Objective
This walkthrough creates the first domain of a new forest. A Windows Server is installed first and then promoted to a domain controller; a second domain controller, a member server, and a domain-joined Windows 8 computer are then added.
Environment
Network 192.168.100.0/24 (subnet mask 255.255.255.0), gateway 192.168.100.2
Domain contoso.com
DC1 192.168.100.11/24
DC2 192.168.100.12/24
Server 192.168.100.13/24
PC1 192.168.100.14/24
Prerequisites for creating a domain
- DNS domain name: first choose a DNS-compliant domain name, such as contoso.com.
- DNS server: the domain controller registers itself in DNS, and other computers locate it through DNS, so an AD-capable DNS server that supports dynamic updates is required. If there is no DNS server yet, the promotion wizard can install the DNS server role on the domain controller itself.
Note: AD requires a SYSVOL folder for domain-wide shared files (for example Group Policy files). It must reside on an NTFS volume; by default it is created on the system volume, but placing it on a separate partition is recommended for performance.
Create the first domain controller in the network
Change the computer name and IP address
Set the static IP address first and point the preferred DNS server at the machine itself. Then rename the computer to DC1; after promotion the full name becomes dc1.contoso.com automatically.
Install the AD DS role
Select the server
Select Active Directory Domain Services
Promote this server to a domain controller
Add a new forest
The forest root domain name should not be the same as the DNS name used by externally facing servers. If the public web site is http://www.contoso.com, the internal forest root domain should not be contoso.com, otherwise name resolution conflicts (split DNS) may arise later.
- Select the forest functional level and domain functional level.
Here we choose Windows Server 2012. With a Windows Server 2012 forest functional level the domain functional level can only be Windows Server 2012, because the domain level cannot be lower than the forest level; if you choose a lower forest functional level, you can also select a different domain functional level.
- A DNS server is installed on this server by default.
- The first domain controller must be a global catalog server.
- The first domain controller cannot be a read-only domain controller (RODC); RODC is a feature introduced in Windows Server 2008.
- Set the Directory Services Restore Mode (DSRM) password.
Directory Services Restore Mode is a safe-mode boot used to repair the AD database; this password is required to log on in that mode. Keep it different from the domain Administrator password and store it securely, since anyone holding it can boot the DC into DSRM and read the AD database offline.
This warning can be ignored.
The system automatically generates a NetBIOS name, which can be changed.
Legacy systems that do not support DNS domain names, such as Windows 98 and Windows NT, communicate using the NetBIOS name.
- Database folder: stores the AD database.
- Log files folder: stores the record of AD changes, which can be used to repair the AD database.
- SYSVOL folder: stores the domain's shared files (for example Group Policy).
If the computer has more than one hard disk, it is recommended to put the database and log folders on different disks: two disks improve performance, and keeping them separate avoids losing both copies of the data at the same time, improving the ability to repair AD. (The author's view: with RAID this separation is no longer needed, though separating them from the operating system partition still makes sense.)
If the prerequisites check passes, proceed with the installation.
After installation completes, the server reboots.
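The same promotion done from PowerShell instead of the wizard. This is an added example, not code from the original page; it uses the lab values from the Environment section, and the interface alias "Ethernet" and the default NTDS/SYSVOL paths are assumptions.

```powershell
# Added example: build DC1 from the command line (run as local Administrator on the new server).
# Assumptions: NIC alias 'Ethernet', addresses from the Environment section, default AD DS paths.
$Ip      = '192.168.100.11'
$Gateway = '192.168.100.2'
$Nic     = 'Ethernet'

# 1. Static IP with DNS pointing at itself; DC1 will host the contoso.com zone.
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $Ip -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Ip

# 2. Rename to DC1 and reboot; the suffix .contoso.com is added during promotion.
Rename-Computer -NewName 'DC1' -Restart

# ---- after the reboot ----

# 3. Install the AD DS role and its management tools (ADDSDeployment module included).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 4. DSRM password: keep it distinct from the domain Administrator password.
$dsrm = Read-Host -AsSecureString 'DSRM password'

# 5. Prerequisite check only, equivalent to the wizard's check page; makes no changes.
Test-ADDSForestInstallation -DomainName 'contoso.com' `
    -SafeModeAdministratorPassword $dsrm -InstallDns

# 6. Create the forest. Forest and domain level both Windows Server 2012, DNS installed,
#    global catalog is implicit for the first DC. The server reboots when finished.
Install-ADDSForest `
    -DomainName 'contoso.com' `
    -DomainNetbiosName 'CONTOSO' `
    -ForestMode 'Win2012' `
    -DomainMode 'Win2012' `
    -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force
```

The DNS delegation warning the wizard shows appears here as well and is harmless for a new, unreferenced forest root. Passing -DatabasePath and -LogPath pointing at a different disk is how the "separate disks" recommendation above is applied.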
Check that the records in the DNS server are complete
A domain controller registers its roles in the DNS server so that other computers can locate it through DNS. Therefore, first check whether these records exist in the DNS server. Log on with the domain administrator account Contoso\Administrator.
Check host records
Select Administrative Tools - DNS
By default there is a contoso.com zone, and the host (A) record shows that the domain controller dc1.contoso.com has correctly registered its hostname and IP address in the DNS server.
If the domain controller has registered its roles correctly, there are also subfolders such as _tcp and _udp. Clicking the _tcp folder shows an _ldap record of type service location (SRV), indicating that dc1.contoso.com is registered as a domain controller. The _gc record shows that dc1.contoso.com also serves as the global catalog.
Troubleshooting registration failures
If a domain member is misconfigured or a network problem occurs, its records cannot be registered in the DNS server.
If a member computer has not registered its IP address correctly, run ipconfig /registerdns on that machine to register manually. Afterwards check the DNS server for the record, for example that the contoso.com zone contains an A record for server.contoso.com with IP address 192.168.100.13.
If a domain controller has not registered its roles with the DNS server, that is, no _tcp folder and SRV records are found, restart the Netlogon service on that domain controller.
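The same checks and repairs as commands, so they can be repeated after every DC or member change. Added example, not from the original page; the DNS server address 192.168.100.11 comes from the Environment section, and the Get-DnsServerResourceRecord line assumes the DNS server tools are installed on the machine it runs on.

```powershell
# Added example: verify DC registration in DNS, then the two repair actions from the text.
$Domain = 'contoso.com'
$Dns    = '192.168.100.11'   # DC1, which hosts the zone

# Host (A) record of the domain controller
Resolve-DnsName -Name "dc1.$Domain" -Type A -Server $Dns

# SRV records clients use to find a domain controller, a global catalog and Kerberos:
# these are the "_ldap" and "_gc" entries under the _tcp folder in the DNS console.
Resolve-DnsName -Name "_ldap._tcp.$Domain"           -Type SRV -Server $Dns
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dns
Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$Domain" -Type SRV -Server $Dns
Resolve-DnsName -Name "_kerberos._tcp.$Domain"       -Type SRV -Server $Dns

# Same view from the server side: every SRV record in the forest-wide _msdcs zone
# (requires the DNS Server tools; run on DC1 or a host with RSAT-DNS-Server)
Get-DnsServerResourceRecord -ZoneName "_msdcs.$Domain" -RRType Srv |
    Select-Object HostName, @{ n = 'Target'; e = { $_.RecordData.DomainName } }

# DC locator test: which DC (and GC) Netlogon would choose for this client
nltest /dsgetdc:$Domain /gc

# Member computer whose A record is missing: re-register it
ipconfig /registerdns
# Check the record arrived (the IP is the member server from the Environment section)
Resolve-DnsName -Name "server.$Domain" -Type A -Server $Dns   # expect 192.168.100.13

# Domain controller whose SRV records are missing: Netlogon registers them on start
Restart-Service Netlogon

# Full DNS health test for a domain controller (run on the DC itself)
dcdiag /test:dns
```

If Resolve-DnsName returns records but nltest does not find a DC, the problem is usually on the client side (its DNS server setting does not point at DC1), which is the check the text recommends for domain-join errors as well.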
Creating additional domain controllers
Having more than one domain controller in a domain brings the following benefits:
- Faster user logon: multiple domain controllers share the load of authenticating users (account and password), making logons more efficient.
- Fault tolerance: if one domain controller fails, another working domain controller can continue to provide domain services.
We now promote dc2.contoso.com to a domain controller.
First rename the computer and set its IP address, with the preferred DNS server pointing at DC1.
The following steps are the same as the previous installation.
The difference is here: choose to add a domain controller to an existing domain, enter the domain name contoso.com, and supply the credentials of an account with permission to add domain controllers, contoso\administrator.
Only members of Enterprise Admins and Domain Admins have permission to create additional domain controllers.
Select replication from another domain controller.
After installation completes the machine restarts; then check the DNS records again.
Change the DNS settings
On DC1 and DC2, set the preferred DNS server to point at the other domain controller, with the alternate DNS server pointing at itself, so that each still resolves names if the other is down.
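Promoting DC2 and cross-pointing the DNS settings from PowerShell. Added example, not from the original page; addresses come from the Environment section, the NIC alias "Ethernet" is an assumption, and the credential prompt expects the contoso\administrator account named in the text.

```powershell
# Added example: DC2 joins the existing domain as a second DC. Run on DC2 as local Administrator.
$Nic = 'Ethernet'

# 1. Addressing: static IP, DNS pointed at DC1 so the DC locator can find the domain.
New-NetIPAddress -InterfaceAlias $Nic -IPAddress '192.168.100.12' -PrefixLength 24 -DefaultGateway '192.168.100.2'
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses '192.168.100.11'
Rename-Computer -NewName 'DC2' -Restart

# ---- after the reboot ----
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 2. Credentials of a Domain Admins / Enterprise Admins member, and DC2's own DSRM password.
$cred = Get-Credential 'CONTOSO\Administrator'
$dsrm = Read-Host -AsSecureString 'DSRM password for DC2'

# 3. Prerequisite check, then promotion, replicating the directory from DC1.
Test-ADDSDomainControllerInstallation -DomainName 'contoso.com' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns
Install-ADDSDomainController -DomainName 'contoso.com' -Credential $cred `
    -InstallDns -ReplicationSourceDC 'dc1.contoso.com' `
    -SafeModeAdministratorPassword $dsrm -Force        # reboots when done

# ---- after the reboot: cross-point DNS ----
# On DC2: prefer DC1, fall back to itself.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses '192.168.100.11', '127.0.0.1'
# On DC1 (run there, or remotely):
Invoke-Command -ComputerName 'dc1.contoso.com' -Credential $cred -ScriptBlock {
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.100.12', '127.0.0.1'
}

# 4. Verify: both DCs listed, both global catalogs, and replication healthy.
Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog, Site
repadmin /showrepl dc2.contoso.com
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.contoso.com' -Type SRV   # expect both DCs
```

Invoke-Command to DC1 requires PowerShell remoting, which is enabled by default on Windows Server 2012; if it is not, run the DC1 line locally on DC1.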
Joining a Windows computer to a domain and removing it
After a Windows computer joins the domain, it can access the AD database and other domain resources. Computers that can be joined to the domain include:
Windows Server 2012
Windows Server 2008 (R2)
Windows Server 2003 (R2)
Windows 8
Windows 7
Windows Vista
Windows XP
Join a Windows computer to the domain
We will join the computer server.contoso.com to the domain.
Change the computer name and IP address first.
Enter the domain name and the name and password of a domain account.
If an error occurs, check that the computer's DNS setting points at a domain controller.
Once completed we can log on to this server with a domain account.
The domain name is automatically appended to the computer name.
Leaving the domain
Switch to a workgroup and click OK.
AD management tools on member computers
Sometimes an administrator delegates management of the accounts of a department to that department's own staff. Since they are not allowed to log on to a domain controller, the AD management tools must be installed on their own computers.
Windows Server 2012
Add Features, then Remote Server Administration Tools.
Windows 8 and Windows 7
Download Remote Server Administration Tools for Windows 8 or Windows 7 from the Microsoft website.
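The join, the post-join checks, the RSAT installation and the leave step as commands, covering both the "Join a Windows computer to the domain" and the "AD management tools on member computers" sections. Added example, not from the original page; the NIC alias "Ethernet" is an assumption, the rest of the values come from the Environment section.

```powershell
# Added example: join server.contoso.com (192.168.100.13) to the domain. Run as local Administrator.
$Nic = 'Ethernet'

# 1. Addressing; DNS must point at the domain controllers or the join fails.
New-NetIPAddress -InterfaceAlias $Nic -IPAddress '192.168.100.13' -PrefixLength 24 -DefaultGateway '192.168.100.2'
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses '192.168.100.11', '192.168.100.12'

# 2. The check the text recommends on a join error: can this machine locate a DC through DNS?
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.contoso.com' -Type SRV
nltest /dsgetdc:contoso.com

# 3. Join with a domain account, renaming in the same step; the DNS suffix is appended automatically.
$cred = Get-Credential 'CONTOSO\Administrator'
Add-Computer -DomainName 'contoso.com' -NewName 'SERVER' -Credential $cred -Restart -Force

# ---- after the reboot, logged on with a domain account ----

# 4. Verify the computer account and its secure channel to a DC.
Test-ComputerSecureChannel -Verbose
Get-ADComputer -Identity 'SERVER' | Select-Object DNSHostName, Enabled     # needs RSAT (next step)

# 5. AD management tools on a Windows Server 2012 member (the "Add Features" step);
#    GPMC is the Group Policy Management Console used later in this article.
Install-WindowsFeature RSAT-AD-Tools, GPMC

# 6. Leave the domain: switch back to a workgroup (the Remove-Computer equivalent of
#    "just enter the workgroup and click OK").
Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Restart -Force
```

On a Windows 8 client the Add-Computer and Remove-Computer lines are the same; only the RSAT step differs, because the client package is a separate download rather than a feature.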
Create an organizational unit and a domain user account
A user account can be created in any container or organizational unit (OU). Create the OU for the business unit first, then create the user.
Create an organizational unit
Open Active Directory Administrative Center
Enter a name
Create a user
Business Unit - New user
- User UPN logon: the user can log on to the domain with a name in e-mail format ([email protected]), known as the user principal name (UPN). This name must be unique within the forest.
- User name (sAMAccountName) logon: the user can also log on as Contoso\wang, where Contoso is the NetBIOS name of the domain and wang is the account name. This name must be unique within the domain. Legacy systems such as Windows NT and Windows 98 do not support UPNs, so only this form can be used when logging on from those computers.
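The OU and user created from PowerShell, with the two uniqueness rules from the bullets checked before the account is created. Added example, not code from the original page; the OU name "Business Unit" is an assumption (the text only calls it the business unit OU), and the global catalog query uses dc1.contoso.com.

```powershell
# Added example: create the business-unit OU and the user wang ([email protected], CONTOSO\wang).
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName     # DC=contoso,DC=com
$ouName   = 'Business Unit'                      # assumed OU name
$ouDn     = "OU=$ouName,$domainDn"

# 1. OU, protected from accidental deletion (the same checkbox the wizard sets by default)
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Uniqueness checks. sAMAccountName is unique per domain, so a query to any DC of
#    this domain is enough. The UPN is unique per forest, so query a global catalog
#    (port 3268), which holds a partial replica of every domain in the forest.
$sam = 'wang'
$upn = "$sam@contoso.com"
if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
    throw "$sam already exists in this domain"
}
if (Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Server 'dc1.contoso.com:3268') {
    throw "$upn already exists somewhere in the forest"
}

# 3. The account: initial password set interactively, user must change it at first logon.
$pw = Read-Host -AsSecureString "Initial password for $sam"
New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName $upn -Path $ouDn `
    -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true

# 4. Both logon names as AD stored them
Get-ADUser -Identity $sam -Properties CanonicalName |
    Select-Object SamAccountName, UserPrincipalName, CanonicalName
```

The sAMAccountName check is limited to 20 characters and is what Windows NT-era clients send, which is why the text says only that form works there; the UPN check must go through a global catalog because a plain domain query would not see a duplicate UPN in another domain of the forest.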
Log on to the domain with the new account
We log on to the domain in two ways.
Log on to a domain controller with the new user account
Apart from members of a few groups such as Domain Admins, ordinary domain accounts cannot log on to a domain controller by default unless that right is explicitly granted.
Grant the user the right to log on to the domain controller
An ordinary user must hold the "Allow log on locally" right on the domain controller before they can log on there. This right can be granted through Group Policy. Note that this widens the attack surface of the domain controller; it is acceptable in a lab, but in production ordinary users should manage AD from a member computer with the administration tools instead.
Administrative Tools - Group Policy Management
Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on locally, then add the users or groups to the list.
After the Group Policy change is made it must be applied on the domain controller to take effect. There are three ways:
- Restart the domain controller.
- Wait: the domain controller applies the policy automatically, which may take 5 minutes or longer.
- Apply manually: run gpupdate or gpupdate /force on the domain controller.
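A way to see who actually holds "Allow log on locally" on the domain controller before and after the policy refresh. User rights have no dedicated cmdlet, so this added example (not from the original page) exports the effective security policy with secedit and decodes the privilege line; the temporary file path is an assumption, and the function name is illustrative.

```powershell
# Added example: list the accounts that currently hold "Allow log on locally" (the
# SeInteractiveLogonRight privilege) on this machine, then force the GPO refresh and compare.
function Get-InteractiveLogonRight {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'     # assumed scratch location
    # Export only the user-rights area of the effective local security policy
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    # Line looks like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,CONTOSO\wang
    ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes well-known principals as SIDs prefixed with '*'; translate to names
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else {
            $entry
        }
    }
}

'Before refresh:'
Get-InteractiveLogonRight

# Apply the Group Policy change now instead of waiting for the refresh interval
gpupdate /target:computer /force | Out-Null

'After refresh:'
Get-InteractiveLogonRight
```

On a freshly built domain controller the list is Administrators, Account Operators, Backup Operators, Print Operators and Server Operators; any extra name after the refresh is exactly what the GPO granted. Run the same function periodically: an unexpected principal here is a classic sign of someone quietly widening their access to a DC.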
Environments with multiple domain controllers
If there is more than one domain controller in the domain, security settings configured in Group Policy are first written to the domain controller that holds the PDC Emulator operations master role, which by default is the first domain controller.
Active Directory Users and Computers - right-click contoso.com - Operations Masters
The other domain controllers apply these settings only after they have been replicated from the PDC Emulator to them. There are two cases:
- Automatic replication: by default the PDC Emulator notifies its partners of changes after 15 seconds, so the other domain controllers may need to wait 15 seconds or longer before they receive the setting.
- Manual replication: on any domain controller open Active Directory Sites and Services - Sites - Default-First-Site-Name - Servers, click the domain controller that should receive the settings - NTDS Settings, then right-click the connection object and choose Replicate Now. If DC1 is the operations master, DC2 is the domain controller that needs to receive.
Group Policy settings are stored first on the PDC Emulator, but changes to Active Directory user accounts or other objects are first written on the domain controller the console is connected to, and the system replicates those changes to the other domain controllers after 15 seconds by default.
To see which domain controller you are currently connected to, hover the mouse over Contoso in the Active Directory Administrative Center; to connect to another domain controller, click Change Domain Controller.
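Watching the replication the paragraph describes, and triggering the "Replicate Now" step from the command line. Added example, not from the original page; the user wang and the DC names come from the text, and the Description value written for the test is arbitrary.

```powershell
# Added example: observe change latency between DC1 and DC2 and force replication.
Import-Module ActiveDirectory

# Which DC holds the PDC Emulator (where Group Policy edits are written first)
(Get-ADDomain).PDCEmulator

# 1. Write a change on DC1 only, then read it back from DC2 immediately.
Set-ADUser -Identity wang -Server 'dc1.contoso.com' -Description 'replication test'
Get-ADUser -Identity wang -Server 'dc2.contoso.com' -Properties Description |
    Select-Object Description          # empty until the change has replicated

# 2. Command-line equivalent of "Replicate Now" on DC2's connection from DC1:
#    pull the domain partition from DC1 (source) into DC2 (destination).
repadmin /replicate dc2.contoso.com dc1.contoso.com 'DC=contoso,DC=com'

# Or all partitions from all partners, across sites, push mode:
# repadmin /syncall dc2.contoso.com /AdeP

Get-ADUser -Identity wang -Server 'dc2.contoso.com' -Properties Description |
    Select-Object Description          # now shows 'replication test'

# 3. Replication health for DC2: last success/failure per partner and partition
Get-ADReplicationPartnerMetadata -Target 'dc2.contoso.com' |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult
Get-ADReplicationFailure -Scope Domain -Target 'contoso.com'

# Clean up the test value
Set-ADUser -Identity wang -Server 'dc1.contoso.com' -Clear Description
```

The -Server parameter is what makes the experiment meaningful: without it the cmdlets pick a domain controller for you, which is the same "which DC am I connected to" question the Administrative Center answers when you hover over the domain name.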
Domain user personal data
Each domain user account has related attributes, such as address and telephone numbers, that domain users can use to search for people in Active Directory, so the more complete the data, the better.
Restrict logon hours and the computers a user may log on to
We can restrict the hours during which a user may log on to the domain and the computers from which they may do so.
For example, a user can be allowed to log on only during normal working hours.
By default a user can log on to any member computer that is not a domain controller, but you can restrict the user to specific computers. Here we restrict the user so that they can only log on to the computer named Server.
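The two restrictions set on the user wang from PowerShell, including how the logonHours bitmap is built. Added example, not from the original page; the weekday 08:00-17:59 window is an assumption standing in for "normal working hours", and the helper function name is illustrative.

```powershell
# Added example: limit wang to weekday working hours and to the computer SERVER.
Import-Module ActiveDirectory

# logonHours is a 21-byte bitmap: 168 bits, one per hour of the week, starting at
# Sunday 00:00, least-significant bit first within each byte. AD interprets the bits
# in UTC; the GUI converts to local time for display, this script does not, so
# shift StartHour/EndHour by the site's UTC offset if it is not UTC.
function New-LogonHoursBitmap {
    param(
        [int[]]$Days,      # 0 = Sunday ... 6 = Saturday
        [int]$StartHour,   # first permitted hour (inclusive)
        [int]$EndHour      # first hour after the window (exclusive)
    )
    $bitmap = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit = $day * 24 + $hour
            $bitmap[$bit -shr 3] = $bitmap[$bit -shr 3] -bor (1 -shl ($bit -band 7))
        }
    }
    return ,$bitmap
}

# Monday to Friday, 08:00 to 17:59 (assumed working hours)
$hours = New-LogonHoursBitmap -Days 1, 2, 3, 4, 5 -StartHour 8 -EndHour 18
Set-ADUser -Identity wang -Replace @{ logonHours = $hours }

# Only the computer SERVER (NetBIOS names, comma-separated for several)
Set-ADUser -Identity wang -LogonWorkstations 'SERVER'

# Read both back and decode the bitmap to confirm what was written
$u    = Get-ADUser -Identity wang -Properties logonHours, LogonWorkstations
$bits = $u.logonHours
"Workstations: $($u.LogonWorkstations)"
for ($day = 0; $day -lt 7; $day++) {
    $allowed = 0..23 | Where-Object {
        $b = $day * 24 + $_
        ($bits[$b -shr 3] -band (1 -shl ($b -band 7))) -ne 0
    }
    '{0}: {1}' -f ([System.DayOfWeek]$day), ($allowed -join ',')
}
```

Both attributes are enforced by the domain controller at authentication time. LogonWorkstations matches the workstation name the client presents, so it is a policy control that keeps users on their assigned machines, not a boundary against an attacker who already holds the password and can choose a machine name.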
Active Directory Lightweight Directory Services
To let directory-enabled applications use directory services in environments without a domain, Windows Server 2012 provides Active Directory Lightweight Directory Services (AD LDS), which lets you run several independent directory services on one computer. Each is called an AD LDS instance, and each instance has its own configuration, schema, and database.
Active Directory Recycle Bin
In older versions of the operating system, if an administrator accidentally deleted an AD object, the domain controller had to be restarted into Directory Services Restore Mode to recover it. That is cumbersome, and the domain controller cannot serve the domain while it is in restore mode.
Windows Server 2008 R2 introduced the AD Recycle Bin, which lets administrators recover deleted objects without entering Directory Services Restore Mode, but it was not very convenient to use because it required complex commands and steps.
The AD Recycle Bin in Windows Server 2012 is further improved with an easy-to-use graphical management tool.
To enable the AD Recycle Bin, the forest functional level must be Windows Server 2008 R2 or higher. Note that once the Recycle Bin is enabled it cannot be disabled, so the forest functional level can no longer be lowered afterwards.
Enable the Active Directory Recycle Bin
Open Active Directory Administrative Center, click the domain name Contoso on the left, then click Enable Recycle Bin on the right.
An error occurs.
Because the domain has several domain controllers, the AD Recycle Bin becomes fully functional only after the setting has replicated to all of them. (For this experiment, to save resources, the second domain controller had been left powered off.)
Power on the second domain controller, replicate the settings again, and enable the Recycle Bin.
Delete an organizational unit
Try to delete the business unit OU; the Protect object from accidental deletion option must be cleared first.
Uncheck the box to protect the object from accidental deletion.
Then delete the business unit OU.
Restore the organizational unit
Next, recover the OU through the Recycle Bin: double-click Deleted Objects.
Select the organizational unit you want to recover and click Restore.
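The whole Recycle Bin sequence from PowerShell: the prerequisite and reachability checks that the failed first attempt above calls for, enabling, deleting the OU, and restoring it in the right order. Added example, not from the original page; the OU name "Business Unit" is an assumption.

```powershell
# Added example: enable the AD Recycle Bin, delete the business-unit OU, restore it with its contents.
Import-Module ActiveDirectory
$domainDn = 'DC=contoso,DC=com'
$ouDn     = "OU=Business Unit,$domainDn"     # assumed OU name

# Prerequisite: forest functional level Windows2008R2Forest or higher
(Get-ADForest).ForestMode

# The setting must replicate to every DC, so confirm all of them are reachable first
# (the error in the text came from a powered-off second DC).
Get-ADDomainController -Filter * | ForEach-Object {
    '{0}: reachable={1}' -f $_.HostName, (Test-Connection -ComputerName $_.HostName -Count 1 -Quiet)
}

# Enable the Recycle Bin. This is irreversible.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target 'contoso.com' -Confirm:$false
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes

# Delete the OU: clear the protection flag on it and on any protected child, then remove.
Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
Get-ADObject -SearchBase $ouDn -SearchScope Subtree -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object ProtectedFromAccidentalDeletion |
    Set-ADObject -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDn -Recursive -Confirm:$false

# Restore. A deleted object is renamed "<name>\0ADEL:<guid>" and moved to Deleted Objects,
# and its children's lastKnownParent points at that new DN. Restore the parent OU first,
# then everything whose last known parent was the deleted OU.
$deletedOu = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and lastKnownParent -eq $domainDn -and name -like "Business Unit*"'
$deletedOuDn = $deletedOu.DistinguishedName
Restore-ADObject -Identity $deletedOu.ObjectGUID
Get-ADObject -IncludeDeletedObjects -Filter 'isDeleted -eq $true -and lastKnownParent -eq $deletedOuDn' |
    Restore-ADObject

# Confirm the users are back, with their SIDs and group memberships intact
Get-ADUser -Filter * -SearchBase $ouDn | Select-Object Name, Enabled, SID
```

Because the Recycle Bin keeps every attribute, the restored user keeps the same SID and group memberships, which is the difference from recreating an account by hand. Deleted objects are kept for the forest's deleted-object lifetime (180 days by default), after which they can no longer be restored this way.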
Removing domain controllers and domains
A domain controller is removed by demoting it, that is, by removing Active Directory from the domain controller. Note the following before demoting:
- If other domain controllers exist in the domain, the server is demoted to a member server of that domain.
- If this domain controller is the last domain controller in the domain, the domain is deleted and the server becomes a standalone server.
Note: it is recommended to remove the member server server.contoso.com from the domain first, because after the domain is deleted the server's domain account can no longer log on to the domain (the member server can still be detached from the domain afterwards).
You must be a member of the Enterprise Admins group to delete the last domain controller in a domain. If there are child domains below this domain, delete the child domains first.
- If this domain controller is a global catalog server, check whether another global catalog server exists in its site; if not, make another domain controller a global catalog server, otherwise user logons will be affected. Active Directory Sites and Services - Sites - Default-First-Site-Name - Servers - NTDS Settings, right-click - Properties - check Global Catalog.
- If the domain controller being removed is the last domain controller in the forest, the forest is removed with it. Only members of the Enterprise Admins group have permission to remove this domain controller from the forest.
Steps to remove a domain controller:
Uncheck the check box for the AD DS role.
Demote first.
Select an account with the required permissions.
If the domain controller cannot be demoted normally because of a failure (for example, it must contact another domain controller during removal but cannot), check Force the removal of this domain controller.
Enter the local Administrator password the server will have after demotion.
The server restarts after demotion; log back on.
Although the server is no longer a domain controller, the AD DS role component is still installed; continue by removing it.
Remove the last domain controller
When no other domain controllers remain in the domain, there is one additional option: Last domain controller in the domain.
Remove DNS zones and application partitions.
Remove the administration tools when finished.
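The pre-demotion checks and the demotion itself as commands, covering the normal case, the forced-removal case and the last-DC case described above. Added example, not from the original page; it assumes DC2 is the server being demoted and DC1 remains, and the site name Default-First-Site-Name is the lab default.

```powershell
# Added example: remove DC2 from the domain safely. Run on DC2 as CONTOSO\Administrator.
Import-Module ActiveDirectory

# 1. Pre-checks: global catalogs and operations master roles per DC.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles

# If DC1 is not a global catalog, make it one: this is the "Global Catalog" checkbox on
# the NTDS Settings object (bit 0 of the options attribute).
$dc1 = Get-ADDomainController -Identity 'dc1.contoso.com'
if (-not $dc1.IsGlobalCatalog) {
    Set-ADObject -Identity $dc1.NTDSSettingsObjectDN -Replace @{ options = 1 }
}

# Any operations master role still on DC2 must move to DC1 before demotion.
$dc2 = Get-ADDomainController -Identity 'dc2.contoso.com'
if ($dc2.OperationMasterRoles) {
    Move-ADDirectoryServerOperationMasterRole -Identity 'dc1.contoso.com' `
        -OperationMasterRole $dc2.OperationMasterRoles -Confirm:$false
}

# 2. Demote. The password becomes the local Administrator password after demotion.
$localPw = Read-Host -AsSecureString 'Local Administrator password after demotion'
Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localPw
Uninstall-ADDSDomainController -LocalAdministratorPassword $localPw -Force   # reboots

# 2a. If DC2 cannot reach another DC, force the removal instead, then clean its metadata
#     from a surviving DC so the other DCs stop trying to replicate with it:
# Uninstall-ADDSDomainController -LocalAdministratorPassword $localPw -ForceRemoval -Force
# On DC1 afterwards:
# ntdsutil "metadata cleanup" "remove selected server CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com" quit quit

# 2b. If this were the last DC in the domain (deletes the domain, Enterprise Admins only):
# Uninstall-ADDSDomainController -LocalAdministratorPassword $localPw `
#     -LastDomainControllerInDomain -RemoveApplicationPartitions -RemoveDnsDelegation -Force

# ---- after the reboot, logged on as the local Administrator ----

# 3. The role binaries remain installed; remove them and the management tools.
Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools -Restart

# 4. From DC1: confirm DC2 is gone from AD and from DNS.
# Get-ADDomainController -Filter * | Select-Object HostName
# Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.contoso.com' -Type SRV -Server 192.168.100.11
```

Skipping the metadata cleanup after a forced removal leaves a phantom DC behind: the remaining domain controllers keep trying to replicate with it and log errors, and a stale NTDS Settings object is also an easy place for an attacker to register a rogue replica, so treat step 2a's cleanup as mandatory.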