName: mycorp.ru/Configuration/Sites/SiteA/Servers/ROOT2; cn: ROOT2; objectClass: top; server; name: ROOT2]
( ), - Ldp . - Delete DN -. .
, , .
, - . - . .
.
repadmin /sync cn=configuration,
repadmin /sync
}', 1083. .
SP2 , Event ID 8438 The directory service is too busy to complete the replication operation at this time. .
( LDAP 82)
Active Directory*, . , . NTDS =125: The attempt to establish a replication link with parameters ... failed with the following status: There is a time difference between the client and server.
- . PDC . .
, -, :
net time \\__ /set
Access denied, , .
, . , .
- ID=1084 Replication failed with an internal error ID, :
Replication error: The directory replication agent (DRA) couldn't update object CN="8f03823f-410c-4483-86cc-B820b4f2103fDEL:66aab46a-2693-4825-928f-05f6cd12c4e6",CN=DeletedObjects,CN=Configuration,DC=mycorp,DC=ru (GUID 66aab46a-2693-4825-928f-05f6cd12c4e6) on this system with changes which have been received from source server 62d85225-76bf-4b46-b929-25a1bb295f51._msdcs.mycorp.ru. An error occurred during the application of the changes to the directory database on this system.
, , , Active Directory , , , . , . SP2. , SP2 .
- , ntdsutil (. *).
.
1) GUID -. 66aab46a-2693-4825-928f-05f6cd12c4e6, .
2) Ldp . bind .
3) Delete, DN .
4) , . - 1084 , . 1-3-
(No more end-point)
repadmin /showreps. .
TCP - . netscat. TCP,
, RPC Directory Replication Service . , DNS - IP.
49
. , . repadmin /sync. , repadmin /showreps . - . , , .
,
repadmin /showreps , , .
Active Directory (replication has been pre-empted)
, - . - .
Replication posted, waiting
, - . , - .
Last attempt @ ... was not successful
, , - , , . , , , .
, - , -. , - DRA Pending Replication Synchronizations.
Active Directory . - . - , . , -, - , ; , .
, SP2, SP2 .
- . , . Advanced Troubleshooting [3], [6]. , .
- . , , . , , , .
Windows 2000 Active Directory , . : Active Directory ; - Active Directory. !
, , , - , .
, Windows NT, , , - . , - Windows 2000, : . Windows 9x/NT, - Windows 2000/XP. Windows
2000. , . , , - Windows 2000, . Microsoft, , , -, Windows, - . .
, Windows NT 4.0 config.pol ntconfig.pol, - NETLOGON. - -, . ; HKEY_CURRENT_USER (HKCU) HKEY_LOCAL_MACHINE (HKLM) ,
- , Active Directory. (). : SYSVOL Active Directory. : . Active Directory.
, . , - : * , - , . , . Windows 2000 Windows XP Pro, .
, - %systemroot%\system32\grouppolicy. - -? , , , LSDOU. - :
(L);
(S):
+ (D);
(OU).
, . , , -, . , . - . , , . . , - , : , - , . .
, - . , , . Windows2000/ - . .
, , - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions. , - .
, , : , . . scecli.dll, .
: . , . , , , , .
, :
Software settings Software Installation
[ , Windows Installer - . Windows Scripting Host (WSH) HKLM
-Software settings , -Software Installation Windows Installer, -
, Internet Explorer
Windows Settings Security settings
Windows Settings Scripts
Administrative Templates
Windows Settings Internet Explorer Maintenance
Windows Settings Folder Redirection
Windows Settings Security settings
Windows Settings Remote Installation Services
Windows Settings Scripts
Administrative Templates
, Desktop,My Documents Startup, , ,
. Windows Scripting Host (WSH) HKCU
, - .
- .
, - . , Active Directory SYSVOL , Active Directory, - (Group Policy Container GPC). - (Group Policy Template - ).
CN=Policies,CN=System,
, GUID, . , -, GUID, - displayName. , , GUID {6AC1786C-016F-11D2-945F-00C04fB984F9} - Default domain controllers policy. gPCFileSysPath: )' . - 1:1, . . , - .
, gPCFileSysPath \\.\51\.\18\{6AC1786C-016F-11D2-945F-00C04fB984F9}. . , GUID , .
, - . - . , - , .
- , . - .
SYSVOL , . - .
, ... , , , Active Directory , - Active Directory, SYSVOL -, NTFRS. - , - , , , - , .
displayName gPCFileSysPath, :
gPCFunctionalityVersion Group Policy,
gPCMachineExtensionNames GUID ,
gPCUserExtensionNames GUID -,
versionNumber . - , gpt.ini , , -
.
, : Active Directory - SYSVOL. Machine User, , , - , , , Class Store. -. -, Packages, packageRegistration - . -, Class Store HKEY_CLASSES_ROOT, Active Directory. , - -. Class Store -, -, .
. (. . GUID ), :
Adm , -. .adm
Machine , , -
User , , -
Gpt.ini
Machine User R , .
, , - :
Applications
Documents &Settings
-
Microsoft - Security ConfigurationEditor, IE Admin, RIS
-. .aas. , INI, . - FolderStatus - . SID = . :
[FolderStatus]
Application Data=11
Desktop=11
My Documents=11
My Pictures=2
Start Menu=0
Programs=2
Startup=2
[Application Data]
s-1-1-0=\\fzhub\personal\%username%\Application data
[Desktop]
s-1-1-0=\\fzhub\personal\%username%\Desktop
[My Documents]
s-1-1-0=\\fzhub\personal\%username%\My Documents
[My Pictures]
[Start Menu]
s-1-1-0=\\fzhub\personal\%username%\Start Menu
[Programs]
[Startup]
, . , SecurityEditor \Windows NT\Secedit. - GptTmpl.inf , - . :
[Unicode]
Unicode=yes
[System Access]
Scripts
-
- -/ /- - - , - -
MinimumPasswordAge =
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
scripts.ini. , -, -, ,
, User Machine Registry.pol. , Administrative Templates . , Adm. , , Adm, .
Active Directory (versionNumber), gpt.ini. .
, AD Replication Monitor, - Show Group policy object status. - , :
[Screenshot: Replication Monitor, group policy object status list]
. 1, 65 536! , - 1 (Computer), 10 (User), 65 546. - - 65 536.
. , , versionNumber INTEGER. 16 - , . .
, DLL. - . . - , , -, , . - , .
GUID:
GUID DLL.
Windows XP - Internet Explorer EFS
IP
GUID                                      DLL
{3610eda5-77ef-11d2-8dc5-00c04fa31a66}    dskquota.dll
{35378EAC-683F-11D2-A89A-00C04FBBCFA2}    userenv.dll
{25537BA6-77A8-11D2-9B6C-0000F8080861}    fdeploy.dll
{42B5FAAE-6536-11d2-AE5A-0000F87571E3}    gptext.dll
{426031c0-0b47-4852-b0ca-ac3d37bfcb39}    gptext.dll
{827D319E-6EAC-11D2-A4EA-00C04F79F83A}    scecli.dll
{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}    iedkcs.dll
{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}    scecli.dll
{c6dc5466-785a-11d2-84d0-00c04fb169f7}    appmgmts.dll
{e437bc1c-aa7d-11d2-a382-00c04f991e27}    gptext.dll
, - . - . - , , - .
[Screenshot: policy processing options, including "Allow processing across a slow network connection" and "Process even if the Group Policy objects have not changed"]
(Allow processing across a slow network connection). , . , , , , . , ;, .
- :
( );
.
. : ? , , , ( )
? , , - . , - .
-. - . , , -. .
, - ! . . , - - , .
? , , ? :
1. , 0 , - ();
2. , 4 , - (t2);
3. D=t2-t1;
4. , D D;
5. D: D=D/3;
6. =(4 * 1000/D * 8)/1024 (/).
Group policy slow link detection . , , 500 /. , - 4,294,967,200 /. , - , . - , .
. - ; - , . - ;
. , - . - , . - : - . , , My Documents . -- , - . - , (fdeploy.dll). - , , - , , .
.
( ) ( )
90 + (-)
90 + (-)
5
(7 -45 ) +(0-24) (7 -45 ) +(0-24) (7 -45 ) +(0-24)
, . - 30 . , - . -, .
. -, , - . - , . - . , - - . - (Disable background refresh of Group Policy). - .
, . : - , . - . . , ,, , . - , , - . . , - , .
-, , , . - , .
, , -, . , - , , , - . , - .
(Process even if the Group Policy Objectshave not changed). , , .
- .
DllName
ProcessGroupPolicy
ProcessGroupPolicyEx
NoMachinePolicy
NoUserPolicy
NoSlowLink
NoBackgroundPolicy
NoGPOListChanges
PerUserLocalSettings
RequiresSuccessfulRegistry
EnableAsynchronousProcessing
-
t
, - , - , , - , - , - - , - , - , , - , -
, - - - - , - - - - Windows XP0 ( ) ,1 0 ( ) ,1 0 ( ) ,1 0 ( ) ,1 0 ( ) ,1
0 ( ) ,1
0 ( ) ,1
0 ( ) ( ),1
, . , , - : . :
;
+ ;
+ ;
.
, , , - , :
Domain Admins;
+ Administrators;
Enterprise Admins;
Group Policy Creators.
LSDOU, , : , - , - . , , , . - , -. Windows 2000 - :
+ ;
+ ;
+ ;
.
, - . , . , - . ,
, - .
.
1. . , -
2. , - , , , .
3. , , .
, - , . , , . , , , -,
- . , , . , , - , .
, .
. , .- , - . 100% , , - , . . , , - , (No override)., , . -, - .
, . - , , - , .
, , - , , -. , - , .
, Windows Explorer. , .
. , , -, . , , , - . .
(loop-back processing). . UGP. - U . , S, CGP, , . , CGP. U - S. :
+ CGP;
UGP.
- : .
CGP - UGP , , UGP My Documents , CGP , - . CGP UGP, CGP,. . , .
UGP - - , .
, . - . - .
, , . , - My Documents , , - .
, . , - . , -, . , . -, -. . , - , - . -, - - . - )' -, .
, , . . , -, . -
, , . - , -, .
. : , Active Directory, . , Read, Write, Full Control, Apply Group Policy. Read Apply . , , .
Read , , . , . :
,
Full Control   Read   Write   Create All child objects   Delete All child objects   Apply Group Policy
Authenticated Users / /
Creator owners
Domain Admins / / / /
Enterprise Admins / / / /
SYSTEM / / / /
, Authenticated Users, - , . - , , , Authenticated Users, , , .
. , . , , . -, , Domain Admins. Apply Group Policy , .
Enterprise Admins . - Domain Admins, , -, , .
Creator Owners. To, - , . , -, , - :
+ ( ) , ;
, , ;
.
, , - -. . - Active Directory', .
, , . , - .
-, Authenticated Users ., ' , , - - . Authenticated Users - Apply Group Policy, - . , .
-, . - .
-, Deny., , - , . :
Authenticated Users , ;
+ , ;
- (Deny Apply Group Policy) - .
, - . ! . Deny - .
- , . .
- (. ' Active Directory*), - .
, , , - Deny.
, FAZAM 2000 FullArmor. - - .
, , ( , ). , . , . HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History, - HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History.
GUID - . - , 1, ..., . , 0 , 1 , 2 . . - , , - , 1 . .
DisplayName
DSPath
Active Directory. , Active Directory
FileSysPath . UNC- SYSVOL %SystemRoot%\System32\GroupPolicy
GPOLink :0 ;1 ();2 ;3 ;4
GPOName . Local Group Policy. GUID
lParam . - (, )
Options , . -, , -
Version ,
, , - . ,
, - . , , - , .
? , , - , .
, Active Directory, SYSVOL, . , , - -. , , - . , - .
, Group Policy. Active Directory Users and Computers. ;. , , -, . , Group Policy , .
- , - PDC. , .
. . - - . - . , , - .
, . ? , , - . - , . - , -, , PDC - ? , -, - Active Directory (. - Active Directory*). -, -, , PDC - . , .
. , , - Active Directory. -. , ?
, , Active Directory. : - , , Group Policy, New .., ! , . , . -, _-___, , , , .
. , - Active Directory? , .
. , - , ,
? . - , , ' New , Add - All.
[Screenshot: list of group policy objects: Default Domain Controllers Policy, Default Domain Policy, Time Reduction]
: . Active Directory. , , . , .
. , - . , - , -:
;
.
: , - Active Directory . , , , - .
, -. , -
Administrators, Enterprise Admins, Domain Admins, Group Policy Creator Owners. :
Enterprise Admins
Domain Admins
, ,
Administrators
Group Policy Creator Owners
, , - OITI AD, , - ! [ ; . ; , ( )
. , - . . -, : -, !
, Group Policy Creator Owners (GPCO). -. . . - GPCO. - . - ! Administrators Domain Admins ( Enterprise Admins - ; , ). -, , , .
, -, . GPCO. ! GPCO , -. , . GPCO .
, GPCO -, .
- . - . , - , - .
, : - Active Directory GUID - SYSVOL , . Active Directory , , -, , - , .
,
Full Control , , Read Group PolicyWrite Create all child objects Delete all child objects
,
Full Control , , Modify , , Read & Execute List folder contentsReadWrite , ,
, , -. .
- . Active Directory.
Active Directory
, - Active Directory, . ?
-, gpLink. , . , - Read Write .
-, , - , gpOptions. - Read Write .
. - . Active Directory Users and Computers. , , ADSIEdit Ldp.
[Screenshot: Delegation of Control Wizard, Permissions page ("Select the permissions you want to delegate"), with the gPLink and gPOptions read and write permissions in the list]
:
* Software settings ( );
Windows Settings ( Windows);
Administrative Templates ( ).
, . - , Group Policy.
, - . , - Microsoft Installer. MSI- -. , . - . , Microsoft Office, setup.exe, MSI-: data 1 msowc. - , - Web.
, .
. . - . }7 UNC. , , , - , . , . , , . , , .
, . : -, -. . . , , , , -, , .
, .
, . , -, W2KIVANOV.
. ? ?
*ie loop* ot
? ?
, - ? .
, ?
, , . , - . - .
Microsoft Installer -, . - MST , - . , - , .
, . - - . , - .
- Active Directory, , , -. , . , .
,
, - :
;
;
+ , -, .
, , . , ,
Windows , , Windows Scripting Host, . , 1\\1\{ }\-chine\Scripts Startup Shutdown.
, ( ), , . , - ( ) -, ,
, :
, :
Run logon scripts synchronously
Run startup scripts asynchronously
Run startup scripts visible
Run shutdown scripts visible
Maximum wait time for Group Policy scripts
-
, , - 581\\8. , . - .
Windows : . - -
. . :
;
;
;
+ ;
;
;
;
;
IPSecurity.
:
;
;
Kerberos.
. . ( , - . [1]).
Store passwords under reversible encryption ( ) . -for all users in domain .
- :
Enforce password . . history ,
.
Maximum password age. , . I 999
Minimum password age , , : 1 999
Minimum password length
Passwords must meet , complexity requirements .
, : ; ;; ,
User must logon to change password,
. - * -, .
Account lockout threshold
Account lockout duration
Reset lockout count after
Kerberos Kerberos ( Kerberos . [1], [3]).
Kerberos
Maximum lifetime for user ticket
Maximum lifetime for service ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
TGT. - . 10 . . 10 , , - , . . 7 . , 5
Enforce user logon restrictions
(Enabled), , , , , , - , . , ,
:
;
;
, - . - Security. , .
_
Audit Account Logon events
Audit Account Management
Audit Directory Service Access
Audit Logon Events
Audit Object Access
Audit Policy Change
Audit Privilege Use
Audit Process Tracking
Audit System Events
. .
. . , .
-. -, . - . - , .
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Back up files and directories
Bypass traverse checking
Change the system time
Create a pagefile
Create a token object
Create permanent shared objects
Debug programs
Deny access to this computer from the network
Deny logon as a batch job
Deny logon as a service
Deny logon locally
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Increase quotas
Increase scheduling priority
Load and unload device drivers
. . , . - 10 - , . - - , - -. ,
. , - - .
Lock pages in memory
Log on as a batch job
Log on as a service
Log on locally
Manage auditing and security log
Modify firmware environment values
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or other objects
. . firmware. Intei . - :
-, . , , , -. .
Additional restrictions for anonymous connections
Allow server operators to schedule tasks (domain controllers only)
Allow system to be shut down without having to log on
Allowed to eject removable NTFS media
Amount of idle time required before disconnecting session
- ServerOperators - - . , NTFS ,
. , .
Audit the access of global system objects
Audit use of Backup and Restore privilege
Automatically log off users when logon time expires
Automatically log off users when logon time expires (local)
Clear virtual memory pagefile when system shuts down
Digitally sign client communication (always)
Digitally sign client communication (when possible)
Digitally sign server communication (always)
Digitally sign server communication (when possible)
Disable CTRL+ALT+DEL requirement for logon
Do not display last user name in logon screen
LAN Manager Authentication Level
Message text for users attempting to log on
Message title for users attempting to log on
Number of previous logons to cache (in case domain controller is not available)
Prevent system maintenance of computer account password
Prevent users from installing printer drivers
Prompt user to change password before expiration
- - - . -. Windows XP Windows 2000 . SP1 Windows XP CTRL+ALT+DEL - . - , - LAN Manager. He NTLM - Windows 9x NTLM v.2 - Windows NT- , , - . 50 7 . Users - , -
Recovery Console: Allow automatic administrative logon
Recovery Console: Allow floppy copy and access to all drives and all folders
Rename administrator account
Rename guest account
Restrict CD-ROM access to locally logged-on user only
Restrict floppy access to locally logged-on user only
Secure channel: Digitally encrypt or sign secure channel data (always)
Secure channel: Digitally encrypt secure channel data (when possible)
Secure channel: Digitally sign secure channel data (when possible)
Secure channel: Require strong (Windows 2000 or later) session key
- - :AllowWildCards - ;AllowAllPaths ;AllowRemovableMedia - , ;NoCopyPrompt Administrator Guest CD.,, CD . - , CD . , CD , < . , . - , . , , , - - - . , - , - , - (Windows 2000 ). -
Secure system partition (for RISC platforms only)
Send unencrypted password to connect to third-party SMB servers
Shut down system immediately if unable to log security audits
Smart card removal behavior
Strengthen default permissions of global system objects (e.g. Symbolic Links)
Unsigned driver installation behavior
Unsigned non-driver installation behavior
RISC- - SMB- , SAMBA , - - - [' . :No Action ;Lock Workstation ;Force Logoff , ( DOS, -) . - -, - , . ;Silently succeed ;Warn but allow installation , ;Do not allow installation , , -, -
. . - .
- . - , , . , , -
. 4 . - :
;
+ ; 365 ;
.
Maximum Log size for Application Log
Maximum Log Size for Security Log
Maximum Log Size for System Log
Restrict Guest access to Application Log
Restrict Guest access to Security Log
Restrict Guest access to System Log
Retain Application Log for
Retain Security Log for
Retain System Log for
Retention method for Application Log
Retention method for Security Log
Retention method for System Log
Shutdown system when security audit log is full
, 512 , 512 , 512
, , ,
Windows :
:
;
, - ;
, ; .
. Enterprise Admins , , .
- , .
- , . - , . - , Enterprise Admins, .
Windows :
. Computer Management Services. - , . :
+ Automatic ();
Manual ();
Disabled ()
, , . ;
Full control ( );
Read ( );
Start, Stop and Pause (, );
Write ( );
Delete ()
Windows :
-. :
Inherit () , , - ;
+ Overwrite () , , - ;
Ignore () .
, , , .
Windows :
- , , . , :
Inherit () , , -.
Overwrite () , , .
Ignore () - .
Windows :
, ( . [3]):
Automatic Certificate Request Settings ,
, -, .
Trusted Root , Certification Authorities ,
-. , - . -
Enterprise Trust - , , -
Encrypted Data Recovery Agents EFS.
. , - , -
Windows : IPSecurity IPSecurity , - . Active Directory, , - IPSecurity - . , , . , - , -, .
IPSec , - , , . ^
IPSecurity
Secure server (require security) , - - IPSec
Server (Request security) , - no IPSec, - ,
Client (Respond only) . - - ,
, , -, , Secure Server. Server, . , , Client, -
, .
IPSec
.ADM, - , , . HKEY_LOCAL_MACHINE.
, , , . ' , - .
- Windows 2000, :
SP2 ;
;
Windows XP.
WindowsNet Meeting
Internet Explorer
Task Scheduler
Terminal Services
Windows Installer
Windows Messenger
User profiles
Scripts
Logon
Disk Quotas
Net Logon
Group Policy
Remote Assistance
System Restore .
, - - , Internet Explorer - . - , . ( . [!}) Windows Installer, , -, , - - ./ WindowsMessenger
: , - , . . , - . - , . - . - Windows XF, - , - , - NctLogon. -, , Windows.Net Server (. ) - Windows XP - Windows XP
Error Reporting
Windows File Protection
Remote Procedure Call
Windows Time Service
DNS client
Offline files
Network connections
Windows XP' -. , - , - RPC. Windows XP Windows .Net Server
DNS. ,
, . - , .
+ , , .
, Active Directory. , - , . - , .
. -. - . , - , .
- Active Directory, , - , .
[Screenshot: Add/Remove Programs, Add New Programs page: "Add a program from CD-ROM or floppy disk" (CD or Floppy button) and adding Windows features, device drivers, and system updates over the Internet (Windows Update button)]
, , - , :
+ ;
> , ;
, , - .
-: , , .
Windows : Internet Explorer Internet Explorer Authorization Kit (IEAK) - Internet Explorer ^ -. .
Internet Explorer
Browser title . -
Internet Explorer Outlook Express. - Microsoft Internet Explorer provided by "Outlook Express provided by*. , InternetExplorer
Animated Bitmaps , - ! Internet Explorer
Custom Logo ,
Browser Toolbar buttons - -
Connection settings ,
,
Automatic Browser Configuration .INS -Proxy settings , -
. , .
User Agent String
URLFavourites and Links
Important URLs
Channels
Security zones and content ratings
Authenticode settings
Programs
, . ,Mozilla 4.0 (compatible; MSIE 5.0; Windows NT; )
, , -
- (, . .) , -
- , , -
Windows :
, , Windows Scripting Host, - . , 51\.\-Ucies\{GUID }\5\51 Logon Logoff.
. , Run logon scripts synchronously, - . . , - .
, , - 51\.\5118. , . .
, . , - -.
Windows : - Enterprise Trust. - , , - . - .
Windows : - -! RIS. - :
Allow ;
+ Don't care , ,, , , - ;
+ Deny .
:
- , - ;
+ - ' ;
- :
- .
Windows : :
My Documents ( My Pictures);
Application Data;
Start Menu:
Desktop.
My Documents , - ( , -!), .
Application Data - Documents and settings\HMH . -. , Microsoft Word - Templates, \Wbrd\Templates Application Data. , , , .
Start Menu Documents and settings\HMH - Start, . - Start . - , , .
Desktop - Documents and settings\HMH - , . Start, ' . - .
, . - ? . . - .
, , - , . . . , , , , - .
. - , .
. , , .
.
. %username%, \\root 1\users\%username%\My Documents. - , - .
+ , - , .
0
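[Screenshot: folder redirection settings: the option granting the user exclusive rights to the folder, and the Policy Removal group with the option to leave the folder in the new location when the policy is removed]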
.
. /, - . ,
4 .
4 -, ,
, - .
My Pictures, My Documents, - , .
ADM, - , ,
4 . - HKEY_CURRENT_USER.
. - , . , - .
- Windows 2000, :
SP2 ;
;
Windows XP.
WindowsNet Meeting -
- - Net Meeting, ,
Internet Explorer Internet Explorer .
Windows Explorer . Windows 2000/Windows. , Windows 2000 Windows XP: 'Folder Options Tools; File Windows Explorer; Map Network Drive
Disconnect Network Drive*; Search Windows Explorer; - ;
Manage - ;
;
;
;
; Hardware; DFS;
;
; Computers Near Me*
My Network Places; Entire Network My Network
Places;
;
;
.
- Windows XP: Security; -; ;
; ; Shared Documents My Computer; ; . , File Open. - . - - . -
Microsoft ManagementConsole
Task Scheduler
Terminal Services
Windows Installer
Windows Messenger
Windows Update
Windows Media Player
Start
Active Desktop
Active Directory
Add/Remove Programs
Display
Printers
Regional and LanguageOptions
Offline Files
Network Connections
- . Windows XP/Windows .Net Server - Windows Installer/ WindowsMessenger . Windows XP - Windows XP - Start . , , - , - , -, Active Desktop - Active Directory: , - Network Neigborhood . Windows XP - -/ / - Web, / ActiveDirectory DFS
- . , - Network Connections: -, , - . .
User profiles
Scripts
Ctrl+Alt+Del Options
Logon
Group Policy
Power Management
-, . , - . , Windows 2000 Windows XP:
;+ 2000 ; ; , ;+ ;
; ; ; -. Windows XP: ;
Windows;
; ,
, - - , - Ctrl+Alt+Del - , (. ) -
Active Directory - , . ) -. .
, , . , - . . . Active Directory . , , . , - . -, ?
, .
1 -. ( ), , - , - , , .
, . ( , ), - , - , :
, -;
;
-;
- .
+ . ; - , - , .
. , - : - , .
, , ,
- . !
, - Active Directory, , , .
, .
, Windows NT - . . . , . . , -, - , , , -. , - [1]. - Windows 9x Windows NT, - .
. , -. . -, , -, , , , . .
? ! Active Directory - . : , . .
, . - . , , , -, . , , - . . - , - . - , - , , - .
. .
? .
1. - Active Directory?
2. - ?
3. : ?
4- , , ?
5. , - ?
, , , Active Directory , - . . , .
, }' , - Windows NT 4.0 Active Directory . .
, Active Directory , Active Directory? - ?
, - Windows NT, - . -
: ? - , . , ? - , ?
Active Directory:
Active Directory
, - , -- , , , - ,
:
Msk-Acct;
+ Msk-Sales;
+ Nsk-Acct;
Nsk-Sales;
East-Acct;
East-Sales,
Windows NT - . .
, , . , : .
. - , , - . , . .
, , , . , - - . . , - .
, . , , . . - , . , .
.
, . , . ?
- , . , . , . - , , .
. - . , - , - ? ( - ), 90% . , . - , . - , - 90% , , 10%. ,
/
/ -/
, - . , - . , , , , . , , - : , - .
. , , . .
Active Directory? ?
: ?
, , ?
, ?
, Active Directory -
- , - , - , - - - , . , - . , , 10
.
msk.mycorp.ru siberia.mycorp.ru
Active Directory*,, , . -? ! msk Siberia . -, , -, , . - , - . , .
.
msk.mycorp.ru
mycorp.ru. - . - -. 1. mycorp.ru .
, msk Siberia . mycorp.ru, -
. -, : - , . . , - , -: , * . - ( 26) - .
msk.mycorp.ru. - . , . , - , . , - .
siberia.mycorp.ru. - , . . : -. ! 5 , - .
, . , . - , , . -. , , . , - , , .
, . -, . , , - .
, , . , -, . , -
. *: - , , - , , - .
, , Active Directory , , .
- . . :
GPRESULT - ;
GPOTOOL ;
+ ADDIAG , , - ;
SECEDIT -;
FAZAM2000 , - -.
GPRESULT
, , , . :
+ /v ;
/s -; ;
/ ;
+ / .
, , , , , .
. , , . , ,
. /v. -, Gpresult /s.
, , /v.
:
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on 13
Operating System Information:
Operating System Type: Professional
Operating System Version: 5.0.2195
Terminal Server Mode: Not supported
Created on ( ...)- - 13? Windows 2000. - , . Windows XP.
Terminal Server Mode. Windows .
, . :
User Group Policy results for:
CN=u2,OU=test,DC=mycorp,DC=ru
Domain Name: MYCORP
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming profile: (None)
Local profile: C:\Documents and Settings\u2
The user is a member of the following security groups:
MYCORP\Domain Users
\Everyone
BUILTIN\Users
\LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
The user has the following security privileges:
Bypass traverse checking
Shut down the system
Remove computer from docking station
, , . . , . , :
;
(- , - );
.
, - . , , , .
Last time Group Policy was applied: 13
Group Policy was applied from:
ROOTt.mycorp.ru
, . , US.
; , - , . . .