Windows
In Windows 2003, the various network services are presented as server roles, which makes it easier to allocate and manage network resources. The Application Server role manages the network through the coordinated support of the Active Directory service, the Domain Name System (DNS) service, the Dynamic Host Configuration Protocol (DHCP) service, and the Windows Internet Naming Service (WINS). This article focuses on the methods and skills needed to work with the Active Directory service.
(i) What is Active Directory?
Active Directory is the directory service of Windows 2003. It stores information about the various objects on the network and makes that information easy for administrators and users to find and use. The Active Directory service uses a structured data store as the basis for a logical, hierarchical organization of directory information.
Active Directory offers information security, policy-based management, extensibility, scalability, replication of information, integration with DNS, interoperability with other directory services, and flexible queries.
(ii) DNS and Active Directory
Because Active Directory is integrated with DNS (Domain Name System) and shares the same namespace structure, it is important to understand the differences between the two:
1. DNS is a name resolution service
The DNS client sends a name query to its configured DNS server. The DNS server receives the query and resolves it either from locally stored zone files or by querying other DNS servers. DNS does not require Active Directory in order to run.
2. Active Directory is a directory service
Active Directory provides a repository of information, plus the services that let users and applications access that information. Active Directory clients query the Active Directory server using the Lightweight Directory Access Protocol (LDAP). To locate an Active Directory server, the client queries DNS. Active Directory therefore requires DNS in order to work.
That is, Active Directory organizes resources and DNS finds them; only by working together can they return information to the user or program that requests it. DNS is a critical component of Active Directory: without DNS, Active Directory cannot resolve a user's request to the IP address of the resource, so a solid understanding of DNS is needed before installing and configuring Active Directory.
(iii) Planning the Active Directory
Before installing Active Directory, carefully plan its structure so that it is easy for both users and administrators to work with.
1. Planning DNS
If you intend to use Active Directory, plan the namespace first. A workable Active Directory structure is required before the DNS domain namespace can be properly implemented in Windows 2003, so start with the Active Directory design and support it with an appropriate DNS namespace.
In Windows 2003, Active Directory domains are named with DNS names. When choosing a DNS name for an Active Directory domain, keep the registered DNS domain name suffix used on the Internet (such as microsoft.com) and combine it with a geographic or departmental name used in the organization to form the full name of the Active Directory domain. For example, the sales group at Microsoft might call its domain "sales.microsoft.com". This naming method ensures that every Active Directory domain name is globally unique. Furthermore, once it is adopted, an existing name can easily serve as the parent name for creating further subdomains, extending the namespace for new departments in the organization.
2. Planning the domain structure
The easiest domain structure to manage is a single domain. Start planning with a single domain and add further domains only if a single domain cannot meet the requirements. A single domain can span multiple geographic sites, and a single site can contain users and computers belonging to multiple domains. Within a domain, organizational units (OUs) are used to group resources; Group Policy settings can then be specified on an OU, and users, groups, and computers placed in it.
3. Planning the delegation model
Permissions can be assigned down to the lowest level of the organization by creating an organizational unit tree in each domain and delegating authority over some of the OU subtrees to other users or groups. By delegating administrative authority, you no longer need people to log on routinely with an account that has administrative authority over the entire domain. The Administrator account and the Domain Admins group, which have administrative authority over the entire domain, can still be retained for occasional use by a small number of administrators.
(iv) Installing the Active Directory service
Running the Active Directory Installation Wizard upgrades a Windows 2003 computer to a domain controller, either creating a new domain or adding an additional domain controller to an existing domain.
1. Pre-installation preparation
First and foremost, you must have administrator rights to install Active Directory; without them the installation cannot proceed. Make sure the system disk is an NTFS partition before installing Active Directory. The DNS server must also already be able to resolve the domain name to be used, such as lanyi.com.
2. Installing a domain controller
After confirming that the DNS service is working properly, install the domain controller with lanyi.com as the root domain.
(1) Click Start → Settings → Control Panel, double-click Administrative Tools in the Control Panel window, and then double-click Manage Your Server to start the configuration wizard. Click Add or Remove a Role, and then click Next.
(2) In the Configuration Options dialog box, select Custom configuration and click Next.
(3) In the Server Role dialog box, select Domain Controller (Active Directory) and click Next to start the Active Directory Installation Wizard. Click Next.
Note: You can also start the Active Directory Installation Wizard by running Dcpromo.exe from the C:\Windows\system32 directory.
(4) Because this is the first domain controller in the domain, select Domain controller for a new domain in the Domain Controller Type dialog box. Click Next.
(5) In the Create New Domain dialog box, select Domain in a new forest. Click Next.
(6) In the New Domain Name dialog box, enter the domain name to be created in the Full DNS name for new domain box, here lanyi.com. Click Next.
(7) In the NetBIOS Domain Name dialog box you can change the NetBIOS name, which clients running non-Windows operating systems use to identify the domain. The default can be kept; click Next.
(8) In the Database and Log Folders dialog box you can see where the database and log files are stored; normally no change is needed. Click Next.
(9) In the Shared System Volume dialog box, specify the folder to be shared as the system volume. The SYSVOL folder holds the server's copy of the domain's public files. The contents of SYSVOL are replicated to all domain controllers in the domain, and its location is not normally changed. Click Next.
(10) In the Configure DNS dialog box, click Next. (If the DNS server was not configured before Active Directory was installed, it is recommended to let the Installation Wizard configure DNS here.)
(11) In the Permissions dialog box, select the default permissions for users and groups. Because operating systems older than Windows 2003 are still present in most network environments, select the option for permissions compatible with Windows 2000 Server operating systems and click Next.
(12) In the Directory Services Restore Mode Administrator Password dialog box, enter the administrator password to be used in Directory Services Restore Mode. Click Next.
At this point the Installation Wizard displays a summary of the settings. Click Next to start the installation, and restart the computer when it completes.
3. Removing Active Directory
Run Dcpromo.exe again and remove Active Directory as prompted by the wizard.
(v) Backing up and restoring the Active Directory
In Windows 2003, backing up and restoring Active Directory is a very important task. Active Directory cannot be backed up on its own, because Windows 2003 backs it up as part of the System State data. The System State data consists of 8 components: the registry, system boot files, the class registration database, Certificate Services data, the File Replication Service, the Cluster service, the domain name service, and Active Directory; usually only the first 3 are present. None of these 8 components can be backed up separately; they must all be backed up as part of the System State data.
1. Backing up Active Directory
If a domain has more than one domain controller, Active Directory does not need to be backed up before one of them is reinstalled: remove that domain controller from the domain, reinstall it, and bring it back into the domain, and the other domain controllers will replicate the data to it. If a domain has only one domain controller, backing up Active Directory is essential.
(1) Click Start → Programs → Accessories → System Tools → Backup to start the Backup or Restore Wizard. Click Advanced Mode to open the Backup Utility dialog box and click the Backup Wizard button. Click Next.
(2) In the What to Back Up dialog box, select Only back up the System State data. Click Next.
(3) In the Backup Type, Destination, and Name dialog box, enter a name for the backup file and click Next to complete the Backup Wizard.
2. Restoring Active Directory
There are two ways to restore Active Directory.
The first approach is to recover the data from the other domain controllers in the domain. This requires that another domain controller is still available: when the damaged domain controller is reinstalled and joined to its original domain, the data is replicated automatically between the domain controllers and Active Directory is restored.
The other approach is to restore from backup media. Typically there is only one domain controller in the whole network environment, so restoring Active Directory from media is a frequent event.
Active Directory can be restored from backup media in two ways: an authoritative restore and a nonauthoritative restore.
3. Nonauthoritative restore
Typically, Windows 2003 is restored nonauthoritatively. After Active Directory is restored from backup media, the other domain controllers in the domain overwrite the restored, older data with their newer data during replication.
To perform a nonauthoritative restore, the directory service must be offline, so the domain controller must be started in Directory Services Restore Mode. Restart the server, press F8 to open the advanced boot menu, and select Directory Services Restore Mode. When the Windows 2003 logon window appears, enter the local administrator account and password; after logging on, the restore can be carried out.
Note: This is the local administrator account and password, not an administrator account in Active Directory.
(1) Click Start → Programs → Accessories → System Tools → Backup to start the Backup or Restore Wizard. Click Advanced Mode to open the Backup Utility dialog box and click the Restore Wizard button. Click Next.
(2) In the What to Restore dialog box, select the appropriate backup file and click Next to complete the data restore, then restart the machine.
Note: Normally, Active Directory data backed up more than 60 days ago cannot be restored.
4. Authoritative restore
An authoritative restore forcibly replicates the data recovered from backup media to all domain controllers in the domain, regardless of whether the data has changed since the backup. It is typically used when a serious error has occurred in Active Directory on one domain controller and has spread to the other domain controllers in the domain through replication.
To perform an authoritative restore, first perform a nonauthoritative restore and then use the Ntdsutil command-line tool to mark the restored data as authoritative.
Restart the server, press F8 to open the advanced boot menu, and select Directory Services Restore Mode. When the Windows 2003 logon window appears, enter the local administrator account and password; after logging on, the restore can be carried out.
(1) Click Start → Run, type "Ntdsutil" in the dialog box that appears, and start the command-line tool.
To recover the entire Active Directory database, use the following commands:
Authoritative restore
Restore Database
(2) To restore only part of the Active Directory data, use the following commands:
Authoritative restore
Restore subtree ou=works,dc=lanyi,dc=com
The second command must match the actual situation: if your domain name is lanyi.com and the OU to be restored is works, the command is restore subtree ou=works,dc=lanyi,dc=com, and so on for other domains and OUs.
Finally, use the quit command to exit Ntdsutil and reboot the machine.
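The mapping between a DNS-style domain name (section (iii), e.g. sales.microsoft.com) and the distinguished name that Ntdsutil expects in restore subtree (step (2) above) follows a fixed rule: each DNS label becomes one dc= component and each OU becomes an ou= component, innermost first. The following is an added example, not code from the original article; the function names are hypothetical, and it also covers nested OUs and escaping of OU names that contain DN special characters, which the article does not discuss.

```python
"""Build Ntdsutil 'authoritative restore' targets from DNS-style names (added example)."""
import re
from typing import List, Optional

# Characters that must be escaped inside a DN attribute value (RFC 4514).
_SPECIAL = set(',+"\\<>;=')
# One DNS label: letters, digits, hyphens, 1..63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def escape_dn_value(value: str) -> str:
    """Escape an RDN value so that a comma inside an OU name does not split the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"       # leading space or '#' must be escaped
        trailing = i == last and ch == " "    # trailing space must be escaped
        out.append("\\" + ch if ch in _SPECIAL or leading or trailing else ch)
    return "".join(out)


def domain_to_dn(dns_name: str) -> str:
    """lanyi.com -> dc=lanyi,dc=com; rejects names that are not valid DNS names."""
    labels = dns_name.strip(".").split(".")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return ",".join(f"dc={label}" for label in labels)


def subtree_dn(dns_name: str, ou_path: List[str]) -> str:
    """ou_path lists OUs innermost first: ['works', 'sales'] means works sits under sales."""
    ous = ",".join(f"ou={escape_dn_value(ou)}" for ou in ou_path)
    return f"{ous},{domain_to_dn(dns_name)}" if ous else domain_to_dn(dns_name)


def ntdsutil_script(dns_name: str, ou_path: Optional[List[str]] = None) -> List[str]:
    """Commands to type into Ntdsutil: the whole database when no OU is given, else one subtree.

    'authoritative restore' enters a submenu, so one quit returns to the main prompt
    and a second quit leaves the tool.
    """
    target = "database" if not ou_path else f"subtree {subtree_dn(dns_name, ou_path)}"
    return ["authoritative restore", f"restore {target}", "quit", "quit"]


if __name__ == "__main__":
    # Constructed sample matching the article: domain lanyi.com, OU works.
    print("\n".join(ntdsutil_script("lanyi.com", ["works"])))
```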
Note: Managing and using Active Directory is beyond the scope of this article; readers can refer to the relevant books.