Active Directory Domain Services

Source: Internet
Author: User

Concept:

Workgroup

Suitable for small networks with few resources, around 10 computers.

Decentralized management (peer-to-peer network: each employee maintains their own computer; all machines have equal standing).

Suitable for small networks

Drawback: for computers to access each other, you may have to create accounts for many colleagues on every computer (unless you are willing to hand out the local Administrator password).

Each computer keeps its own Administrator password; if it is forgotten, the IT administrator has to reset it by force (an offline password reset).

Each computer can install any software it likes, which easily leads to unstable or crashing systems.


Windows domain (Domain)

The resources in the network are organized logically as one whole. Resources: computers, users, groups, printers, shared folders, and so on.

Organized logically: the physical computers and the network need no changes; ★ resources become searchable in one place.

Centralized management (Client/server architecture)

The managing computer: the domain controller (DC). The managed computers: member workstations or member servers.

Suitable for medium to large networks

Improvement over the workgroup: one account created on the domain controller can be used to access resources throughout the domain (subject to the permissions granted to it).

If a password is forgotten, the domain administrator simply resets it on the domain controller.

Software distribution through Group Policy: the software a member machine needs is installed and configured automatically.

Automatic backup of user files by placing the user profile location on the server (roaming profiles).


Concept:

Directory service: lets you easily search the network for user accounts, groups, computers, shared folders and other objects.

Active Directory: Microsoft's implementation of a directory service. Active Directory is accessed with LDAP (Lightweight Directory Access Protocol) on TCP port 389, and with LDAP over TLS (LDAPS) on TCP port 636. An unsigned simple bind on port 389 sends the password in cleartext, so enforce LDAP signing or use LDAPS on any network you do not fully trust.

Active Directory is also a database: it stores a very large number of objects and returns query results in a very short time.

Active Directory Benefits:

Centralized management: powerful tool = Group Policy

Convenient access to network resources (one logon, access everywhere: single sign-on)

Scalability


Domain: the common way a directory service is deployed; the complex queries run in the background and are presented in a graphical, easy-to-manage form.

DC (domain controller): a computer on which the Active Directory Domain Services role is installed.


Container: an object that can hold other objects is called a container.


Logical Structure:

Single domain: only one domain.

Domain tree: a parent domain and its child domains form a domain tree; ★ they share a contiguous DNS namespace (for example corp.example.com and sales.corp.example.com).

Domain forest (Forest): domain trees whose DNS name suffixes differ (non-contiguous namespaces) together form a forest.

Organizational unit (OU), which may contain sub-OUs.

★ All domains in a forest are linked by automatic two-way transitive trust relationships, so users in one domain can access resources in another (subject to the permissions granted).


Physical Structure:

Site: used to optimize replication traffic between domain controllers (replication of directory data, including the global catalog data on which universal group membership depends).

Domain controllers on the same high-speed network can be placed into one site; ★ intra-site replication runs first and most often (triggered by change notification, uncompressed), while inter-site replication is scheduled and compressed.

Domain controller.



Implementation of the domain controller:

1 Must be a Windows Server operating system (Web Edition excluded)

2 Local Administrator privileges

3 NTFS file system with enough free space

4 ★★ A static IP address

5 ★★ DNS service support (in a workgroup a computer is identified by its computer name; in a domain it is identified by a fully qualified domain name such as www.benet.com). DNS can be installed and configured automatically while the domain controller is being promoted.


Configuration process:

1 Windows Server 2008 R2 in its original state; log in as Administrator.

2 Set a static IP address; ★★ point DNS to 127.0.0.1 (or to the server's own address). The DNS service will be installed on the domain controller, so it can resolve the domain name itself.

3 Run Dcpromo.exe to promote the server to a domain controller. (On Windows Server 2012 and later, dcpromo.exe is retired; use the Add Roles and Features wizard or the Install-ADDSForest PowerShell cmdlet instead.)

Domain controller promotion: implementing the DC

Create a new domain in a new forest (the forest is created from nothing and this becomes its first domain, also called the forest root domain).

★ New forest domain name: at least two labels separated by a period (an English full stop), for example qq.com; meaningless strings or special symbols are not recommended. Do not use a public domain name you do not own; a name under a domain you control, such as corp.example.com, avoids resolution conflicts with the Internet.

Accept the defaults, ignore the DNS delegation warning, and check "Install DNS server".

Set the Directory Services Restore Mode (DSRM) password: it is used only when the DC is booted into restore mode to restore Active Directory from backup. It should be different from the Active Directory administrator password and kept offline.

★ Select the "Reboot on completion" option.

4 After the restart, the original workgroup Administrator account is automatically upgraded to the domain Administrator; the password does not change.
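The same procedure in PowerShell, as an added example that is not part of the original post. It targets Windows Server 2012 or later, where Install-ADDSForest replaces dcpromo.exe. The interface alias "Ethernet", the addresses 192.168.10.10/24 and 192.168.10.1, and the forest name corp.example.com / NetBIOS name CORP are assumptions; replace them with your own.

```powershell
# Added example: promote a fresh Windows Server to the first DC of a new forest.
# Assumed values (not from the original post): NIC "Ethernet", DC address
# 192.168.10.10/24, gateway 192.168.10.1, forest corp.example.com, NetBIOS CORP.

$Nic     = "Ethernet"
$DcIp    = "192.168.10.10"
$Gateway = "192.168.10.1"
$Forest  = "corp.example.com"
$Netbios = "CORP"

# 1. Static IP address: a DC must never take its address from DHCP.
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $DcIp -PrefixLength 24 -DefaultGateway $Gateway

# 2. DNS points at the DC itself. The DNS role is installed during promotion,
#    so afterwards the server resolves its own domain name.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcIp

# 3. Install the AD DS binaries plus the management tools (ADUC, the ActiveDirectory module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 4. Create the forest. The DSRM password is deliberately different from the
#    Administrator password: it is what unlocks the DC when AD itself is down.
$DsrmPassword = Read-Host -Prompt "Directory Services Restore Mode password" -AsSecureString

Install-ADDSForest `
    -DomainName $Forest `
    -DomainNetbiosName $Netbios `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $DsrmPassword `
    -NoRebootOnCompletion:$false `
    -Force:$true

# The server reboots on completion. After the reboot, verify the DC and the
# DNS service records that clients use to locate it:
#   Get-ADDomainController
#   Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Forest" -Type SRV
```

The SRV lookup at the end is the check that matters: a member computer finds a domain controller through the _ldap._tcp.dc._msdcs records, so if they do not resolve, domain joins and logons fail even when the domain name itself pings.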


Management tool: Active Directory Users and Computers, abbreviated ADUC

1 Open the Active Directory Users and Computers console and expand the domain name.

Builtin container: groups that ship with Windows rather than being created by you, called "built-in groups".

Computers container: computer accounts that join the domain are placed here by default.

Domain Controllers OU: lists all domain controllers in the domain.

Users container: the default location for domain users and groups.

Domain Admins: the group that holds the domain administrators.

Domain Users: the group that holds ordinary users.

Enterprise Admins: the group that holds the enterprise (forest) administrators; its scope is larger than Domain Admins, covering every domain in the forest.

2 Creating an organizational unit (OU):

★ A large domain is divided into manageable pieces by region or by department.

Right-click the domain name > New > Organizational Unit:

Mirror the company's structure and create an organizational unit for each department.

3 Creating a user:

Create an employee account in each department's organizational unit.

New > User

The name can be written in Chinese.

★ Logon name: purely Chinese companies often use the employee's full name in pinyin, e.g. zhangsan; foreign companies usually use given name.surname written out in full, e.g. san.zhang.

★ Password: must meet the complexity requirements (with the default domain policy: at least 7 characters, three of the four character classes uppercase, lowercase, digits and symbols, and it must not contain the account name or parts of the full name longer than two characters).

————————————————————————————————————————————————————

Display name: unique within its OU.

Logon name: unique within the whole domain.

When the display name and the logon name differ, you must log on to the domain with the logon name.
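The OU and user creation above, scripted with the ActiveDirectory module, as an added example that is not part of the original post. It applies the naming rules from the notes (full-pinyin logon name, domain-wide uniqueness of the logon name, complexity-compliant initial password). It assumes it is run on a DC or on a workstation with RSAT under an account allowed to create OUs and users; the employee list is constructed sample data.

```powershell
# Added example: create department OUs and employee accounts in bulk.
# Assumes the ActiveDirectory module (RSAT) and a delegated account.

Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$DomainDn  = $Domain.DistinguishedName   # e.g. DC=corp,DC=example,DC=com
$UpnSuffix = $Domain.DNSRoot             # e.g. corp.example.com

# Constructed sample data: Chinese display name, pinyin given name / surname, department.
$Employees = @(
    @{ Display = "张三"; Given = "San"; Surname = "Zhang"; Dept = "Sales" },
    @{ Display = "李四"; Given = "Si";  Surname = "Li";    Dept = "IT"    }
)

function Test-PasswordComplexity {
    param([string]$Password, [string]$Sam)
    # Mirrors the default domain policy: length >= 7, three of four classes, no account name inside.
    $classes = @('[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') | Where-Object { $Password -cmatch $_ }
    return ($Password.Length -ge 7) -and ($classes.Count -ge 3) -and ($Password -notmatch [regex]::Escape($Sam))
}

function New-InitialPassword {
    param([string]$Sam)
    # 16 characters drawn from a CSPRNG; regenerate until the complexity check passes,
    # so New-ADUser never fails on the password policy half way through a batch.
    $alphabet = [char[]]"ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#%^&*"
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] 16
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until (Test-PasswordComplexity -Password $pw -Sam $Sam)
    return $pw
}

function New-DepartmentOu {
    param([string]$Name)
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $DomainDn -SearchScope OneLevel)) {
        # ProtectedFromAccidentalDeletion stops a mis-click in ADUC from removing a whole department.
        New-ADOrganizationalUnit -Name $Name -Path $DomainDn -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$DomainDn"
}

function New-EmployeeAccount {
    param([hashtable]$Emp)
    # Logon-name convention from the notes: full pinyin, e.g. "zhangsan" (foreign style would be "san.zhang").
    $sam = ("{0}{1}" -f $Emp.Surname, $Emp.Given).ToLower()
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds the 20-character limit" }
    # The logon name must be unique domain-wide; the display name only has to be unique within its OU.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { throw "Logon name '$sam' already exists in the domain" }

    $ou = New-DepartmentOu -Name $Emp.Dept
    $pw = New-InitialPassword -Sam $sam
    New-ADUser -Name $Emp.Display -DisplayName $Emp.Display `
               -GivenName $Emp.Given -Surname $Emp.Surname `
               -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" `
               -Path $ou `
               -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
               -ChangePasswordAtLogon $true -Enabled $true
    # Hand the initial password to the employee out of band; it is replaced at first logon. Do not log it.
    return [pscustomobject]@{ Logon = $sam; Upn = "$sam@$UpnSuffix"; Ou = $ou; InitialPassword = $pw }
}

$Employees | ForEach-Object { New-EmployeeAccount -Emp $_ }
```

Each account gets its own random initial password with ChangePasswordAtLogon set, rather than one shared starter password for the whole batch, so a leaked list of logon names gives an attacker nothing to try.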

4 Joining a computer to the domain:

Start a Windows computer in its original (workgroup) state and give it an IP address in the same network segment as the domain controller.

★★★ DNS must point to the IP address of the domain controller.

Before joining, you should be able to ping the domain name, e.g. ping qq.com (the AD DNS zone publishes the domain name as an A record for every domain controller). If it does not resolve, do not rush to join the domain; troubleshoot the network first.

Computer Properties > Change computer name > Member of: Domain. Enter the domain name, then the account and password of a user who has the right to join computers to the domain. By default any authenticated domain user may join up to 10 computers; for day-to-day use delegate the join right to a dedicated account rather than typing a Domain Admins password on a workstation that is not yet trusted.

★ Restart the computer.

Logging on to the domain: ★ the member computer now has two sets of accounts, the original local accounts and the domain accounts.

To log on to the domain, click "Switch User" and choose "Other user"; the user name is written as:

NetBIOS domain name \ logon name, e.g. for the user zhangsan in qq.com: QQ\zhangsan

logon name @ DNS domain name (the user principal name), e.g. for the user zhangsan in qq.com: zhangsan@qq.com
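The domain join done from PowerShell, as an added example that is not part of the original post. It replaces the "ping the domain name" check with a lookup of the DC locator SRV records, which is what the join actually depends on. The interface alias "Ethernet", the DC address 192.168.10.10, the domain corp.example.com and the target OU are assumptions.

```powershell
# Added example: join a workstation to the domain and verify DNS first.
# Assumed values (not from the original post): NIC "Ethernet", DC 192.168.10.10,
# domain corp.example.com, computer objects placed in OU=Workstations.

$Nic    = "Ethernet"
$DcIp   = "192.168.10.10"
$Domain = "corp.example.com"
$OuPath = "OU=Workstations,DC=corp,DC=example,DC=com"

# DNS must point at the DC: the join locates a DC through SRV records in the AD zone.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcIp

function Test-DomainLocator {
    param([string]$DomainName)
    # The notes say "ping the domain name"; the record a joining client really needs
    # is _ldap._tcp.dc._msdcs.<domain>, so check that one and list the DCs it names.
    try {
        $records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
    } catch {
        Write-Warning "Cannot resolve DC SRV records for ${DomainName}: $_  Fix DNS before joining."
        return $false
    }
    $records | Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { Write-Host ("Domain controller: {0}:{1}" -f $_.NameTarget, $_.Port) }
    return $true
}

if (-not (Test-DomainLocator -DomainName $Domain)) { return }

# Use an account that holds only the delegated right to create computer objects in
# $OuPath, not a Domain Admins member: this password is typed on an untrusted machine.
$joinCred = Get-Credential -Message "Account permitted to join computers to $Domain (e.g. CORP\joiner)"

# -OUPath puts the computer object where Group Policy expects it instead of the default Computers container.
Add-Computer -DomainName $Domain -Credential $joinCred -OUPath $OuPath -Restart

# After the restart, log on as CORP\zhangsan or zhangsan@corp.example.com for a domain
# account, or as .\localuser for one of the original local accounts.
```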

————————————————————————————————————————————————————

Implementing additional domain controllers: prevents a "single point of failure" (an important service running on only one server, so that one failure disrupts the business). A domain should have at least two domain controllers.

1 Start the existing domain controller.

2 Start a second Windows Server 2008 R2 in workgroup state on the same virtual switch as the domain controller (no gateway is needed when they share a switch).

Give it an IP address in the same network segment as the domain controller. The notes set the preferred DNS to 127.0.0.1 and the alternate DNS to the first domain controller; the more reliable order while promoting is the other way round: preferred DNS = the first domain controller (which already hosts the zone), alternate DNS = this server's own address, which only becomes useful once DNS is installed here.

3 Run Dcpromo.exe to promote the server to a domain controller.

Existing forest

Add a domain controller to an existing domain

Enter the name of a domain in the forest (normally the name of this domain) and the credentials of a Domain Admins member.

Select the domain to which the additional domain controller is to be added.

Accept the defaults for the following steps.

Enter the Restore Mode (DSRM) password, finish, and restart.

4 Right after the additional domain controller has been promoted, run ipconfig /flushdns on the first domain controller (recommended; otherwise the first DC may fail to recognize the second one for a short time).

Create an OU, a group, a user and other objects on each of the two domain controllers and check that the other one receives them.
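The additional-DC promotion and the replication check from step 4, scripted as an added example that is not part of the original post. It targets Windows Server 2012 or later (Install-ADDSDomainController instead of dcpromo.exe). The host names dc1 and dc2, the addresses 192.168.10.10 and 192.168.10.11, the gateway and the domain corp.example.com are assumptions.

```powershell
# Added example: promote a second DC into an existing domain, then prove
# replication works by writing an object on one DC and reading it from the other.
# Assumed values (not from the original post): existing DC dc1 = 192.168.10.10,
# this server dc2 = 192.168.10.11, gateway 192.168.10.1, domain corp.example.com.

$Nic       = "Ethernet"
$FirstDcIp = "192.168.10.10"
$MyIp      = "192.168.10.11"
$Domain    = "corp.example.com"

New-NetIPAddress -InterfaceAlias $Nic -IPAddress $MyIp -PrefixLength 24 -DefaultGateway "192.168.10.1"
# Resolve through the existing DC during promotion; the entry for this server
# only starts working once the DNS role is installed here, so it goes second.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $FirstDcIp, $MyIp

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$dsrm = Read-Host -Prompt "DSRM password for this DC (different from the domain Administrator password)" -AsSecureString
$cred = Get-Credential -Message "Domain Admins member of $Domain (e.g. CORP\Administrator)"

Install-ADDSDomainController `
    -DomainName $Domain `
    -Credential $cred `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrm `
    -Force:$true
# The server reboots here. Run the checks below afterwards, from either DC.

function Test-AdReplication {
    param([string]$SourceDc, [string]$PeerDc, [string]$DomainDn)
    # Write a marker OU on one DC, poll the other for it, then clean up.
    $name = "ReplTest-" + (Get-Date -Format "yyyyMMddHHmmss")
    New-ADOrganizationalUnit -Name $name -Path $DomainDn -ProtectedFromAccidentalDeletion $false -Server $SourceDc
    $found = $false
    foreach ($i in 1..12) {
        # Intra-site replication is driven by change notification and normally lands well inside a minute.
        Start-Sleep -Seconds 5
        if (Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -Server $PeerDc) { $found = $true; break }
    }
    Remove-ADOrganizationalUnit -Identity "OU=$name,$DomainDn" -Server $SourceDc -Confirm:$false
    return $found
}

$dn = (Get-ADDomain).DistinguishedName

# Per-partner replication status as seen by dc2 (the same data repadmin /showrepl prints).
Get-ADReplicationPartnerMetadata -Target "dc2.$Domain" |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult

if (Test-AdReplication -SourceDc "dc1.$Domain" -PeerDc "dc2.$Domain" -DomainDn $dn) {
    Write-Host "Replication dc1 -> dc2 OK"
} else {
    Write-Warning "Marker OU did not appear on dc2 within 60 seconds; check DNS on both DCs and repadmin /replsummary"
}
```

Run the marker test in both directions (swap SourceDc and PeerDc) because replication connections are one-way objects: a DC that receives fine may still fail to send.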


This article from the "10930418" blog, reproduced please contact the author!

