Domain Controller installation and adding to domain

Source: Internet
Author: User

Promote a member server to a domain controller (1)

Many companies now have more than 10 PCs on their networks. According to Microsoft, when a network has fewer than 10 PCs the peer-to-peer (workgroup) model is recommended, and when there are more than 10 the domain model is recommended, because a domain provides centralized management, which has many advantages over decentralized management of the same network. So how do we promote a member server to a domain controller? Let's walk through it:

All member servers in this article run Microsoft Windows Server 2003, and the client runs Windows XP. First, of course, install Windows Server 2003 on the member server and log on once the installation succeeds. The first thing to do is assign a fixed IP address to the member server. The machine name is Server, and the settings are as follows:

IP: 192.168.5.1

Subnet Mask: 255.255.255.0

DNS: 192.168.5.1 (because I want to configure this machine as a DNS server)

Because DNS is not installed by default during Windows Server 2003 setup, you need to add it manually: go to "Start - Settings - Control Panel - Add or Remove Programs", then click "Add/Remove Windows Components". The following figure is displayed:

Move the scroll bar on the right down, find "Networking Services", and select it:

By default, all networking services are added. You can click "Details" below to customize the installation.

Only DNS is needed here, so clear all the others; they will be installed later:

Then click "OK" and click "Next" to complete the DNS installation. Make sure the Windows Server 2003 installation disc is in the optical drive. Otherwise the files cannot be found and you will need to locate them manually.

After installing DNS, you can perform the promotion. Click "Start - Run", enter "dcpromo", and press Enter to open the "Active Directory Installation Wizard":

Click "Next" here:

This is a compatibility notice. Versions earlier than Windows 95 and NT 4 SP3 cannot log on to a domain controller running Windows Server 2003. I suggest you use Windows 2000 or later as the client wherever possible. Click "Next":

Because this is the first domain controller, select "Domain controller for a new domain" and click "Next":

Since it is the first domain controller, we also choose "Domain in a new forest":

Here we specify the domain name. In this example it is demo.com.

The NetBIOS name is specified here. It must not conflict with any client; that is, there cannot be another PC on the network whose computer name is "Demo". Although the name can be changed here, it is recommended that you keep the default, which saves trouble later.

Here you specify the storage location of the AD database and log files. If there is no space problem on drive C, we recommend that you use the defaults.

Here the location of the SYSVOL folder is specified. We do not recommend changing it:

During a first deployment, the DNS registration diagnostics error screen shown above always appears. Although DNS is installed, it has not been configured, so there is no usable DNS server on the network and the query times out. Therefore, select "Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server".

This is the permissions option. Here I select the second option, "Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems", because there are no operating systems earlier than Windows 2000 in the environment where I ran my experiments.

Here is a key point: remember this password after setting it. Never forget it, because this password is used in the later articles about restoring Active Directory.

This is the confirmation screen. Check carefully that the information entered is correct, especially the spelling of the domain name, because changing a domain name is no joke. If anything is wrong, click "Back" to re-enter it. If you are sure it is correct, click "Next" to start the installation:

After several minutes, the installation is complete:

Click Finish:

Click "Restart Now".

Next, let's look at the differences between before and after installing AD. The first thing we notice is that shutdown and boot have become noticeably slower. Let's look at the logon screen again:

There is an additional "Log on to" selection box:

After logging on, right-click "My Computer", select "Properties", and click "Computer Name":

It is different from before AD was installed. Other things have changed as well: for example, there are no longer local users, and there are more icons in Administrative Tools.

These will be described in future articles. I will not discuss them here.

Promote a member server to a domain controller (2)

In my previous article, I promoted a member server to a domain controller. Now let's look at how to join a workstation to the domain. For network security reasons, the domain administrator account should be used as little as possible. So first create a delegated account on the domain controller: log on to the domain controller and run "dsa.msc" to open the "Active Directory Users and Computers" console:

Create a user first: expand "demo.com", right-click "Users", and click "New" - "User":

The New User wizard appears. Here I create a new user named "SWG" and set the password option to "Password never expires".

Click "Next" until creation is complete. Then right-click "demo.com" and select "Delegate Control":

The "Delegation of Control Wizard" appears:

Click "Next":

Click the "Add" button in the middle and enter the "SWG" account you just created:

Click "OK":

Click "Next":

In the figure above, the user does not need "Manage Group Policy links" for the time being, so just select "Join a computer to the domain" and click "Next":

Finally, there is a summary screen. If there is no problem, simply click "Finish".

Next, go to the client to see how to join XP to the domain. The client operating system used in the experiment is Windows XP Professional. Note that Windows XP Home Edition is intended for home users and cannot be joined to a domain, so do not make that mistake. First set up networking on the XP machine:

Computer Name: testxp

IP: 192.168.5.5

Subnet Mask: 255.255.255.0

DNS server: 192.168.5.1

After setting up the network, right-click "My Computer", select "Properties", and click "Computer Name".

Here, change "Member of" to "Domain", enter "demo.com", and click "OK". The following figure is displayed:

Enter the "SWG" account just created on the domain controller and click OK:

If the picture above is displayed, the computer has been joined successfully. Click OK, and then restart. Let's see whether the logon screen is different:

Note the "Log on to" box. You can choose domain logon or local logon. Select the domain "Demo" here so that you can log on with a domain user. After logging on, right-click "My Computer", select "Properties", and click "Computer Name":

How do the areas marked with a black box differ from before the computer was joined to the domain?

After the client is joined to the domain, if the domain controller is shut down or crashes, the client cannot log on to the domain. So once a domain controller has been created, it is necessary to guard against one of them being accidentally damaged. A domain controller established later is called an additional domain controller. Let's look at the process of setting up an additional domain controller:

Of course, network settings are always in the first step:

Computer Name: bserver

IP: 192.168.5.2

Subnet Mask: 255.255.255.0

DNS: 192.168.5.1

Since it will be promoted to a domain controller, the DNS component also needs to be added. The method is the same as in my first article and is not repeated here. After adding the component, click "Start" - "Run" and enter "dcpromo":

The wizard and operating system compatibility screens are the same as when the first domain controller was installed. The only thing you need to note is the following figure:

When the first server was installed, we selected "Domain controller for a new domain". Here, select "Additional domain controller for an existing domain" and click "Next":

Here, enter the password of the domain administrator account, enter the full DNS name or NetBIOS name of the corresponding domain in "Domain", and click "Next":

Enter the full DNS name of the existing domain and click "Next". The rest is the same as installing the first domain controller, so I will not write it out; continue until it is finished.

User profiles in Active Directory

The previous articles (Promote a member server to a domain controller (1) and (2)) already covered domain users, so the method for creating a user is not repeated here. This article mainly introduces user profiles.

First, what is a user profile? According to Microsoft's official explanation, a user profile defines the settings and files that the system loads to set up the environment when a user logs on. It includes all user-specific configuration settings. Where are user profiles kept on the system, and what do they contain? Let's take a look:

User profiles are stored in the "Documents and Settings" folder on the system disk (usually drive C). Inside it is a folder with the same name as your logon user name, and the user profile is saved there. Incidentally, if a local user and a domain user with the same name have both logged on to the system, a suffix is appended to the second folder of that name. For example, suppose the domain (demo.com) contains a computer (testxp) that has a local SWG account, the domain also has an SWG account, and both have logged on to this computer. Then the following happens:

Local account logs on first: the local SWG user's profile folder is SWG, and the domain user's profile folder is SWG.demo.

Domain account logs on first: the domain user's profile folder is SWG, and the local user's profile folder is SWG.testxp.

From the above, we can see that user profiles include personalized configuration such as desktop settings, My Documents, Favorites, IE settings, and so on. Note that there is a folder named "All Users" in the "Documents and Settings" folder. If you create a file in the "Desktop" folder under it, every user will find that file on the desktop at logon, so the configuration in this folder applies to every user on this computer.

After the network becomes a domain architecture, all domain users can log on to any computer in the same domain. After you modify the user profile on one computer, you will find that when you log on to another computer all the settings are still the original ones and nothing has changed. This is because the user profile is saved locally: for both domain users and local users, it is saved on the computer where the user logs on. Right-click "My Computer", select "Properties", click "Advanced", and click "Settings" under "User Profiles":

Note that everything marked by the red box under "Type" is "Local", which means the user profile is saved locally. So how can we make the user profile follow the account, so that it stays consistent no matter which computer the user logs on to? The roaming user profile solves this problem. The principle is to save the user profile in a shared network location. When the user logs on to a computer, the profile is downloaded from the network location to the local machine and applied. When the user logs off, the local profile is synchronized back to the network location, so that the copy in the network location is current for the next use. How do we implement this? Let's take a look:

First, you need a shared folder at a network location to store user profiles. For the experiment, you can create a shared folder named share on the domain controller and open up its permissions:

Then click "Start - Settings - Control Panel - Administrative Tools", double-click "Active Directory Users and Computers", and select the corresponding user. Here the "SWG" account is used as an example:

Double-click the "SWG" account, select the "Profile" tab, and under "User profile - Profile path" enter \\192.168.5.1\share\%username%, where "192.168.5.1" is the IP address of the domain controller, as shown:

Click OK. Next, go to the client and log on with the "SWG" account to see what will happen.

As shown, the status of DEMO\SWG has changed from "Local" to "Roaming". When the user then logs off, the local user profile is automatically synchronized to the network location. If you log on with "SWG" on another computer in the domain, the whole user profile is the same as on this computer. So what has changed on the server?

As shown, a "SWG" folder named after the user is automatically created in the "share" folder on the server. By default, this folder can be opened only by the corresponding user:

Does this screen look familiar?

At present, IT pros at many companies share a common complaint: users like to mess up their desktops and so on. Group Policy can restrict part of this, but it is not always perfect. Here we recommend the mandatory user profile. The user can modify the profile at will, but once the user logs off the changes are not saved, so the profile is the same at the next logon. How is this implemented? In fact, you only need to rename "ntuser.dat" to "ntuser.man". Let's look at the process:

First, in "Tools - Folder Options - View", change the settings for hidden files and for the extensions of known file types:

Click "OK" and you can see the "ntuser.dat" file. But there is a problem: if you try to modify the local "ntuser.dat", you will find that it cannot be modified, because the file is in use. If you instead modify the "ntuser.dat" on the server, that is, the one under \\192.168.5.1\share\SWG, the change can be made, but the local "ntuser.dat" then overwrites "ntuser.man", so the result is the same as not modifying it. Many people want to take ownership of the "SWG" folder on the server directly and then add permissions for the administrator account so that "ntuser.dat" can be changed, but I have tried this several times and found that it may cause some permissions not to be inherited, resulting in errors. Therefore, we do not recommend it. Here is the method we recommend:

First, log off the "SWG" account and log on with another account, such as Administrator. Of course, if you go straight to \\192.168.5.1\share\SWG after logging on and try to modify it, you will be disappointed, because access is denied. How can you access and modify it? Click "Start - Run", enter "cmd", and press Enter to open a command prompt. At the command line enter: net use \\192.168.5.1 password /user:SWG. When "The command completed successfully" is displayed, a connection to the server has been established as "SWG". Now \\192.168.5.1\share\SWG can be modified.

Then log off the Administrator account and log on with "SWG" to see whether it worked:

As you can see, the type has changed from "Roaming" to "Mandatory". Now make any changes you like on the desktop. You will find that after you log off and log on again, the desktop is restored to its original state. This setting is useful when multiple users share the same account.
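The rename described above as a cmd batch script. This is an added example, not part of the original article; it assumes the article's lab values (server 192.168.5.1, share "share", account SWG in the DEMO domain) and prompts for the password instead of passing it on the command line.

```bat
@echo off
rem Added example, not from the original article.
rem Assumptions: run while logged on as an account other than SWG, with SWG
rem logged off everywhere; server, share and account are the lab values.
setlocal
set "SHARE=\\192.168.5.1\share"
set "PROFILE=%SHARE%\SWG"
set RC=0

rem "*" makes net use prompt for SWG's password, so the password does not
rem appear on the command line or in the command history.
net use "%SHARE%" * /user:DEMO\SWG
if errorlevel 1 (
    echo Cannot connect to %SHARE% as SWG. If this session already has a
    echo connection to the server under another account, remove it first.
    exit /b 1
)

if exist "%PROFILE%\ntuser.man" (
    echo %PROFILE% is already a mandatory profile. Nothing to do.
    goto cleanup
)
if not exist "%PROFILE%\ntuser.dat" (
    echo No ntuser.dat in %PROFILE%. Has SWG logged on and off once?
    set RC=1
    goto cleanup
)

rem ntuser.dat is hidden: clear hidden (and system, if set) so ren can
rem act on it, rename it, then hide the result again.
attrib -s -h "%PROFILE%\ntuser.dat"
ren "%PROFILE%\ntuser.dat" ntuser.man
if not exist "%PROFILE%\ntuser.man" (
    echo Rename did not take effect. Check that SWG is logged off.
    attrib +h "%PROFILE%\ntuser.dat"
    set RC=1
    goto cleanup
)
attrib +h "%PROFILE%\ntuser.man"
echo %PROFILE% is now a mandatory profile.

:cleanup
rem Drop the connection so this session stops holding SWG's credentials.
net use "%SHARE%" /delete
endlocal & exit /b %RC%
```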

Finally, pay attention to the following two points:

1. After configuring a mandatory user profile, when you log on as another user to modify the configuration, make sure the user being modified is logged off. Why? Think about it for yourself!

2. When using a roaming user profile, do not store large programs or files on the desktop or in other profile locations. The profile is downloaded at logon and uploaded at logoff, so if it is too large, it slows down logon and logoff.

Thank you!
