How to find out what changes have occurred in AD
???? : How do I find out what changes are going on in my Active Directory?
???(Herbert)???. ??? ?? AD ???? ?? ???? ????.
- ? ? AD ?????? ??? ?? 3??? 500MB? ??????
- ??? ????? ??????? AD ??? ?? ????, ??? ?? ?????
?? ? ??? AD ????? ??? ??? ? ? ????. ??? ?? ?? ??? ??? ? ????.
312403 Distributed Link Tracking on Windows-based domain controllers
https://support.microsoft.com/default.aspx?scid=kb;EN-US;312403
318774 Removing duplicate and unwanted proxy addresses in Exchange
https://support.microsoft.com/default.aspx?scid=kb;EN-US;318774
940262 The Active Directory database size increases unexpectedly because a Windows Server 2003-based DNS server inappropriately creates several SerialNo objects
https://support.microsoft.com/default.aspx?scid=kb;EN-US;940262
??? ??? ????, ??? AD ???????? ??? ???? ??? ???. ?? Active Directory? USN(Update Sequence Number)? ? ????? ?????. USN? 64?? ???? ??? ????? ???? ????. DC? GUID? USN? ??? ???? ??????? ????? ??? ? ????. USN? ?? ????? ??? ???? ? ?? ?????. ??? ???? GC ????? ?????, ?? USN? ??? ?? ? ? ????.
? DC? ???????? ??? ??? ?? ???? ??? USN? ??? ? ????. ? AD ??(ADAM? LDS ??)? RootDSE ??? "highestCommittedUSN"??? ??? ??? ????. LDP??? ??? ???.
...
12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange;
1> highestCommittedUSN: 175389104;
4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
...
? ??? ????, LDAP ??? ???? ?? ??? ??? ??? ??? ? ????. ?? ??, LDIFDE? ???? RootDSE?? ? ? ?? "highestCommittedUSN"??? 10000? ???.
Ldifde /d dc=contoso,dc=com /s contoso-DC1 /r "(usnchanged>=175379104)" /f domain-NC-last-10000-080919.txt
? ??? ??? ????? ??? ??? ??? ??? ????. ?? ??? AD? ?? ??? ??? ???? ?? ??? ???, ??? ???? ????. ??? ??(?? ??? whenCreated ??)? ?? ???, ?? ??? ?????? ?? ?? ???. ??, ??? ?? DC? ?? ??? ?? ?? ???.
??? ?? ????? ??? DC? ????? ???? ???? ?? DC???, ??? ??? ?? DC????. ? ??? ?? ??, ??? ?? ??? ?????? ?????.
repadmin /showobjmeta <DC name> <Object-DN>
??? ??? ?? ??? ?????.
Loc.USN    Originating DC   Org.USN    Org.Time/Date        Ver  Attribute
=======    ===============  =========  =============
...
175389437  HQ\contoso-DC1   175389437  2008-09-16 18:12:46  2    name
...
?? ??? ??? ?? USN ??, ?? ???? ??? ???? ?? originating DC ??? time-stamp? ????, ??? ??? ??? ?????. ??? ??? ???, ??? ????? ???? ? ??? ??? ??? ????. ??? ???? ? ? ?? ????? ? ? ?? ????. (Windows Server 2003 ???? ?? ?? ? ??)
Type     Attribute  Last Mod Time        Originating DC  Loc.USN    Org.USN    Ver  Distinguished Name
============================================================================
ABSENT   member     2008-09-19 15:14:01  HQ\contoso-DC1  175384020  175384020  2    CN=test-user1,OU=Test-OU,DC=contoso,DC=com
PRESENT  member     2008-09-16 18:22:29  HQ\contoso-DC1  175379684  175379684  1    CN=test-user2,OU=Test-OU,DC=contoso,DC=com
?? : USN? ?? ?? ???? ?? ?? ??? ? ????.
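The workflow shown on this page (read highestCommittedUSN from RootDSE, subtract 10000, filter on usnchanged, then read the per-attribute metadata from repadmin /showobjmeta) can be checked offline against saved output. The Python below is an added example, not part of the original post: it derives the filter from an LDP RootDSE line and selects the metadata rows whose local USN falls inside that window. The sample text is constructed from the formats printed above; the contoso-DC2 row and all function names are assumptions.

```python
import re

# Constructed sample input in the LDP RootDSE and repadmin /showobjmeta
# formats shown on this page; the contoso-DC2 row is invented for contrast.
ROOTDSE = "1> highestCommittedUSN: 175389104;"
SHOWOBJMETA = r"""
175389437 HQ\contoso-DC1 175389437 2008-09-16 18:12:46 2 name
175001234 HQ\contoso-DC2 88123456 2008-08-01 09:00:00 1 description
ABSENT member 2008-09-19 15:14:01 HQ\contoso-DC1 175384020 175384020 2 CN=test-user1,OU=Test-OU,DC=contoso,DC=com
PRESENT member 2008-09-16 18:22:29 HQ\contoso-DC1 175379684 175379684 1 CN=test-user2,OU=Test-OU,DC=contoso,DC=com
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
ATTR_ROW = re.compile(rf"\s*(\d+)\s+(\S+)\s+(\d+)\s+{TS}\s+(\d+)\s+(\S+)\s*$")
LINK_ROW = re.compile(
    rf"\s*(PRESENT|ABSENT)\s+(\S+)\s+{TS}\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

def usn_threshold(rootdse_text, window=10000):
    """Return highestCommittedUSN minus `window`, as in the LDIFDE example."""
    m = re.search(r"highestCommittedUSN:\s*(\d+)", rootdse_text)
    if m is None:
        raise ValueError("highestCommittedUSN not found in RootDSE dump")
    return max(int(m.group(1)) - window, 0)

def ldap_filter(threshold):
    """Build the LDAP filter passed to LDIFDE with /r."""
    return f"(usnchanged>={threshold})"

def parse_metadata(text):
    """Parse attribute rows and link-value rows; skip headers and rulers."""
    rows = []
    for line in text.splitlines():
        if m := LINK_ROW.match(line):
            state, attr, when, dc, loc, org, ver, dn = m.groups()
        elif m := ATTR_ROW.match(line):
            loc, dc, org, when, ver, attr = m.groups()
            state = dn = None
        else:
            continue
        rows.append({"attr": attr, "state": state, "value_dn": dn, "when": when,
                     "orig_dc": dc, "loc_usn": int(loc), "org_usn": int(org),
                     "ver": int(ver)})
    return rows

def changed_since(rows, threshold):
    """Rows whose local USN falls inside the window, newest first."""
    hits = [r for r in rows if r["loc_usn"] >= threshold]
    return sorted(hits, key=lambda r: r["loc_usn"], reverse=True)

if __name__ == "__main__":
    t = usn_threshold(ROOTDSE)
    print(ldap_filter(t))
    for r in changed_since(parse_metadata(SHOWOBJMETA), t):
        print(r["loc_usn"], r["orig_dc"], r["when"], r["state"] or "-", r["attr"])
```

Local USNs are only comparable on the DC that produced the output, so the threshold and the metadata must come from the same server.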
??? "ABSENT"? ?? ?? ??? ??? ?? ?? ?? ??? ?????. "ABSENT"? ??? ??? ????, tombstone ??? ??? ? ????. ??? ???????? tombstone ???? ?????. ??? ?? ?? ? ?? ???? ???? ?? ?????, ? ??? ?? ????? ???? ?? ?????.
Attributes that can contain lots of data deserve special attention.
??? ???? ?? ? ?? ??? ??? ??? ????.
This often applies to attributes containing binary values, including the security descriptor for AD or Exchange, or attributes containing certificates.
??? ?? ??? ??? ?????, AD ?? Exchange? ?? ??? ?????, ???? ???? ??? ?????.
?????, LDIFDE? "ntSecurityDescriptor"? ??? ???? ?? ?????. ?? ??? ??? ?? ???? ?? ?? ??? ??? ????? ?? ???? ?????, ?? ??? ?? ???. ??? ??? ??? ????? ?????? ??????. ?? ?? "ntSecurityDescriptor"? DSACLS? ???? ????? ?? ?? ????? ???? ?? ??? ? ????.
Windows Server 2003 ?? ?? ???? ???? ?? ??? "ntSecurityDescriptor"? ???? ??? ?????? ??? ?? ??? ?? ????. ??? ?? ???? ??? ???.
??? ?? ????, ???? ??? ??? originating DC? ??? ????? ??? ?? ??? ?????. ?? ??? ???? ???, ? ??? ?? ????? ???? ?? ? ??? ?? ??? ????? ?? ??? ? ????. ??? ACL ????? ??? ?? ??? ?? ??? ??? ??? ?? ??? ??? ? ????. ?? ???? ?????.
296490 How to modify the filtered properties of an object
https://support.microsoft.com/default.aspx?scid=kb;EN-US;296490
??? ???? ?? ?? ??? ??? ??? ??? ????
???? ?? ??? LDIFDE ????? ???? ??? ? ??? ???? ???? ????. ??? ??????? ??? ??? ?????? ??? ? ???, ????? ? ? ??? ? ????. ?? ??? ?? ???? ???? ?? ????? ??? ? ????.
??? ForestDnsZones? DomainDnsZones? ???? DNS ???, ??? GC? ??, ??? ????? ???? ? ?? ?? ????? ????. ????, ?? ???? admins? ??? ??? ?? ?? ?????. ??? ?? GC ??? ??? ??? ? ????.
Ldifde /d "" /s contoso-DC1 /t 3268 /r "(usnchanged>=175379104)" /f GC-last-10000-080919.txt
?? : ? ??? GC? ??? ??? ???? ???? ?? ?????.
??? ?????, ??? ??? ???? ??? ????, ?? ????? ?? ???? ??? ????. ??? ??? tombstone ??? ?????? ??? ??? ????, ??? ??? ?? ???? ?????. LDIFDE? ??? ?? "/x" ??? ?? ??? ??? ??? ? ????.
Ldifde /d dc=contoso,dc=com /s contoso-DC1 /x /r "(usnchanged>=175379104)" /f domain-NC-last-10000-deleted-080919.txt
tombstones? ??? ??? ??? ???, ???? ???? ???? ?????? ??? ??? ????? ??? ???? ????? ???? ???. ??? ??? ?? ????? ????? Tombstone ??? ????? ?? ???? ????. ??? ??? ????? ?? ???? ??? ?, ? ?? ??? TSL? Active Directory ???? ?? ? ??? ? ? ????.
AD ????? ?? ??? ??? ???? ????. ???? ?? ???? ????.
- Herbert Mauerer