Username: SyT007

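Since I am going to Dalian to look for a job, updates to this blog will stop for a while.
Once I have found a job or am able to get online, I will continue updating my blog. Thank you all for supporting this blog over the past two-plus months. Thank you!!!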

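Scenario 4: a single-domain environment has two DCs (dc1 and dc2), and the DNS service runs on the first DC (dc1). One day dc1 is forcibly removed and that system will never come back online
Scenario 5: performing a remote restore of Active Directory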

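Scenario 1: in a single-domain environment with only one DC, a user has been deleted by mistake, or Active Directory cannot work properly for some reason; perform a non-authoritative restore
Scenario 2: in a single-domain environment with two DCs, one DC fails unexpectedly (even the operating system will not boot); rebuild Active Directory (reinstall the operating system + promote to domain controller with dcpromo + replicate again)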

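Scenario 3: in a single-domain environment with two DCs (dc1, dc2), the user kitty on dc1 is deleted by mistake and now has to be restored; perform an authoritative restore..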
2007-07-31 17:15:48
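I haven't updated the blog for a week, so I apologize to my readers here. Shenyang has been unbearably hot lately, so I have spent less time at the computer; there is no air conditioning at home, and I am allergic to the breeze from the fan. A few days ago I even got heatstroke, so I hope everyone can understand. From now on I will post more often, and I will also bring in some practical..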

R1 configuration:
R1#conf t
R1(config)#int f0/0
R1(config-if)#no shutdown
R1(config-if)#int f0/0.2
R1(config-subif)#encapsulation dot1q 2
R1(config-subif)#ip address 192.168.2.254 255.255.255.0
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#int f0/0.3
R1(config-subif)#encapsulation dot1q 3
R1(config-subif)#ip address 192.168.3.254 255.255.255.0
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#int s1/0
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#end
R1#conf t
R1(config)#router ospf 1
R1(config-router)#network 192.168.2.0 0.0.0.255 area 0
R1(config-router)#network 192.168.3.0 0.0.0.255 area 0
R1(config-router)#network 1.1.1.0 0.0.0.255 area 0
R1(config-router)#end
 
R2 configuration:
R2#conf t
R2(config)#int s0/0
R2(config-if)#ip address 1.1.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#clock rate 64000
R2(config-if)#exit
R2(config)#int s0/1
R2(config-if)#ip address 2.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#clock rate 64000
R2(config-if)#end
R2#conf t
R2(config)#router ospf 2
R2(config-router)#network 2.1.1.0 0.0.0.255 area 0
R2(config-router)#network 1.1.1.0 0.0.0.255 area 0
R2(config-router)#end
 
R3 configuration:
R3#conf t
R3(config)#int s1/0
R3(config-if)#ip address 2.1.1.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#int f0/0
R3(config-if)#no shutdown
R3(config-if)#int f0/0.2
R3(config-subif)#encapsulation dot1q 2
R3(config-subif)#ip address 172.16.2.254 255.255.255.0
R3(config-subif)#no shutdown
R3(config-subif)#exit
R3(config)#int f0/0.3
R3(config-subif)#encapsulation dot1q 3
R3(config-subif)#ip address 172.16.3.254 255.255.255.0
R3(config-subif)#no shutdown
R3(config-subif)#exit
R3(config)#router ospf 3
R3(config-router)#network 172.16.2.0 0.0.0.255 area 0
R3(config-router)#network 172.16.3.0 0.0.0.255 area 0
R3(config-router)#network 2.1.1.0 0.0.0.255 area 0
R3(config-router)#end
View the routing tables:
R1#show ip route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Serial1/0
     2.0.0.0/24 is subnetted, 1 subnets
O       2.1.1.0 [110/128] via 1.1.1.2, 00:03:37, Serial1/0
     172.16.0.0/24 is subnetted, 2 subnets
O       172.16.2.0 [110/129] via 1.1.1.2, 00:03:37, Serial1/0
O       172.16.3.0 [110/129] via 1.1.1.2, 00:03:37, Serial1/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0.2
C    192.168.3.0/24 is directly connected, FastEthernet0/0.3
 
R2#show ip route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Serial0/0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.1.1.0 is directly connected, Serial0/1
     172.16.0.0/24 is subnetted, 2 subnets
O       172.16.2.0 [110/65] via 2.1.1.2, 00:03:37, Serial0/1
O       172.16.3.0 [110/65] via 2.1.1.2, 00:03:37, Serial0/1
O    192.168.2.0/24 [110/65] via 1.1.1.1, 00:03:37, Serial0/0
O    192.168.3.0/24 [110/65] via 1.1.1.1, 00:03:37, Serial0/0
 
R3#show ip route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
O       1.1.1.0 [110/128] via 2.1.1.1, 00:03:43, Serial1/0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.1.1.0 is directly connected, Serial1/0
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.2.0 is directly connected, FastEthernet0/0.2
C       172.16.3.0 is directly connected, FastEthernet0/0.3
O    192.168.2.0/24 [110/129] via 2.1.1.1, 00:03:43, Serial1/0
O    192.168.3.0/24 [110/129] via 2.1.1.1, 00:03:43, Serial1/0
 
SW1 configuration:
SW1#vlan database
SW1(vlan)#vlan 2
SW1(vlan)#vlan 3
SW1(vlan)#exit
SW1#conf t
SW1(config)#int f0/15
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#exit
SW1(config)#int f0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 2
SW1(config-if)#exit
SW1(config)#int f0/3
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 3
SW1(config-if)#end
 
SW2 configuration:
SW2#vlan database
SW2(vlan)#vlan 2
SW2(vlan)#vlan 3
SW2(vlan)#exit
SW2#conf t
SW2(config)#int f0/15
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#exit
SW2(config)#int f0/2
SW2(config-if)#switchport access vlan 2
SW2(config-if)#exit
SW2(config)#int f0/3
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 3
SW2(config-if)#end
 
Verification:
PC1:
PC1#ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 188/246/300 ms
PC1#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 408/487/528 ms
PC1#ping 172.16.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 384/441/492 ms
 
PC3:
PC3#ping 172.16.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/258/348 ms
PC3#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 348/400/452 ms
PC3#ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 312/396/516 ms
..
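First, confirm that Telnet is enabled on the remote DHCP server
Open a command prompt (cmd)
c:\telnet 192.168.2.1     ----------- IP address of the remote DHCP server
Log in with your user name and password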
netsh

netsh>dhcp ..
2007-07-13 18:44:47


1 Configure static NAT
R1 configuration:
(1) Set the inside interface address
R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.254 255.255.255.0
R1(config-if)#no shutdown
(2) Set the outside interface address
R1(config)#int s1/0
R1(config-if)#ip address 1.1.1.1 255.255.255.252
R1(config-if)#no shutdown
(3) Create static translations between the inside local and inside global addresses
R1(config)#ip nat inside source static 192.168.1.1 172.16.1.1
R1(config)#ip nat inside source static 192.168.1.2 172.16.1.2
(4) Enable NAT on the inside and outside interfaces
R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip nat outside
(5) Enable the default route
R1(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2
R2 configuration:
R2>en
R2#conf t
R2(config)#int s1/1
R2(config-if)#ip address 1.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#int f0/0
R2(config-if)#ip address 2.2.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1
(6) Verification
PC1:
PC1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/254/336 ms
R1:
R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.1.1:7      192.168.1.1:7      2.2.2.2:7          2.2.2.2:7
--- 172.16.1.1         192.168.1.1        ---                ---
--- 172.16.1.2         192.168.1.2        ---                ---
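After PC1 pings PC3, running show ip nat translations on R1 shows that the NAT translation was performed successfully.
When the inside local address 192.168.1.1 reaches the router, NAT translates it to the inside global address 172.16.1.1. From PC3's point of view, it is communicating with 172.16.1.1.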
R1#debug ip nat
IP NAT debugging is on
R1#
*Mar  1 01:13:06.659: NAT*: s=192.168.1.2->172.16.1.2, d=2.2.2.2 [25]
*Mar  1 01:13:06.803: NAT*: s=2.2.2.2, d=172.16.1.2->192.168.1.2 [25]
*Mar  1 01:13:06.995: NAT*: s=192.168.1.2->172.16.1.2, d=2.2.2.2 [26]
*Mar  1 01:13:07.163: NAT*: s=2.2.2.2, d=172.16.1.2->192.168.1.2 [26]
*Mar  1 01:13:07.235: NAT*: s=192.168.1.2->172.16.1.2, d=2.2.2.2 [27]
*Mar  1 01:13:07.395: NAT*: s=2.2.2.2, d=172.16.1.2->192.168.1.2 [27]
*Mar  1 01:13:07.443: NAT*: s=192.168.1.2->172.16.1.2, d=2.2.2.2 [28]
*Mar  1 01:13:07.575: NAT*: s=2.2.2.2, d=172.16.1.2->192.168.1.2 [28]
*Mar  1 01:13:07.603: NAT*: s=192.168.1.2->172.16.1.2, d=2.2.2.2 [29]
*Mar  1 01:13:07.735: NAT*: s=2.2.2.2, d=172.16.1.2->192.168.1.2 [29]
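After PC2 pings PC3, I ran debug ip nat on R1, which shows the translation in more detail. The source address 192.168.1.2 is translated to 172.16.1.2 when it reaches the router and then communicates with PC3 at 2.2.2.2.
2 Configure dynamic NAT
Before configuring, first remove the static NAT configured in task 1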
R1:
R1(config)#no ip nat inside source static 192.168.1.1 172.16.1.1
R1(config)#no ip nat inside source static 192.168.1.2 172.16.1.2
R1(config)#int f0/0
R1(config-if)#no ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#no ip nat outside
(1) Set the inside interface address
R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.254 255.255.255.0
R1(config-if)#no shutdown
(2) Set the outside interface address
R1(config)#int s1/0
R1(config-if)#ip address 1.1.1.1 255.255.255.252
R1(config-if)#no shutdown
(3) Define the access control list of inside hosts allowed to reach the outside network
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
(4) Define the pool of legal IP addresses
R1(config)#ip nat pool test1 10.0.0.1 10.0.0.3 netmask 255.255.255.0
(5) Implement the network address translation
R1(config)#ip nat inside source list 1 pool test1
(6) Enable NAT on the inside and outside interfaces
R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip nat outside
(7) Verification:
PC1:
PC1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 264/298/332 ms
PC2:
PC2#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 228/280/384 ms
R1:
R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.0.0.1:10       192.168.1.1:10     2.2.2.2:10         2.2.2.2:10
--- 10.0.0.1           192.168.1.1        ---                ---
icmp 10.0.0.2:7        192.168.1.2:7      2.2.2.2:7          2.2.2.2:7
--- 10.0.0.2           192.168.1.2        ---                ---
3 Configure PAT
  I. The inside global address provided is 10.10.10.10/24
R1#conf t
R1(config)#no ip nat inside source list 1 pool test1       
R1(config)#no access-list 1         
R1(config)#no ip nat pool test1                   
R1(config)#int f0/0
R1(config-if)#no ip nat inside
R1(config-if)#int s1/0
R1(config-if)#no ip nat outside
R1(config-if)#end
(1) Set the inside interface address
R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.254 255.255.255.0
R1(config-if)#no shutdown
(2) Set the outside interface address
R1(config)#int s1/0
R1(config-if)#ip address 1.1.1.1 255.255.255.252
R1(config-if)#no shutdown
(3) Define the access control list of inside hosts allowed to reach the outside network
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
(4) Define the pool of legal IP addresses
R1(config)#ip nat pool test2 10.10.10.10 10.10.10.10 netmask 255.255.255.0
(5) Configure overloaded dynamic IP address translation
R1(config)#ip nat inside source list 1 pool test2 overload
(6) Enable NAT on the inside and outside ports
R1(config)#int s1/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#int f0/0
R1(config-if)#ip nat inside
(7) Verification:
PC1:
PC1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/289/500 ms
PC2:
PC2#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/270/492 ms
R1:
R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.10.10.10:11    192.168.1.1:11     2.2.2.2:11         2.2.2.2:11
icmp 10.10.10.10:8     192.168.1.2:8      2.2.2.2:8          2.2.2.2:8
As shown, the IP addresses inside the LAN all share the inside global address 10.10.10.10
   II. Overloading the router's outside interface address
R1:
R1#conf t
R1(config)#no ip nat inside source list 1 pool test2
R1(config)#no access-list 1
R1(config)#no ip nat pool test2
R1(config)#int f0/0
R1(config-if)#no ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#no ip nat outside
R1(config-if)#end
(1) Set the inside interface address
R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.254 255.255.255.0
R1(config-if)#no shutdown
(2) Set the outside interface address
R1(config)#int s1/0
R1(config-if)#ip address 1.1.1.1 255.255.255.252
R1(config-if)#no shutdown
(3) Define the access control list of inside hosts allowed to reach the outside network
R1(config)#access-list 2 permit 192.168.1.0 0.0.0.255
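(4) Because the outside interface address is used, no IP address pool needs to be defined
(5) Configure overloaded dynamic IP address translation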
R1(config)#ip nat inside source list 2 interface s1/0 overload
(6) Enable NAT on the inside and outside ports
R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip nat outside
(7) Verification
PC1:
PC1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 232/316/424 ms
PC2:
PC2#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 240/297/356 ms
R1:
R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:13        192.168.1.1:13     2.2.2.2:13         2.2.2.2:13
icmp 1.1.1.1:9         192.168.1.2:9      2.2.2.2:9          2.2.2.2:9
As shown, the IP addresses inside the LAN all share the router's outside interface address 1.1.1.1
..
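
Added example (not part of the original post): a Python sketch that parses the show ip nat translations output captured above and shows what overload changes for host attribution. With static NAT an inside global address identifies one inside host; with PAT several hosts share it, so mapping observed traffic back to a host also needs the port (for ICMP, the identifier). The function names are assumptions of this example; the two tables are copied from the post.

```python
from collections import defaultdict

# Tables copied from the "show ip nat translations" captures in the post.
STATIC = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.1.1:7      192.168.1.1:7      2.2.2.2:7          2.2.2.2:7
--- 172.16.1.1         192.168.1.1        ---                ---
--- 172.16.1.2         192.168.1.2        ---                ---
"""
PAT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:13        192.168.1.1:13     2.2.2.2:13         2.2.2.2:13
icmp 1.1.1.1:9         192.168.1.2:9      2.2.2.2:9          2.2.2.2:9
"""

def split_ep(token):
    """'1.1.1.1:13' -> ('1.1.1.1', 13); '1.1.1.1' -> ('1.1.1.1', None)."""
    ip, _, port = token.partition(":")
    return ip, int(port) if port else None

def parse(table):
    """One dict per translation row; the 9-word header line is skipped."""
    rows = []
    for line in table.splitlines():
        f = line.split()
        if len(f) != 5:
            continue
        (g_ip, g_port), (l_ip, _) = split_ep(f[1]), split_ep(f[2])
        rows.append({"proto": f[0], "global": g_ip, "gport": g_port, "local": l_ip})
    return rows

def overloaded(rows):
    """Inside global addresses shared by more than one inside local host (PAT)."""
    hosts = defaultdict(set)
    for r in rows:
        hosts[r["global"]].add(r["local"])
    return {g: sorted(h) for g, h in hosts.items() if len(h) > 1}

def attribute(rows, global_ip, port=None):
    """Inside local hosts that could be behind global_ip[:port].
    An address-only row (static or one-to-one dynamic) covers every port;
    for ICMP the 'port' column is the ICMP identifier."""
    return sorted({r["local"] for r in rows if r["global"] == global_ip
                   and (port is None or r["gport"] in (None, port))})

if __name__ == "__main__":
    print(overloaded(parse(PAT)), attribute(parse(PAT), "1.1.1.1", 9))
```

Because PAT entries are created per flow and age out, the same lookup against logged translations also needs the timestamp of the observed traffic.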