Add-DAAppServer

Adds a new application server security group to the DirectAccess (DA) deployment, adds application servers to an application server security group that is already part of the DirectAccess deployment, and adds or updates an application server Group Policy Object (GPO) in a domain.

Syntax

Parameter Set: AppServerSGGpo
Add-DAAppServer [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-GpoName <String[]> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-PassThru] [-SecurityGroupNameList <String[]> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]

Parameter Set: AppServerToSGGpo
Add-DAAppServer [-Name] <String[]> [-SecurityGroupName] <String> [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-GpoName <String[]> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-PassThru] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]

Detailed Description

The Add-DAAppServer cmdlet adds a new application server security group to the DirectAccess (DA) deployment, adds application servers to an application server security group that is already part of the DirectAccess deployment, and adds or updates an application server Group Policy Object (GPO) in a domain. This cmdlet is not applicable when DA is deployed only for the management of remote clients.

The application server security group and GPO parameters are treated as independent entities. The basic paradigm is that a user can create application server GPOs independent of the SGs and the domains where these SGs exist. Every SG that is added to the DA deployment is added in all application server GPOs currently present. Hence, all GPOs always contain all SGs even if all the corresponding domains are not represented in all the SGs. There will never be a scenario where an SG is present only in some of the GPOs. If this happens, then it means that the configuration is in a bad state.

With this paradigm there is still a need to parse the SG to add independent application servers in an SG because every application server has a unique end-to-end IPsec policy in all client and application server GPOs.

The following additional capabilities of the application server cmdlets justify their need even though AD cmdlets are already available for the addition of SGs and GPOs.
-- When an SG is added, it is added in all GPOs. Additionally, if the user does not have permissions to edit a GPO, the SG is not added to any of the GPOs. When using the AD cmdlet, the user would have to carefully ensure that it is run for each of the domains, and it is difficult to handle the case where the user does not have permissions on some domains.
-- When a GPO is added all SGs are added in the GPO and application server specific policies are created. The cmdlet takes care of the conditions where the GPO is created if not already present. If the GPO is already present then it is merely edited.

The App Server configuration is a global configuration and is applicable to all DA servers in the enterprise deployment, even when there is a multi-site enterprise deployment.

Following are additional behavioral notes for this cmdlet.
-- If the user adds an SG without specifying a domain or GPO, then by default an application server GPO is created in the DA server's domain. If the user specifies a GPO name or domain name, then the GPO is created only in that domain.
-- Adding an application server GPO alone without any application server SGs is a permitted operation. When adding a GPO the admin can either specify the name of the GPO and the domain to which it belongs or the domain name alone. If only a domain is specified, then the GPO is created with a default name.
-- If nested SGs are specified, then the cmdlet recursively parses all SGs so that all servers are retrieved and policies can be created or removed accordingly. However, the cmdlet does not refer to the domain to which an application server belongs. Hence it is the responsibility of the user to ensure that application server GPOs are created in every supported domain by explicitly adding GPOs in that domain.
-- When adding a new app server GPO, if it is already present in the domain then it is merely configured with the SGs, IPsec policies and other settings. If it is not present then it is created first.
-- If the user tries to re-add a GPO by either re-adding a domain or specifying the same GPO name for the domain again, then no changes are made.
-- If the user tries to add a GPO with a new name in a domain that already contains an app server GPO, then no action is taken but a non-terminating error is displayed. If this cmdlet finds that no action can be taken based on the parameters passed, then it will return a terminating error.
-- When adding SGs, if the user does not have the permissions to configure even one app server GPO among the many that might be present, then the cmdlet terminates the processing of the entire list of SGs specified. However, it still processes any GPOs that the user might have specified to add.
-- When adding GPOs, if the user does not have the permissions to create or configure one of the specified GPOs, then the cmdlet still proceeds with the processing of the remaining GPOs in the list.
-- Each new application server GPO that is added is configured with the end-to-end authentication and IPsec traffic protection settings. These settings are common to all GPOs. The default values assigned by this cmdlet are E2EAuthOnlyToAppServer for end-to-end authentication and Disabled for IPsec traffic protection. The default setting is Enabled. If the user wishes to change these values, then use the Set-DAAppServerConnection cmdlet.

Parameters

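-CimSession <CimSession[]>

Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.

Aliases

Session

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?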

false

-ComputerName <String>

Specifies the IPv4 or IPv6 address, or host name, of the computer on which the remote access server computer specific tasks should be run.

Aliases

Cn

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-GpoName <String[]>

Specifies the name to be used when creating the application server GPO in the specified domain or represents the domain in which an app server GPO with the default name should be created. GPO is specified in the format DOMAIN\GPO_NAME. Domain is specified in the format DOMAIN. If the parameter contains only the domain name then the following default GPO name is used:
-- <domain> application server policy for <DirectAccess connection friendly name>.
The default value is DirectAccess Application Server Settings.
A list of GPOs can be specified.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-InformationAction <System.Management.Automation.ActionPreference>

Aliases

infa

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-InformationVariable <System.String>

Aliases

iv

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Name <String[]>

Specifies the list of application servers that have to be added to the DirectAccess deployment. The servers are specified by their hostnames and are added to the security group specified by the SecurityGroupName parameter. The servers cannot be specified by their IPv4 or IPv6 addresses.

Aliases

none

Required?

true

Position?

2

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-PassThru

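Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?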

false

-SecurityGroupName <String>

Specifies the name of a security group that is already part of the DirectAccess deployment to which the specified list of application servers should be added. Specified in the DOMAIN\SG_NAME format.

Aliases

none

Required?

true

Position?

3

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-SecurityGroupNameList <String[]>

Specifies the list of application server security groups that are to be added to the DirectAccess deployment. Specified in DOMAIN\SG_NAME format.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

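-ThrottleLimit <Int32>

Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?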

false

-Confirm

Prompts you for confirmation before running the cmdlet.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters on TechNet (https://go.microsoft.com/fwlink/p/?LinkID=113216).

<WorkflowParameters>

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • None

Outputs

The output type is the type of the objects that the cmdlet emits.

  • Microsoft.Management.Infrastructure.CimInstance#DAAppServer

    The Microsoft.Management.Infrastructure.CimInstance object is a wrapper class that displays Windows Management Instrumentation (WMI) objects. The path after the pound sign (#) provides the namespace and class name for the underlying WMI object.
    The DAAppServer object consists of the following properties:
    -- The list of application server security groups. Each security group is specified in the Domain\GroupName format.
    -- The list of application server GPOs. Each GPO is specified in the Domain\GPOName format.
    -- The properties of the connection to the application server. If there are no application servers configured then the default value is NoE2EAuth, which means no end-to-end authentication is required.
    -- Whether or not IPsec traffic protection is enabled. If there are no application servers configured then the default value is Disabled.

EXAMPLE 1

This example adds an application server security group to the DirectAccess deployment.
This cmdlet adds the security group daAppServerGrp, consisting of application servers, to the DirectAccess deployment. Additionally, a GPO is created with the default name DirectAccess Application Server Settings in the same domain as the DirectAccess server, and the GPO is filtered on this security group.

PS C:\> Add-DAAppServer -SecurityGroupNameList daAppServerGrp -PassThru

EXAMPLE 2

This example adds an application server to the application server security group.
This cmdlet adds the application server da-test-0807 to the pre-existing security group daappservergrp.

PS C:\> Add-DAAppServer -Name da-test-0807 -SecurityGroupName daAppServerGrp

EXAMPLE 3

This example adds an application server GPO to the DirectAccess deployment. The setup consists of two domains, viz. corp.contoso.com and child.corp.contoso.com. There is already an application server GPO in corp.contoso.com. This cmdlet adds a GPO in the domain child.corp.contoso.com.

PS C:\> Add-DAAppServer -GpoName child.corp.contoso.com\DAAppServerGpo -PassThru
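
The behavioral notes state that the cmdlet does not look at the domain an application server belongs to, so GPO coverage per domain is left to the administrator. The following added example (not part of the original page and not Microsoft's code) finds domains that contain application servers but have no application server GPO, then previews the fix with -WhatIf. The function name Get-MissingAppServerGpoDomain, the sample values, and the use of DNS domain names in DOMAIN\GPO_NAME (as in Example 3) are assumptions.

```powershell
# Added example; function name and sample values are hypothetical.
function Get-MissingAppServerGpoDomain {
    param(
        # distinguishedName of each application server, for example from
        # Get-ADGroupMember -Recursive run against the application server SG
        [Parameter(Mandatory)] [string[]] $ServerDistinguishedName,
        # Application server GPOs already in the deployment (DOMAIN\GPO_NAME)
        [string[]] $GpoName = @()
    )
    # Domains that already hold an application server GPO (text before '\').
    # Assumption: DOMAIN is the DNS domain name, as in Example 3.
    $covered = @{}
    foreach ($g in $GpoName) {
        $covered[($g -split '\\', 2)[0].ToLowerInvariant()] = $true
    }
    # Build each server's DNS domain from the DC= components of its DN.
    $missing = [ordered]@{}
    foreach ($dn in $ServerDistinguishedName) {
        $labels = [regex]::Matches($dn, '(?i)(?:^|,)\s*DC=([^,]+)') |
            ForEach-Object { $_.Groups[1].Value }
        if (-not $labels) { Write-Warning "No DC= components in '$dn'"; continue }
        $domain = ($labels -join '.').ToLowerInvariant()
        if (-not $covered.ContainsKey($domain)) { $missing[$domain] = $true }
    }
    @($missing.Keys)
}

# Constructed sample input: two servers, one of them in a child domain.
$servers = @(
    'CN=APP1,OU=Servers,DC=corp,DC=contoso,DC=com'
    'CN=APP2,OU=Servers,DC=child,DC=corp,DC=contoso,DC=com'
)
$gpos = @('corp.contoso.com\DirectAccess Application Server Settings')
$gaps = Get-MissingAppServerGpoDomain -ServerDistinguishedName $servers -GpoName $gpos
$gaps

# On a DirectAccess server, preview a default-named GPO for each uncovered
# domain. Remove -WhatIf to apply. -ErrorVariable +daErrors accumulates any
# errors across iterations so they can be reviewed afterwards.
if (Get-Command Add-DAAppServer -ErrorAction SilentlyContinue) {
    foreach ($d in $gaps) {
        Add-DAAppServer -GpoName $d -WhatIf -ErrorVariable +daErrors
    }
}
```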

Related Topics

Get-DAAppServer

Remove-DAAppServer

Set-DAAppServerConnection