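I'm trying to find out whether users can log in to OWA on our Exchange 2019 CAS servers using their primary email address instead of their UPN. For some reason, when Exchange was first set up here (before my time), they went with a different format for user logons. Our logon names (UPN) are just the user's first name (i.e.: [email protected]), but the email addresses are first initial/last name (i.e.: [email protected]). This is not a UPN suffix issue, as the suffix is the same for both (i.e.: @contoso.com). I can log in to OWA using the UPN but not the email address. Does Exchange allow this?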
Caynadian's questions
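We run Exchange 2019 entirely on-premises. Our default retention policy archives email to the user's online archive after two years (it also purges some folders such as Deleted Items, Drafts, etc.). We are a government entity and have requirements to ensure that all communications are kept for 10 years. Up until now, we have just let Exchange archive the email and never bothered deleting anything, so users can have decades-old email in their archives. Needless to say, the archive database is getting quite large (not huge - we're a small organization), and I would like to add a retention tag to delete email in the online archive that is more than 10 years old. From what I have read, there are no tags that apply specifically to the online archive, because it is supposed to be treated as an extension of the inbox.
How can I delete items from the online archive after 10 years?
Update: I have both an "Archive after 2 years" and a "Delete after 10 years" tag. However, when I look at all of the emails, they only say delete after 10 years: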
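We use TLS to send from a Windows 2012R2 (non-domain-joined) web server in our DMZ to our internal Exchange 2016 server (also running on Windows 2012R2). This worked fine until about a month ago, when the messages stopped going through (we only noticed now because the emails are very infrequent). I forced a test message through, and when I look at the transport role protocol log I see the following: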
2020-06-24 11:02:33.524,
MAILSERVER\Client Frontend MAILSERVER,
0102030405060708,
6,
192.168.1.44:587,
192.168.2.3:64961,
*,
" CN=*.example.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
0102030405060708090A0B0C0D0E0F10
0102030405060708090A0B0C0D0E0F1011121314
2020-03-17T19:00:00.000Z
2021-03-18T18:59:59.000Z
*.example.com;example.com",
Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2020-06-24 11:02:33.540,
MAILSERVER\Client Frontend MAILSERVER,
0102030405060708,
7,
192.168.1.44:587,
192.168.2.3:64961,
*,
,
TLS negotiation failed with error CertExpired
You can see that the certificate is valid from March 17, 2020 to March 18, 2021.
The client shows the following error log:
SERVER -> CLIENT: 220 mailserver.example.com Microsoft ESMTP MAIL Service ready at Wed, 24 Jun 2020 11:02:32 -0500
CLIENT -> SERVER: EHLO www.example.com
250-SIZE 36700160
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
CLIENT -> SERVER: STARTTLS
SERVER -> CLIENT: 220 2.0.0 SMTP server ready
Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [E:\...\class-smtp.php line 374]SMTP Error: Could not connect to SMTP host.
CLIENT -> SERVER: QUIT
SERVER -> CLIENT: SMTP ERROR: QUIT command failed: Connection: closedSMTP Error: Could not connect to SMTP host.
The event log on the mail server shows the following event:
A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 45.
- System
- Provider
[ Name] Schannel
[ Guid] {1F678132-5938-4686-9FDC-C8FF68F15C85}
EventID 36887
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2020-06-24 11:02:33.540386500
EventRecordID 417754
Correlation
- Execution
[ ProcessID] 484
[ ThreadID] 1552
Channel System
Computer mailserver.example.com
- Security
[ UserID] S-1-5-18
- EventData
AlertDesc 45
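But, again, this event just indicates an expired certificate.
Any ideas on why Exchange thinks the certificate is expired? I have checked the date/time on both machines and they are correct to the second. Thanks!
I have a non-domain-joined Windows Server 2012R2 web server in our DMZ that hosts WordPress using the Easy WP SMTP plugin. It is supposed to send email to our internal Exchange 2016 server for alerts, new registrations, etc. It used to use unsecured SMTP on port 25, but we are trying to configure it to use TLS on port 587. However, I can't get it to send because the Exchange server keeps rejecting the connection: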
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,0,10.0.0.44:587,192.168.200.3:58156,+,,
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,1,10.0.0.44:587,192.168.200.3:58156,>,"220 mail.domain.com Microsoft ESMTP MAIL Service ready at Mon, 30 Mar 2020 08:25:53 -0500",
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,2,10.0.0.44:587,192.168.200.3:58156,<,EHLO www.domain.com,
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,3,10.0.0.44:587,192.168.200.3:58156,>,250 mail.domain.com Hello [192.168.200.3] SIZE 36700160 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS AUTH GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING,
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,4,10.0.0.44:587,192.168.200.3:58156,<,STARTTLS,
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,5,10.0.0.44:587,192.168.200.3:58156,>,220 2.0.0 SMTP server ready,
2020-03-30T13:25:53.654Z,<Rcv Conn>,08D7D3F917D985E4,6,10.0.0.44:587,192.168.200.3:58156,*," CN=*.domain.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB 4F8D1253CAE6C3AA06ED0310EAA39158 827CCAB98B7AC22709CBC1408C74CCED89060C98 2020-03-17T19:00:00.000Z 2021-03-18T18:59:59.000Z *.domain.com;domain.com",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2020-03-30T13:26:08.998Z,<Rcv Conn>,08D7D3F917D985E4,7,10.0.0.44:587,192.168.200.3:58156,*,,TLS negotiation failed with error CertUnknown
2020-03-30T13:26:08.998Z,<Rcv Conn>,08D7D3F917D985E4,8,10.0.0.44:587,192.168.200.3:58156,-,,Local
The certificate is fine, as many other TLS connections on 587 work without problems.
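An added example, not part of the original posts: Python that reads receive-connector protocol log lines in the CSV form of the excerpt above, pairs each "TLS negotiation failed" event with the certificate the server sent in the same session, and reports whether that leaf certificate was inside its validity window at the time of the failure, the check both TLS questions above do by eye. The sample log lines, host names, addresses and thumbprints are constructed, and the names in FIELDS are labels chosen here for the nine columns.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Labels chosen here for the nine CSV columns of the protocol log excerpt above.
FIELDS = ["date_time", "connector_id", "session_id", "sequence_number",
          "local_endpoint", "remote_endpoint", "event", "data", "context"]

ISO_TS = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z")
THUMBPRINT = re.compile(r"\b[0-9A-F]{40}\b")
TLS_FAIL = re.compile(r"TLS negotiation failed with error (\w+)")
CERT_CONTEXT = ("Sending certificate Subject Issuer name Serial number Thumbprint "
                "Not before Not after Subject alternate names")

T1 = "0102030405060708090A0B0C0D0E0F1011121314"  # constructed thumbprint
T2 = "A1" * 20                                    # constructed thumbprint


def sample_cert(thumb, not_before, not_after):
    """Build a quoted 'data' field shaped like the certificate line in the excerpt."""
    return ('" CN=*.example.com CN=Example Issuing CA, O=Example, C=GB '
            "0102030405060708090A0B0C0D0E0F10 " + thumb + " " + not_before
            + " " + not_after + ' *.example.com;example.com"')


def sample_line(ts, session, seq, event, data="", context=""):
    """Build one constructed protocol log line."""
    return ",".join([ts, r"MAILSERVER\Client Frontend MAILSERVER", session, str(seq),
                     "192.0.2.10:587", "198.51.100.3:64961", event, data, context])


# Constructed sample: S01 fails although the leaf is in date, S02 fails with a
# leaf that really is out of date, S03 sends its certificate and logs no failure.
SAMPLE_LOG = "\n".join([
    "#Fields: date-time,connector-id,session-id,sequence-number,"
    "local-endpoint,remote-endpoint,event,data,context",
    sample_line("2020-06-24T16:02:33.524Z", "S01", 6, "*",
                sample_cert(T1, "2020-03-17T19:00:00.000Z", "2021-03-18T18:59:59.000Z"),
                CERT_CONTEXT),
    sample_line("2020-06-24T16:02:33.540Z", "S01", 7, "*", "",
                "TLS negotiation failed with error CertExpired"),
    sample_line("2020-06-24T16:05:10.100Z", "S02", 6, "*",
                sample_cert(T2, "2019-01-01T00:00:00.000Z", "2020-01-01T00:00:00.000Z"),
                CERT_CONTEXT),
    sample_line("2020-06-24T16:05:10.200Z", "S02", 7, "*", "",
                "TLS negotiation failed with error CertExpired"),
    sample_line("2020-06-24T16:09:00.000Z", "S03", 6, "*",
                sample_cert(T1, "2020-03-17T19:00:00.000Z", "2021-03-18T18:59:59.000Z"),
                CERT_CONTEXT),
    sample_line("2020-06-24T16:09:00.300Z", "S03", 7, "<", "EHLO www.example.com"),
])


def parse_ts(text):
    """Parse the log's UTC timestamps into timezone-aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_tls_failures(log_text):
    """Return one finding per failed TLS negotiation, joined to the sent certificate."""
    certs = {}      # session id -> details of the certificate the server sent
    findings = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        stamp = row["date_time"] or ""
        if stamp.startswith("#"):          # header/comment lines
            continue
        data, context = row["data"] or "", row["context"] or ""
        session = row["session_id"]
        if context.startswith("Sending certificate"):
            dates = ISO_TS.findall(data)
            thumb = THUMBPRINT.search(data)
            if len(dates) >= 2:
                certs[session] = {"thumbprint": thumb.group(0) if thumb else None,
                                  "not_before": parse_ts(dates[0]),
                                  "not_after": parse_ts(dates[1])}
            continue
        failure = TLS_FAIL.search(context)
        if not failure:
            continue
        cert = certs.get(session)
        in_validity = None
        if cert:
            in_validity = cert["not_before"] <= parse_ts(stamp) <= cert["not_after"]
        findings.append({"time": stamp, "session": session,
                         "remote": row["remote_endpoint"], "error": failure.group(1),
                         "thumbprint": cert["thumbprint"] if cert else None,
                         "leaf_in_validity": in_validity})
    return findings


def triage(finding):
    """Turn a finding into a one-line statement about the leaf certificate's dates."""
    if finding["leaf_in_validity"] is None:
        return "no certificate logged for this session"
    if finding["leaf_in_validity"]:
        return "leaf in date at failure time: its dates do not explain the error"
    return "leaf outside its validity window at failure time"


if __name__ == "__main__":
    for f in find_tls_failures(SAMPLE_LOG):
        print(f["time"], f["session"], f["remote"], f["error"], "-", triage(f))
```

The parser expects the ISO timestamps of the raw log file, not the reformatted ones in the first excerpt.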
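I'm trying to enable the write cache on a Smart Array P400 even though it has no backup battery. We have a large, building-wide UPS backed by a generator, so the chance of a power loss is small, and write performance on this VM host server is terrible. I have installed the HP VMware drivers and software and used hpssacli to turn on the write cache and the no-battery write cache: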
/opt/hp/hpssacli/bin # ./hpssacli controller slot=1 show config detail
Smart Array P400 in Slot 1
Bus Interface: PCI
Slot: 1
Serial Number: PAFGK0P9VX029O
Cache Serial Number: PA82C0J9VX12T7
RAID 6 (ADG) Status: Disabled
Controller Status: OK
Hardware Revision: E
Firmware Version: 7.22
Rebuild Priority: Medium
Expand Priority: Medium
Surface Scan Delay: 15 secs
Surface Scan Mode: Idle
Wait for Cache Room: Disabled
Surface Analysis Inconsistency Notification: Disabled
Post Prompt Timeout: 0 secs
Cache Board Present: True
Cache Status: OK
Cache Ratio: 100% Read / 0% Write
Drive Write Cache: Enabled
Total Cache Size: 256 MB
Total Cache Memory Available: 208 MB
No-Battery Write Cache: Enabled
Battery/Capacitor Count: 0
SATA NCQ Supported: True
Number of Ports: 2 Internal only
Encryption Supported: False
Driver Version: 3.6.14
Driver Supports HP SSD Smart Path: False
Internal Drive Cage at Port 1I, Box 1, OK
Power Supply Status: Not Redundant
Serial Number:
Drive Bays: 4
Port: 1I
Box: 1
Location: Internal
Physical Drives
physicaldrive 1I:1:7 (port 1I:box 1:bay 7, SATA, 250 GB, OK, spare)
physicaldrive 1I:1:6 (port 1I:box 1:bay 6, SATA, 250 GB, OK)
physicaldrive 1I:1:5 (port 1I:box 1:bay 5, SATA, 250 GB, OK)
Internal Drive Cage at Port 2I, Box 1, OK
Power Supply Status: Not Redundant
Serial Number:
Drive Bays: 4
Port: 2I
Box: 1
Location: Internal
Physical Drives
physicaldrive 2I:1:4 (port 2I:box 1:bay 4, SATA, 250 GB, OK)
physicaldrive 2I:1:3 (port 2I:box 1:bay 3, SATA, 250 GB, OK)
physicaldrive 2I:1:2 (port 2I:box 1:bay 2, SATA, 250 GB, OK)
physicaldrive 2I:1:1 (port 2I:box 1:bay 1, SATA, 120 GB, OK)
Array: A
Interface Type: SATA
Unused Space: 0 MB
Status: OK
Array Type: Data
Logical Drive: 1
Size: 111.8 GB
Fault Tolerance: 0
Heads: 255
Sectors Per Track: 32
Cylinders: 28722
Strip Size: 128 KB
Full Stripe Size: 128 KB
Status: OK
Caching: Enabled
Unique Identifier: 600508B10010503956583032394F0009
Logical Drive Label: A0199599PAFGK0P9VX029O81A9
Drive Type: Data
LD Acceleration Method: Controller Cache
physicaldrive 2I:1:1
Port: 2I
Box: 1
Bay: 1
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 120 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K647T8B25P5U
Model: ATA GJ0120CAGSP
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 33
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
Array: B
Interface Type: SATA
Unused Space: 0 MB
Status: OK
Array Type: Data
Spare Type: dedicated
Logical Drive: 2
Size: 931.4 GB
Fault Tolerance: 5
Heads: 255
Sectors Per Track: 32
Cylinders: 65535
Strip Size: 64 KB
Full Stripe Size: 256 KB
Status: OK
Caching: Enabled
Parity Initialization Status: Initialization Completed
Unique Identifier: 600508B10010503956583032394F000A
Logical Drive Label: A01986FDPAFGK0P9VX029O8FA7
Drive Type: Data
LD Acceleration Method: Controller Cache
physicaldrive 1I:1:5
Port: 1I
Box: 1
Bay: 5
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648TAC28P4N
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 35
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
physicaldrive 1I:1:6
Port: 1I
Box: 1
Bay: 6
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648T8C25MF2
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 34
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
physicaldrive 2I:1:2
Port: 2I
Box: 1
Bay: 2
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648T8C25MFW
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 35
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
physicaldrive 2I:1:3
Port: 2I
Box: 1
Bay: 3
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648T8B25M9W
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 35
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
physicaldrive 2I:1:4
Port: 2I
Box: 1
Bay: 4
Status: OK
Drive Type: Data Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648T8C25ML9
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 35
Maximum Temperature (C): 58
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
physicaldrive 1I:1:7
Port: 1I
Box: 1
Bay: 7
Status: OK
Drive Type: Spare Drive
Interface Type: SATA
Size: 250 GB
Native Block Size: 512
Firmware Revision: HPG2
Serial Number: K648T8C25MK0
Model: ATA GJ0250EAGSQ
SATA NCQ Capable: True
SATA NCQ Enabled: True
Current Temperature (C): 31
Maximum Temperature (C): 57
PHY Count: 1
PHY Transfer Rate: 1.5Gbps
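But as you can see, the cache ratio is 0% for writes. What am I missing?
I'm trying to clean up the server file shares on all of our Windows Server 2012R2 servers. About half of my servers have a print$ share even though they don't share any printers (I only have 2 servers that legitimately share printers). Why does this share show up on some and not others, and how can I disable it without disabling file sharing? All the solutions I have found involve either disabling File and Printer Sharing or disabling all admin shares (C$, D$, ADMIN$, etc.) - neither of which I want to do.
I have a strange problem that I'm hoping someone can help with. I have an older 32-bit Windows Server 2003SP2 server that cannot access any shares on our 64-bit Windows Server 2012R2 domain controller. The 2003 server can access shares on other 2012R2 servers fine; it is just this one server it has a problem with. Also, the 2012R2 server can access shares on the 2003 server fine. There is no firewall or AV on the 2003 server, but the 2012R2 server has both the firewall and Symantec Endpoint Protection installed. No other clients have problems accessing the 2012R2 server (although all the other machines accessing it are Win10/Win2012R2).
I have checked the event logs on both machines and there are no messages. If I try to access the share using Windows Explorer, I get the error "Windows cannot find '\win2012R2\sharename'. Check the spelling and try again, or try searching for the item by clicking the Start button and then clicking Search." If I try from the command line using NET USE, I get the error "System error 64 has occurred. The specified network name is no longer available". I can ping the 2012R2 server from the 2003 server fine. DNS lookups work fine as well.
Is there some sort of SMB access log I can look at?
Edit:
I installed Wireshark and recorded the following traffic from the 2003 server while trying to connect to the 2012R2 server: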
No. Time Source Destination Protocol Length Info
6361 79.400489000 2003srvr.domainname.lcl 2012r2srvr.domainname.lcl TCP 62 12575->netbios-ssn [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
Frame 6361: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0
Ethernet II, Src: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5), Dst: 192.168.112.6 (ff:ff:ff:9b:08:04)
Internet Protocol Version 4, Src: 2003srvr.domainname.lcl (192.168.112.10), Dst: 2012r2srvr.domainname.lcl (192.168.112.6)
Transmission Control Protocol, Src Port: 12575 (12575), Dst Port: netbios-ssn (139), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
6363 79.400812000 2012r2srvr.domainname.lcl 2003srvr.domainname.lcl TCP 62 netbios-ssn->12575 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
Frame 6363: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0
Ethernet II, Src: 192.168.112.6 (ff:ff:ff:9b:08:04), Dst: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5)
Internet Protocol Version 4, Src: 2012r2srvr.domainname.lcl (192.168.112.6), Dst: 2003srvr.domainname.lcl (192.168.112.10)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 12575 (12575), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
6364 79.400822000 2003srvr.domainname.lcl 2012r2srvr.domainname.lcl TCP 54 12575->netbios-ssn [ACK] Seq=1 Ack=1 Win=64240 Len=0
Frame 6364: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5), Dst: 192.168.112.6 (ff:ff:ff:9b:08:04)
Internet Protocol Version 4, Src: 2003srvr.domainname.lcl (192.168.112.10), Dst: 2012r2srvr.domainname.lcl (192.168.112.6)
Transmission Control Protocol, Src Port: 12575 (12575), Dst Port: netbios-ssn (139), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
6366 79.400881000 2003srvr.domainname.lcl 2012r2srvr.domainname.lcl NBSS 126 Session request, to 2012R2SRVR<20> from 2003SRVR<00>
Frame 6366: 126 bytes on wire (1008 bits), 126 bytes captured (1008 bits) on interface 0
Ethernet II, Src: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5), Dst: 192.168.112.6 (ff:ff:ff:9b:08:04)
Internet Protocol Version 4, Src: 2003srvr.domainname.lcl (192.168.112.10), Dst: 2012r2srvr.domainname.lcl (192.168.112.6)
Transmission Control Protocol, Src Port: 12575 (12575), Dst Port: netbios-ssn (139), Seq: 1, Ack: 1, Len: 72
NetBIOS Session Service
No. Time Source Destination Protocol Length Info
6368 79.401133000 2012r2srvr.domainname.lcl 2003srvr.domainname.lcl NBSS 60 Positive session response
Frame 6368: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: 192.168.112.6 (ff:ff:ff:9b:08:04), Dst: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5)
Internet Protocol Version 4, Src: 2012r2srvr.domainname.lcl (192.168.112.6), Dst: 2003srvr.domainname.lcl (192.168.112.10)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 12575 (12575), Seq: 1, Ack: 73, Len: 4
NetBIOS Session Service
No. Time Source Destination Protocol Length Info
6369 79.401226000 2003srvr.domainname.lcl 2012r2srvr.domainname.lcl SMB 191 Negotiate Protocol Request
Frame 6369: 191 bytes on wire (1528 bits), 191 bytes captured (1528 bits) on interface 0
Ethernet II, Src: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5), Dst: 192.168.112.6 (ff:ff:ff:9b:08:04)
Internet Protocol Version 4, Src: 2003srvr.domainname.lcl (192.168.112.10), Dst: 2012r2srvr.domainname.lcl (192.168.112.6)
Transmission Control Protocol, Src Port: 12575 (12575), Dst Port: netbios-ssn (139), Seq: 73, Ack: 5, Len: 137
NetBIOS Session Service
SMB (Server Message Block Protocol)
No. Time Source Destination Protocol Length Info
6371 79.401507000 2012r2srvr.domainname.lcl 2003srvr.domainname.lcl TCP 60 netbios-ssn->12575 [RST, ACK] Seq=5 Ack=210 Win=0 Len=0
Frame 6371: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: 192.168.112.6 (ff:ff:ff:9b:08:04), Dst: Vmware_9b:7e:e5 (ff:ff:ff:9b:7e:e5)
Internet Protocol Version 4, Src: 2012r2srvr.domainname.lcl (192.168.112.6), Dst: 2003srvr.domainname.lcl (192.168.112.10)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 12575 (12575), Seq: 5, Ack: 210, Len: 0
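Maybe someone with more SMB knowledge can help, but it looks like the 2003 server is closing the connection after trying to negotiate a protocol.
We have a SQL Server 2008R2 install that was sending email to our now-decommissioned Exchange 2010 server. We are now running an Exchange 2016 DAG with 2 hosts (mailserver1.example.com and mailserver2.example.com), with a DNS pointer called mail.example.com that references both servers. So when we shut down the old server, we changed from using the actual host name (severname.example.com) to mail.example.com. When we did this, we got the following error: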
The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 1 (2017-02-14T15:41:00). Exception Message: Cannot send mails to mail server. (The remote certificate is invalid according to the validation procedure.).
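If I change the Database Mail configuration to point to a single server in the DAG (mailserver1.example.com), then everything works fine.
We are using a wildcard certificate (*.example.com) on the mail servers, so I'm not sure whether that is the problem.
I would like to fix this so that I retain resiliency. Can anyone tell me what it doesn't like?
Edit: So I dug into which certificates are installed/in use: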
Get-ExchangeCertificate -server mailserver2.example.com
Thumbprint Services Subject
---------- -------- -------
133914D76770DE347949C1FF771A64B7B6 IP..... CN=mailserver2.example.com
4D2582DA78719BCC1B1CB8F33B3FAC2E54 IP..S.. CN=mailserver2
B39C5DED40D1C926A1ABDA2CA5B30FE305 ....S.. CN=Microsoft Exchange Server Auth Certificate
AD3C61F290199AB908ECB976A0C8341351 ....... CN=WMSvc-mailserver2
E6F14092B221239F51A62420FD74F2FA63 IP.WS.. CN=mailserver2.example.com
D1215C7C1E5D674E7C204FCB776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...
Get-ExchangeCertificate -server mailserver1.example.com
Thumbprint Services Subject
---------- -------- -------
4C560FF28A576F814DFAD198C81912C3BE IP..... CN=mailserver1.example.com
B39C5DED40D1C926A1A8DA2CA5B30FE305 ....S.. CN=Microsoft Exchange Server Auth Certificate
A29DA1FA4C800AB5EAD22B0BFA39D7BC5B IP..S.. CN=mailserver1
184B109C120633C33711E26C40F4FAFFC6 ....... CN=WMSvc-mailserver1
22C69182932BE55A2F01B20C10FADBE359 IP.WS.. CN=mailserver1.example.com
D1215C7C1E5D674E7C244FCB776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...
Get-ExchangeCertificate -domainname example.com
Thumbprint Services Subject
---------- -------- -------
D1215C7C1E5D674E7C644FCB776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...
Get-ExchangeCertificate -domainname mail.example.com
Thumbprint Services Subject
---------- -------- -------
D1215C7C1E5D674E7C20D9FF776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...
When I use OpenSSL (as per answer 1 below), I get our internal CA certificate (CN=mailserver2.example.com) instead of the wildcard certificate.
Edit 2: Here is the output of the OpenSSL command: openssl s_client -connect mailserver1.example.com:25 -starttls smtp
Loading 'screen' into random state - done
CONNECTED(000001F4)
depth=1 /DC=com/DC=example/CN=example-Issuing-CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=mailserver1.example.com
i:/DC=com/DC=example/CN=example-Issuing-CA
1 s:/DC=com/DC=example/CN=example-Issuing-CA
i:/CN=example-Root-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
< certificate info here >
-----END CERTIFICATE-----
subject=/CN=mailserver1.example.com
issuer=/DC=com/DC=example/CN=example-Issuing-CA
---
No client certificate CA names sent
---
SSL handshake has read 3875 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: < session ID >
Session-ID-ctx:
Master-Key: < master key >
Key-Arg : None
Start Time: 1487248994
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 XRDST
QUIT
DONE
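I have Exchange 2016 with public folders in a public folder mailbox (i.e.: not legacy public folders), and I'm trying to take the permissions from a parent folder and propagate them to all child folders. I need to remove all child folder permissions and inherit only from the parent. "Apply changes to this public folder and all its subfolders" doesn't seem to do anything to the pre-existing permissions on the subfolders.
We have a two-tier ADCS PKI, and the AIA URL for our intermediate CA ends in (1) (i.e.: http://pki.example.com/certenroll/certificate(1).crt), which of course doesn't exist. The URL template in the CA's Extensions properties is correct, so I assume that a file with the same name already existed the last time the certificate was issued, so it added (1) to the file name. How do I "re-issue" the certificate to update the AIA URL?
CertUtil -GetReg output: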
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\example-Issuing-CA\CACertPublicationURLs:
CACertPublicationURLs REG_MULTI_SZ =
0: 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
CSURL_SERVERPUBLISH -- 1
1: 2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
CSURL_ADDTOCERTCDP -- 2
2: 2:http://pki.example.com/CertEnroll/%1_%3%4.crt
CSURL_ADDTOCERTCDP -- 2
CertUtil: -getreg command completed successfully.
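We have a number of devices that send email through our Exchange 2010 server. These devices all authenticate with a domain user before sending messages, which worked fine in 2010. We are now migrating to Exchange 2016, and I'm trying to configure a receive connector to allow the same thing, but I can't get it to work. Here is the configuration of my receive connector: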
[PS] C:\>Get-ReceiveConnector "EX2016\default frontend EX2016" | fl
RunspaceId : 68459e4b-3af8-411d-a616-7db360d20905
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {[::]:25, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
SmtpUtf8Enabled : False
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : True
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
ProxyEnabled : False
AdvertiseClientSettings : False
Fqdn : EX2016.example.com
ServiceDiscoveryFqdn :
TlsCertificateName :
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : Unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 256 KB (262,144 bytes)
MaxHopCount : 60
MaxLocalHopCount : 5
MaxLogonFailures : 3
MaxMessageSize : 25 MB (26,214,400 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : Verbose
RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : EX2016
TransportRole : FrontendTransport
RejectReservedTopLevelRecipientDomains : False
RejectReservedSecondLevelRecipientDomains : False
RejectSingleLabelRecipientDomains : False
SizeEnabled : Enabled
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default Frontend EX2016
DistinguishedName : CN=Default Frontend EX2016,CN=SMTP Receive
Connectors,CN=Protocols,CN=EX2016,CN=Servers,CN=Exchange
Administrative Group (###########),CN=Administrative Groups,CN=Org
Unit,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=caymanport,
DC=com
Identity : EX2016\Default Frontend EX2016
ObjectCategory : example.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 20/09/2016 8:21:49 AM
WhenCreated : 08/09/2016 8:02:11 AM
WhenChangedUTC : 20/09/2016 1:21:49 PM
WhenCreatedUTC : 08/09/2016 1:02:11 PM
OrganizationId :
Id : EX2016\Default Frontend EX2016
OriginatingServer : dc.example.com
IsValid : True
ObjectState : Unchanged
Here is the SMTP log of a connection attempt:
+,,
>,"220 EX2016.example.com Microsoft ESMTP MAIL Service ready at Tue, 20 Sep 2016 07:18:27 -0500",
<,EHLO printer.example.com,
>,250 EX2016.example.com Hello [172.16.113.55] SIZE 26214400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
<,AUTH NTLM,
>,334 <authentication response>,
>,334 <authentication response>,
*,,Inbound Negotiate failed because of LogonDenied
*,,User Name: NULL
*,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful',
>,535 5.7.3 Authentication unsuccessful,
-,,Remote(SocketError)
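I don't think I should be using an anonymous relay connector, as I'm authenticating with a domain user/password. What am I doing wrong?
Edit: I should note that these printers need to be able to send email both externally and internally.
Is there a way to force the output of a PowerShell v3 script into tabular form? My script outputs the list of services in list form, even though there are only 6 fields in the output object (Get-Process outputs 8 fields in tabular form). Here is my code: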
<#
.SYNOPSIS
Gets a list of services on a given computer that are supposed to automatically start but are not currently running.
.PARAMETER ComputerName
The computer name(s) to retrieve the info from.
.PARAMETER IgnoreList
The path and filename of a text file containing a list of service names to ignore. This file has to list actual service names and not display names. Defaults to "StoppedServices-Ignore.txt" in the current directory.
.PARAMETER StartServices
Optional switch that when specified will cause this function to attempt to start all of the services it finds stopped.
.EXAMPLE
Get-StoppedServices -ComputerName Computer01 -IgnoreList '.\IgnoredServices.txt' -StartServices
.EXAMPLE
Get-StoppedServices -ComputerName Computer01,Computer02,Computer03
.EXAMPLE
"Computer01" | Get-StoppedServices
.EXAMPLE
Get-StoppedServices -ComputerName (Get-Content ComputerList.txt)
.EXAMPLE
Get-Content ComputerList.txt | Get-StoppedServices -IgnoreList '.\IgnoredServices.txt' -StartServices
#>
Function Get-StoppedServices {
    [CmdletBinding()]
    param(
        [Parameter(Position=0,Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)] [String[]]$ComputerName,
        [string]$IgnoreList,
        [switch]$StartServices
    )
    PROCESS {
        # Load the list of services to ignore (if specified).
        $ignore = @()
        if ($IgnoreList) {
            if (Test-Path $IgnoreList) {
                $ignore = import-csv -header Service $IgnoreList
                Write-Verbose "Ignoring the following services:"
                Write-Verbose ($ignore.Service -join ', ')
            } else {
                Write-Warning "Could not find ignore list $IgnoreList."
            }
        }
        # Get a list of stopped services that are set to run automatically (ie: that should be running)
        # Reset for every pipeline item so services from earlier computers are not output again.
        $serv = @()
        foreach ($c in $ComputerName) {
            Write-Verbose "Getting services from $c"
            if (Test-Connection -ComputerName $c -Count 1 -Quiet) {
                Try {
                    $serv += get-wmiobject -query "Select __Server,Name,DisplayName,State,StartMode,ExitCode,Status FROM Win32_Service WHERE StartMode='Auto' AND State!='Running'" -computername $c -erroraction stop
                } catch {
                    Write-Warning "Could not get service list from $($c)"
                }
            }
        }
        # Create the resulting list of services by removing any that are in the ignore list.
        $results = @()
        foreach ($s in $serv) {
            Write-Verbose "Checking if $($s.name) in ignore list."
            # Compare against the exact service names from the ignore file.
            if ($ignore.Service -contains $s.name) {
                Write-Verbose " *Service in ignore list."
            } else {
                Write-Verbose " Service OK."
                $obj = New-Object -typename PSObject
                $obj | Add-Member -membertype NoteProperty -name ComputerName -value ($s.PSComputerName) -passthru |
                    Add-Member -membertype NoteProperty -name ServiceName -value ($s.Name) -passthru |
                    Add-Member -membertype NoteProperty -name DisplayName -value ($s.DisplayName) -passthru |
                    Add-Member -membertype NoteProperty -name Status -value ($s.Status) -passthru |
                    Add-Member -membertype NoteProperty -name State -value ($s.State) -passthru |
                    Add-Member -membertype NoteProperty -name ExitCode -value ($s.ExitCode)
                $results += $obj
            }
        }
        # Try and start each of the stopped services that hasn't been ignored.
        # The result objects carry the service name in the ServiceName property.
        if ($StartServices) {
            foreach ($s in $results) {
                Write-Verbose "Starting '$($s.DisplayName)' ($($s.ServiceName)) on '$($s.ComputerName)'..."
                Try {
                    Get-Service -Name $s.ServiceName -ComputerName $s.ComputerName -erroraction stop | Start-service -erroraction stop
                } Catch {
                    Write-Warning "Could not start service $($s.ServiceName) on $($s.ComputerName)."
                }
            }
        }
        # Output the list of filtered services to the pipeline.
        write-output $results
    }
}
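We are running a standalone VMware 5.5 host server (HP ProLiant) that is not part of a cluster or even on a SAN with our other hosts. It has a number of patches that need to be applied, and I'm wondering what the best way to do this is. I can use Update Manager to stage the patches to the host, but then I need to shut down all of the guests in order to put the host into maintenance mode to actually apply them. Obviously, this shuts down Update Manager. I could vMotion the hosts to another server, but as I said, this host is not part of the SAN, so it would take quite a while to copy everything over and then copy it back again once the updates are done.
Is there an easy way to apply the already-staged patches once the host is in maintenance mode?
We use a Palo Alto firewall (and its GlobalProtect client) for VPN access to our network. The firewall uses LDAP to authenticate VPN logins. I'm now trying to set up a user ID for a consultant, and I want him to be able to access only 1 specific server. So, in his profile, I set Log On To workstations to allow access to only the 1 server. However, with this set, he can't VPN in because authentication fails. Is there any way to allow LDAP authentication and access to only one machine?
Our HR group has a public folder. Originally, this folder had the email address [email protected], and all email sent from outside the company went here.
It was then decided that the HR group wasn't noticing when there was new email, so I created a distribution group from the Exchange 2010 console. This distribution group includes 2 users and the folder above. To make this change transparent to external entities, I changed the public folder's email address to [email protected] and gave the distribution group the email address [email protected].
However, this doesn't seem to work. Email sent from inside our company (via Outlook) to [email protected] goes directly into the public folder and nowhere else: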
EventId Source Sender Recipients MessageSubject
------- ------ ------ ---------- --------------
RECEIVE STORE... [email protected] {[email protected]} Testing
DELIVER STORE... [email protected] {[email protected]} Testing
SUBMIT STORE... [email protected] {} Testing
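Other than testing with the message tracking logs, I'm not sure how to debug this.
I have a really strange problem, and I'm hoping someone can give me an idea of where to look. I have a new Netgear M4100-D10-POE layer 2 managed switch that we are installing in a remote building. It connects via CAT5 cable to the rest of the network through a Cisco switch (we have several, and where it is connected doesn't seem to matter). Right now it works fine, but when I power off this Netgear switch (or unplug it from the network), I get a bunch of emails from various services about a pair of other Cisco switches (a Catalyst 3560 and a Catalyst 2960S). These switches are connected to each other by fiber.
The weird thing is that the Netgear switch is not directly connected to either of the two switches that suffer the link failure. There may be 1 or 2 other Cisco switches in between. I also don't see any sort of port up/down log messages on either switch. I also know it isn't a coincidence, because I can reproduce the problem at will by plugging and unplugging the Netgear switch.
My only guess is that it has something to do with BGP, STP, or some other switch-to-switch protocol, but I don't know how to monitor that.
Update: Here are the configuration files. First, the Netgear switch: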
!Current Configuration:
!
!System Description "M4100-D10-POE ProSafe 10-port FastEthernet L2+ Intelligent Edge PoE Desktop Managed Switch, 10.0.1.28, B1.0.0.9"
!System Software Version "10.0.1.28"
!System Up Time "2 days 23 hrs 58 mins 15 secs"
!Additional Packages QOS,IPv6 Management,Routing
!Current SNTP Synchronized Time: Mar 9 19:09:41 2015 UTC
!
network protocol none
network parms 172.16.112.68 255.255.240.0 172.16.112.4
vlan database
vlan 3-10,200
vlan name 3 "VOIP_HD"
vlan name 4 "CAMERA"
vlan name 5 "WIFI_MGMT"
vlan name 6 "WIFI_GUEST"
vlan name 7 "WIFI_DATA"
vlan name 8 "SAN_SATA"
vlan name 9 "SAN_SAS"
vlan name 10 "DMZ"
vlan name 200 "AUTOVOIP"
exit
ip ssh server enable
ip ssh protocol 2
no ip telnet server enable
configure
sntp server "172.16.112.6"
sntp server "0.north-america.pool.ntp.org" 2
sntp server "1.north-america.pool.ntp.org" 3
time-range
ip domain name "caymanport.com"
ip name server 172.16.112.6 172.16.112.23 172.16.112.9
snmptrap "CIPAread" ipaddr 172.16.112.65
voice vlan
no green-mode energy-detect
line console
no transport input telnet
exit
line telnet
exit
line ssh
exit
snmp-server sysname "CDCParts1Switch"
snmp-server location "CDC Taylor Parts Container"
snmp-server contact "IT Manager"
!
no snmp-server community public
no snmp-server community private
auto-voip vlan 200
interface 0/7
vlan participation include 2-3
vlan tagging 2-3
exit
interface 0/8
vlan participation include 2-3
vlan tagging 2-3
exit
interface 0/9
vlan participation include 2-10
vlan tagging 1-10
exit
interface 0/10
vlan participation include 2-10
vlan tagging 1-10
exit
no isdp run
no isdp advertise-v2
exit
Now the Cisco 3560 switch (CDCVOIPSwitch):
Current configuration : 19392 bytes
!
! Last configuration change at 11:31:57 EST Fri Mar 6 2015
! NVRAM config last updated at 15:35:31 EST Tue Mar 3 2015
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname CDCVoipSwitch
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
clock timezone EST -5
system mtu routing 1500
ip routing
ip domain-name caymanport.com
ip name-server 172.16.112.6
ip name-server 172.16.112.23
ip name-server 172.16.112.9
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
enrollment selfsigned
serial-number
revocation-check none
rsakeypair HTTPS_SS_CERT_KEYPAIR
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface FastEthernet0/1
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/2
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/3
description vip5312-3752
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/4
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/5
description vip5330-3757
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/6
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/7
description vip5330-3756
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/8
description vip5312-3759
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/9
description vip5330-3755
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/10
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/11
description vip5312-3758
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/12
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/13
description vip5330-3754
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/14
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/15
description vip5312-3732
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/16
description camCDCNetRm
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/17
description vip5312-3751
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/18
description vip5312-3760
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/19
description vip5312-3750
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/20
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/21
description vip5312-3761
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/22
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/23
description vip5312-3762
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/24
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/25
description vip5312-3763
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/26
switchport mode access
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/27
description vip5312-3764
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/28
description AP.Ware.Out.Corner
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/29
description vip5312-3765
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/30
description AP.Ware.Out.Center
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/31
description vip5312-3766
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/32
description WLC Port 2 (VL06)
switchport access vlan 6
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/33
description WLC Port 3 (VL07)
switchport access vlan 7
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/34
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/35
description vip5312-3753
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/36
description AP.Mech
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet0/37
description vip5312-3610
switchport mode access
switchport voice vlan 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/38
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/39
description WLC Port 4
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/40
description WLC Port 1 (VL05)
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet0/41
description AP.Warehouse02
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/42
description AP.Warehouse03
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/43
description AP.Warehouse01
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/44
description AP.CDC.Dwnstairs
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/45
description AP.CDC.Upstairs
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/46
description AP.CDCGuard
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast
!
interface FastEthernet0/47
description CDC-3300
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/48
spanning-tree portfast
!
interface GigabitEthernet0/1
description HDServerSwitch SM-
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/2
description BillingVoipSwitch
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/3
description CDCDelivSwitch MM Fiber
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/4
description CDCSwitch MM Fiber
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface Vlan1
ip address 172.16.116.2 255.255.240.0
!
interface Vlan2
ip address 172.16.129.4 255.255.255.0
!
interface Vlan3
ip address 172.16.130.4 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.112.1
ip http server
ip http secure-server
!
line con 0
line vty 0 4
length 0
transport input ssh
line vty 5 15
transport input ssh
!
ntp clock-period 36029198
ntp server 172.16.112.6 key 0 prefer
ntp server 169.229.70.95 key 0 prefer
end
Next is the 2960 switch (HDServerSwitch):
Current configuration : 7496 bytes
!
! Last configuration change at 15:32:04 UTC Mon Apr 7 2014 by admin
! NVRAM config last updated at 15:35:13 UTC Tue Mar 3 2015
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname HDServerSwitch
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
clock timezone UTC -5 0
!
ip domain-name caymanport.com
ip name-server 172.16.112.6
ip name-server 172.16.112.23
ip name-server 172.16.112.9
udld aggressive
!
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos
!
crypto pki trustpoint TP-self-signed-1538847872
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1538847872
revocation-check none
rsakeypair TP-self-signed-1538847872
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
errdisable recovery cause link-flap
errdisable recovery interval 60
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
macro global description cisco-global
!
interface Port-channel1
description RumPoint LACP Team
spanning-tree portfast
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet0/1
description VsxHD01-4
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/2
description VsxHD02-6
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/3
description VsxHD01-5
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/4
description VsxHD02-0
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/5
description VsxHD01-3
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/6
description VsxHD02-5
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/7
description VsxHD01-2
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/8
description VsxHD02-4
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/9
description RumPoint-1
spanning-tree portfast
channel-protocol lacp
!
interface GigabitEthernet0/10
description VsxHD02-3 (VL10)
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/11
description RumPoint-2
spanning-tree portfast
!
interface GigabitEthernet0/12
description VsxHD02-7 (VL10)
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/13
spanning-tree portfast
!
interface GigabitEthernet0/14
description VsxHD02-1
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/15
spanning-tree portfast
!
interface GigabitEthernet0/16
description VsxHD02-2
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/17
spanning-tree portfast
!
interface GigabitEthernet0/18
description VsxHD02ILO
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/19
spanning-tree portfast
!
interface GigabitEthernet0/20
spanning-tree portfast
!
interface GigabitEthernet0/21
spanning-tree portfast
!
interface GigabitEthernet0/22
spanning-tree portfast
!
interface GigabitEthernet0/23
spanning-tree portfast
!
interface GigabitEthernet0/24
description KVMHD
spanning-tree portfast
!
interface GigabitEthernet0/25
description CDCVoipSwitch SM-F
switchport mode trunk
mls qos trust cos
macro description cisco-switch
spanning-tree link-type point-to-point
spanning-tree guard none
!
interface GigabitEthernet0/26
description HDSwitch CAT5
switchport mode trunk
shutdown
mls qos trust cos
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface Vlan1
ip address 172.16.112.57 255.255.240.0
!
interface Vlan10
ip address 172.16.200.57 255.255.255.0
!
ip default-gateway 172.16.112.1
ip http server
ip http secure-server
!
logging esm config
logging history size 500
logging history informational
!
line con 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
ntp server 172.16.112.6 prefer
ntp server 169.229.70.95 prefer
end
You can see the topology of the network here: http://imgur.com/1CvaqUt
The Netgear switch is connected to CDCSwitch port 30 right now (although it was connected to BillingSwitch at one point). Here is the config for that port:
interface FastEthernet0/30
description CDCParts1Switch
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree link-type point-to-point
!
It is the link between CDCVOIPSwitch and HDServerSwitch that's going down.