A great deal has been written about Active Directory (AD) since Windows 2000, and every new generation of Windows has advanced this important service in both functionality and performance. This series takes the latest Windows Server 2008 R2 (WIN08R2) as its example and describes WIN08R2 Active Directory technologies starting from scratch. I hope I can keep writing it through to the end!
- Fat Brother
After years of AD deployments in the enterprise, technicians are generally familiar with the range of concepts around Active Directory: domains, domain trees, forests, organizational units (OUs), sites, and domain controllers (DCs). But where does AD actually begin?
Some will say it begins with the first DC, and indeed the starting point of AD is installing the first DC. Few people realize, however, that when you install the first DC you are in fact deploying the first domain of AD (the forest root domain), the first domain tree, and even a forest that, for now, consists of a single domain. That forest contains only one domain tree, the tree contains only one domain, and the domain contains only one computer: the first DC.
Therefore, even before the first DC is deployed, an enterprise should not simply think about how to install a domain controller. It should plan the whole forest and its domain trees, plan the deployment of related services such as DNS, and decide where each service will be implemented and how each step will be carried out. Only then can the AD deployment properly meet present and future needs. Here, the process of installing the first DC in a forest serves to bring out a number of basic issues that must be considered before deployment.
I. Basic configuration of DC network properties
For a server that will become a DC, the system configuration and basic disk planning are not covered here, but the critical network connection properties must be noted. Configure the IP properties through the properties of the Local Area Connection. The DC's IP address must be a static address. A default gateway is not strictly required, but the DNS server settings must be configured correctly, because AD depends heavily on the DNS service. In this example the entire Microsoft network environment is built from scratch and this first DC will also serve as the DNS server for the corporate network, so set its preferred DNS server address to the IP address of this computer itself (Figure 1).
Because the WIN08R2 firewall filters by network location type by default, it is advisable to change the network location, which is recognized as Public by default, to Private through the Network and Sharing Center (Figure 2).
In addition, the NetBIOS name of the computer, that is, the computer name, must be set now, because renaming a DC after it has been installed is unwise.
II. Preparing to install the AD service
Installing the AD service on WIN08R2 differs slightly from earlier versions: you add it as a server role through Server Manager to complete the initial preparation (Figure 3). Open Server Manager, expand the Roles node, and click Add Roles in the right pane.
The Add Roles Wizard opens (Figure 4) with three hints from the system, of which the second is the most important. The first and third can be dealt with later and do not affect the installation. Click "Next".
In the server roles list, check Active Directory Domain Services (Figure 5). The system automatically opens a dialog box stating that the ".NET Framework 3.5.1 Features" must be installed (Figure 6), because AD on WIN08R2 depends on this feature. Click the "Add Required Features" button, return to the "Select Server Roles" dialog box, and click "Next" (Figure 7).
The Active Directory Domain Services page gives four points to note (Figure 8); from these you can learn about the tasks that should be performed before and after AD is installed and the services that AD requires.
Click "Next" to install (Figure 9).
When the Installation Results dialog box appears with no errors, the AD DS role is installed, but because the computer is not yet a fully functioning DC you are prompted to run the Active Directory Domain Services Installation Wizard (Dcpromo.exe) to complete the installation (Figure 10). Click "Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe)" to enter the installation wizard, or click "Close" and open the wizard manually later.
III. Completing the AD installation on the server
1. You need to run the AD DS Installation Wizard to complete the deployment of this server, so enter "dcpromo" in the "Run" dialog box and click "OK" to start the wizard (Figure 11).
2. After the system finishes its automatic detection, the AD Installation Wizard shows its Welcome page (Figure 12). Here you can choose a standard or an advanced mode installation. Advanced mode is intended for experienced users who want more control over the installation process, and it is the mode recommended for this operation. The options that advanced mode adds to standard mode are listed in Table 1. You can also start the wizard directly in advanced mode from the command prompt by running dcpromo with the /adv switch (dcpromo /adv).
3. Click "Next" and choose the deployment configuration (Figure 13). Since the goal is the first DC in the enterprise, select "Create a new domain in a new forest" here. Creating a new forest requires administrator privileges: you must be a member of the local Administrators group on the server on which AD is being installed.
4. Click "Next" to name the forest root domain (Figure 14). A complete plan for the DNS infrastructure should already exist, and you must know the full DNS name of the forest. You can install the DNS Server service before installing AD or, as in this example, let the AD Installation Wizard install it.
When the wizard installs the DNS Server service, it automatically generates the NetBIOS name from the DNS name given here for the first domain in the forest. When you click Next, the wizard verifies that the DNS name and the NetBIOS name are unique on the network. Because advanced mode is in use, the Domain NetBIOS Name step appears (Figure 15) whether or not a NetBIOS conflict exists; in standard mode this step appears only if the automatically generated NetBIOS name conflicts with a name already present on the network.
5. Click "Next" to "Set Forest Functional Level" (Figure 16). The functional level determines which AD capabilities are enabled in a domain or forest, and it also limits which versions of Windows Server may run on DCs in the domain or forest. It does not affect the operating systems running on workstations and member servers joined to the domain or forest.
When creating a new domain or forest, it is recommended to set the domain and forest functional levels to the highest values the current environment can support, so as to make the most of AD's functionality. If you are certain you will never add a domain controller running Windows Server 2008 (hereafter WIN08) or any earlier operating system to the domain or forest, you can select the WIN08R2 functional level. If you may keep or add domain controllers running WIN08 or earlier, select the Windows Server 2008 functional level during installation; once you are sure such domain controllers will not be added or are no longer in use, you can raise the functional level after installation. Note that the domain functional level cannot be set below the forest functional level. For example, if the forest functional level is set to WIN08, the domain functional level can only be WIN08 or WIN08R2, and the Windows 2000 (hereafter Win2K) and Windows Server 2003 (WIN03) values are not selectable on the Set Domain Functional Level wizard page. Likewise, if you select WIN08R2 as the forest functional level, the wizard skips the Set Domain Functional Level step, and every domain added to the forest defaults to the WIN08R2 domain functional level.
Special attention should be paid to the following:
Once the domain functional level has been set to a value, it cannot be rolled back or lowered, with one exception: if the domain functional level has been raised to WIN08R2 while the forest functional level is WIN08 or lower, the domain functional level can be rolled back to WIN08. It can only be lowered from WIN08R2 to WIN08; it cannot be rolled back directly to WIN03.
Once the forest functional level has been set to a value, it cannot be rolled back or lowered, with one exception: if the forest functional level has been raised to WIN08R2 and the AD Recycle Bin has not been enabled, you can roll the forest functional level back to WIN08. It can only be lowered from WIN08R2 to WIN08; it cannot be rolled back directly to WIN03.
Table 2 below lists the features enabled at each domain functional level and the supported domain controller operating systems.
Table 3 below lists the features enabled at each forest functional level and the supported domain controller operating systems.
6. Click "Next" to configure "Additional Domain Controller Options" (Figure 17). During AD installation you can choose to install the DNS service on the DC, make it a global catalog server (GC), or make it a read-only domain controller (RODC).
DNS Server Options
As noted in section I, "Basic configuration of DC network properties", the DNS Server option installs the DNS service on the DC at the same time as AD. Its default setting depends on factors such as the deployment configuration selected earlier and the DNS environment of the current network. Table 4 lists the default DNS service installation settings for the different AD deployment configurations.
Note the following:
If the DNS service was installed before the AD Installation Wizard was started but there is no DNS infrastructure for AD, the DNS service will continue to resolve names for any file-based zones it hosts, but it will not host the AD-integrated DNS zones for the domain in which the domain controller resides.
Global Catalog Options
Because the first DC in a forest must be a GC, the Global Catalog check box is selected automatically and dimmed when a new forest is created; it cannot be cleared. When another DC is installed into an existing domain the check box is also selected by default, but it can be cleared manually.
When you create a new child domain or a new domain tree, the Global Catalog check box is not selected by default, because the first domain controller in a new domain hosts all domain-wide operations master roles (FSMO roles), including the infrastructure master. In a multi-domain forest, hosting the infrastructure master on a GC causes problems unless all DCs in the domain are GCs. So if the global catalog is installed on the first DC of a new child domain or domain tree, you must either transfer the infrastructure master role after other DCs have been added to the domain, or make sure that every other DC installed into the domain is also a GC. In addition, when you install another writable domain controller, the AD Installation Wizard verifies that the infrastructure master is hosted on an appropriate DC and checks whether the installation options you selected would fix any problem it finds.
Installing an RODC is not allowed under the following conditions:
The domain controller being installed is the first domain controller in a new forest.
The domain controller being installed is the first domain controller in a new domain.
The forest functional level is not WIN03, WIN08, or WIN08R2.
The domain in which the RODC is to be installed has no writable domain controller running WIN08 or WIN08R2.
Relationships between the options
If the Read-only domain controller (RODC) check box is selected, the wizard automatically selects the DNS server option unless the DNS server check box has been cleared. If you clear the DNS server check box after the wizard has selected it, the wizard warns: "If you do not install the DNS server at the same time, clients in the branch office may not be able to find the RODC." The Global Catalog check box may also be selected by default, depending on the other installation options you choose; in particular, the wizard selects the Global Catalog check box automatically whenever the Read-only domain controller check box is selected.
Validation checks on the options
After you select options on the Additional Domain Controller Options page and click Next, the wizard performs the following validation checks before proceeding.
Static IP address validation: if the DNS server check box is selected, the AD Installation Wizard verifies that all physical network adapters on the server have static addresses, both IPv4 and IPv6. Although an AD installation can be completed without static IP addresses, this is not recommended, because clients may be unable to contact the DC if its IP address changes.
Infrastructure master check: if you chose to install an additional domain controller into an existing domain, the AD Installation Wizard selects the Global Catalog check box by default. If you are installing a writable domain controller (the Read-only domain controller check box is cleared) and you clear the Global Catalog check box, the wizard checks whether the infrastructure master role is currently hosted on a global catalog server in the domain. If it is, the wizard prompts you to transfer the role to the DC being installed: click "Yes" to transfer the infrastructure master role to this DC, or "No" to change the configuration later.
Adprep /rodcprep check: if an RODC is being installed, the wizard verifies that the Adprep /rodcprep command completed successfully and that the changes it made have replicated throughout the forest. If the command did not complete successfully, or its changes have not yet replicated to the whole forest, you receive an error message stating that the command must be run before the installation can proceed. In that case you can run Adprep /rodcprep again on any computer in the forest, or wait for the changes to replicate throughout the forest.
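The network prerequisites from section I (static address, preferred DNS pointing at the server itself, final computer name) and the static-address validation the wizard performs at this step can be checked in advance with a script like the following. It is an added example, not code from the original article, and runs on the candidate server under the PowerShell 2.0 shipped with WIN08R2.

```powershell
# Added example, not part of the original article: pre-flight check of the
# network prerequisites for a first DC, run on the candidate server itself.
# Mirrors the wizard's static-address validation (every IP-enabled adapter
# must be non-DHCP) and the section I requirement that the preferred DNS
# server be this machine, since the first DC will also host DNS.

function Test-DcNetworkPrereqs {
    $ok = $true
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    # Every address bound to this host, used to check where the preferred DNS points
    $ownAddresses = @($adapters | ForEach-Object { $_.IPAddress } | Where-Object { $_ })

    foreach ($nic in $adapters) {
        if ($nic.DHCPEnabled) {
            Write-Warning ("Adapter '{0}' uses DHCP; a DC needs a static address." -f $nic.Description)
            $ok = $false
        }
        $dns = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        if ($dns.Count -eq 0) {
            Write-Warning ("Adapter '{0}' has no DNS server configured." -f $nic.Description)
            $ok = $false
        }
        elseif ($ownAddresses -notcontains $dns[0]) {
            Write-Warning ("Adapter '{0}': preferred DNS {1} is not this server." -f $nic.Description, $dns[0])
            $ok = $false
        }
    }

    # The computer name becomes the DC's NetBIOS name; confirm it is final before promotion
    Write-Host "Computer name (will be the DC's NetBIOS name): $env:COMPUTERNAME"
    return $ok
}

if (Test-DcNetworkPrereqs) {
    "Network prerequisites look good; proceed with dcpromo."
} else {
    "Fix the warnings above before running dcpromo."
}
```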
7. Click "Next". The system displays the DNS delegation warning dialog box (Figure 18); click "Yes" to continue with the wizard. This dialog appears because the DNS server option was selected on the previous page and the computer could not find an authoritative parent-zone Windows DNS server for the specified domain, so it cannot determine whether a delegation for the domain can be created.
8. Specify the locations of the AD database, the log files, and SYSVOL (Figure 19). The database stores information about users, computers, and other objects on the network; the log files record AD activity; SYSVOL stores Group Policy objects and scripts. By default all three are placed under the %windir% directory with the operating system files.
When deciding where to store the AD files, consider the following two factors:
Backup and Recovery
For a server with only one hard drive, simply accept the default installation settings of the AD Installation Wizard. However, you must create at least two volumes on the disk: one to hold the critical volume data and another to store backups. When backing up a DC with Windows Server Backup or the Wbadmin.exe command-line tool, you must back up at least the system state data in order to restore the server from the backup, and the volume holding the backup cannot be the volume that hosts the system state data. The components that make up the system state are determined by the server roles installed on the computer; it includes at least the following (more may be included depending on the roles installed):
Registry
COM+ class registration database
Boot files
Active Directory Certificate Services (AD CS) database
Active Directory database (Ntds.dit)
Active Directory database log files
SYSVOL directory
Cluster Service information
Microsoft Internet Information Services (IIS) metabase
System files under Windows Resource Protection
Performance
For more complex installations, you may want to configure the hard disk storage to optimize AD performance. Because the database and the log files use disk storage in different ways, you can improve AD performance by placing each on a different hard drive spindle.
For example, suppose a server has four available hard disk drives, labeled as follows:
Drive C: contains the operating system files
Drive D: not used
Drive E: not used
Drive F: used for backups
On this server, you can maximize AD performance by installing the database and the log files on separate dedicated drives such as D and E. This improves database search performance, because one drive spindle is dedicated to search activity, and it reduces the chance of a bottleneck on the disk hosting the log files when many changes occur simultaneously. SYSVOL can stay on drive C with the operating system files.
9. Click "Next". The wizard asks for the "Directory Services Restore Mode Administrator Password" (Figure 20). The Directory Services Restore Mode (DSRM) password is required to log on to a domain controller when AD is not running.
The DSRM password is distinct from the domain Administrator account password.
When you create the first DC in a forest, the AD Installation Wizard enforces the password policy in effect on the local server. For every other DC installation, the wizard enforces the password policy in effect on the existing DCs, which means the DSRM password must meet the minimum length, history, and complexity requirements of the domain containing the existing DCs. By default this requires a strong password containing uppercase and lowercase letters, numbers, and symbols.
10. Click "Next" to display the installation summary (Figure 21). You can click Export Settings to save the settings specified in this wizard to an answer file, which can then be used to automate subsequent AD installations.
An answer file is a plain text file with a [DCInstall] section header that supplies the settings the AD Installation Wizard needs. When an answer file is used, the administrator does not need to interact with the wizard. The wizard adds comments to the exported file explaining how to use it, for example how to invoke it with the dcpromo command and which settings must be updated before the file can be used.
To install AD using an answer file, enter the following at the command prompt:
where filename is the name of the answer file.
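As an added example (not the article's own), the choices made in steps 3 to 10 above, written to a [DCInstall] answer file by a short PowerShell script that then runs dcpromo /unattend against it. The script takes the DSRM password interactively so it never sits in the script, restricts the file to Administrators and SYSTEM, and deletes it afterwards; the domain name, NetBIOS name and the D:/E: paths are assumptions following the four-drive example above.

```powershell
# Added example, not from the original article: write the settings chosen in the
# wizard (new forest, DNS installed, GC, WIN08R2 functional levels, database and
# logs on separate spindles) to a [DCInstall] answer file and run dcpromo with it.
# Domain name, NetBIOS name and paths are assumptions; adjust them to your plan.

$ForestDnsName = "corp.example.com"   # assumed forest root domain
$ForestNetbios = "CORP"               # assumed NetBIOS name (15 characters max)
$AnswerFile    = Join-Path $env:TEMP "dcpromo-newforest.txt"

# Functional level codes understood by dcpromo: 0 = Windows 2000, 2 = Windows Server 2003,
# 3 = Windows Server 2008, 4 = Windows Server 2008 R2. RebootOnCompletion stays No so the
# cleanup below runs; reboot by hand afterwards, as in step 11.
$template = @"
[DCInstall]
; Unattended promotion of the first domain controller in a new forest
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$ForestDnsName
DomainNetbiosName=$ForestNetbios
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="D:\NTDS"
LogPath="E:\NTDS"
SYSVOLPath="$env:windir\SYSVOL"
SafeModeAdminPassword=__DSRM__
RebootOnCompletion=No
"@

# Create the file empty and lock its ACL to Administrators and SYSTEM before any
# content is written: it will hold the DSRM password in clear text.
New-Item -Path $AnswerFile -ItemType File -Force | Out-Null
$acl = Get-Acl $AnswerFile
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the parent folder's ACEs
foreach ($id in "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM") {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, "FullControl", "Allow")))
}
Set-Acl -Path $AnswerFile -AclObject $acl

# Take the DSRM password interactively; splice it in with a literal Replace rather than
# string interpolation so characters such as '$' are not expanded by PowerShell.
$secure = Read-Host "Directory Services Restore Mode password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
Set-Content -Path $AnswerFile -Value $template.Replace("__DSRM__", $plain)
$plain = $null

try {
    # dcpromo reads every setting from the file and runs without further prompts
    & "$env:windir\System32\dcpromo.exe" "/unattend:$AnswerFile" | Out-Host
}
finally {
    # Remove the clear-text password from disk whether or not the promotion succeeded
    Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
}
```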
11. Click "Next" and the installation wizard performs the installation (Figure 22). If you did not check the "Reboot on completion" check box, the wizard shows its completion page when it finishes (Figure 23). Click "Finish",
and you are prompted to restart the computer so the configuration takes effect (Figure 24). Click "Restart Now" to complete the DC installation.
IV. Simple verification after the installation completes
After the server restarts, you can confirm that the DC installation basically succeeded by verifying the following points.
1. The AD database files have been created (Figure 25).
2. The DNS service is working properly and the resource records for the domain, especially the SRV records, have been written correctly (Figure 26).
3. The SYSVOL folder exists and can be accessed normally.
4. The event logs contain no error events, and so on.
If none of these show a problem, the first DC in the newly deployed enterprise is basically working properly.
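The four checks above, scripted as an added example (not from the original article) to run locally on the new DC after the reboot. It uses only what is present on WIN08R2 (WMI, nslookup, Get-WinEvent) and returns a pass/fail table.

```powershell
# Added example, not from the original article: post-promotion checks for the
# first DC, following section IV. Run locally on the new DC after the reboot.

function Test-FirstDcHealth {
    $results = @()
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    $fqdn    = "$env:COMPUTERNAME.$domain"

    # 1. The directory database exists at the path chosen in step 8 (read from the NTDS service parameters)
    $ntds    = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
    $ditPath = $ntds.'DSA Database file'
    $results += New-Object PSObject -Property @{ Check = "ntds.dit present at $ditPath"; Passed = (Test-Path $ditPath) }

    # 2. DNS: the SRV record clients use to locate a DC must exist and name this server
    $srvOut = (nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>$null) -join "`n"
    $results += New-Object PSObject -Property @{ Check = "_ldap._tcp.dc._msdcs.$domain SRV record names this DC"; Passed = ($srvOut -match [regex]::Escape($fqdn)) }

    # 3. SYSVOL and NETLOGON are shared and the domain's SYSVOL folder is reachable
    $shares   = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name })
    $sysvolOk = ($shares -contains "SYSVOL") -and ($shares -contains "NETLOGON") -and (Test-Path "\\$env:COMPUTERNAME\SYSVOL\$domain")
    $results += New-Object PSObject -Property @{ Check = "SYSVOL and NETLOGON shared and accessible"; Passed = $sysvolOk }

    # 4. No critical or error events in the Directory Service and DNS Server logs since the last boot
    $os  = Get-WmiObject Win32_OperatingSystem
    $boot = $os.ConvertToDateTime($os.LastBootUpTime)
    $bad = @(Get-WinEvent -FilterHashtable @{ LogName = "Directory Service", "DNS Server"; Level = 1, 2; StartTime = $boot } -ErrorAction SilentlyContinue)
    $results += New-Object PSObject -Property @{ Check = "No errors in Directory Service / DNS Server logs since boot"; Passed = ($bad.Count -eq 0) }

    return $results
}

Test-FirstDcHealth | Format-Table Check, Passed -AutoSize
```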
This article is from the "Fat Brother Technology Hall" blog.