Window
Having covered the principles of Active Directory, we can move on to installing and configuring it. The installation itself is not complicated: Windows 2000 (Win2K) provides an installation wizard, and you only need to follow its prompts with settings that meet your requirements. The preparation before installation is the harder part, and Active Directory can only be installed and configured correctly once it is fully understood. The following is a detailed introduction to preparing for, installing, and configuring Active Directory.
I. Preparing for the Active Directory installation
We have already seen that Active Directory is a key service of the whole Win2K system. It is not isolated: it is closely tied to many protocols and services, and it affects the structure and security of the entire system. Installing Active Directory is therefore not as simple as installing an ordinary Windows component; it needs planning and preparation beforehand. Otherwise, at best you will not get the benefits of Active Directory, and at worst the service will not install correctly at all.
1. Before installing Active Directory, make sure the machine already runs Win2K Server or Advanced Server, has at least one NTFS partition (required for the SYSVOL share), has TCP/IP configured with a DNS server, and that the DNS service supports SRV resource records and the dynamic update protocol. A domain controller registers its locator records in DNS as SRV records, and clients cannot find the domain without them.
2. Next, plan the domain structure of the whole system. An Active Directory can contain one or more domains, and if the directory structure is poorly planned or its levels are unclear, the advantages of Active Directory cannot be realised. The choice of the root domain (the base domain of the system) is the key decision here, and the root domain name can be chosen in the following ways:
(1) Use a registered DNS domain name as the Active Directory root domain name. The advantage is that the enterprise's public and private networks share the same DNS name.
(2) Use a subdomain of a registered DNS domain name as the Active Directory root domain name.
(3) Choose a domain name for Active Directory that is completely different from the registered DNS domain name. The enterprise network then presents two different naming structures, one internally and one on the Internet.
(4) Name the public part of the corporate network with the registered DNS domain name and the private network with a different internal domain name, separating the two parts into distinct namespaces, so that each part must use the other's namespace to identify objects located there.
3. Then plan domain and account naming. One purpose of Active Directory is to give the internal and external networks a unified directory service, and a unified naming scheme simplifies both network management and business contact. An Active Directory domain name is normally the full DNS name of the domain, but for backward compatibility each domain should also have a pre-Windows 2000 (NetBIOS) name, which is what computers running earlier versions of Windows use. Each user account in Active Directory has a user logon name, a pre-Windows 2000 user logon name (the Security Accounts Manager account name), and a user principal name suffix. When an account is created, the administrator enters the logon name and selects the user principal name suffix; Active Directory proposes the first 20 characters of the logon name as the pre-Windows 2000 logon name. The naming policy is the first step in planning an enterprise network: it directly determines the basic structure of the network and even affects its performance and scalability. Active Directory offers modern enterprises a good reference model, taking into account the multi-level structure and distributed nature of the enterprise and even providing a naming model fully consistent with direct access to the Internet.
The user principal name (UPN) consists of the user account name and the domain name (the UPN suffix) that identifies the account. It is the standard form for logging on to a Win2K domain, written user@domain.com like a personal e-mail address. Do not include the @ sign in the user logon name or in the UPN suffix; Active Directory adds it automatically when the UPN is formed. A UPN containing more than one @ sign is invalid.
In Active Directory, the default UPN suffix of an account is the DNS name of the domain that holds the account. If the organisation uses a multi-tier domain tree of departments and regions, that name can be very long for users in the lower domains: a user in the domain grandchild.child.root.com gets the default logon name user@grandchild.child.root.com, which is inconvenient to type. To solve this, Win2K lets the administrator add alternative UPN suffixes (in Active Directory Domains and Trusts), typically the root domain name, and assign them to accounts, so the same user can log on with the shorter user@root.com instead of the long form above.
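The naming rules above, as an added worked example (not code from the original article): it forms a UPN from a logon name and a chosen suffix, rejects an '@' in the logon name, offers the root domain as an alternative suffix, and derives the default pre-Windows 2000 logon name as the first 20 characters, which is where two long logon names can collide. The domain names and account names are constructed sample data.

```python
from dataclasses import dataclass, field

SAM_MAX_LEN = 20  # pre-Windows 2000 logon names are limited to 20 characters
# Characters Active Directory rejects in a pre-Windows 2000 logon name.
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>@')


def validate_upn(upn):
    """A well-formed UPN has exactly one '@' with a non-empty name and suffix."""
    if upn.count("@") != 1:
        return False
    name, suffix = upn.split("@")
    return bool(name) and bool(suffix)


@dataclass
class DomainNamingPlan:
    """Naming rules for one domain (constructed example, not the article's code)."""
    dns_name: str                                   # e.g. grandchild.child.root.com
    alternative_upn_suffixes: set = field(default_factory=set)
    _sam_names_in_use: set = field(default_factory=set, init=False)

    def upn_suffixes(self):
        """Suffixes an account in this domain may use: its own DNS name plus alternatives."""
        return {self.dns_name.lower()} | {s.lower() for s in self.alternative_upn_suffixes}

    def build_upn(self, logon_name, suffix=None):
        """Form logon@suffix; the '@' is inserted here, never typed by the administrator."""
        if "@" in logon_name:
            raise ValueError("logon name must not contain '@'")
        suffix = (suffix or self.dns_name).lower()
        if suffix not in self.upn_suffixes():
            raise ValueError(f"{suffix!r} is not a UPN suffix offered in {self.dns_name}")
        upn = f"{logon_name}@{suffix}"
        assert validate_upn(upn)
        return upn

    def build_sam_account_name(self, logon_name):
        """Default pre-Windows 2000 name: first 20 characters, unique within the domain."""
        sam = logon_name[:SAM_MAX_LEN]
        bad = SAM_FORBIDDEN & set(sam)
        if bad:
            raise ValueError(f"not allowed in a pre-Windows 2000 name: {sorted(bad)}")
        if sam.lower() in self._sam_names_in_use:   # SAM names compare case-insensitively
            raise ValueError(f"pre-Windows 2000 name {sam!r} already used in {self.dns_name}")
        self._sam_names_in_use.add(sam.lower())
        return sam


if __name__ == "__main__":
    plan = DomainNamingPlan("grandchild.child.root.com", {"root.com"})
    print(plan.build_upn("jsmith"))              # long default suffix
    print(plan.build_upn("jsmith", "root.com"))  # shorter alternative suffix
    print(plan.build_sam_account_name("christopher.anderson.jr"))
    try:
        plan.build_sam_account_name("christopher.anderson.sr")
    except ValueError as exc:
        print("collision:", exc)
```

The collision case is the one to plan for: "christopher.anderson.jr" and "christopher.anderson.sr" are distinct UPNs but truncate to the same 20-character pre-Windows 2000 name, so the second account cannot be created with the proposed default and needs a hand-chosen SAM name.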
4. Finally, attend to the trust relationships between domains. Win2K computers authenticate accounts across domains through two-way, transitive trusts based on the Kerberos V5 security protocol. When a domain is created in a domain tree, trust relationships are established automatically between adjacent domains (parent and child). In a domain forest, trusts are established automatically between the forest root domain and the root domain of each domain tree added to the forest. Because these trusts are transitive, users and computers can be authenticated between any two domains in the domain tree or forest.
If you upgrade a pre-Windows 2000 domain to a Win2K domain, the Win2K domain automatically retains the existing one-way trusts between that domain and any other domains, including all trusts with remaining pre-Windows 2000 domains. If you install a new Win2K domain and want it to trust a pre-Windows 2000 domain, you must create an external trust with that domain; such trusts are one-way and non-transitive.
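The trust behaviour described in the two paragraphs above, as an added example (not code from the original article): a small trust graph in which parent/child and tree-root trusts are two-way and transitive while an external trust to an NT 4.0 domain is one-way and non-transitive, and a query that answers whether an account from one domain can be authenticated by a resource in another. The forest layout (root.com, child.root.com, grandchild.child.root.com, a second tree other.net, and a legacy NT4SALES domain) is constructed sample data.

```python
from collections import deque


class TrustGraph:
    """Directed trust graph: an edge A -> B means 'A trusts B' (accounts from B may use A)."""

    def __init__(self):
        self._trusts = {}  # trusting domain -> list of (trusted domain, transitive?)

    def _add(self, trusting, trusted, transitive):
        self._trusts.setdefault(trusting, []).append((trusted, transitive))
        self._trusts.setdefault(trusted, [])

    def add_parent_child(self, parent, child):
        """Automatic two-way transitive Kerberos V5 trust inside a domain tree."""
        self._add(parent, child, True)
        self._add(child, parent, True)

    def add_tree_root(self, forest_root, tree_root):
        """Automatic two-way transitive trust between the forest root and another tree root."""
        self._add(forest_root, tree_root, True)
        self._add(tree_root, forest_root, True)

    def add_external(self, trusting, trusted):
        """Explicit one-way, non-transitive trust, e.g. to a pre-Windows 2000 domain."""
        self._add(trusting, trusted, False)

    def can_authenticate(self, account_domain, resource_domain):
        """Can an account from account_domain be authenticated by resource_domain?

        True if resource_domain trusts account_domain directly (any trust type) or
        reaches it through a chain made only of transitive trusts.
        """
        if account_domain == resource_domain:
            return True
        direct = self._trusts.get(resource_domain, [])
        if any(trusted == account_domain for trusted, _ in direct):
            return True
        seen = {resource_domain}
        queue = deque([resource_domain])
        while queue:
            domain = queue.popleft()
            for trusted, transitive in self._trusts.get(domain, []):
                if not transitive:
                    continue  # a non-transitive trust is usable only as the direct hop
                if trusted == account_domain:
                    return True
                if trusted not in seen:
                    seen.add(trusted)
                    queue.append(trusted)
        return False


def build_sample_forest():
    """Constructed layout: one forest with two trees plus a legacy NT 4.0 domain."""
    g = TrustGraph()
    g.add_parent_child("root.com", "child.root.com")
    g.add_parent_child("child.root.com", "grandchild.child.root.com")
    g.add_tree_root("root.com", "other.net")
    g.add_external("child.root.com", "NT4SALES")  # only child.root.com trusts the NT domain
    return g


if __name__ == "__main__":
    g = build_sample_forest()
    for acct, res in [("grandchild.child.root.com", "other.net"),
                      ("NT4SALES", "child.root.com"),
                      ("NT4SALES", "root.com"),
                      ("child.root.com", "NT4SALES")]:
        print(f"{acct:>26} -> {res:<16}: {g.can_authenticate(acct, res)}")
```

The security-relevant point is visible in the results: an account from grandchild.child.root.com is accepted by other.net in a different tree because every hop is transitive, whereas NT4SALES accounts are accepted only by child.root.com, the one domain that explicitly trusts them, and never by root.com; in the opposite direction the NT domain trusts nobody, because the external trust is one-way.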
II. Installing Active Directory. Every new installation starts as a member (or stand-alone) server. If you select the option to install Active Directory during a fresh Win2K Server installation, the system warns with something like "If you install Active Directory now, none of the domain names in the system can be changed later...". In general we do not install Active Directory during system installation, so that there is time to plan the protocols and system architecture on which it depends. The directory service is installed afterwards with the Dcpromo command, and it can also be uninstalled (the server demoted). This differs from Windows NT 4.0, where the choice between domain controller and member server was made once at installation and could not be converted afterwards.
Dcpromo is a graphical wizard that leads the user step by step through building a domain controller; it can create a new domain forest, a new domain tree, or just an additional domain controller (replica) for an existing domain. Other network services such as DNS server, DHCP server, and Certificate Server can be installed later alongside Active Directory, which makes policy-based management easier. There is nothing special about the wizard itself: as long as Active Directory is understood and the planning described above has been done, the installation is easy to complete.
After Active Directory is installed, there are three main Active Directory Microsoft Management Console (MMC) snap-ins. Active Directory Users and Computers is used to administer a domain. Active Directory Domains and Trusts manages domains and trust relationships, mainly in multi-domain environments. Active Directory Sites and Services lets you place domain controllers in different sites: within a site, generally a well-connected LAN, replication between domain controllers is automatic, while replication between sites must be configured by the administrator to optimise replication traffic and improve scalability. From these management interfaces you can also right-click a site, domain, or organizational unit to open the Group Policy interface and manage those objects in detail.
Administrators can also delegate administration of sites, domains, and organizational units. Right-clicking one of them starts the Delegation of Control wizard, which sets step by step which administrators have which rights over which objects. For example, the administrator of an internal technical support centre can be given only the right to reset user passwords, without the right to create and delete user accounts. This fine-grained style of administration is what is meant by "granular".
In addition, Active Directory fully caters for backup and recovery of the directory service. The Win2K Backup tool has an option to back up Active Directory specifically (as part of the System State), and after a disaster the machine can be started by pressing F8 at boot into Directory Services Restore Mode to restore the directory and limit the damage.