Active Directory Domain Services

2025-01-27 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--


Concept:

Workgroup:

Suitable when network resources are few, about 10 computers.

Decentralized management (a peer-to-peer network: each employee maintains his or her own computer, and all computers have equal status)

Suitable for small networks

Inconvenience: for computers to access each other, it may be necessary to set up many user accounts for other colleagues on each computer (if you are unwilling to disclose the administrator password).

Each computer maintains its administrator password on its own. If the password is forgotten, the IT administrator may have to forcibly crack it. All kinds of software can be installed freely on each computer, which can easily cause the system to crash.

Windows domain (Domain)

The resources in the network are logically organized together as a whole. Resources: computers, users, groups, printers, shared folders, etc.

Logically organized together: the physical computers and network do not need any changes, ★★ search

Centralized management (Client/Server architecture)

Computer that initiates administration: domain controller (Domain Controller = DC)

Managed computer: member machine or member server

Suitable for large and medium-sized networks

Improvements over the workgroup: only one set of accounts needs to be set up on the domain controller, and it works across the entire Active Directory.

After a password is forgotten, the domain administrator can simply reset it on the domain controller.

Distribute software using Group Policy: the required software is installed and configured automatically on the member machines.

Automatic backup of user files is realized by using the profile (configuration file) location.

Concept:

Directory service: you can easily search for user accounts, groups, computers, shared folders and other objects in the network.

Active Directory: a directory service implemented by Microsoft. It opens TCP port 389 and uses LDAP (Lightweight Directory Access Protocol).

Active Directory is also a database, which can easily store a large number of objects and return query results in a very short time.

Advantages of Active Directory:

Centralized management: the powerful tool is Group Policy

Convenient access to network resources (log in once, access everywhere)

Expandability

Domain: an accessible implementation of a directory service that wraps the complex query statements in the background into a graphical and manageable form.

Domain controller (Domain Controller): a computer with the Active Directory service installed.

Container: an object that can hold other objects is called a container.

Logical structure:

Single domain: there is only one domain.

Domain tree (Domain Tree): parent and child domains form a domain tree, ★ which uses contiguous domain name suffixes.

Domain forest (Domain Forest): multiple domain trees with different suffixes form a forest.

Organizational unit: OU, sub-OU

★★★ The multiple domains throughout the forest have a "trust" relationship that allows them to access each other.

Physical structure:

Site: used to optimize replication traffic between multiple domain controllers (synchronization of knowledge, mainly synchronization of common groups)

Multiple domain controllers in the same high-speed network can be placed in one site, and ★★ replication is preferred within the site.

Domain controller.

Implementation of a domain controller:

1 Must be a Windows Server operating system (except the Web edition)

2 Have local administrator privileges

3 There is an NTFS file system with enough space

4 ★★ Has a static IP address

5 ★★ Is supported by a DNS service (in a workgroup a computer is identified by its computer name; in a domain a computer is identified by a domain name similar to www.benet.com; the DNS service can be installed and configured automatically in the process of promoting the domain controller)

Configuration process:

1 Windows Server 2008 R2 in its original state; log in as administrator

2 Set a static IP address, ★★ with DNS pointing to 127.0.0.1 (the DNS service will be installed on the domain controller, so it can resolve the domain name by itself)

3 Execute dcpromo.exe to promote the domain controller.

Domain controller promotion, the implementation of the domain controller

Create a domain in a new forest (create a forest from scratch and become the first domain in the forest, also known as the "forest root domain")

★★★ Domain name of the new forest: at least two parts, separated by English periods (.), such as qq.com; meaningless strings or special symbols are not recommended.

Accept the defaults in the subsequent steps, ignore the DNS warning and select "Install DNS Server"

Define the restore mode password: it is used only when restoring domain controller backups, and it is recommended that it differ from the Active Directory administrator's password.

★★ Select the restart on completion option.

4 After the restart, the original workgroup administrator is automatically upgraded to domain administrator with the same password.

Management tools lab: Active Directory Users and Computers, referred to as ADUC

1 Open the Active Directory Users and Computers console and expand the domain name suffix

Builtin directory: groups that come with Windows and do not need to be created by yourself, called "built-in groups"

Computers directory: member machines that join the domain are listed here

Domain Controllers directory: lists all domain controllers in the domain

Users directory: default location for domain users and groups

Domain Admins: group of domain administrators

Domain Users: group of normal users

Enterprise Admins: group of enterprise administrators, with larger permissions than domain administrators

2 Creation of organizational units (OU):

★★ Divide larger domains into manageable chunks based on region or department.

Right-click the domain name suffix, New, Organizational Unit:

Simulate the structure of the company and establish an organizational unit for each department

3 Creation of users:

Set up employee accounts in the organizational unit of each department.

New, User

Names can be in Chinese.

★★★ Login name: purely Chinese companies often use the pinyin spelling of the employee's name, such as zhangsan; foreign companies commonly use the given name followed by the surname, such as san.zhang

★★★ Password: must meet complexity requirements

Display name: unique in the OU

Login name: unique in the domain in which it is located

When the display name and login name are different, the login name must be used to log in to the domain.
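The OU and user creation steps above can also be scripted. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is available, and the domain corp.example, the departments and the user names are constructed placeholders.

```powershell
# Added example: one OU per department and one account per employee.
# corp.example, the departments and the names are constructed values.
Import-Module ActiveDirectory

$domainDn  = 'DC=corp,DC=example'
$upnSuffix = 'corp.example'
$staff = @(
    @{ Dept = 'Sales';   Display = 'Zhang San'; Login = 'zhangsan' },
    @{ Dept = 'Finance'; Display = 'Li Si';     Login = 'lisi' }
)

# Prompt once for an initial password. It must meet the domain's
# complexity requirements or it will be rejected.
$initial = Read-Host -AsSecureString 'Initial password'

foreach ($p in $staff) {
    $ouDn = "OU=$($p.Dept),$domainDn"

    # Create the department OU only if it does not exist yet.
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$($p.Dept)'" `
        -SearchBase $domainDn -SearchScope OneLevel
    if (-not $ou) {
        New-ADOrganizationalUnit -Name $p.Dept -Path $domainDn
    }

    # The login name must be unique in the whole domain, so search the
    # domain, not just the OU, before creating the account.
    if (Get-ADUser -Filter "SamAccountName -eq '$($p.Login)'") {
        Write-Warning "Login name $($p.Login) already exists; skipped."
        continue
    }

    # Both logon forms are set: DOMAIN\login (SamAccountName) and
    # login@suffix (UserPrincipalName). The user must change the
    # initial password at first logon.
    New-ADUser -Name $p.Display -DisplayName $p.Display `
        -SamAccountName $p.Login `
        -UserPrincipalName "$($p.Login)@$upnSuffix" `
        -Path $ouDn -AccountPassword $initial `
        -ChangePasswordAtLogon $true -Enabled $true
}
```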

4 Join the computer to the domain:

Start a Windows machine in its original state and set an IP address on the same network segment as the domain controller

★★★ DNS must point to the IP of the domain controller

Before formally joining the domain, you should be able to ping the domain name suffix of the Active Directory, such as ping qq.com. If it cannot be resolved, do not rush to join the domain. Troubleshoot the network problem first.

In Computer Properties, at the place where the computer name is changed, under "Member of", fill in the domain suffix, then enter an account and password that have permission to join computers to the domain

★★★ Restart the computer

Logging in to the domain: ★★ two sets of accounts are available on member computers, one is the original local account and the other is the domain account

If you want to log in to the domain, you must click "Switch User" and log in to the domain using "Other User". Ways to write the user name:

Domain name abbreviation\login name; for example, the zhangsan user of qq.com can write qq\zhangsan

Login name@domain suffix; for example, the zhangsan user of qq.com can write zhangsan@qq.com
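The checks described before joining (DNS pointing at the domain controller, the domain name resolving, and the LDAP port being reachable) can be run as one script. This is an added example, not part of the original article; the function name and the domain corp.example are assumptions, and the nslookup text match assumes English-language output.

```powershell
# Added example: pre-join checks on the future member machine.
# Test-DomainJoinReadiness and corp.example are hypothetical names.
function Test-DomainJoinReadiness {
    param([Parameter(Mandatory = $true)][string]$DomainName)

    $result = New-Object PSObject -Property @{
        Domain = $DomainName; DnsResolves = $false
        SrvRecordFound = $false; LdapReachable = @()
    }

    # 1. Same purpose as "ping <domain suffix>": the name must resolve
    #    through the DNS server configured on this machine (the DC).
    $addresses = @()
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($DomainName))
        $result.DnsResolves = ($addresses.Count -gt 0)
    } catch { }

    # 2. Clients locate domain controllers through this SRV record.
    $srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainName" 2>$null
    $result.SrvRecordFound = [bool]($srv -match 'svr hostname')

    # 3. LDAP listens on TCP 389 on each address the domain resolves to.
    foreach ($ip in $addresses) {
        $client = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($ip.AddressFamily)
            $async = $client.BeginConnect($ip, 389, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
                $result.LdapReachable += $ip.ToString()
            }
        } catch { } finally { if ($client) { $client.Close() } }
    }
    $result
}

Test-DomainJoinReadiness -DomainName 'corp.example'
```

If DnsResolves or SrvRecordFound is false, the client's DNS setting is the first thing to check, as the step above says.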

Implementation of an extra domain controller: prevents a "single point of failure" (an important service has only one server, which causes business chaos after a failure); there should be at least two domain controllers in one domain.

1 Start the existing domain controller

2 Start a Windows Server 2008 R2 machine in workgroup state on the same VM switch as the domain controller (if not on the same switch, you need to set up a gateway)

Set an IP address on the same network segment as the domain controller. The preferred DNS points to 127.0.0.1, and the secondary DNS points to the IP of the first domain controller.

3 Run dcpromo.exe to promote the domain controller

Existing forest: add a domain controller to an existing domain

Enter the domain name suffix of any domain in the forest (generally fill in the domain suffix of this domain)

Choose the domain for which this server becomes the extra domain controller

Fill in the restore mode password

Accept the defaults, complete, and restart.

4 The extra domain controller has only just been promoted, so you need to execute ipconfig /flushdns on the first domain controller (recommended, otherwise the first domain controller may not recognize the second one for a short time)

Create OUs, groups, users and other objects on each of the two domain controllers to see whether the other one learns them.
