Windows Server 2008 R2 Active Directory Configuration Guide (II)

Source: Internet
Author: User
Tags: domain

Create a second domain tree in the forest

To create a second (or further) domain tree in the forest, you create the first domain of that new tree. The first domain of a tree is created in the same way as the first domain controller described in the previous part of this guide.

Choose an appropriate DNS architecture

To join the cisco.com domain to the h3c.com forest, the DNS server must be able to locate the forest's domain naming operations master when you create the domain controller dc5.cisco.com; otherwise cisco.com cannot be created. By default the domain naming operations master role is held by the first domain controller in the forest.

The DNS server must host a primary lookup zone named cisco.com so that the domain controllers of the cisco.com domain can register themselves in it. The cisco.com and h3c.com domains can share one DNS server or use different DNS servers.

Using the same DNS server: create an additional primary zone named cisco.com on this DNS server and enable dynamic updates. The server then hosts both the cisco.com and h3c.com zones, so computers and domain controllers in cisco.com and h3c.com can locate each other through this DNS server.

Using separate DNS servers and replicating records by zone transfer: on the cisco.com DNS server, create a primary zone named cisco.com and enable dynamic updates, and also create a secondary zone named h3c.com whose records are replicated from the h3c.com DNS server by zone transfer; this lets computers and domain controllers in cisco.com locate those in h3c.com. Likewise, on the h3c.com DNS server create a secondary zone named cisco.com whose records are replicated from the cisco.com DNS server by zone transfer, so that computers and domain controllers in h3c.com can locate those in cisco.com.

Other notes: in the h3c.com environment built earlier, the DNS server was installed on a domain controller, so the h3c.com zone was created automatically. When you install the first domain controller for cisco.com, the DNS server is installed on that server by default, a cisco.com zone is created automatically, and a forwarder is configured automatically to forward queries for all other zones to the h3c.com DNS server. Computers and domain controllers in cisco.com can therefore resolve names in both the cisco.com and h3c.com zones through the cisco.com DNS server. However, you must still create a cisco.com secondary zone on the h3c.com DNS server, replicated from the cisco.com DNS server by zone transfer, so that computers and domain controllers in h3c.com can locate those in cisco.com. Alternatively, configure a conditional forwarder on the h3c.com DNS server that forwards only cisco.com queries to the cisco.com DNS server; then no cisco.com secondary zone and no zone transfer are needed. Note: because the cisco.com DNS server already uses a general forwarder that sends every query except cisco.com to the h3c.com DNS server, the h3c.com DNS server must use a conditional forwarder rather than a general forwarder; otherwise queries for zones other than cisco.com and h3c.com would loop back and forth between the two DNS servers.
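The DNS layout described above, as an added example that is not part of the original guide. It uses dnscmd.exe on Windows Server 2008 R2; the server names dc5.cisco.com / dc1.h3c.com and the addresses 10.1.0.5 / 10.0.0.1 are constructed, and the final check confirms that both servers can resolve each domain's DC locator records.

```powershell
# Added example, not from the original guide. Run elevated on a machine with dnscmd.exe.
# Server names and IP addresses below are constructed placeholders.
$CiscoDns = "dc5.cisco.com"; $CiscoIp = "10.1.0.5"   # DNS server for the cisco.com tree
$H3cDns   = "dc1.h3c.com";   $H3cIp   = "10.0.0.1"   # DNS server for the h3c.com tree

# The domain naming master must be locatable before cisco.com can be created.
dsquery server -forest -hasfsmo name

# 1. cisco.com DNS server: AD-integrated primary zone, secure dynamic updates only,
#    so that cisco.com domain controllers can register their SRV records.
#    (dcpromo normally creates this zone itself; shown here for a separate server.)
dnscmd $CiscoDns /ZoneAdd cisco.com /DsPrimary
dnscmd $CiscoDns /Config cisco.com /AllowUpdate 2      # 2 = secure updates only

# 2. cisco.com DNS server: general forwarder for everything it is not authoritative
#    for, i.e. h3c.com and the rest of the forest namespace.
dnscmd $CiscoDns /ResetForwarders $H3cIp

# 3. h3c.com DNS server: a CONDITIONAL forwarder for cisco.com only. Using
#    /ResetForwarders here instead would create the query loop the text warns about.
dnscmd $H3cDns /ZoneAdd cisco.com /Forwarder $CiscoIp

#    Alternative from the text: a secondary zone filled by zone transfer. The primary
#    must then allow transfers to this secondary (restrict the list to that server).
#    dnscmd $CiscoDns /ZoneResetSecondaries cisco.com /SecureList $H3cIp /NotifyList $H3cIp
#    dnscmd $H3cDns   /ZoneAdd cisco.com /Secondary $CiscoIp

# 4. Check: the DC locator SRV record of each domain must resolve from BOTH servers;
#    a failure on one side means trusts/joins toward that domain will fail.
foreach ($server in $CiscoDns, $H3cDns) {
    foreach ($zone in "cisco.com", "h3c.com") {
        "== $server -> _ldap._tcp.dc._msdcs.$zone"
        nslookup -type=SRV "_ldap._tcp.dc._msdcs.$zone" $server
    }
}
```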

Changing the computer name of a domain controller: if you need to rename a domain controller because the organization changes or because it makes administration easier, you can use the Netdom.exe program. Before doing so, make sure the domain functional level has been raised to at least Windows Server 2003, and note that you must be a member of the Domain Admins group to have permission to rename a domain controller. You can also change the name through the computer's properties.

Because the access token is created at logon, if you add a user to a group after the user has already signed in, the user's access token does not contain that group's SID. The user therefore does not yet have the group's permissions and must log off and log on again to obtain a new access token that includes the group's SID.

Types of trust: there are six types of trust relationship in total. The first two are created automatically by the system when you create a domain with the Active Directory Domain Services Installation Wizard; the other four must be created manually.

Considerations before creating a trust:

Creating a trust builds a communication bridge between two domains. From the domain-management point of view, each of the two domains needs a user with the appropriate permissions to complete its own part of the setup before the trust between the two domains is established. The administrator on the trusting side creates an outgoing trust, and the administrator on the trusted side creates an incoming trust for this trust relationship. The outgoing trust and the incoming trust can be seen as the two endpoints of the trust relationship.

For a one-way trust in which domain A trusts domain B, an outgoing trust must be created in domain A and, correspondingly, an incoming trust in domain B. That is, in domain A you create an outgoing trust toward domain B, while in domain B you create an incoming trust that admits domain A.

When you use the New Trust Wizard to create such a one-way trust, you can either create the outgoing trust in domain A and the incoming trust in domain B separately, or create both in a single operation. If the two trusts are created separately, you must set the same trust password for the outgoing trust in domain A and the incoming trust in domain B. If both are created together, no trust password is needed during the process, but you need the appropriate permissions in both domains; by default members of the Domain Admins or Enterprise Admins groups have this permission.

To create a two-way trust in which domain A trusts domain B and domain B also trusts domain A, both an outgoing trust and an incoming trust must be created in domain A: the outgoing trust lets A trust B, and the incoming trust lets B trust A. Correspondingly, an incoming trust and an outgoing trust must also be created in domain B. When you use the New Trust Wizard to create such a two-way trust, you can create the outgoing and incoming trusts for domain A and then, separately, the incoming and outgoing trusts for domain B, or you can create the incoming and outgoing trusts for both domains A and B in a single operation. If you create the trusts for domains A and B separately, you must set the same trust password in both domains. If you create the trusts for both domains together, no trust password is needed during the process, but you need the appropriate permissions in both domains; by default members of the Domain Admins or Enterprise Admins groups have this permission.

When you create a trust between two domains, you can specify the other domain by its DNS name or by its NetBIOS name. If you use the DNS name, the other domain's domain controllers are located through a DNS server. If you use the NetBIOS name, they are located by broadcast or through a WINS server. Broadcasts cannot cross into another network, so if broadcast is used the domain controllers of both domains must be on the same network; if a WINS server is used, they need not be.

Besides the New Trust Wizard, you can also use the netdom trust command to create, delete, or manage trust relationships between two domains or forests.
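The netdom operations mentioned above (trust management, and the domain controller rename from the earlier paragraph), as an added example that is not from the original guide. Domain names a.example / b.example, host names and account names are constructed; run on Windows Server 2008 R2 as a member of Domain Admins (or Enterprise Admins) in the domains involved.

```powershell
# Added example, not from the original guide. All names below are constructed.
$Trusting = "a.example"   # domain A: trusts B, so the OUTGOING trust lives here
$Trusted  = "b.example"   # domain B: is trusted by A, so the INCOMING trust lives here

# One-way trust (A trusts B) created on both sides in one operation. /ud and /pd are
# credentials for the domain given by /d (trusted side); /uo and /po are credentials for
# the trusting domain. "*" prompts for the password so it never lands on the command line.
netdom trust $Trusting /d:$Trusted /add `
    /ud:"$Trusted\Administrator" /pd:* /uo:"$Trusting\Administrator" /po:*

# Two-way trust: both an outgoing and an incoming trust in each of the two domains.
netdom trust $Trusting /d:$Trusted /add /twoway `
    /ud:"$Trusted\Administrator" /pd:* /uo:"$Trusting\Administrator" /po:*

# Check the trust's secure channel, then list every domain this domain trusts so that a
# trust nobody expected to exist shows up during review.
netdom trust $Trusting /d:$Trusted /verify `
    /ud:"$Trusted\Administrator" /pd:* /uo:"$Trusting\Administrator" /po:*
nltest /domain_trusts

# Removing a trust that is no longer needed (shown here, not executed by default):
# netdom trust $Trusting /d:$Trusted /remove /ud:"$Trusted\Administrator" /pd:* /uo:"$Trusting\Administrator" /po:*

# Renaming a domain controller (domain functional level >= Windows Server 2003):
# add the new name as an alternate, make it primary, reboot, then drop the old name.
$OldName = "dc2.a.example"; $NewName = "dc-hq.a.example"
netdom computername $OldName /add:$NewName
netdom computername $OldName /makeprimary:$NewName
# Restart-Computer -ComputerName $OldName -Force   # reboot before removing the old name
netdom computername $NewName /remove:$OldName
netdom computername $NewName /enumerate            # confirm only the new name remains
```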

Replication of the AD DS database

Replication between domain controllers in the same site works by notification: when the Active Directory database on a domain controller changes, it notifies the other domain controllers in the same site, waiting 15 seconds by default before doing so. If a domain controller that receives the notification needs the changed data, it sends a request to the source domain controller, and replication begins once the source domain controller receives that request.

Replication partners: the source domain controller does not replicate changes directly to every domain controller in the site; it replicates only to its direct replication partners. Which domain controllers are its direct replication partners? Each domain controller runs a process called the Knowledge Consistency Checker (KCC) that automatically builds the most efficient replication topology, which decides which domain controllers are its direct replication partners and which are its transitive replication partners. In other words, the replication topology is the logical connection path along which Active Directory data is replicated.

Reducing replication latency: to keep replication latency low, that is, to keep the interval between a change on the source domain controller and its arrival on all other domain controllers short, the KCC builds the replication topology so that data travels through no more than three domain-controller hops from the source domain controller to the destination domain controller.

To avoid overloading the source domain controller, it does not notify all of its replication partners at the same time; it notifies them at 3-second intervals: the first partner, then the second after 3 seconds, and so on.

When a new domain controller joins, the KCC rebuilds the replication topology and still follows the rule that the number of domain-controller hops must not exceed three. For example, after DC8 is added, the KCC makes DC8 and DC4 direct replication partners; otherwise replication between DC8 and DC4 would have to pass through DC8-DC1-DC2-DC3-DC4 or DC8-DC7-DC6-DC5-DC4, which would violate the three-hop rule.

Urgent replication: for certain important updates the system does not wait 15 seconds before notifying its direct replication partners but notifies them immediately; this is called urgent replication. Such updates include user account lockouts, changes to the account lockout policy, and so on.

Replication between different sites: the replication topology between domain controllers in different sites differs from the topology between domain controllers in the same site. Each site has a domain controller called the intersite topology generator (ISTG), which is responsible for creating the replication topology between sites and for selecting a domain controller in its site to act as the bridgehead server.

Connection objects between domain controllers in the same site are created and maintained automatically by the KCC and are bidirectional. You can also create connection objects manually as needed. Manually created connection objects are one-way; for example, one that allows only DC3 to replicate the Active Directory database directly from DC4. The procedure for creating such a one-way connection object is shown in the figure (not reproduced here).

You can also choose which domain controllers act as bridgehead servers; these are called preferred bridgehead servers. You can designate more than one domain controller as a preferred bridgehead server; AD DS picks one of them to replicate data, and if it fails, picks another preferred bridgehead server.

Avoid specifying preferred bridgehead servers unless necessary, because doing so stops the KCC from selecting bridgehead servers automatically: if the preferred bridgehead servers you chose fail, the KCC will not pick another one, and no bridgehead server will be available. If you want to move a preferred bridgehead server to a different site, first remove its preferred bridgehead server role.

A site link bridge consists of two or more site links and makes those site links transitive. In the figure, the site link SiteLinkAB has been created between SiteA and SiteB, and the site link SiteLinkBC between SiteB and SiteC; the site link bridge SiteLinkBridgeABC gives SiteA and SiteC an implicit site link. This means that when the KCC builds the replication topology it can make DC1 in SiteA and DC3 in SiteC direct replication partners, so that DC1 and DC3 replicate the Active Directory database directly across the two physical WAN links without DC2 in SiteB forwarding the data.

In the figure the cost of SiteLinkAB is 3 and the cost of SiteLinkBC is 4, so the cost of SiteLinkBridgeABC is 3+4=7. Because this cost is higher than the cost of SiteLinkAB (3) and of SiteLinkBC (4), the KCC does not create a connection object between DC1 and DC3 when it builds the replication topology; that is, DC1 and DC3 are not normally direct replication partners unless DC2 is unavailable.

By default, the system bridges all site links automatically.

Because the system bridges all site links by default, you do not need to create site link bridges yourself unless you want to control the direction of Active Directory replication or two sites are restricted from communicating directly. For example, if SiteB has a firewall that does not allow computers in SiteA to communicate with computers in SiteC through it, the SiteLinkBridgeABC in the figure is meaningless, because SiteA cannot replicate Active Directory data directly with SiteC. If SiteA can also reach SiteC through another site, SiteD, there is no need for the KCC to waste time creating SiteLinkBridgeABC or to waste effort trying to replicate the Active Directory database through it. In that case, first clear the "Bridge all site links" check box and then create your own SiteLinkBridgeADC for that communication.
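Inspecting the replication topology, site link costs and bridging settings described in the sections above, as an added example that is not from the original guide. It assumes repadmin.exe and the ActiveDirectory module (RSAT on Windows Server 2008 R2); the DC name dc1.h3c.com and the site link names SiteLinkAB / SiteLinkBC are constructed to match the figure.

```powershell
# Added example, not from the original guide. Names are constructed placeholders.
Import-Module ActiveDirectory
$Dc = "dc1.h3c.com"

# Direct replication partners of this DC per partition, with last success/failure.
repadmin /showrepl $Dc
# Connection objects the KCC built (or that were created manually) for this DC.
repadmin /showconn $Dc
# Forest-wide summary: largest replication delta and failure count per DC, i.e. latency.
repadmin /replsummary
# Make the KCC rebuild the topology now (e.g. after adding a DC) instead of waiting.
repadmin /kcc $Dc

$cfg = (Get-ADRootDSE -Server $Dc).configurationNamingContext

# Site links with their cost, interval and member sites, read from the configuration
# partition. Site names are the leading RDN of each DN in siteList.
$links = Get-ADObject -Server $Dc -SearchBase "CN=Inter-Site Transports,CN=Sites,$cfg" `
    -LDAPFilter "(objectClass=siteLink)" -Properties cost, replInterval, siteList
$links | Select-Object Name, cost, replInterval,
    @{ n = "Sites"; e = { ($_.siteList | ForEach-Object { ($_ -split ",")[0] -replace "^CN=" }) -join ", " } }

# The cost of a bridged path is the sum of the costs of its links: 3 + 4 = 7 in the figure,
# which is why the KCC prefers the individual links unless the middle site's DC is down.
function Get-BridgedCost {
    param([string[]]$LinkNames)
    ($links | Where-Object { $LinkNames -contains $_.Name } | Measure-Object cost -Sum).Sum
}
Get-BridgedCost -LinkNames "SiteLinkAB", "SiteLinkBC"

# "Bridge all site links" for the IP transport: bit 0x2 (bridges required) of the
# options attribute on CN=IP is CLEAR when automatic bridging is on.
$ip = Get-ADObject -Server $Dc -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg" -Properties options
if (([int]$ip.options -band 0x2) -eq 0) { "Bridge all site links: enabled" } else { "Bridge all site links: disabled (manual bridges in use)" }

# Preferred bridgehead servers are server objects carrying bridgeheadTransportList.
# Review this list: a preferred bridgehead that is offline stops intersite replication.
Get-ADObject -Server $Dc -SearchBase "CN=Sites,$cfg" `
    -LDAPFilter "(&(objectClass=server)(bridgeheadTransportList=*))" -Properties bridgeheadTransportList |
    Select-Object Name, bridgeheadTransportList
```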

The global catalog mainly provides the following functions:

Fast object search: because the global catalog stores a subset of the attributes of the objects in the domain directory partitions of all domains in the forest, users can use these attributes to quickly find objects located in other domains. For example, an administrator can search the global catalog by opening Start > Administrative Tools > Active Directory Administrative Center, clicking Global Search, and selecting a global catalog search scope in the Scope drop-down list.

The global catalog listens on TCP port 3268, so open this port on the firewall if users are separated from the global catalog server by a firewall.

UPN authentication: when a user logs on with a UPN, the domain controller that authenticates the user may be unable to tell from its own Active Directory database which domain the user belongs to, so it asks the global catalog server. For example, when a user logs on to a computer in the hk.cisco.com domain with the UPN account [email protected], the hk.cisco.com domain controller does not know which domain holds that account, so it queries the global catalog in order to complete the verification of the user's identity.

Although by default a user account's UPN suffix is the domain name of the account, the suffix can be changed, and when a user account is moved to another domain its UPN does not change; that is, the UPN suffix is not necessarily the account's domain name.

Universal group membership: when a user logs on, an access token containing the SIDs of the groups the user belongs to is created, so the system must know the user's group membership at logon. Because membership of universal groups is stored only in the global catalog, the domain controller that authenticates the user must query the global catalog server for the universal groups the user belongs to in order to create the access token and complete the logon.

If the user is a member of the Domain Admins group, the user can log on whether or not the global catalog is available.

Although you should enable a global catalog server in every site, in a small site it may be difficult to deploy one because of limited hardware, lack of funding, or insufficient bandwidth. In that case you can enable universal group membership caching to solve the problem.

By default the domain controllers refresh the cache every 8 hours, that is, every 8 hours they request updated data from a global catalog server. Which site's global catalog server is used to refresh the cached data is selected at the bottom of the site settings dialog, under "Refresh cache from".
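The global catalog checks discussed above (port 3268 reachability, UPN lookup through the GC, universal group membership, and the per-site caching setting), as an added example that is not from the original guide. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2); the GC host dc1.h3c.com, the UPN user@cisco.com and the site names Branch / HQ are constructed.

```powershell
# Added example, not from the original guide. Host, UPN and site names are constructed.
Import-Module ActiveDirectory
$Gc   = "dc1.h3c.com"      # domain controller that holds the global catalog
$Upn  = "user@cisco.com"   # UPN to look up; its suffix need not be its domain name
$Site = "Branch"           # small site without its own GC

# 1. Is TCP 3268 reachable through whatever firewall sits between users and the GC?
function Test-GcPort {
    param([string]$HostName, [int]$Port = 3268, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}
"GC port open: $(Test-GcPort -HostName $Gc)"

# 2. Which domain holds this UPN? Ask the GC (port 3268 on -Server) rather than a single
#    domain: this is the lookup an authenticating DC performs for a foreign-domain UPN.
$user = Get-ADUser -Server "${Gc}:3268" -Filter { UserPrincipalName -eq $Upn } -Properties CanonicalName
$user | Select-Object SamAccountName, UserPrincipalName, CanonicalName

# 3. Universal groups the user belongs to (groupType bit 0x8), membership that only the
#    GC can answer forest-wide and that goes into the user's access token at logon.
if ($user) {
    Get-ADGroup -Server "${Gc}:3268" -LDAPFilter "(&(groupType:1.2.840.113556.1.4.803:=8)(member=$($user.DistinguishedName)))" |
        Select-Object Name, GroupScope
}

# 4. Universal group membership caching for a site: bit 0x20 of the options attribute on
#    the site's NTDS Site Settings object; msDS-Preferred-GC-Site names the site whose GC
#    refreshes the cache (the "Refresh cache from" setting, refreshed every 8 hours).
$cfg      = (Get-ADRootDSE -Server $Gc).configurationNamingContext
$settings = Get-ADObject -Server $Gc -Identity "CN=NTDS Site Settings,CN=$Site,CN=Sites,$cfg" `
    -Properties options, "msDS-Preferred-GC-Site"
$cachingOn = ([int]$settings.options -band 0x20) -ne 0
"Site ${Site}: universal group caching enabled = $cachingOn; refresh from = $($settings.'msDS-Preferred-GC-Site')"

# To enable it and refresh from the HQ site's GC (uncomment to apply):
# Set-ADObject -Server $Gc -Identity $settings.DistinguishedName -Replace @{
#     options                 = ([int]$settings.options -bor 0x20)
#     "msDS-Preferred-GC-Site" = "CN=HQ,CN=Sites,$cfg"
# }
```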

Because of length limits, the remaining material is covered in the next article:

Windows Server 2008 R2 Active Directory Configuration Guide (III)
