Windows Server 2008 R2 Active Directory deployment, part two: the additional domain controller in the enterprise


A digression: this article commemorates the "pain" of the exam I passed with 98 points. Your humble author is preparing to take the driver's license test and was recently handed the traffic regulations to study, so this blog post was put aside. Hahaha, I only got around to writing it up once I had passed!

The previous article, Deploying the first Windows Server 2008 R2 domain controller in the enterprise (http://www.jb51.net/article/38401.htm), completed the creation of a Windows domain forest in the enterprise. However, for enterprise AD to run safely and stably, there should be at least two physical domain controllers.

Earlier Windows versions used backup domain controllers (BDCs). From Windows 2000 onward, AD replaced them with additional domain controllers plus the operations master roles, which together provide domain controller redundancy. Windows Server 2008 then introduced the read-only domain controller (RODC) for branch offices; deployed alongside a writable domain controller, it raises the availability of AD. This article covers the additional domain controller for the current domain, that is, a writable additional domain controller.

An additional domain controller is not the first domain controller in the enterprise, so it should already have been planned for when the domain forest was created. Consequently there are fewer points to watch than when deploying the first DC, but Windows Server 2008 R2 still has several worth mentioning, some of which differ from earlier versions.

I. Basic network configuration of the DC

The network configuration should follow the current network plan and the configuration of the first DC, continuing what the previous article described. Because the first DC was planned to also act as a DNS server, the Preferred DNS server entry of this additional domain controller should point to the IP address of the first DC (see Figure 1). Only once this additional domain controller is itself planned as a DNS server for the domain, the DNS service has been installed on it, and the DNS zone data has been synchronized from the first DC, can the Preferred DNS server be set to its own IP address.

Figure 1

Note: if the enterprise has dedicated DNS servers, point to those servers rather than to the first DC.

Also change the network location of the server's connection from Public to Private in the Network and Sharing Center. This ensures that the additional domain controller can communicate normally with other servers and clients during configuration and operation.
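As an added example that is not part of the original article, the following PowerShell (2.0, as shipped with Windows Server 2008 R2, so it uses netsh rather than the newer DNS client cmdlets) sets the preferred DNS server to the first DC and confirms the domain can actually be located through it before dcpromo is run. The IP address, domain name and adapter name are assumptions.

```powershell
# Added example, not from the original article: point the new server at the first
# DC for DNS and verify the domain locator works before promoting it.
# All three values below are assumptions; replace them with your own.
$FirstDcIp  = "192.168.10.11"            # assumed IP address of the first DC
$DomainName = "corp.example.com"         # assumed DNS name of the domain
$Adapter    = "Local Area Connection"    # default adapter name on Win2008 R2

# Preferred DNS server = first DC (section I). Win2008 R2 has no
# Set-DnsClientServerAddress cmdlet, so netsh does the job.
& netsh interface ip set dns "name=$Adapter" source=static addr=$FirstDcIp
if ($LASTEXITCODE -ne 0) { throw "netsh could not set the preferred DNS server" }

# The AD locator relies on this SRV record; if the first DC cannot answer for it,
# dcpromo will fail with a DNS error later on.
$srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainName" $FirstDcIp 2>&1
if (-not ($srv -match "svr hostname")) {
    throw "No _ldap._tcp.dc._msdcs SRV record for $DomainName answered by $FirstDcIp"
}

# Finally ask the domain locator for a writable DC, bypassing its cache.
& nltest /dsgetdc:$DomainName /writable /force
if ($LASTEXITCODE -ne 0) { throw "nltest could not locate a writable DC for $DomainName" }

Write-Host "DNS points at $FirstDcIp and $DomainName can be located; ready for dcpromo."
```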

II. Preparing to install the AD DS role

On Windows Server 2008 R2 an additional domain controller is still prepared by adding the role through Server Manager. Select Active Directory Domain Services in the role selection step (Figure 2) and follow the wizard to complete the initialization.

Figure 2

III. Completing the AD DS installation on the server

1. Run dcpromo from the Run dialog box to open the Active Directory Domain Services Installation Wizard (Figure 3), select Use advanced mode installation as recommended, and click Next.

Figure 3

As with the first DC, choosing Use advanced mode installation in the AD DS installation wizard is still recommended.

2. Because an AD forest already exists, select Existing forest on the Choose a Deployment Configuration page. Because you are installing an additional domain controller, select Add a domain controller to an existing domain and click Next (Figure 4).

Figure 4

3. Specify the forest in which this additional domain controller is to be installed, that is, which forest it is being added to. It is recommended to enter the domain that this server will be installed into rather than another domain in the forest. On Windows Server 2008 R2 you must also specify at this step which account has permission to promote the additional domain controller. If you are promoting a server that is still in a workgroup directly to an additional domain controller, you cannot use the current account's credentials and must supply alternate credentials. Even if the server that will become the additional domain controller has already joined the domain, the domain user logged on to perform the promotion must have permission to add and remove domain controllers in the domain in order to use the current credentials directly; otherwise only alternate credentials can be used (Figure 5).

Figure 5

The network credentials required by the AD DS installation wizard differ by deployment configuration. To install a new forest as described in the previous article, you only need to be a member of the local Administrators group on the server that will become the first domain controller of the forest. To add a domain to, or remove a domain from, an existing forest, you must be a member of the Enterprise Admins group or of the Domain Admins group in the parent domain of the domain being added or removed. The Active Directory Domain Services Installation Wizard verifies that the supplied credentials are sufficient for the deployment configuration chosen in the wizard; Table 1 lists the permissions required for adding and removing the different domains or DCs.

Table 1

4. Specify the domain in which the server will be installed as an additional domain controller (Figure 6), then click Next.

Figure 6

Next, determine the site in which the physical host of this additional domain controller is placed (Figure 7). In earlier releases, installing a DC other than the first one did not make this an explicit choice; in Windows Server 2008 R2 Microsoft has refined these steps and made them clearer, which makes it easier for engineers to configure the deployment precisely.

Figure 7

5. Click Next and configure the additional domain controller options (Figure 8). Because this is an additional domain controller in an existing domain, the DNS server, global catalog and read-only domain controller (RODC) options can be left alone at this step, for the following reasons:

There is already a DNS server in the forest, so if this DC is also to be a DNS server, that can be done separately after the AD DS installation wizard finishes and configured as needed during later management. The global catalog is not required on every DC either; however, if this is the first DC in a particular site, it should be selected here, because at least one GC per site is recommended. And since the additional domain controller being installed is writable, the read-only domain controller option cannot be selected.

Figure 8

6. Click Next; the wizard may display a dialog box about an infrastructure master configuration conflict (Figure 9). If the domain forest had only one DC before, you will certainly meet this prompt when installing the additional domain controller, that is, the second DC. It appears because the infrastructure master (IM) of the current domain also holds the global catalog (GC) role.

Figure 9

The IM updates cross-domain references, that is, references to objects in other domains rather than in the local domain. In the following two cases the IM effectively has nothing to do:

1. There is only one domain. It does not matter where the infrastructure master is placed, because there is no other-domain information to reference.

2. A multi-domain environment in which every DC is a GC. The infrastructure master again has no work to do, because every DC, being a GC, holds read-only copies of the objects of the other domains.

Otherwise, an IM running on a GC stops updating cross-domain references, because the GC already holds copies of the referenced objects and so never sees them as out of date. It is therefore strongly recommended that the IM and GC not coexist on the same DC. Here, select "Transfer the infrastructure master role to this domain controller".

7. On Windows Server 2008 R2 an additional domain controller can be installed from media (IFM), without replicating the whole directory over the network. The installation media can be stored on a local drive, on removable media such as a DVD, or in a network shared folder. Creating an additional domain controller with IFM greatly reduces the network bandwidth used by the AD DS installation; network connectivity is still required, however, to replicate all new objects and the latest changes to existing objects to the new domain controller.

There are two ways to create the installation media:

Using the ifm subcommand of the Ntdsutil.exe tool, which is recommended and creates exactly the files needed to install AD DS; or restoring a system state backup of a domain controller and using it as the installation media, although a system state backup usually contains more data than the IFM operation needs.

Note: if you use a backup of another DC as the installation media, use the latest backup available, because an older backup needs more network bandwidth for replication. A backup older than the domain's tombstone lifetime cannot be used at all; the default is 180 days (60 days in forests created on earlier versions of Windows Server).

For simplicity and reliability, however, replication over the network is recommended when network and server resources allow (Figure 10). Select Copy data from an existing domain controller over the network and click Next.

Figure 10

8. Whether over the network or via IFM, installing an additional domain controller requires data to be replicated from an existing DC. The Source Domain Controller page lets you specify manually which existing DC is the source of the data replicated during installation, or you can let the wizard choose a DC automatically (Figure 11).

Figure 11

When specifying an installation partner, choose a DC with fewer inbound and outbound connections, and avoid one that originates or forwards changes as a File Replication Service (FRS) replication partner. In addition, if you do not use IFM, the new NTDS Settings object and the new computer account are created or modified on the installation partner, and the installation partner also replicates the SYSVOL contents to the new domain controller.

Note:

A read-only domain controller (RODC) can never be an installation partner. When installing an RODC, only writable domain controllers running Windows Server 2008 or 2008 R2 can act as installation partners. When installing an additional domain controller for an existing domain, only DCs of that domain can be installation partners.

9. Specify the locations of the Active Directory database, log files and SYSVOL folder, and set the Directory Services Restore Mode administrator password. On the summary page, confirm the settings and click Next; the additional domain controller is then installed by replication over the network (Figure 12).

Figure 12

Here you can check Reboot on completion so that the server restarts automatically once the installation finishes.
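The role installation of section II and the wizard steps 1 to 9 of section III can also be driven by a dcpromo answer file. The following PowerShell is an added example, not code from the original article; the domain name, site, installation partner, account name and paths are assumptions, and the DSRM password is prompted for rather than stored in the script.

```powershell
# Added example, not from the original article: the role install of section II and
# the replica promotion of section III (steps 1-9) as a dcpromo answer file.
# Domain, site, source DC, paths and account below are assumptions; change them.
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services | Out-Null       # section II: add the role
# Read the DSRM password without echoing it; dcpromo needs it in clear text.
$sec  = Read-Host "Directory Services Restore Mode password" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($sec)
$dsrm = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$AnswerFile = Join-Path $env:TEMP "replica-dc.txt"
@"
[DCInstall]
; step 2: add a domain controller to an existing domain
ReplicaOrNewDomain=Replica
; steps 3-4: the domain to join and an account allowed to add DCs to it
ReplicaDomainDNSName=corp.example.com
UserDomain=corp.example.com
UserName=corp\dc-installer
Password=*
; step 5: site of this physical host; DNS and GC can be enabled later
SiteName=Default-First-Site-Name
InstallDNS=No
ConfirmGc=No
; step 6: move the infrastructure master off the DC that is also a GC
TransferIMRoleIfNecessary=Yes
; steps 7-8: replicate over the network from a chosen installation partner
; (uncomment ReplicationSourcePath to install from IFM media instead)
ReplicationSourceDC=dc1.corp.example.com
; ReplicationSourcePath=C:\IFM
; step 9: database, log and SYSVOL locations and the DSRM password
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $AnswerFile -Encoding ASCII
try {
    & dcpromo /unattend:"$AnswerFile"
    # dcpromo reference: exit codes 1-4 mean success, 11 and above mean failure;
    # %SystemRoot%\debug\dcpromo.log has the details either way.
    if ($LASTEXITCODE -ge 11) { throw "dcpromo failed with exit code $LASTEXITCODE" }
}
finally {
    # The answer file holds the DSRM password, so remove it before anything else.
    Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
}
Restart-Computer -Force
```

Password=* makes dcpromo prompt for the promoting account's password interactively, so neither password ends up in the script itself.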

IV. Simple validation and other operations after completion

1. As with the first DC, basic testing and verification still need to be performed after the installation.

2. This DC can also be made a DNS server, giving the domain a backup DNS server.

3. To balance load and reduce the risk posed by a single DC in the domain, the operations master roles can be transferred and distributed across different DCs.
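The three points above, as an added PowerShell example that is not part of the original article, run on the new DC after its reboot: it checks dcdiag and replication health, confirms the DC registered itself in the local DNS zone if the DNS role is present, lists the operations masters, and flags the infrastructure master/GC conflict from step 6 if it still exists. The domain name is an assumption.

```powershell
# Added example, not from the original article: the checks of section IV, run on
# the new DC after its reboot. The domain name is an assumption; change it.
$DomainName = "corp.example.com"
$Failures   = @()

# 1. Basic health: dcdiag prints one "failed test" line per failing test.
$diag = & dcdiag /s:$env:COMPUTERNAME
foreach ($line in ($diag | Where-Object { $_ -match "failed test" })) { $Failures += $line.Trim() }

# Every inbound replication link to this DC must report a successful last attempt.
$repl = & repadmin /showrepl $env:COMPUTERNAME
foreach ($line in ($repl | Where-Object { $_ -match "Last attempt .* failed" })) { $Failures += $line.Trim() }

# 2. Only if the DNS role is installed here: the zone must be loaded and this DC
# must have registered its own LDAP SRV record before it can serve as backup DNS.
if (Get-Service DNS -ErrorAction SilentlyContinue) {
    $srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainName" 127.0.0.1 2>&1
    if (-not ($srv -match $env:COMPUTERNAME)) { $Failures += "own SRV record not found in local DNS" }
}

# 3. Operations masters: list the holders, then flag the step 6 conflict again if
# the infrastructure master still sits on a DC that is also a global catalog.
& netdom query fsmo
$imHolder = (& dsquery server -hasfsmo infr) -replace '"', ''
$gcs      = @(& dsquery server -isgc) -replace '"', ''
if ($gcs -contains $imHolder) {
    $Failures += "infrastructure master $imHolder is also a GC (acceptable only if all DCs are GCs)"
}

if ($Failures.Count -gt 0) { $Failures | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Additional DC checks passed" }
```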

This article is from the "Fat Brother Technology Hall" blog.
