Windows Server 2003 AD Installation, Configuration, Management and Maintenance (林寶森, [email protected])
Reasons to Maintain a Single Domain
• Ease of Management
• Easier Delegation
• Fewer Members in Domain Admins Group
• Object Capacity Same as Multiple Domain Structure
Reasons to Create Multiple Domains
• Distinct domain-level policies
• Tighter administrative control
• Decentralized administration
• Separation and control of affiliate relationships
• Reduced replication traffic
Installing DNS During the Active Directory Installation
• The Active Directory Installation Wizard prompts you to install and configure a local DNS server if it does not find an existing DNS infrastructure
• To implement DNS, the Active Directory Wizard:
– Installs the DNS Server service
– Creates a forward lookup zone
– Configures the zone as Active Directory integrated
– Enables secure dynamic updates for the zone
Installing and Configuring DNS
• To install and configure DNS:
– Configure the DNS primary suffix
– Assign a static IP address
– Install the DNS Server service
– Create a forward lookup zone (it must be authoritative for your DNS domain; enable dynamic updates)
– Create a reverse lookup zone (optional)
Establishing the Root Domain
• Start Installation Wizard
• Select Domain Controller and Domain Type
• Specify Required Information
– Domain, DNS, and NetBIOS names
– Database, log, and shared system volume locations
– Select to weaken permissions
• Active Directory Is Installed
• Computer Is Domain Controller
• Active Directory Tools Added
Adding a Domain Controller to an Existing Domain
• Start Installation Wizard
• Select Domain Controller Type
• Specify Required Information
– Network credentials
– DNS name of domain to join
– Database, log, and shared system volume locations
• Active Directory Is Installed
Creating a Child Domain
• Start Installation Wizard
• Select Domain Controller and Domain Type
• Specify Required Information
– Network credentials
– DNS names of parent and child domains
– Database, log, and shared system volume locations
– Select to weaken permissions
• Active Directory Is Installed
Creating a Tree in an Existing Forest
• Start Installation Wizard
• Select Domain Controller and Domain Type
• Specify Required Information
– Network credentials
– DNS names of new tree
– Database, log, and shared system volume locations
– Select to weaken permissions
• Active Directory Is Installed
The Active Directory Installation Process
• The installation process:
– Starts the security protocol and sets the security policy
– Creates the Active Directory partitions, database, and log files
– Creates the forest root domain
– Creates the SYSVOL folder
– Configures the site membership of the domain controller
– Enables security on the directory service and the file replication folders
– Applies the password for restore mode
What Are SRV Resource Records?
• SRV resource records are DNS records that map a service to the computer that provides the service
• Format of SRV records: _Service._Protocol.Name TTL Class SRV Priority Weight Port Target
• Example: _ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft
• Find Netlogon.dns in %SystemRoot%\System32\Config
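To make the record format concrete, here is an added Python example (not from the slides) that parses lines in the Netlogon.dns format shown above and orders the targets the way a client would. The london record is the slide's; the paris and backup hosts are constructed, and the within-priority weight ordering is a deterministic simplification of the RFC 2782 weighted-random pick.

```python
import re
from collections import defaultdict

# Constructed sample in the Netlogon.dns format shown above. The london record
# is the one from the slide; the paris and backup hosts are made up.
NETLOGON_DNS = """\
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft
_ldap._tcp.contoso.msft 600 IN SRV 0 50 389 paris.contoso.msft
_ldap._tcp.contoso.msft 600 IN SRV 10 100 389 backup.contoso.msft
_kerberos._tcp.contoso.msft 600 IN SRV 0 100 88 london.contoso.msft
"""

# _Service._Protocol.Name TTL Class SRV Priority Weight Port Target
SRV_RE = re.compile(
    r"^(?P<name>_[^.\s]+\._[^.\s]+\.\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(line):
    """Split one SRV record into its fields; reject anything malformed."""
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    service, protocol, zone = m["name"].split(".", 2)
    rec = {k: int(m[k]) for k in ("ttl", "priority", "weight", "port")}
    if any(rec[k] > 65535 for k in ("priority", "weight", "port")):
        raise ValueError("priority, weight and port are 16-bit fields")
    rec.update(service=service, protocol=protocol, zone=zone,
               target=m["target"].rstrip("."))
    return rec


def load_records(text):
    """Group the records of a zone-file fragment by (service, protocol, zone)."""
    by_name = defaultdict(list)
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            rec = parse_srv(line)
            by_name[(rec["service"], rec["protocol"], rec["zone"])].append(rec)
    return by_name


def ordered_targets(records):
    """Client order: lowest priority first; within a priority, heavier weight
    first (a deterministic stand-in for the RFC 2782 weighted-random pick)."""
    ranked = sorted(records, key=lambda r: (r["priority"], -r["weight"]))
    return [r["target"] for r in ranked]
```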
Configuring Zones for Dynamic Updates
• DNS Dynamic Update Protocol
– Allows clients to automatically update DNS servers
– Can be used in conjunction with DHCP
• Diagram (DHCP server, DNS server, zone database):
– 1. Client requests an IP address from the DHCP server
– 2. DHCP server assigns IP address 192.168.120.133
– Windows XP / 2003 client updates its forward resource record on the DNS server
– DHCP server updates the reverse resource record for Windows XP / 2003 clients, and both resource records for other clients
– Zone database entry: Computer1 192.168.120.133
What Are Active Directory Integrated Zones?
• Active Directory integrated zones:
– Are primary and stub DNS zones that are stored as objects in the Active Directory database
– Can be stored in an application or a domain partition
– Offer the following benefits: multimaster replication, secure dynamic updates, standard zone transfers to other DNS servers
Removing Active Directory
• Remove Active Directory by:
– Using the Active Directory Installation Wizard
– Providing appropriate administrative credentials (Enterprise Admins group member or Domain Admins group member)
• The Active Directory Installation Wizard performs specific removal operations depending on the type of domain controller
What Is a User Principal Name?
• A logon name that is used only for logging on to a Windows Server 2003 network
• Advantages
– Unique in Active Directory
– Can be the same as a user’s e-mail address
[email protected]@contoso.msft
What Are Directory Partitions?
• The Active Directory database is divided into partitions, each of which contains:
– Schema (forest-wide): definitions and rules for creating and manipulating objects and attributes
– Configuration (forest-wide): information about the Active Directory structure
– Domain: information about domain-specific objects
– Application (configurable replication): information about applications
What Is a Schema?
• A forest-wide definition of object classes and attributes that can be extended
• Schema changes can be redefined or deactivated
• Examples of object classes: User, Computer, Printer
• Examples of attributes: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, firstName, lastName
What Are Distinguished Names?
• Distinguished names identify an object's domain and the path to reach it
• Example: the user Suzan Fine in the Sales OU, inside the Finance OU, in the domain contoso.msft
– Distinguished name: CN=Suzan Fine,OU=Sales,OU=Finance,DC=contoso,DC=msft
– Relative distinguished name: CN=Suzan Fine
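As an added example (not part of the slide deck), the following Python splits a distinguished name into its relative distinguished names and recovers the domain and container path from the diagram above; it also handles a backslash-escaped comma inside a name, which the slide's example does not need.

```python
# Added example: parse an LDAP distinguished name (RFC 4514 string form).


def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash-escaped commas intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escape pair: copy both characters
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def parse_dn(dn):
    """Return [(attribute, value), ...] from most specific to the domain root."""
    rdns = []
    for part in split_dn(dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), value.replace("\\,", ",")))
    return rdns


def describe(dn):
    """Give the object's RDN, its DNS domain (from the DC components) and the
    container path, outermost container first, as drawn in the slide."""
    rdns = parse_dn(dn)
    attr, value = rdns[0]
    containers = [v for a, v in rdns[1:] if a.upper() in ("OU", "CN")]
    return {
        "rdn": f"{attr}={value}",
        "domain": ".".join(v for a, v in rdns if a.upper() == "DC"),
        "path": list(reversed(containers)),
    }
```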
What Is the Global Catalog?
• A repository that contains a subset of the attributes of all objects in Active Directory
• The global catalog copy is read only
Creating a Global Catalog Server
• Open the domain controller's NTDS Settings Properties dialog and, on the General tab, select the Global Catalog Server check box
Global Catalog Provides
• Universal group membership information for the account
• Domain information when using user principal names during logon
When to Customize a Global Catalog Server
• Common attributes replicated to the global catalog server: firstName, lastName, email address, accountExpires, distinguishedName
• Changed attributes (after adding department): department, firstName, lastName, email address, accountExpires, distinguishedName
• Add only the additional attributes that you query or refer to frequently
Adding Object Attributes to the Global Catalog
• In the attribute's Properties dialog (example: company), select "Replicate this attribute to the Global Catalog."
• Other options on the General tab: show objects of this class while browsing; deactivate this attribute; index this attribute in the Active Directory; Ambiguous Name Resolution (ANR); attribute is copied when duplicating a user
• Example attribute company: common name Company, X.500 OID 1.2.840.113556.1.2.146, syntax Unicode String, minimum 1, maximum 64, single-valued
What Is Forest and Domain Functionality?
• Domain functional levels and forest functional levels enable forest-wide or domain-wide Active Directory features for the network environment
• Levels shown: Windows 2000 mixed-mode domain, Windows 2000 native-mode domain, Windows Server 2003 domain, Windows Server 2003 interim