I'm trying to find out whether there is a way for users to log in to OWA on our Exchange 2019 CAS server using their primary e-mail address instead of their UPN. For some reason, when Exchange was first set up here (before my time), they adopted a different format for the user login. Our login (UPN) is just the user's name (i.e.: [email protected] ), but the e-mail address is the initial/surname (i.e.: [email protected] ). This is NOT a UPN suffix problem, since both suffixes are the same (i.e.: @contoso.com). I can log in to OWA using the UPN, but not using the e-mail address. Does Exchange allow this?
Caynadian's questions
We are running Exchange 2019 fully on-premises. Our default retention policy archives e-mail after two years to the user's Online Archive (it also cleans up some folders, such as deleted items, drafts, etc.). We are a government entity with some requirements to ensure that all communications are kept for 10 years. Until now, we have just let Exchange archive the e-mails and never bothered to delete anything, so users have e-mails going back decades in their archives. Needless to say, the archive database is getting very large (not huge - we are a small organization) and I would like to add a retention tag to remove e-mails older than 10 years from the Online Archive. There is no tag that applies specifically to the Online Archive and, from what I have read, that is because it is supposed to be treated as just an extension of the Inbox.
How do I remove items only from the Online Archive after the 10-year mark?
Update: I have the tags "Archive after 2 years" and "Delete after 10 years". However, when I look at all my e-mails, they only say Delete after 10 years:
We have e-mails sent using TLS from a Windows 2012R2 web server (not domain-joined) in our DMZ to our internal Exchange 2016 server (also running on Windows 2012R2). This was working fine until about a month ago, when they stopped arriving (we only noticed now because the e-mails are very infrequent). I forced a test e-mail and, when I look at the transport role protocol logs, I see the following:
2020-06-24 11:02:33.524,
MAILSERVER\Client Frontend MAILSERVER,
0102030405060708,
6,
192.168.1.44:587,
192.168.2.3:64961,
*,
" CN=*.example.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
0102030405060708090A0B0C0D0E0F10
0102030405060708090A0B0C0D0E0F1011121314
2020-03-17T19:00:00.000Z
2021-03-18T18:59:59.000Z
*.example.com;example.com",
Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2020-06-24 11:02:33.540,
MAILSERVER\Client Frontend MAILSERVER,
0102030405060708,
7,
192.168.1.44:587,
192.168.2.3:64961,
*,
,
TLS negotiation failed with error CertExpired
You can see that the certificate's validity dates are from March 17, 2020 to March 18, 2021.
The client side shows the following error log:
SERVER -> CLIENT: 220 mailserver.example.com Microsoft ESMTP MAIL Service ready at Wed, 24 Jun 2020 11:02:32 -0500
CLIENT -> SERVER: EHLO www.example.com
250-SIZE 36700160
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
CLIENT -> SERVER: STARTTLS
SERVER -> CLIENT: 220 2.0.0 SMTP server ready
Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [E:\...\class-smtp.php line 374]SMTP Error: Could not connect to SMTP host.
CLIENT -> SERVER: QUIT
SERVER -> CLIENT: SMTP ERROR: QUIT command failed: Connection: closedSMTP Error: Could not connect to SMTP host.
The event log on the mail server shows the following event:
A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 45.
- System
- Provider
[ Name] Schannel
[ Guid] {1F678132-5938-4686-9FDC-C8FF68F15C85}
EventID 36887
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2020-06-24 11:02:33.540386500
EventRecordID 417754
Correlation
- Execution
[ ProcessID] 484
[ ThreadID] 1552
Channel System
Computer mailserver.example.com
- Security
[ UserID] S-1-5-18
- EventData
AlertDesc 45
But, again, this event only indicates an expired certificate.
Any idea why Exchange thinks the certificate has expired? I checked the date/time on both machines and they are correct to the second. Thanks!
I have a non-domain-joined Windows Server 2012R2 web server hosting WordPress with the Easy WP SMTP plug-in in our DMZ. It is supposed to send e-mail to our internal Exchange 2016 server for things like alerts, new sign-ups, etc. It used to use unsecured SMTP on port 25, but we are trying to set it up to use TLS on port 587. But I can't send because the Exchange Server keeps rejecting the connection:
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,0,10.0.0.44:587,192.168.200.3:58156,+,,
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,1,10.0.0.44:587,192.168.200.3:58156,>,"220 mail.domain.com Microsoft ESMTP MAIL Service ready at Mon, 30 Mar 2020 08:25:53 -0500",
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,2,10.0.0.44:587,192.168.200.3:58156,<,EHLO www.domain.com,
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,3,10.0.0.44:587,192.168.200.3:58156,>,250 mail.domain.com Hello [192.168.200.3] SIZE 36700160 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS AUTH GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING,
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,4,10.0.0.44:587,192.168.200.3:58156,<,STARTTLS,
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,5,10.0.0.44:587,192.168.200.3:58156,>,220 2.0.0 SMTP server ready,
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,6,10.0.0.44:587,192.168.200.3:58156,*," CN=*.domain.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB 4F8D1253CAE6C3AA06ED0310EAA39158 827CCAB98B7AC22709CBC1408C74CCED89060C98 2020-03-17T19:00:00.000Z 2021-03-18T18:59:59.000Z *.domain.com;domain.com",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2020-03-30T13:26:08.998Z,<Rcv Conn>,08D7D3F917D985E4,7,10.0.0.44:587,192.168.200.3:58156,*,,TLS negotiation failed with error CertUnknown
2020-03-30T13:26:08.998Z,<Rcv Conn>,08D7D3F917D985E4,8,10.0.0.44:587,192.168.200.3:58156,-,,Local
The certificate is good because many other TLS connections on 587 work without problems.
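A check for the two TLS posts above, as an added example that is not part of the original posts: it parses receive-log lines in the comma-separated layout shown in the second post and compares the validity window of the certificate Exchange sent with the time TLS negotiation failed. The sample log lines are constructed, and the function and key names are this example's own.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample (not taken from a real server), in the receive-log layout
# date-time,connector-id,session-id,sequence-number,local-endpoint,
# remote-endpoint,event,data,context
SAMPLE_LOG = r'''
2020-06-24T16:02:33.524Z,MAILSERVER\Client Frontend MAILSERVER,0102030405060708,5,192.168.1.44:587,192.168.2.3:64961,>,220 2.0.0 SMTP server ready,
2020-06-24T16:02:33.524Z,MAILSERVER\Client Frontend MAILSERVER,0102030405060708,6,192.168.1.44:587,192.168.2.3:64961,*," CN=*.example.com CN=Example Issuing CA, O=Example, C=GB 0102030405060708090A0B0C0D0E0F10 0102030405060708090A0B0C0D0E0F1011121314 2020-03-17T19:00:00.000Z 2021-03-18T18:59:59.000Z *.example.com;example.com",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2020-06-24T16:02:33.540Z,MAILSERVER\Client Frontend MAILSERVER,0102030405060708,7,192.168.1.44:587,192.168.2.3:64961,*,,TLS negotiation failed with error CertExpired
2020-06-24T16:05:10.000Z,MAILSERVER\Client Frontend MAILSERVER,0102030405060709,6,192.168.1.44:587,192.168.2.9:50110,*," CN=old.example.com CN=Example Issuing CA, O=Example, C=GB 1112131415161718191A1B1C1D1E1F20 1112131415161718191A1B1C1D1E1F2021222324 2019-03-17T19:00:00.000Z 2020-03-18T18:59:59.000Z old.example.com",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2020-06-24T16:05:10.100Z,MAILSERVER\Client Frontend MAILSERVER,0102030405060709,7,192.168.1.44:587,192.168.2.9:50110,*,,TLS negotiation failed with error CertExpired
'''.strip()

ISO_TS = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z")
TLS_FAIL = re.compile(r"TLS negotiation failed with error (\w+)")


def parse_ts(text):
    """Parse the log's UTC timestamps ('...Z') into aware datetimes."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def tls_failures(log_text):
    """Return one finding per session that sent a certificate and then failed TLS."""
    sent = {}       # session-id -> (subject, not_before, not_after)
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        # Skip '#Fields'-style header lines and anything that is not a full record.
        if len(row) < 9 or row[0].startswith("#"):
            continue
        session, data, context = row[2], row[7], row[8]

        if context.startswith("Sending certificate"):
            # The only two ISO timestamps in the data field are Not before / Not after.
            stamps = ISO_TS.findall(data)
            if len(stamps) >= 2:
                tokens = data.split()
                subject = tokens[0] if tokens else ""  # first token only (approximation)
                sent[session] = (subject, parse_ts(stamps[0]), parse_ts(stamps[1]))
            continue

        failure = TLS_FAIL.search(context)
        if not failure or session not in sent:
            continue

        subject, not_before, not_after = sent[session]
        failed_at = parse_ts(row[0])
        leaf_valid = not_before <= failed_at <= not_after
        findings.append({
            "session": session,
            "error": failure.group(1),
            "leaf_subject": subject,
            "leaf_valid_at_failure": leaf_valid,
            "days_to_leaf_expiry": (not_after - failed_at).days,
            "next_check": (
                "leaf dates do not explain the alert: inspect the other certificates "
                "in the chain the client receives and the client's trust store"
                if leaf_valid else
                "leaf is outside its validity window: renew it and rebind the SMTP service"
            ),
        })
    return findings


if __name__ == "__main__":
    for finding in tls_failures(SAMPLE_LOG):
        print(finding)
```

The first constructed session mirrors both posts: the certificate Exchange sent is inside its validity window when the client rejects it, so the leaf's dates alone do not account for the alert.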
I am trying to enable the write cache on a Smart Array P400, although there is no battery backup. We have a large building-wide UPS backed by a generator, so the likelihood of power loss is minimal, and write performance on this VM host server is terrible. I installed the HP VMware drivers and software and used hpssacli to enable the write cache and the no-battery write cache:
/opt/hp/hpssacli/bin # ./hpssacli controller slot=1 show config detail
Smart Array P400 in Slot 1
Bus Interface: PCI
Slot: 1
Serial Number: PAFGK0P9VX029O
Cache Serial Number: PA82C0J9VX12T7
RAID 6 (ADG) Status: Disabled
Controller Status: OK
Hardware Revision: E
Firmware Version: 7.22
Rebuild Priority: Medium
Expand Priority: Medium
Surface Scan Delay: 15 secs
Surface Scan Mode: Idle
Wait for Cache Room: Disabled
Surface Analysis Inconsistency Notification: Disabled
Post Prompt Timeout: 0 secs
Cache Board Present: True
Cache Status: OK
Cache Ratio: 100% Read / 0% Write
Drive Write Cache: Enabled
Total Cache Size: 256 MB
Total Cache Memory Available: 208 MB
No-Battery Write Cache: Enabled
Battery/Capacitor Count: 0
SATA NCQ Supported: True
Number of Ports: 2 Internal only
Encryption Supported: False
Driver Version: 3.6.14
Driver Supports HP SSD Smart Path: False
Internal Drive Cage at Port 1I, Box 1, OK
Power Supply Status: Not Redundant
Serial Number:
Drive Bays: 4
Port: 1I
Box: 1
Location: Internal
Physical Drives
physicaldrive 1I:1:7 (port 1I:box 1:bay 7, SATA, 250 GB, OK, spare)
physicaldrive 1I:1:6 (port 1I:box 1:bay 6, SATA, 250 GB, OK)
physicaldrive 1I:1:5 (port 1I:box 1:bay 5, SATA, 250 GB, OK)
Internal Drive Cage at Port 2I, Box 1, OK
Power Supply Status: Not Redundant
Serial Number:
Drive Bays: 4
Port: 2I
Box: 1
Location: Internal
Physical Drives
physicaldrive 2I:1:4 (port 2I:box 1:bay 4, SATA, 250 GB, OK)
physicaldrive 2I:1:3 (port 2I:box 1:bay 3, SATA, 250 GB, OK)
physicaldrive 2I:1:2 (port 2I:box 1:bay 2, SATA, 250 GB, OK)
physicaldrive 2I:1:1 (port 2I:box 1:bay 1, SATA, 120 GB, OK)
Array: A
Interface Type: SATA
Unused Space: 0 MB
Status: OK
Array Type: Data
Logical Drive: 1
Size: 111.8 GB
Fault Tolerance: 0
Heads: 255
Sectors Per Track: 32
Cylinders: 28722
Strip Size: 128 KB
Full Stripe Size: 128 KB
Status: OK
Caching: Enabled
Unique Identifier: 600508B10010503956583032394F0009
Logical Drive Label: A0199599PAFGK0P9VX029O81A9
Drive Type: Data
LD Acceleration Method: Controller Cache
physicaldrive 2I:1:1
Port: 2I
Box: 1
Bay: 1
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 120 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K647T8B25P5U
Model: ATA GJ0120CAGSP
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 33
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
Array: B
Interface Type: SATA
Unused Space: 0 MB
Status: OK
Array Type: Data
Spare Type: dedicated
Logical Drive: 2
Size: 931.4 GB
Fault Tolerance: 5
Heads: 255
Sectors Per Track: 32
Cylinders: 65535
Strip Size: 64 KB
Full Stripe Size: 256 KB
Status: OK
Caching: Enabled
Parity Initialization Status: Initialization Completed
Unique Identifier: 600508B10010503956583032394F000A
Logical Drive Label: A01986FDPAFGK0P9VX029O8FA7
Drive Type: Data
LD Acceleration Method: Controller Cache
physicaldrive 1I:1:5
Port: 1I
Box: 1
Bay: 5
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648TAC28P4N
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 35
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
physicaldrive 1I:1:6
Port: 1I
Box: 1
Bay: 6
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648T8C25MF2
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 34
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
physicaldrive 2I:1:2
Port: 2I
Box: 1
Bay: 2
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648T8C25MFW
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 35
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
physicaldrive 2I:1:3
Port: 2I
Box: 1
Bay: 3
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648T8B25M9W
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 35
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
physicaldrive 2I:1:4
Port: 2I
Box: 1
Bay: 4
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648T8C25ML9
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 35
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
physicaldrive 1I:1:7
Port: 1I
Box: 1
Bay: 7
Status: OK
Drive Type: Spare Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648T8C25MK0
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 31
Maximum Temperature (C): 57
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
But as you can see, the cache ratio is 0% for writes. What am I missing?
I'm trying to clean up the server file shares on all of my Windows Server 2012R2 servers. About half of my servers have a print$ share, even though they don't share any printers (only 2 of my servers legitimately share printers). Why does this share appear on some but not others, and how do I disable it without disabling file sharing as well? All the solutions I have found involve disabling file and printer sharing or disabling all administrative shares (C$, D$, ADMIN$, etc.) - neither of which I want to do.
I'm having a strange problem that I hope someone can help with. I have an older 32-bit Windows Server 2003SP2 server that cannot access any shares on our 64-bit Windows Server 2012R2 domain controller. The 2003 server can access shares on other 2012R2 servers fine; it is just the one server it has problems with. Also, the 2012R2 server can access shares on the 2003 server. There is no firewall or AV on the 2003 server, but the 2012R2 server has the firewall and Symantec Endpoint Protection installed on it. No other clients have problems accessing the 2012R2 server (although all the other machines that access it are Win10/Win2012R2).
I checked the event log on both machines and there are no messages. If I try to access a share with Windows Explorer, I get the error "Windows cannot find '\\win2012R2\sharename'. Check the spelling and try again, or try searching for the item by clicking the Start button and then clicking Search." If I try from the command line using NET USE, I get the error "System error 64 has occurred. The specified network name is no longer available." I can ping the 2012R2 server from the 2003 server. DNS lookups also work fine.
Is there some kind of SMB access log that I can look at?
EDIT:
I installed Wireshark and recorded the following traffic from the 2003 server when trying to connect to the 2012R2 server:
No. Time Source Destination Protocol Length Info
6361 79.400489000 2003srvr.domainname.lcl 2012r2srvr.domainname.lcl TCP 62 12575->netbios-ssn [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
Frame 6361: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0
Ethernet II, Src: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5), Dst: 192.168.112.6 (ff:ff:ff:9b:08:04)
Internet Protocol Version 4, Src: 2003srvr.domainname.lcl (192.168.112.10), Dst: 2012r2srvr.domainname.lcl (192.168.112.6)
Transmission Control Protocol, Src Port: 12575 (12575), Dst Port: netbios-ssn (139), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
6363 79.400812000 2012r2srvr.domainname.lcl 2003srvr.domainname.lcl TCP 62 netbios-ssn->12575 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
Frame 6363: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0
Ethernet II, Src: 192.168.112.6 (ff:ff:ff:9b:08:04), Dst: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5)
Internet Protocol Version 4, Src: 2012r2srvr.domainname.lcl (192.168.112.6), Dst: 2003srvr.domainname.lcl (192.168.112.10)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 12575 (12575), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
6364 79.400822000 2003srvr.domainname.lcl 2012r2srvr.domainname.lcl TCP 54 12575->netbios-ssn [ACK] Seq=1 Ack=1 Win=64240 Len=0
Frame 6364: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5), Dst: 192.168.112.6 (ff:ff:ff:9b:08:04)
Internet Protocol Version 4, Src: 2003srvr.domainname.lcl (192.168.112.10), Dst: 2012r2srvr.domainname.lcl (192.168.112.6)
Transmission Control Protocol, Src Port: 12575 (12575), Dst Port: netbios-ssn (139), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
6366 79.400881000 2003srvr.domainname.lcl 2012r2srvr.domainname.lcl NBSS 126 Session request, to 2012R2SRVR<20> from 2003SRVR<00>
Frame 6366: 126 bytes on wire (1008 bits), 126 bytes captured (1008 bits) on interface 0
Ethernet II, Src: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5), Dst: 192.168.112.6 (ff:ff:ff:9b:08:04)
Internet Protocol Version 4, Src: 2003srvr.domainname.lcl (192.168.112.10), Dst: 2012r2srvr.domainname.lcl (192.168.112.6)
Transmission Control Protocol, Src Port: 12575 (12575), Dst Port: netbios-ssn (139), Seq: 1, Ack: 1, Len: 72
NetBIOS Session Service
No. Time Source Destination Protocol Length Info
6368 79.401133000 2012r2srvr.domainname.lcl 2003srvr.domainname.lcl NBSS 60 Positive session response
Frame 6368: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: 192.168.112.6 (ff:ff:ff:9b:08:04), Dst: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5)
Internet Protocol Version 4, Src: 2012r2srvr.domainname.lcl (192.168.112.6), Dst: 2003srvr.domainname.lcl (192.168.112.10)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 12575 (12575), Seq: 1, Ack: 73, Len: 4
NetBIOS Session Service
No. Time Source Destination Protocol Length Info
6369 79.401226000 2003srvr.domainname.lcl 2012r2srvr.domainname.lcl SMB 191 Negotiate Protocol Request
Frame 6369: 191 bytes on wire (1528 bits), 191 bytes captured (1528 bits) on interface 0
Ethernet II, Src: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5), Dst: 192.168.112.6 (ff:ff:ff:9b:08:04)
Internet Protocol Version 4, Src: 2003srvr.domainname.lcl (192.168.112.10), Dst: 2012r2srvr.domainname.lcl (192.168.112.6)
Transmission Control Protocol, Src Port: 12575 (12575), Dst Port: netbios-ssn (139), Seq: 73, Ack: 5, Len: 137
NetBIOS Session Service
SMB (Server Message Block Protocol)
No. Time Source Destination Protocol Length Info
6371 79.401507000 2012r2srvr.domainname.lcl 2003srvr.domainname.lcl TCP 60 netbios-ssn->12575 [RST, ACK] Seq=5 Ack=210 Win=0 Len=0
Frame 6371: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: 192.168.112.6 (ff:ff:ff:9b:08:04), Dst: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5)
Internet Protocol Version 4, Src: 2012r2srvr.domainname.lcl (192.168.112.6), Dst: 2003srvr.domainname.lcl (192.168.112.10)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 12575 (12575), Seq: 5, Ack: 210, Len: 0
Maybe someone with more SMB knowledge can help, but it looks like the 2003 server is closing the connection after trying to negotiate the protocol.
We have a SQL Server 2008R2 installation that was sending e-mail to our now-decommissioned Exchange 2010 server. We are now running an Exchange 2016 DAG with 2 hosts (mailserver1.example.com and mailserver2.example.com) with a DNS pointer called mail.example.com that references both servers. So, when we decommissioned the old server, we changed from using an actual host name (severname.example.com) to mail.example.com. When we do this, we get the following error:
The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 1 (2017-02-14T15:41:00). Exception Message: Cannot send mails to mail server. (The remote certificate is invalid according to the validation procedure.).
If I change the database mail configuration to point to an individual server in the DAG (mailserver1.example.com), everything works fine.
We use a wildcard certificate (*.example.com) on the mail servers, so I'm not sure whether that is the problem.
I would like to fix the problem to maintain resiliency. Can anyone tell me what it doesn't like?
EDIT: So, I dug deeper into which certificates are installed/being used:
Get-ExchangeCertificate -server mailserver2.example.com
Thumbprint Services Subject
---------- -------- -------
133914D76770DE347949C1FF771A64B7B6 IP..... CN=mailserver2.example.com
4D2582DA78719BCC1B1CB8F33B3FAC2E54 IP..S.. CN=mailserver2
B39C5DED40D1C926A1ABDA2CA5B30FE305 ....S.. CN=Microsoft Exchange Server Auth Certificate
AD3C61F290199AB908ECB976A0C8341351 ....... CN=WMSvc-mailserver2
E6F14092B221239F51A62420FD74F2FA63 IP.WS.. CN=mailserver2.example.com
D1215C7C1E5D674E7C204FCB776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...
Get-ExchangeCertificate -server mailserver1.example.com
Thumbprint Services Subject
---------- -------- -------
4C560FF28A576F814DFAD198C81912C3BE IP..... CN=mailserver1.example.com
B39C5DED40D1C926A1A8DA2CA5B30FE305 ....S.. CN=Microsoft Exchange Server Auth Certificate
A29DA1FA4C800AB5EAD22B0BFA39D7BC5B IP..S.. CN=mailserver1
184B109C120633C33711E26C40F4FAFFC6 ....... CN=WMSvc-mailserver1
22C69182932BE55A2F01B20C10FADBE359 IP.WS.. CN=mailserver1.example.com
D1215C7C1E5D674E7C244FCB776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...
Get-ExchangeCertificate -domainname example.com
Thumbprint Services Subject
---------- -------- -------
D1215C7C1E5D674E7C644FCB776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...
Get-ExchangeCertificate -domainname mail.example.com
Thumbprint Services Subject
---------- -------- -------
D1215C7C1E5D674E7C20D9FF776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...
When I use OPENSSL (as per answer 1 below), I get our internal CA certificate (CN=mailserver2.example.com) instead of the wildcard certificate.
EDIT 2: Here is the output of the OpenSSL command: openssl s_client -connect mailserver1.example.com:25 -starttls smtp
Loading 'screen' into random state - done
CONNECTED(000001F4)
depth=1 /DC=com/DC=example/CN=example-Issuing-CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=mailserver1.example.com
i:/DC=com/DC=example/CN=example-Issuing-CA
1 s:/DC=com/DC=example/CN=example-Issuing-CA
i:/CN=example-Root-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
< certificate info here >
-----END CERTIFICATE-----
subject=/CN=mailserver1.example.com
issuer=/DC=com/DC=example/CN=example-Issuing-CA
---
No client certificate CA names sent
---
SSL handshake has read 3875 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: < session ID >
Session-ID-ctx:
Master-Key: < master key >
Key-Arg : None
Start Time: 1487248994
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 XRDST
QUIT
DONE
I have Exchange 2016 with public folders in a public folder mailbox (i.e.: NOT legacy public folders) and I am trying to take the permissions of a parent folder and propagate them to all child folders. I need to remove all permissions from the child folders and just inherit those of the parent. The "Apply changes to this public folder and all its subfolders." option does not seem to do anything to the pre-existing permissions on the child folders.
We have a two-tier ADCS PKI and our intermediate CA has the URL for the AIA ending in (1) (i.e.: http://pki.example.com/certenroll/certificate(1).crt ), which obviously does not exist. The URL template in the CA's extension properties is correct, so I think that the last time the certificate was issued there was already a file with the same name, so (1) was added to the file name. How do I "reissue" the certificate so that the AIA URL is updated?
CertUtil -GetReg output:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\example-Issuing-CA\CACertPublicationURLs:
CACertPublicationURLs REG_MULTI_SZ =
0: 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
CSURL_SERVERPUBLISH -- 1
1: 2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
CSURL_ADDTOCERTCDP -- 2
2: 2:http://pki.example.com/CertEnroll/%1_%3%4.crt
CSURL_ADDTOCERTCDP -- 2
CertUtil: -getreg command completed successfully.
We have several devices that send e-mail through our Exchange 2010 server. All of these devices authenticate using a domain user before sending the message and this was working fine in 2010. We are now migrating to Exchange 2016 and I am trying to configure the receive connector to allow the same thing, but I can't get it to work. Here is my receive connector configuration:
[PS] C:\>Get-ReceiveConnector "EX2016\default frontend EX2016" | fl
RunspaceId : 68459e4b-3af8-411d-a616-7db360d20905
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {[::]:25, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
SmtpUtf8Enabled : False
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : True
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
ProxyEnabled : False
AdvertiseClientSettings : False
Fqdn : EX2016.example.com
ServiceDiscoveryFqdn :
TlsCertificateName :
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : Unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 256 KB (262,144 bytes)
MaxHopCount : 60
MaxLocalHopCount : 5
MaxLogonFailures : 3
MaxMessageSize : 25 MB (26,214,400 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : Verbose
RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : EX2016
TransportRole : FrontendTransport
RejectReservedTopLevelRecipientDomains : False
RejectReservedSecondLevelRecipientDomains : False
RejectSingleLabelRecipientDomains : False
SizeEnabled : Enabled
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default Frontend EX2016
DistinguishedName : CN=Default Frontend EX2016,CN=SMTP Receive
Connectors,CN=Protocols,CN=EX2016,CN=Servers,CN=Exchange
Administrative Group (###########),CN=Administrative Groups,CN=Org
Unit,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=caymanport,
DC=com
Identity : EX2016\Default Frontend EX2016
ObjectCategory : example.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 20/09/2016 8:21:49 AM
WhenCreated : 08/09/2016 8:02:11 AM
WhenChangedUTC : 20/09/2016 1:21:49 PM
WhenCreatedUTC : 08/09/2016 1:02:11 PM
OrganizationId :
Id : EX2016\Default Frontend EX2016
OriginatingServer : dc.example.com
IsValid : True
ObjectState : Unchanged
And this is the SMTP log of a connection attempt:
+,,
>,"220 EX2016.example.com Microsoft ESMTP MAIL Service ready at Tue, 20 Sep 2016 07:18:27 -0500",
<,EHLO printer.example.com,
>,250 EX2016.example.com Hello [172.16.113.55] SIZE 26214400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
<,AUTH NTLM,
>,334 <authentication response>,
>,334 <authentication response>,
*,,Inbound Negotiate failed because of LogonDenied
*,,User Name: NULL
*,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful',
>,535 5.7.3 Authentication unsuccessful,
-,,Remote(SocketError)
I don't think I should use an anonymous relay connector because I am authenticating with a domain user/password. What am I doing wrong?
Edit: I should note that these printers need to be able to send e-mail both externally and internally.
Is there any way to force the output of a PowerShell v3 script into tabular form? My script is outputting a list of services in list form, even though there are only 6 fields in the output object (get-process outputs 8 fields in tabular format). Here is my code:
<#
.SYNOPSIS
    Gets a list of services on a given computer that are supposed to automatically start but are not currently running.
.PARAMETER ComputerName
    The computer name(s) to retrieve the info from.
.PARAMETER IgnoreList
    The path and filename of a text file containing a list of service names to ignore. This file has to list actual service names and not display names. Defaults to "StoppedServices-Ignore.txt" in the current directory.
.PARAMETER StartServices
    Optional switch that when specified will cause this function to attempt to start all of the services it finds stopped.
.EXAMPLE
    Get-StoppedServices -ComputerName Computer01 -IgnoreList '.\IgnoredServices.txt' -StartServices
.EXAMPLE
    Get-StoppedServices -ComputerName Computer01,Computer02,Computer03
.EXAMPLE
    "Computer01" | Get-StoppedServices
.EXAMPLE
    Get-StoppedServices -ComputerName (Get-Content ComputerList.txt)
.EXAMPLE
    Get-Content ComputerList.txt | Get-StoppedServices -IgnoreList '.\IgnoredServices.txt' -StartServices
#>
Function Get-StoppedServices {
    [CmdletBinding()]
    param(
        [Parameter(Position=0,Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)] [String[]]$ComputerName,
        [string]$IgnoreList,
        [switch]$StartServices
    )
    PROCESS {
        # Load the list of services to ignore (if specified).
        $ignore = @()
        if ($IgnoreList) {
            if (Test-Path $IgnoreList) {
                $ignore = @(Import-Csv -Header Service $IgnoreList)
                Write-Verbose "Ignoring the following services:"
                Write-Verbose ($ignore.Service -join ', ')
            } else {
                Write-Warning "Could not find ignore list $IgnoreList."
            }
        }
        # Get a list of stopped services that are set to run automatically (ie: that should be running).
        # Reset the collection on every PROCESS call so piped-in computers do not accumulate stale results.
        $serv = @()
        foreach ($c in $ComputerName) {
            # $c is a plain string, so it has no .Name property.
            Write-Verbose "Getting services from $c"
            if (Test-Connection -ComputerName $c -Count 1 -Quiet) {
                Try {
                    $serv += Get-WmiObject -Query "Select __Server,Name,DisplayName,State,StartMode,ExitCode,Status FROM Win32_Service WHERE StartMode='Auto' AND State!='Running'" -ComputerName $c -ErrorAction Stop
                } catch {
                    Write-Warning "Could not get service list from $($c)"
                }
            }
        }
        # Create the resulting list of services by removing any that are in the ignore list.
        $results = @()
        foreach ($s in $serv) {
            Write-Verbose "Checking if $($s.Name) in ignore list."
            # Exact name comparison; -match would treat the service name as a regular expression.
            if ($ignore.Service -contains $s.Name) {
                Write-Verbose " *Service in ignore list."
            } else {
                Write-Verbose " Service OK."
                $obj = New-Object -TypeName PSObject
                $obj | Add-Member -MemberType NoteProperty -Name ComputerName -Value ($s.PSComputerName) -PassThru |
                    Add-Member -MemberType NoteProperty -Name ServiceName -Value ($s.Name) -PassThru |
                    Add-Member -MemberType NoteProperty -Name DisplayName -Value ($s.DisplayName) -PassThru |
                    Add-Member -MemberType NoteProperty -Name Status -Value ($s.Status) -PassThru |
                    Add-Member -MemberType NoteProperty -Name State -Value ($s.State) -PassThru |
                    Add-Member -MemberType NoteProperty -Name ExitCode -Value ($s.ExitCode)
                $results += $obj
            }
        }
        # Try and start each of the stopped services that hasn't been ignored.
        if ($StartServices) {
            foreach ($s in $results) {
                # The result objects expose ServiceName, not Name.
                Write-Verbose "Starting '$($s.DisplayName)' ($($s.ServiceName)) on '$($s.ComputerName)'..."
                Try {
                    Get-Service -Name $s.ServiceName -ComputerName $s.ComputerName -ErrorAction Stop | Start-Service -ErrorAction Stop
                } Catch {
                    Write-Warning "Could not start service $($s.ServiceName) on $($s.ComputerName)."
                }
            }
        }
        # Output the list of filtered services to the pipeline.
        Write-Output $results
    }
}
We are running a standalone VMware 5.5 host server (HP ProLiant) that is not part of a cluster or even of a SAN with other hosts. It has several patches that need to be applied to it and I am wondering what the best way to do that is. I can use Update Manager to stage the patches to the host, but I need to shut down all the guests to put the host into maintenance mode to actually apply them. Obviously, this shuts down Update Manager. I could vMotion the host to another server but, as I said, this host is not part of a SAN, so it would take quite a while to copy everything over and then back once the updates are complete.
Is there a simple way to apply the patches that have been tested once the host is in maintenance mode?
We use a Palo Alto firewall (and its GlobalProtect client) for VPN access to our network. The firewall uses LDAP to authenticate VPN logins. I am now trying to set up a user ID for a consultant and I want him to have access to only 1 specific server. So, in his profile, I configured the logon workstations to allow access to only 1 server. But, with this set, he cannot VPN because authentication fails. Is there any way to allow LDAP authentication and access to only 1 machine?
We have a public folder for our HR group. Originally, this folder had the e-mail address [email protected] and all e-mails sent from outside the company went there.
It was then decided that the HR group was not noticing when there were new e-mails, so I created a distribution group from the Exchange 2010 console. This distribution group included 2 users and the folder above. To make this change transparent to outside entities, I changed the public folder's e-mail address to [email protected] and made the distribution group's e-mail address [email protected].
But this doesn't seem to be working. E-mails sent from inside our company (via Outlook) to [email protected] go straight to the public folder and nowhere else:
EventId Source Sender Recipients MessageSubject
------- ------ ------ ---------- --------------
RECEIVE STORE... [email protected] {[email protected]} Testing
DELIVER STORE... [email protected] {[email protected]} Testing
SUBMIT STORE... [email protected] {} Testing
Other than testing with the message tracking logs, I'm not sure how to debug this.
I have a very strange problem that I hope someone can give me an idea of where to look. I have a new Netgear M4100-D10-POE layer 2 managed switch that we are installing in a remote building. It connects to the rest of the network via a CAT5 cable to a Cisco switch (we have a few, and where it connects doesn't seem to matter). Now it works fine and all, but when I power off this Netgear switch (or disconnect it from the network), I get several emails from various services indicating a loss of network connectivity between a pair of other Cisco switches (a Catalyst 3560 and a Catalyst 2960S). These switches are connected to each other via a fiber line.
The strange thing is that the Netgear switch is not directly connected to either of the two switches that experience the link failure. There may be 1 or 2 other Cisco switches between the two. I also don't see any sort of port up/down log messages on either switch. I also know it's not a coincidence because I can recreate the problem at any time just by connecting and disconnecting the Netgear switch.
My only guess is that it has something to do with BGP, STP or some other switch-to-switch protocol, but I don't know how to monitor that.
UPDATE: Here are the config files. The first is the Netgear switch:
!Current Configuration:
!
!System Description "M4100-D10-POE ProSafe 10-port FastEthernet L2+ Intelligent Edge PoE Desktop Managed Switch, 10.0.1.28, B1.0.0.9"
!System Software Version "10.0.1.28"
!System Up Time "2 days 23 hrs 58 mins 15 secs"
!Additional Packages QOS,IPv6 Management,Routing
!Current SNTP Synchronized Time: Mar 9 19:09:41 2015 UTC
!
network protocol none
network parms 172.16.112.68 255.255.240.0 172.16.112.4
vlan database
vlan 3-10,200
vlan name 3 "VOIP_HD"
vlan name 4 "CAMERA"
vlan name 5 "WIFI_MGMT"
vlan name 6 "WIFI_GUEST"
vlan name 7 "WIFI_DATA"
vlan name 8 "SAN_SATA"
vlan name 9 "SAN_SAS"
vlan name 10 "DMZ"
vlan name 200 "AUTOVOIP"
exit
ip ssh server enable
ip ssh protocol 2
no ip telnet server enable
configure
sntp server "172.16.112.6"
sntp server "0.north-america.pool.ntp.org" 2
sntp server "1.north-america.pool.ntp.org" 3
time-range
ip domain name "caymanport.com"
ip name server 172.16.112.6 172.16.112.23 172.16.112.9
snmptrap "CIPAread" ipaddr 172.16.112.65
voice vlan
no green-mode energy-detect
line console
no transport input telnet
exit
line telnet
exit
line ssh
exit
snmp-server sysname "CDCParts1Switch"
snmp-server location "CDC Taylor Parts Container"
snmp-server contact "IT Manager"
!
no snmp-server community public
no snmp-server community private
auto-voip vlan 200
interface 0/7
vlan participation include 2-3
vlan tagging 2-3
exit
interface 0/8
vlan participation include 2-3
vlan tagging 2-3
exit
interface 0/9
vlan participation include 2-10
vlan tagging 1-10
exit
interface 0/10
vlan participation include 2-10
vlan tagging 1-10
exit
no isdp run
no isdp advertise-v2
exit
Now the Cisco 3560 switch (CDCVOIPSwitch):
Current configuration : 19392 bytes
!
! Last configuration change at 11:31:57 EST Fri Mar 6 2015
! NVRAM config last updated at 15:35:31 EST Tue Mar 3 2015
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname CDCVoipSwitch
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
clock timezone EST -5
system mtu routing 1500
ip routing
ip domain-name caymanport.com
ip name-server 172.16.112.6
ip name-server 172.16.112.23
ip name-server 172.16.112.9
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
enrollment selfsigned
serial-number
revocation-check none
rsakeypair HTTPS_SS_CERT_KEYPAIR
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface FastEthernet0/1
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/2
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/3
description vip5312-3752
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/4
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/5
description vip5330-3757
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/6
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/7
description vip5330-3756
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/8
description vip5312-3759
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/9
description vip5330-3755
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/10
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/11
description vip5312-3758
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/12
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/13
description vip5330-3754
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/14
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/15
description vip5312-3732
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/16
description camCDCNetRm
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/17
description vip5312-3751
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/18
description vip5312-3760
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/19
description vip5312-3750
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/20
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/21
description vip5312-3761
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/22
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/23
description vip5312-3762
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/24
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/25
description vip5312-3763
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/26
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/27
description vip5312-3764
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/28
description AP.Ware.Out.Corner
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/29
description vip5312-3765
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/30
description AP.Ware.Out.Center
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/31
description vip5312-3766
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/32
description WLC Port 2 (VL06)
switchport access vlan 6
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/33
description WLC Port 3 (VL07)
switchport access vlan 7
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/34
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/35
description vip5312-3753
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/36
description AP.Mech
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet0/37
description vip5312-3610
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/38
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/39
description WLC Port 4
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/40
description WLC Port 1 (VL05)
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet0/41
description AP.Warehouse02
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/42
description AP.Warehouse03
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/43
description AP.Warehouse01
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/44
description AP.CDC.Dwnstairs
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/45
description AP.CDC.Upstairs
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/46
description AP.CDCGuard
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/47
description CDC-3300
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/48
spanning-tree portfast
!
interface GigabitEthernet0/1
description HDServerSwitch SM-
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/2
description BillingVoipSwitch
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/3
description CDCDelivSwitch MM Fiber
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/4
description CDCSwitch MM Fiber
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface Vlan1
ip address 172.16.116.2 255.255.240.0
!
interface Vlan2
ip address 172.16.129.4 255.255.255.0
!
interface Vlan3
ip address 172.16.130.4 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.112.1
ip http server
ip http secure-server
!
line con 0
line vty 0 4
length 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp clock-period 36029198
ntp server 172.16.112.6 key 0 prefer
ntp server 169.229.70.95 key 0 prefer
end
And next the 2960 switch (HDServerSwitch):
Current configuration : 7496 bytes
!
! Last configuration change at 15:32:04 UTC Mon Apr 7 2014 by admin
! NVRAM config last updated at 15:35:13 UTC Tue Mar 3 2015
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname HDServerSwitch
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
clock timezone UTC -5 0
!
ip domain-name caymanport.com
ip name-server 172.16.112.6
ip name-server 172.16.112.23
ip name-server 172.16.112.9
udld aggressive
!
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos
!
crypto pki trustpoint TP-self-signed-1538847872
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1538847872
revocation-check none
rsakeypair TP-self-signed-1538847872
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
errdisable recovery cause link-flap
errdisable recovery interval 60
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
macro global description cisco-global
!
interface Port-channel1
description RumPoint LACP Team
spanning-tree portfast
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet0/1
description VsxHD01-4
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/2
description VsxHD02-6
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/3
description VsxHD01-5
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/4
description VsxHD02-0
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/5
description VsxHD01-3
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/6
description VsxHD02-5
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/7
description VsxHD01-2
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/8
description VsxHD02-4
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/9
description RumPoint-1
spanning-tree portfast
channel-protocol lacp
!
interface GigabitEthernet0/10
description VsxHD02-3 (VL10)
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/11
description RumPoint-2
spanning-tree portfast
!
interface GigabitEthernet0/12
description VsxHD02-7 (VL10)
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/13
spanning-tree portfast
!
interface GigabitEthernet0/14
description VsxHD02-1
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/15
spanning-tree portfast
!
interface GigabitEthernet0/16
description VsxHD02-2
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/17
spanning-tree portfast
!
interface GigabitEthernet0/18
description VsxHD02ILO
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/19
spanning-tree portfast
!
interface GigabitEthernet0/20
spanning-tree portfast
!
interface GigabitEthernet0/21
spanning-tree portfast
!
interface GigabitEthernet0/22
spanning-tree portfast
!
interface GigabitEthernet0/23
spanning-tree portfast
!
interface GigabitEthernet0/24
description KVMHD
spanning-tree portfast
!
interface GigabitEthernet0/25
description CDCVoipSwitch SM-F
switchport mode trunk
mls qos trust cos
macro description cisco-switch
spanning-tree link-type point-to-point
spanning-tree guard none
!
interface GigabitEthernet0/26
description HDSwitch CAT5
switchport mode trunk
shutdown
mls qos trust cos
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface Vlan1
ip address 172.16.112.57 255.255.240.0
!
interface Vlan10
ip address 172.16.200.57 255.255.255.0
!
ip default-gateway 172.16.112.1
ip http server
ip http secure-server
!
logging esm config
logging history size 500
logging history informational
!
line con 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
ntp server 172.16.112.6 prefer
ntp server 169.229.70.95 prefer
end
You can see the network topology here: http://imgur.com/1CvaqUt
The Netgear switch is connected to CDCSwitch port 30 right now (although it was connected to BillingSwitch at one point). Here is the config for that port:
interface FastEthernet0/30
description CDCParts1Switch
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree link-type point-to-point
!
It is the link between CDCVOIPSwitch and HDServerSwitch that's going down.
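As an added example (not part of the original post, and not a diagnosis), the Python script below pulls the spanning-tree and UDLD settings out of IOS-style configs like the two Cisco configs posted above so they can be compared side by side. The function names are hypothetical and the input is a constructed excerpt of the posted configs, flush-left as they appear here.

```python
# Constructed input: stanzas excerpted from the two Cisco configs in the post,
# flush-left as they appear there (stanzas are delimited by "!").
CDCVOIP = """\
hostname CDCVoipSwitch
spanning-tree mode pvst
!
interface FastEthernet0/28
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport mode trunk
spanning-tree link-type point-to-point
!
"""
HDSERVER = """\
hostname HDServerSwitch
udld aggressive
spanning-tree mode rapid-pvst
spanning-tree loopguard default
!
interface GigabitEthernet0/25
switchport mode trunk
spanning-tree link-type point-to-point
spanning-tree guard none
!
"""

def parse(config):
    """Split a config into global lines and per-interface stanzas."""
    sw = {"hostname": None, "global": [], "interfaces": {}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # "!" closes the current stanza
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            sw["interfaces"][current] = []
        elif current is not None:
            sw["interfaces"][current].append(line)
        else:
            if line.startswith("hostname "):
                sw["hostname"] = line.split(None, 1)[1]
            sw["global"].append(line)
    return sw

def stp_summary(sw):
    """Collect the spanning-tree and UDLD settings worth comparing."""
    g = sw["global"]
    def value(prefix):
        return next((l[len(prefix):] for l in g if l.startswith(prefix)), None)
    trunk_portfast, guards = [], {}
    for name, body in sw["interfaces"].items():
        # Plain "spanning-tree portfast" on a trunk port: listed for review only.
        if "switchport mode trunk" in body and "spanning-tree portfast" in body:
            trunk_portfast.append(name)
        for l in body:
            if l.startswith("spanning-tree guard "):
                guards[name] = l.split()[-1]
    return {"hostname": sw["hostname"],
            "mode": value("spanning-tree mode "),
            "loopguard_default": "spanning-tree loopguard default" in g,
            "udld": value("udld "),
            "trunk_portfast": trunk_portfast,
            "guard_overrides": guards}

def compare(a, b):
    """Return human-readable differences between two switch summaries."""
    notes = []
    for key in ("mode", "loopguard_default", "udld"):
        if a[key] != b[key]:
            notes.append(f"{key}: {a['hostname']}={a[key]} vs {b['hostname']}={b[key]}")
    for s in (a, b):
        for port, guard in s["guard_overrides"].items():
            notes.append(f"{s['hostname']} {port}: spanning-tree guard {guard}")
    return notes

if __name__ == "__main__":
    a, b = stp_summary(parse(CDCVOIP)), stp_summary(parse(HDSERVER))
    for note in compare(a, b):
        print(note)
```
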