Secure and Stable AD and DNS Architecture

Source: Internet
Author: User

(About 50% of AD problems are caused by DNS. The following are my notes on DNS and AD for implementing a secure and stable AD and DNS architecture; I hope they help you. The ordering is messy, please forgive me.)

1. Let's review the installation and verification of AD.

Verifying the AD installation

Check that the following were created:

(1) SYSVOL and sharing

(2) Directory Service database and related logs

(3) The default Active Directory structure

Check the related event logs.

Run the Dcdiag and Netdiag commands.

An SRV (service resource) record maps a service to the host name of the computer that provides it.
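The checks listed above as one script, added here as an example (not code from the original post); it assumes an elevated PowerShell session on the new DC itself.

```powershell
# Added example, not from the original post: post-installation checks for a new DC,
# run on the DC itself in an elevated PowerShell session.
function Test-DcInstallation {
    $result = [ordered]@{}

    # (1) SYSVOL and NETLOGON must be shared; clients read policies and logon scripts from them
    $shares = (Get-SmbShare -ErrorAction SilentlyContinue).Name
    $result['SysvolShared']   = $shares -contains 'SYSVOL'
    $result['NetlogonShared'] = $shares -contains 'NETLOGON'

    # (2) Database and log locations are recorded under the NTDS service key
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $result['DatabaseExists'] = Test-Path $ntds.'DSA Database file'
    $result['LogPathExists']  = Test-Path $ntds.'Database log files path'

    # (3) Default AD structure: containers every domain has, checked through LDAP
    $domainDn   = [string]([adsi]'LDAP://RootDSE').defaultNamingContext
    $containers = 'CN=Users', 'CN=Computers', 'OU=Domain Controllers'
    $result['DefaultStructure'] = ($containers |
        ForEach-Object { [adsi]::Exists("LDAP://$_,$domainDn") }) -notcontains $false

    # Event logs: critical and error entries in the Directory Service log over the last 24 hours
    $result['DsErrorsLast24h'] = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Level = 1, 2; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue).Count

    # dcdiag /q prints only failures, so empty output is a clean run
    # (netdiag only ships with the Windows Server 2003 support tools)
    $result['DcdiagClean'] = [string]::IsNullOrWhiteSpace(((dcdiag /q 2>&1) -join "`n"))

    [pscustomobject]$result
}

Test-DcInstallation | Format-List
```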

2. Deleting an invalid DC. You cannot simply take the server away, because the other DCs still hold its information and will keep trying to find it during replication.

Delete an invalid DC

Suppose there are two DCs, DC1 and DC2. If DC2 breaks down and DC2's information is not deleted on DC1, DC1 will keep trying to contact DC2 during replication and a replication error occurs, which we do not want to see.

How to delete DC2 from DC1

You do not need to enter Directory Services Restore Mode; run the following directly from the command line.

Use ntdsutil:

C:\> ntdsutil

ntdsutil: metadata cleanup (enter the metadata cleanup menu)

metadata cleanup: connections (enter the connection menu to reach a specific domain controller)

server connections: connect to domain lab.com (first connect to my domain)

server connections: connect to server lab-dc1.lab.com (then connect to my server)

server connections: quit (return to the previous menu)

metadata cleanup: select operation target (specify the DC that is invalid)

select operation target: list current selections

select operation target: list sites (first list the sites)

select operation target: select site 0 (select one of the sites)

select operation target: list servers in site (now we see the DC servers in that site)

select operation target: select server 1 (1 is the server that has crashed)

select operation target: list current selections

select operation target: quit

metadata cleanup: remove selected server (ntdsutil asks for confirmation before deleting the server object)

Verify with Dcdiag and Netdiag that the DC has been removed.

3. To implement a secure and stable AD and DNS architecture, we must first understand how a client finds a DC.
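The same cleanup as the interactive walkthrough above as a single ntdsutil command (Windows Server 2008 and later accept the menu path as arguments), followed by checks that the dead DC has disappeared everywhere. This is an added example, not code from the original post; lab-dc2, lab.com and the site name are placeholders.

```powershell
# Added example, not from the original post. Placeholder names: lab-dc2, lab.com, site.
$staleDc  = 'lab-dc2'
$domain   = 'lab.com'
$configDn = [string]([adsi]'LDAP://RootDSE').configurationNamingContext
$serverDn = "CN=$staleDc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$configDn"

# ntdsutil still pops up a confirmation dialog before it deletes the server object
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

function Test-StaleDcRemoved {
    param([string]$DcName, [string]$Domain, [string]$ServerDn)
    $checks = [ordered]@{}
    # The server object under Sites must be gone from the configuration partition
    $checks['ServerObjectGone'] = -not [adsi]::Exists("LDAP://$ServerDn")
    # No remaining DC may still list it as a replication partner
    $checks['NotInRepadmin'] = -not ((repadmin /showrepl 2>&1) -match $DcName)
    # Clients locate DCs through these SRV records, so the dead DC must not be in them
    $srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object QueryType -eq 'SRV'
    $checks['NoSrvRecordLeft'] = -not ($srv.NameTarget -match "^$DcName\.")
    # dcdiag /q prints only failures, so empty output is a clean run
    $checks['DcdiagClean'] = [string]::IsNullOrWhiteSpace(((dcdiag /q 2>&1) -join "`n"))
    [pscustomobject]$checks
}

Test-StaleDcRemoved -DcName $staleDc -Domain $domain -ServerDn $serverDn | Format-List
```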

When a client wants to log on to the domain, it does not go straight to a DC, because it does not know which computer is a DC. It first asks the DNS server, querying the SRV resource records to learn who the DCs of the current network are. If an SRV record exists, the client obtains a DC address and then contacts that DC. If there is no SRV record in DNS, or the record is incorrect, the client cannot contact our DC.

SRV stands for service resource record. This record type maps a service to the host name of the computer that provides it. The SRV records in DNS are registered by each DC itself when it starts: when the administrator boots a DC, the DC announces to its DNS server what services this computer provides and writes them into DNS. Once that is written, the process is complete.
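The lookup a client performs to find a DC, reproduced and compared with the DCs that AD itself knows about, as an added example (not code from the original post). It assumes the ActiveDirectory RSAT module and uses lab.com as a placeholder domain.

```powershell
# Added example, not from the original post: reproduce the DC locator's DNS query and
# compare the answer with the DCs AD knows about. lab.com is a placeholder domain.
function Get-DcSrvRecords {
    param([string]$Domain = 'lab.com', [string]$Site)
    # A client tries its own site first, then the domain-wide record; Kerberos has its own
    $names = @()
    if ($Site) { $names += "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }
    $names += "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain"
    foreach ($n in $names) {
        # Lower Priority wins; among equal priorities, higher Weight is chosen more often
        Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
            Where-Object QueryType -eq 'SRV' |
            Sort-Object Priority, @{Expression = 'Weight'; Descending = $true} |
            Select-Object @{n = 'Query'; e = { $n }}, NameTarget, Port, Priority, Weight
    }
}

function Compare-DcRegistration {
    param([string]$Domain = 'lab.com')
    $registered = @((Get-DcSrvRecords -Domain $Domain).NameTarget) | Sort-Object -Unique
    # Every DC in AD should have registered itself; one that is missing is invisible to clients
    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain).HostName) {
        [pscustomobject]@{
            DC            = $dc
            SrvRegistered = ($registered -contains $dc)   # fix with: nltest /dsregdns on that DC
        }
    }
}

Compare-DcRegistration | Format-Table -AutoSize
# What the locator itself returns for this client: nltest /dsgetdc:lab.com
```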

4. To achieve redundancy between two DCs, you must install the DNS service on both of them. Note that if DC1 hosts an AD-integrated zone, you can then also create an AD-integrated zone on DC2.

DNS zones

Primary zone: readable and writable.

Secondary zone: many secondary zones are created for redundancy. All information in a secondary zone is copied from the primary zone. If the primary zone is down, the secondary zone can still be queried, but nothing can be written to it. Therefore, in Microsoft's Active Directory layout, DNS does not need to use primary and secondary zones. The advantage of an AD-integrated zone is that both DCs will also be DNS servers, and if DNS is modified on one of them, the two synchronize with each other; that is, DNS changes from the original master-slave relationship to a peer relationship. At this point we can say that our DNS is redundant: no matter which DC is switched off, my DNS applications are not affected.

5. Let's take a look at Active Directory maintenance.

(1) The modification process of the AD database (the read/write process)

For example, we add a user to AD, which modifies the database through a transaction.

The transaction is first initialized and written to a buffer in memory. It is not written directly to the database (Ntds.dit): after the memory write, it is written to Edb.log (everything that happens during the day goes into Edb.log), then from Edb.log the transaction is written to the AD database (Ntds.dit), and finally it is recorded in one more file, Edb.chk (the checkpoint). Once Edb.chk has been written, the modification is considered complete.

Which file grows larger, Edb.log or Ntds.dit?

Edb.log grows larger. For example, if you add a new user XY, it is written to both Edb.log and Ntds.dit. If user XY is then deleted, Edb.log records that as well (the user was added, then deleted), while in Ntds.dit the entry for XY is removed and the database shrinks.

Edb.log does not grow forever: once it fills up to 10 MB it is automatically renamed to EDB000001.log (normally we keep this file permanently, but it can also be deleted) and a new empty Edb.log is released.

Alongside Edb.log there are two files, res1.log and res2.log, that guard against incomplete AD reads and writes caused by insufficient disk space: when space runs out, these two files are deleted, which frees another 20 MB for reading and writing data.

6. How to move the AD database and log files (the database must be backed up during this process)

Why move them? 1. Insufficient disk space. 2. Security reasons.

Enter Directory Services Restore Mode.

C:\> ntdsutil

ntdsutil: files (because we operate on files, maintenance is done in files mode)

file maintenance: move db to d:\ad (move the AD database to the ad folder on drive d)

file maintenance: move logs to d:\ad (move the AD log files to the ad folder on drive d)

Why can the two locations be maintained independently? In an AD that requires high availability and reliability, we put the database and Edb.log on two different disks, or at least on different logical drives, so that each can be secured separately. At the same time, this improves performance.

How to defragment the AD database (the database must be backed up during this process)

This is a problem many people overlook when stabilizing Active Directory. Like a disk, Active Directory is read and written frequently under high load, so fragmentation builds up and defragmentation is needed. (Should disks be defragmented frequently on a server? No. Frequent disk defragmentation on a server has a bad effect on the data on the server, and even after defragmenting the server disk you have not solved the fragmentation of the AD database: an ordinary disk defragmentation does not reorganize the AD database.) We recommend defragmenting every year or two, but a backup is required because it is risky.

Defragmenting AD actually copies the whole database and writes it again as a new file.

Enter Directory Services Restore Mode.

C:\> ntdsutil

ntdsutil: files (because we operate on files, maintenance is done in files mode)

file maintenance: compact to d:\ad (write the compacted AD database to the ad folder on drive d)

In the ad folder on drive D a new, defragmented database is generated. Copy the new database to the original database location and replace the original file. The database becomes smaller and query performance increases.

Suggestion: in a real environment, do not perform several AD-related management tasks at the same time. Too many tasks at once can make Active Directory fail.
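Pre-flight checks for the file layout from sections 5 and 6, followed by the offline compaction, as an added example (not code from the original post). It assumes Windows Server 2008 or later, where AD DS is a stoppable service so Directory Services Restore Mode is not needed, a system state backup taken first as the notes say, and D:\ad as a placeholder target folder.

```powershell
# Added example, not from the original post. Assumes Server 2008+ (stoppable NTDS service),
# a prior system state backup, and D:\ad as a placeholder target folder.
$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $ntds.'DSA Database file'
$logPath = $ntds.'Database log files path'

function Get-NtdsLayout {
    $dbSizeMB = [math]::Round((Get-Item $dbFile).Length / 1MB)
    $dbDrive  = (Get-Item $dbFile).PSDrive.Name
    $freeMB   = [math]::Round((Get-PSDrive $dbDrive).Free / 1MB)
    [pscustomobject]@{
        Database         = $dbFile
        Logs             = $logPath
        DatabaseMB       = $dbSizeMB
        FreeOnDbDriveMB  = $freeMB
        SeparateVolumes  = ($dbDrive -ne (Get-Item $logPath).PSDrive.Name)   # the notes' HA advice
        EnoughForCompact = ($freeMB -gt $dbSizeMB)   # compaction writes a full second copy
        ReserveLogs      = @(Get-ChildItem $logPath -Filter 'res*.log').Count   # res1/res2 = 20 MB headroom
    }
}

function Invoke-NtdsCompact {
    param([string]$Target = 'D:\ad')
    if (-not (Get-NtdsLayout).EnoughForCompact) { throw 'Not enough free space for a compacted copy' }
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    Stop-Service -Name NTDS -Force      # also stops KDC, Netlogon, DNS and others that depend on it
    try {
        $out = ntdsutil "activate instance ntds" files "compact to $Target" quit quit 2>&1
        if (-not ($out -match 'completed successfully')) { throw "Compaction failed:`n$($out -join "`n")" }
        Copy-Item $dbFile "$dbFile.bak" -Force                     # keep the original next to it
        Copy-Item (Join-Path $Target (Split-Path $dbFile -Leaf)) $dbFile -Force
        Remove-Item (Join-Path $logPath '*.log')                   # old logs do not match the new file
        $check = ntdsutil "activate instance ntds" files integrity quit quit 2>&1
        if (-not ($check -match 'Integrity check successful')) {
            Copy-Item "$dbFile.bak" $dbFile -Force                 # roll back to the original
            throw "Integrity check failed:`n$($check -join "`n")"
        }
    } finally {
        Start-Service -Name NTDS
        # Start-Service does not restart the dependents stopped above
        Get-Service -Name NTDS -DependentServices | Where-Object StartType -eq 'Automatic' |
            Start-Service -ErrorAction SilentlyContinue
    }
}

Get-NtdsLayout | Format-List
```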

7. AD Database Backup

System state data

The system state backup is a very important backup. We recommend that the administrator of each of our servers backs up the system state regularly, every week. Its size is about 700 MB.

Use Ntbackup (there is no need to enter Directory Services Restore Mode).

Introduction to operations master roles

Although there are multiple DCs, switching one of them off is not always harmless.

To avoid conflicts between roles, some work must be completed by a single DC.
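Ntbackup is no longer shipped with current Windows Server; wbadmin performs the same system state backup (ntds.dit, SYSVOL and the registry). The following schedules it weekly as the notes recommend and reports the age of the last backup. Added example, not code from the original post; it assumes the Windows Server Backup feature is installed and uses E: as a placeholder target volume.

```powershell
# Added example, not from the original post. Assumes Windows Server Backup is installed;
# E: is a placeholder target volume.
function Register-WeeklySystemStateBackup {
    param([string]$Target = 'E:', [string]$Day = 'Sunday', [string]$At = '02:00')
    $action  = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
               -Argument "start systemstatebackup -backupTarget:$Target -quiet"
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $Day -At $At
    # Runs as SYSTEM, so no domain credential has to be stored on the DC
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AD-SystemStateBackup' -Action $action -Trigger $trigger `
        -Principal $principal -Force
}

function Get-LastSystemStateBackupAgeDays {
    # wbadmin lists the stored versions; the last "Backup time:" line is the newest one
    $lines = wbadmin get versions 2>&1 | Where-Object { $_ -match '^Backup time:' }
    if (-not $lines) { return $null }   # no backup found at all
    $last = [datetime](($lines | Select-Object -Last 1) -replace '^Backup time:\s*', '')
    [math]::Round(((Get-Date) - $last).TotalDays, 1)
}

Register-WeeklySystemStateBackup
"Last system state backup: $(Get-LastSystemStateBackupAgeDays) days ago (empty = none)"
```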

Schema Master (the first DC in the forest)

The schema is the core of AD. If the schema master is absent, the schema cannot be extended and Exchange cannot be installed.

Domain naming master (the first DC in the forest)

When I want to add a domain tree or a child domain to my forest, the domain naming master checks whether the new domain name conflicts with an existing one. If there is a conflict, the domain naming master rejects the new domain. If the domain naming master is unavailable, no child domains or domain trees can be added.

PDC emulator (the first DC in each domain)

1. The time difference within the domain cannot exceed 5 minutes. By default, all other DCs and clients contact the PDC emulator to synchronize time.

2. To avoid conflicts, Group Policy is edited only on the PDC emulator.

RID master (the first DC in each domain)

Without the RID master, users cannot be created in our domain.

Infrastructure master (the first DC in each domain)
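The five role holders described above, a reachability check for each, and the clock offset of this host against the PDC emulator, which the notes say must stay within 5 minutes (the default Kerberos tolerance). Added example, not code from the original post; it assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT module.
function Get-FsmoStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster          # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster    # one per forest
        PDCEmulator          = $domain.PDCEmulator           # one per domain
        RIDMaster            = $domain.RIDMaster             # one per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # one per domain
    }
    foreach ($r in $roles.GetEnumerator()) {
        [pscustomobject]@{
            Role   = $r.Key
            Holder = $r.Value
            # A role is only usable while its holder answers LDAP
            Reachable = Test-NetConnection -ComputerName $r.Value -Port 389 `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

function Get-PdcTimeOffset {
    $pdc = (Get-ADDomain).PDCEmulator
    # /dataonly prints "time, offset" samples; the offset is a signed number of seconds
    $line   = w32tm /stripchart /computer:$pdc /samples:1 /dataonly | Select-Object -Last 1
    $offset = [double](($line -split ',')[1] -replace '[^0-9\.\-\+]', '')
    [pscustomobject]@{
        PDC                = $pdc
        OffsetSeconds      = $offset
        WithinKerberosSkew = ([math]::Abs($offset) -lt 300)   # 5 minutes
    }
}

Get-FsmoStatus | Format-Table -AutoSize
Get-PdcTimeOffset
```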

What is permission delegation?

1. Hierarchical permission management

2. Implemented through delegation:

(1) Administrative autonomy

(2) Service independence

Use MMC to build a custom management console for network administrators.

When building the second DC, we create an AD-integrated zone on it and enable dynamic updates; during DC synchronization the zones synchronize themselves.

Manual DC synchronization: in Active Directory Sites and Services you can synchronize two or more DCs on demand.
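An audit of the layout from section 4 and the closing notes above on every DC: DNS running, the domain zone AD-integrated (peer replication with AD instead of primary and secondary copies) and limited to secure dynamic updates, with a remediation and the on-demand replication the notes mention. Added example, not code from the original post; it assumes the DnsServer and ActiveDirectory RSAT modules and uses lab.com as a placeholder domain.

```powershell
# Added example, not from the original post. Assumes the DnsServer and ActiveDirectory
# RSAT modules; lab.com is a placeholder domain.
function Test-AdIntegratedDns {
    param([string]$Domain = 'lab.com')
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $svc  = Get-CimInstance Win32_Service -Filter "Name='DNS'" -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        $zone = if ($svc.State -eq 'Running') {
            Get-DnsServerZone -Name $Domain -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            DC               = $dc.HostName
            DnsRunning       = ($svc.State -eq 'Running')
            ZonePresent      = [bool]$zone
            AdIntegrated     = [bool]$zone.IsDsIntegrated
            ReplicationScope = $zone.ReplicationScope          # Domain or Forest for integrated zones
            SecureUpdateOnly = ($zone.DynamicUpdate -eq 'Secure')
        }
    }
}

# For a DC that still holds the zone as a file-backed primary or as a secondary copy
function Convert-ToAdIntegratedZone {
    param([string]$Domain, [string]$DcName)
    ConvertTo-DnsServerPrimaryZone -Name $Domain -ReplicationScope Domain -ComputerName $DcName -Force
    # Only authenticated computers may then update their own records
    Set-DnsServerPrimaryZone -Name $Domain -DynamicUpdate Secure -ComputerName $DcName
    # Manual synchronization: push the change to all replication partners now
    repadmin /syncall $DcName /AdeP
}

Test-AdIntegratedDns | Format-Table -AutoSize
```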
