Windows Server 2008 R2: Create the AD DS domain service (illustrated)

Source: Internet
Author: User
Tags: ldap, ldap protocol, ad server, domain server, nslookup, strong password

Contents

    • Contents
    • Active Directory Concepts
    • Create the first AD domain controller
      • Building a DNS server
      • Creating an AD domain controller with the Windows GUI
      • The relationship between AD and LDAP
      • Creating an AD DS domain controller with PowerShell
      • Checking that the AD DS domain controller installed successfully
      • Management tools
    • Create an additional domain controller
      • Installing an additional domain controller with the Windows GUI
      • Installing additional domain controllers with a PowerShell script

Active Directory Concepts

AD (Active Directory) is a way of organizing information about resources so that, even in a very large data set, the matching entries can be found quickly and efficiently through a heading or search term. The protocol that supports this kind of information retrieval is LDAP.

AD domain: to avoid the administrative burden of one huge set of account data, the account data is divided into domains, and each domain is managed separately. An AD domain is normally tied to a DNS domain name.

AD DS (Active Directory Domain Services) is the directory service provided by the WIN08R2 server and is implemented by an AD domain controller. It applies AD's information-retrieval model to handle large volumes of account data quickly and efficiently, giving the enterprise centralized management of employee accounts and enabling single sign-on with access to many resources. Because AD DS manages so much account information, it needs a database behind the service; that database is the AD database held on the AD domain controller.

AD domain controller: the AD domain controller holds the AD database, which stores the account data of the AD domain and supports modifying and deleting that data. The domain controller also provides the AD DS service, so installing an AD domain controller is equivalent to creating the AD DS domain service.

Note: the main benefits of an AD server are:
1. Centralized management of accounts, applications and other computer resources.
2. A domain account provides a single sign-on, including for remote logon.

AD-to-DNS relationship: a domain controller must register itself with a DNS server so that other computers can locate the domain controller through DNS name resolution when their logon information needs to be validated, and that DNS server should support dynamic updates. The AD service therefore depends on the DNS service; alternatively, the hosts file can be edited to provide the same name resolution.

Create the first AD domain controller

Preparatory work:
1. Choose a DNS domain name: jmilk.com
2. Prepare a DNS server that supports AD DS:

    • supports dynamic updates
    • supports zone transfers
    • fast zone transfer turned off, because some DNS servers do not support this feature

Building a DNS server

When the AD DS server role is deployed, the DNS server role is installed on the same server automatically, and the system creates a zone in the DNS server that supports AD DS. Secure dynamic updates are enabled on that zone automatically.
For the specific DNS installation and usage steps, see the separate DNS article (linked from the original page).

Because this is the first domain controller, promoting the server performs the following actions:

    • Create a new forest
    • Create a new domain tree
    • Create a domain in the new domain tree
    • Create the first domain controller in that domain
      • Domain tree: a domain tree contains several AD domains. All AD domains in the tree share one AD database, but each domain stores only the data that belongs to it.
      • Forest: a forest is made up of several domain trees. When the forest is created, two-way transitive trusts are established between its domains, so any user in the forest can, given the appropriate permissions, access resources anywhere in the forest and log on to any computer in it.
      • Trust: a trust relationship must exist between two AD domains before the users of one can access resources in the other. When a new domain joins a domain tree, a two-way transitive trust with all domains in the tree is created automatically; once the new domain's users are granted the appropriate permissions, they can access resources in the other domains.

Creating an AD domain controller with the Windows GUI

Step 1: In Server Manager, add the Active Directory Domain Services role to install the required software.

Step 2: Click Run the Active Directory Domain Services Installation Wizard to start installing AD DS.

Step 3: Select Use advanced mode installation and click Next.

Step 4: Choose Create a new domain in a new forest.

Step 5: Enter the FQDN of the new domain; this is normally the DNS domain name. Here I enter jmilk.com, the second-level domain that already exists in the DNS server. This domain also becomes the root domain of the forest.

Step 6: The wizard asks for a NetBIOS-format domain name so that older systems can reach the domain over NetBIOS. The name is not case-sensitive.

Step 7: Select Windows Server 2008 R2 as the forest functional level.

Step 8: If DNS is already installed on the server, go straight to the next step; otherwise the DNS server is installed here. The first domain controller also becomes a global catalog server.

    • Global catalog: all AD domains in a domain tree share one AD database, but the data is spread across the domains and each domain stores only its own, which makes finding resources that belong to another domain inconvenient. The global catalog exists to avoid this problem: it stores a subset of the attributes of the accounts in every AD domain of the forest, typically the attributes used to search for an object, such as the account name, UPN and telephone number. With a global catalog, resources in other domains can be found quickly regardless of the domain the user belongs to.

Step 9: Select the folder in which the AD database is stored.

Step 10: Set the Directory Services Restore Mode administrator password (use a strong password). It is needed to start the domain controller in safe mode, where the AD database can be repaired.

Step 11: Click Next until the wizard finishes and restarts the server. The AD DS domain controller installation is then complete. After the domain controller is installed, the server's local user accounts are moved into the AD database automatically.

Note: if the DNS service was installed before the AD DS domain controller, the DNS domain must be integrated with AD DS.

This associates the AD DS domain controller with the DNS domain.

The relationship between AD and LDAP

LDAP is the directory service protocol used to access the AD database. AD DS expresses the location of an object in the AD database as an LDAP name path, and that path is what is used to reach the object. An LDAP name path consists of a DN and RDNs.

1. DN (distinguished name): the full path of the object within the AD database. For example:

Lin Xiao Yang is a user account whose DN is CN=Lin Xiao Yang,OU=Business Group,OU=Business,DC=sayms,DC=com. DC is a component of the DNS domain name, OU is an organizational unit and CN is a common name.
The DN as a whole says that this user account is stored at the path sayms.com\Business\Business Group.

2. RDN (relative distinguished name): one component of the full DN path. In the DN above, CN=Lin Xiao Yang is the RDN.
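To make the DN and RDN structure concrete, here is an added PowerShell example (not code from the original article) that splits a DN into its RDNs following the RFC 4514 escaping rules and then derives the DNS domain and the container path described above. The function names Split-LdapDn and Resolve-AdPath are my own, and the second DN, with an escaped comma in the CN, is constructed for illustration.

```powershell
# Added example, not from the original article. Splits an LDAP DN into RDNs
# (RFC 4514: unescaped commas separate RDNs; a backslash escapes the next
# character or introduces a two-digit hex escape such as \2C for a comma) and
# derives the DNS domain and container path shown in the text above.
# Multi-valued RDNs joined with '+' are not handled.
function Split-LdapDn {
    param([Parameter(Mandatory = $true)][string]$Dn)

    $rdns    = New-Object System.Collections.ArrayList
    $current = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $Dn.Length) {
        $ch = $Dn[$i]
        if ($ch -eq '\' -and $i + 1 -lt $Dn.Length) {
            $hex = $null
            if ($i + 2 -lt $Dn.Length) { $hex = $Dn.Substring($i + 1, 2) }
            if ($hex -match '^[0-9A-Fa-f]{2}$') {
                # \XX hex escape: decode the byte value to a character
                [void]$current.Append([char][Convert]::ToInt32($hex, 16))
                $i += 3
            } else {
                # \, \+ \" \\ and similar: keep the escaped character literally
                [void]$current.Append($Dn[$i + 1])
                $i += 2
            }
            continue
        }
        if ($ch -eq ',') {
            # Unescaped comma ends the current RDN
            [void]$rdns.Add($current.ToString().Trim())
            $current = New-Object System.Text.StringBuilder
        } else {
            [void]$current.Append($ch)
        }
        $i++
    }
    [void]$rdns.Add($current.ToString().Trim())

    # Turn each "type=value" string into an object; attribute types are
    # case-insensitive, so normalize them to upper case.
    foreach ($rdn in $rdns) {
        $eq = $rdn.IndexOf('=')
        if ($eq -lt 1) { throw "Malformed RDN '$rdn' in DN '$Dn'" }
        New-Object PSObject -Property @{
            Type  = $rdn.Substring(0, $eq).Trim().ToUpper()
            Value = $rdn.Substring($eq + 1).Trim()
        }
    }
}

function Resolve-AdPath {
    param([Parameter(Mandatory = $true)][string]$Dn)

    $parts = @(Split-LdapDn -Dn $Dn)
    $leaf  = $parts[0]                      # the object's own RDN
    $dcs   = @($parts | Where-Object { $_.Type -eq 'DC' } | ForEach-Object { $_.Value })

    # Containers appear in the DN from the leaf outwards, so reverse them to
    # read root-first like a folder path.
    $containers = @()
    if ($parts.Count -gt 1) {
        $containers = @($parts[1..($parts.Count - 1)] |
                        Where-Object { $_.Type -ne 'DC' } |
                        ForEach-Object { $_.Value })
        [array]::Reverse($containers)
    }

    New-Object PSObject -Property @{
        Rdn       = ('{0}={1}' -f $leaf.Type, $leaf.Value)
        DnsDomain = ($dcs -join '.')
        Path      = ((@($dcs -join '.') + $containers) -join '\')
    }
}

# The DN from the article, plus a constructed DN with an escaped comma in the CN.
Resolve-AdPath 'CN=Lin Xiao Yang,OU=Business Group,OU=Business,DC=sayms,DC=com'
Resolve-AdPath 'CN=Smith\, John,OU=Sales,DC=example,DC=com'
```

Splitting on every comma would break the second DN apart in the middle of the name; tracking the backslash escape is what keeps "Smith, John" as one RDN value, which matters when DNs are used as keys in access control or audit logic.
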

Creating an AD DS domain controller with PowerShell

Create the PowerShell script file INSTALLADDSCONTROL.PS1 with the following content:

dcpromo /unattend /InstallDns:yes /newDomain:forest /replicaOrNewDomain:domain /newDomainDnsName:jmilk.com /DomainNetbiosName:JMILK /forestLevel:4 /domainLevel:4 /createDNSDelegation:no /databasePath:"%SystemRoot%\NTDS" /logPath:"%SystemRoot%\NTDS" /sysvolpath:"%SystemRoot%\SYSVOL" /safeModeAdminPassword:fanguiju383.com /rebootOnCompletion:yes

Note: Windows Server blocks the execution of PowerShell scripts by default for security reasons, so script execution has to be enabled manually. Run the following in PowerShell (the policy name is an assumption, as the original did not preserve it; RemoteSigned lets locally written scripts such as this one run while still requiring a signature on downloaded scripts):

Set-ExecutionPolicy RemoteSigned

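The script above stores the Directory Services Restore Mode password in clear text in a file on disk. As an added example (not the article's own script), the following PowerShell wrapper runs the same dcpromo switches but prompts for that password at run time instead; the domain names and paths are the article's values (jmilk.com, JMILK), and the use of $env:SystemRoot in place of %SystemRoot% is my choice because PowerShell does not expand cmd.exe-style variables.

```powershell
# Added example, not from the original article: run the article's dcpromo
# command without keeping the DSRM password in the .ps1 file. The password is
# read as a SecureString and the unmanaged copy is zeroed after conversion.
$secure = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $dsrmPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# Expand the Windows folder in PowerShell itself; %SystemRoot% is cmd.exe syntax.
$ntds   = Join-Path $env:SystemRoot 'NTDS'
$sysvol = Join-Path $env:SystemRoot 'SYSVOL'

# Same switches as the article's INSTALLADDSCONTROL.PS1, values from the article.
& dcpromo /unattend /InstallDns:yes /newDomain:forest /replicaOrNewDomain:domain `
    /newDomainDnsName:jmilk.com /DomainNetbiosName:JMILK `
    /forestLevel:4 /domainLevel:4 /createDNSDelegation:no `
    "/databasePath:$ntds" "/logPath:$ntds" "/sysvolpath:$sysvol" `
    "/safeModeAdminPassword:$dsrmPassword" /rebootOnCompletion:yes

Write-Host "dcpromo exit code: $LASTEXITCODE (see the dcpromo documentation for its meaning)"
$dsrmPassword = $null
```

This keeps the credential out of the script file and out of source control; dcpromo still receives it as a command-line argument, so run the script interactively on the server rather than from a remote job whose command lines are logged.
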
Checking that the AD DS domain controller installed successfully

Step 1: Check that the records in the DNS server are complete.
In the DNS zone jmilk.com, check that there is a host record for the server on which the AD DS domain controller was installed.

Step 2: Check the SRV records. If the domain controller registered with the DNS service successfully, the _tcp and _udp folders appear under the jmilk.com zone.

In the _tcp folder, the record of type Service Location (SRV) named _ldap shows that dns1.jmilk.com has registered as a domain controller. The _gc record shows that dns1.jmilk.com is a global catalog server.

Note: once these records exist in the DNS zone, every computer that joins the domain can use DNS resolution to locate the AD DS domain controller dns1.jmilk.com.

Using nslookup to check the SRV records:
If nslookup resolves _ldap._tcp.dc._msdcs.jmilk.com successfully, the domain controller has registered:

C:\users\administrator>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  ::1

> set type=srv
> _ldap._tcp.dc._msdcs.jmilk.com
Server:  UnKnown
Address:  ::1

_ldap._tcp.dc._msdcs.jmilk.com  SRV service location:
          priority       = 0
          weight         = -
          port           = 389
          svr hostname   = dns1.jmilk.com
dns1.jmilk.com  internet address = 192.168.1.

Check the AD database storage files:
1. Run: %systemroot%\NTDS

The ntds.dit file in that folder is the AD database file, and the .log files are its log files (file extensions are hidden by default).
2. Run: %systemroot%\sysvol
Check that the SYSVOL folder contains a sysvol subfolder for the domain; the SYSVOL folder and its subfolders must be shared folders. Use net share to list the shared folders:

C:\users\administrator>net share

Share name   Resource                                   Remark

-------------------------------------------------------------------------------
C$           C:\                                        Default share
IPC$                                                    Remote IPC
ADMIN$       C:\Windows                                 Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\jmilk.com\SCRIPTS Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol                   Logon server share

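The checks above can be scripted so they are repeatable after every promotion. The following PowerShell is an added example (not from the original article) that runs on the new domain controller and verifies the SRV records, the ntds.dit file and its logs, the SYSVOL domain folder and the SYSVOL/NETLOGON shares; the default domain and expected host name are assumptions taken from the article's values, and the script parses the output of nslookup because Windows Server 2008 R2 has no built-in SRV lookup cmdlet.

```powershell
# Added example, not from the original article: automated post-installation
# checks for a new AD DS domain controller. Defaults are the article's values.
param(
    [string]$Domain     = 'jmilk.com',
    [string]$ExpectedDc = 'dns1.jmilk.com'
)

$results = @()
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $Check; Passed = $Passed; Detail = $Detail
    }
}

# 1. DC locator SRV records: _ldap._tcp.dc._msdcs.<domain> must name the DC,
#    and _gc._tcp.<domain> must name it if it is a global catalog server.
foreach ($name in "_ldap._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain") {
    $out   = & nslookup -type=SRV $name 2>&1 | Out-String
    $hosts = @([regex]::Matches($out, '(?i)svr hostname\s*=\s*(\S+)') |
               ForEach-Object { $_.Groups[1].Value.TrimEnd('.') })
    Add-Result "SRV $name" ($hosts -contains $ExpectedDc) ('hosts: ' + ($hosts -join ', '))
}

# 2. AD database (ntds.dit) and its transaction logs under %SystemRoot%\NTDS.
$ntdsDir = Join-Path $env:SystemRoot 'NTDS'
$ditPath = Join-Path $ntdsDir 'ntds.dit'
Add-Result 'ntds.dit exists' (Test-Path $ditPath) $ditPath
$logs = @(Get-ChildItem -Path $ntdsDir -Filter '*.log' -ErrorAction SilentlyContinue)
Add-Result 'NTDS .log files' ($logs.Count -gt 0) "$($logs.Count) file(s) in $ntdsDir"

# 3. SYSVOL: the domain folder must exist and SYSVOL / NETLOGON must be shared.
$domainSysvol = Join-Path $env:SystemRoot "SYSVOL\sysvol\$Domain"
Add-Result 'SYSVOL domain folder' (Test-Path $domainSysvol) $domainSysvol
$shares = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
foreach ($share in 'SYSVOL', 'NETLOGON') {
    Add-Result "share $share" ($shares -contains $share) ('shares: ' + ($shares -join ', '))
}

$results | Format-Table Check, Passed, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Passed }).Count
Write-Host "$failed check(s) failed"
exit $failed
```

A failing SRV check with a present ntds.dit usually points at DNS registration (the Netlogon service registers the records) rather than at the promotion itself, which is why the script separates the two.
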
Management tools

Start -> Administrative Tools lists the management tools related to AD DS.

These tools make managing the AD DS domain much more convenient.

For example, the Event Viewer can be used to check the event logs for any AD DS-related problems.

Create an additional domain controller

An additional domain controller is usually installed on a second physical server (HOST2) and acts as a backup of the existing AD DS domain controller (HOST1). Both domain controllers belong to the same AD root domain. The additional domain controller brings the following benefits:

    • better user logon performance (load balancing)
    • fault tolerance (high availability)

When an additional domain controller is installed, the AD database must be copied from an existing domain controller to it. WIN08R2 offers two ways to replicate the AD database:

    • directly over the network, which takes a long time when the AD database is very large;
    • from installation media, copied by USB flash drive, DVD and so on.

Installing an additional domain controller with the Windows GUI

Step 1: Install the Active Directory Domain Services role on HOST2 (HOST2 must be able to ping HOST1), following the installation method described above. Note the points at which installing an additional domain controller differs from installing the first one:
1) Select Existing forest.

2) Enter the root domain name of the HOST1 domain controller, jmilk.com (any domain name in the forest would do; the wizard only uses it to discover all domains in the forest) -> click Set and enter the account credentials.

3) Select the domain to which the domain controller is to be added and click Next.

4) Select the AD DS site for the additional domain controller.

    • Site: a site consists of one or more IP subnets; usually a site is the set of computers in one local area network (LAN).

5) Click Next. If HOST2 has no DNS service yet, the DNS server is installed at the same time; if DNS is already installed, keep the default.

6) Select replication of the AD database over the network.

7) Restart the computer after the installation of the additional domain controller completes.

Installing additional domain controllers with a PowerShell script

Create the PowerShell script file Installreplicaaddscontrol.ps1 with the following content:

dcpromo /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:jmilk.com /siteName:Default-First-site-Name /InstallDns:yes /confirmGC:yes /createDNSDelegation:no /userDomain:jmilk.com /userName:jmilk.com\administrator /password:fanguiju383.com /databasePath:"%SystemRoot%\NTDS" /logPath:"%SystemRoot%\NTDS" /sysvolpath:"%SystemRoot%\SYSVOL" /safeModeAdminPassword:fanguiju383.com /rebootOnCompletion:yes
