August 2018
- Domain and Active Directory
What is a domain
A domain is a stand-alone administrative unit in a Windows network; access between domains requires a trust relationship. Trust relationships are the bridges that connect one domain to another. Once a domain has established a trust relationship with another domain, the two domains can not only manage each other as needed but can also share device resources such as files and printers across the network, so that network resources can be shared and managed between different domains.
Why domains are needed
If resources are spread over n servers, a user who needs those resources has to log on to each of the n servers and needs n accounts. With m such users, the administrator has to create n*m accounts, which is both a burden and hard to manage.
With a domain, the administrator only needs to create one domain user for each person; the user logs on to the domain once and can then access resources throughout the domain, which gives single sign-on.
User information is held on domain controllers (DCs). One server or several servers can be chosen as domain controllers. When there are multiple domain controllers they are peers: each one holds the information about all users in the domain, and the domain controllers synchronize this information with each other. Servers that are not domain controllers simply provide resources.
What is Active Directory
Active Directory is the directory service provided by the Windows Server 2003 platform. It stores information in a central database so that each user needs only one user account on the network. A directory is a physical container that stores all kinds of objects, and the directory service is the service that makes the information and resources in the directory usable.
It greatly enhances information security and introduces policy-based management, which makes administration of the system clearer. It has strong scalability and extensibility, intelligent information replication, integration with DNS, interoperability with other directory services, and flexible querying.
Active Directory logical structure: domain, organizational unit, tree, forest.
Domain controllers (DCs) hold information about all users, groups, computers and so on in the domain (in fact they hold far more than this), and they store this information in Active Directory.
Active Directory and DNS
In a TCP/IP network, DNS (Domain Name System) resolves the mapping between computer names and IP addresses. Active Directory and DNS are closely related: Active Directory uses the DNS server to register domain controller IP addresses, the location of various resources and so on, so at least one DNS server must exist in a domain forest, and DNS therefore needs to be installed together with Active Directory. In addition, domains are named in DNS format.
- Active Directory and organizational units
- Objects: users, computers, printers, groups and so on. Each object has its own properties and property values.
- Organizational unit (OU): organizational units group objects logically for easier management, lookup, authorization and access. An organizational unit represents a collection of objects within a single domain (which can include group objects). Organizational units inherit: a child unit inherits the ACL of its parent unit. At the same time, a domain administrator can grant users administrative rights over all organizational units in the domain or over individual ones. Just as a company has a head for each department, distributing authority in this way makes management more effective.
Windows Server 2012 R2 domain and Active Directory project setup
August 2018
- Install and configure the domain
- Active Directory design
  - Domain name and controller installation location
    - Small or medium-sized business (SMB): for simplicity, install only one domain controller in the network
    - The domain name should be the same as the DNS domain name: DCServer.network.com
    - All other computers join the domain
  - Design of the organizational units
    - The OUs are designed according to the company's administrative structure
    - Users, groups, computers, printers, etc. in each department are placed in the corresponding organizational unit
Experimental topology diagram
For the experiment, VMware Workstation Pro virtual machines simulate the servers and clients; the virtual machines are connected on an internal network. Subdcserver acts as a domain member server, while Dcserver and Rodcserver (Windows Server 2012 R2) are domain controllers.
Change the host name:
- Install the AD DS (domain controller) and DNS Server roles.
- Click Next until the installation completes.
- Promote the server to a domain controller.
- Select Add a new forest (the wizard asks you to set the domain name).
- Enter the password: this is the domain controller recovery password, used when demoting or removing the domain controller.
- Click Next until the installation completes.
- The computer restarts after the installation because Active Directory is now present. Startup takes longer, and the newly established domain network is found.
- When you log on to a domain controller, you can only log on as a domain user. Although the user name is still Administrator, this Administrator is now a domain user. (The screenshot shows the user in the Active Directory Users and Computers tool.)
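The same forest creation, as an added PowerShell example that is not part of the original post. It assumes the server that becomes DCServer is still a workgroup machine, that you run it as the local Administrator, and that the recovery (DSRM) password is read interactively rather than stored.

```powershell
# Step 1: change the host name (the post's "Change the host name" step); this reboots.
Rename-Computer -NewName "DCServer" -Restart

# Step 2 (after the reboot): install the AD DS and DNS Server roles with their tools.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools

# Step 3: the password the wizard asks for is the Directory Services Restore Mode
# (DSRM) password, needed for demotion and recovery; read it instead of hard-coding it.
$dsrm = Read-Host "DSRM password" -AsSecureString

# Step 4: dry-run the prerequisite checks the wizard performs before "Add a new forest".
Test-ADDSForestInstallation -DomainName "network.com" -SafeModeAdministratorPassword $dsrm

# Step 5: create the forest; the AD domain name equals the DNS domain name, DNS is
# installed alongside AD DS, and no delegation is created (there is no parent DNS zone).
Install-ADDSForest -DomainName "network.com" -DomainNetbiosName "NETWORK" `
    -InstallDns -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $dsrm -Force          # reboots when done

# Step 6 (after the reboot, logged on as NETWORK\Administrator): verify the result.
Get-ADDomainController | Select-Object HostName, Domain, IsGlobalCatalog
# Domain members locate the DC through this SRV record; if it is missing, joins fail.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.network.com" -Type SRV
Get-ADUser -Identity Administrator | Select-Object DistinguishedName   # now a domain user
```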
- Join the client (server) to the domain
A. A server can have one of three roles: domain controller, member server, or stand-alone server.
B. A server can change between these three roles.
- Open Computer, right-click and choose Properties.
- Set the host name and the domain name to join, then enter the account password. The default account is Administrator.
- After a successful join, restart the computer.
- After restarting, open the computer properties again.
- The computer can now be seen on the Dcserver domain controller.
- Detach the server (computer) from the domain
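Joining and later detaching a member server, as an added PowerShell example that is not the post's own. It assumes the server's DNS client points at DCServer and that the join uses the domain Administrator account as in the post; the OU name in the commented variant is an assumption. Run it on the server being joined (subdcserver).

```powershell
# Prerequisite: the server must be able to locate a DC for network.com through DNS.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.network.com" -Type SRV

# Join: the account that is allowed to add computers to the domain (the post uses Administrator).
$cred = Get-Credential -UserName "NETWORK\Administrator" -Message "Domain join account"
Add-Computer -DomainName "network.com" -Credential $cred -Restart
# To place the computer object directly in a department OU (assumed OU name) instead of
# the default Computers container:
#   Add-Computer -DomainName "network.com" -Credential $cred `
#       -OUPath "OU=Network Department,DC=network,DC=com" -Restart

# After the reboot, confirm the role change on the server itself ...
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$cs | Select-Object Name, Domain, PartOfDomain, DomainRole   # DomainRole 3 = member server
# ... and on DCServer, where the computer account is now visible.
Get-ADComputer -Identity "subdcserver" -Properties OperatingSystem, LastLogonDate

# Detach: back to a workgroup. The computer account stays in AD until it is removed.
Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName "WORKGROUP" -Restart -Force
# On DCServer afterwards, so no orphaned account keeps its SPNs and group memberships:
Remove-ADComputer -Identity "subdcserver" -Confirm:$false
```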
- After Active Directory is installed, use the Active Directory Users and Computers tool to manage users and groups.
A. Create a Network Department organizational unit with user one; the user logon name is [email protected], the password is network.com, and the logon target is the client.
B. Create a Business Department organizational unit with user two; the user logon name is [email protected], the password is network.net, and the permitted logon period is from eight in the morning to six in the evening.
- On Dcserver, open Active Directory Users and Computers.
- Right-click to create an organizational unit.
- Select User cannot change password and Password never expires. The password is network.com.
- Click View and select Advanced Features.
- Open the Network Department OU, right-click the user and select Properties.
- Open the Account tab, click Log On To, and add the logon target client.
- Click Add, select the client, and click OK.
B. Create a Business Department organizational unit with user two; the user logon name is [email protected], the password is network.net, and the permitted logon period is from eight in the morning to six in the evening.
- Create an organizational unit named Business Department.
- Open the Account tab and click Logon Hours.
- For Monday to Sunday, mark the hours before eight in the morning and after six in the evening as Logon Denied.
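Tasks A and B above as one added PowerShell example that is not the post's own, run on DCServer with the ActiveDirectory module. The user principal names, the SamAccountNames userone/usertwo and the client computer name CLIENT are assumptions, since the post does not give them; the logonHours layout (Sunday first, low bit first, stored in UTC) is how the attribute is documented, so local hours are shifted by the DC's standard-time UTC offset, assumed to be a whole number of hours.

```powershell
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName          # DC=network,DC=com

# Task A: Network Department OU, user one, fixed password, may log on only at CLIENT.
New-ADOrganizationalUnit -Name "Network Department" -Path $domainDN
New-ADUser -Name "user one" -SamAccountName "userone" `
    -UserPrincipalName "userone@network.com" -Path "OU=Network Department,$domainDN" `
    -AccountPassword (ConvertTo-SecureString "network.com" -AsPlainText -Force) `
    -CannotChangePassword $true -PasswordNeverExpires $true -Enabled $true
Set-ADUser -Identity "userone" -LogonWorkstations "CLIENT"   # the GUI's "Log On To..."

# Task B: Business Department OU, user two, logon allowed 08:00-18:00 every day.
# logonHours is 21 bytes = 168 one-hour bits: byte 0 bit 0 is Sunday 00:00-01:00 UTC,
# so local hours must be shifted by the UTC offset (the GUI does this silently).
function New-LogonHours {
    param([int]$StartHour, [int]$EndHour, [int]$UtcOffsetHours)
    $mask = New-Object byte[] 21
    foreach ($day in 0..6) {                       # 0 = Sunday ... 6 = Saturday
        foreach ($h in $StartHour..($EndHour - 1)) {
            $slot = (($day * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168  # wrap the week
            $mask[$slot -shr 3] = $mask[$slot -shr 3] -bor (1 -shl ($slot -band 7))
        }
    }
    return ,$mask
}
$offset = [int][TimeZoneInfo]::Local.BaseUtcOffset.TotalHours   # whole-hour zones assumed
New-ADOrganizationalUnit -Name "Business Department" -Path $domainDN
New-ADUser -Name "user two" -SamAccountName "usertwo" `
    -UserPrincipalName "usertwo@network.com" -Path "OU=Business Department,$domainDN" `
    -AccountPassword (ConvertTo-SecureString "network.net" -AsPlainText -Force) -Enabled $true
Set-ADUser -Identity "usertwo" -Replace @{ logonHours = (New-LogonHours 8 18 $offset) }

# Check: 10 allowed hours x 7 days must give exactly 70 set bits in the stored mask.
$bits = (Get-ADUser -Identity "usertwo" -Properties logonHours).logonHours
$set = 0
foreach ($b in $bits) { for ($i = 0; $i -lt 8; $i++) { if ($b -band (1 -shl $i)) { $set++ } } }
$set   # 70
```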
Creating subdomains is typically useful in the following situations:
- an independently operated subsidiary that has been separated from the company;
- departments or groups of a company that operate relatively independently from other departments because of special technical needs;
- security considerations.
The benefits of creating subdomains are mainly the following:
- it eases the management of the subdomain's own users and computers, and allows management policies that differ from the parent domain;
- it benefits the security management of subdomain resources.
In a parent-child domain environment, because a two-way transitive parent-child trust relationship is established between the parent and child domains, a child-domain user can by default use the computers of the child domain as well as those of the parent domain.
- Add Rodcserver to the domain.
- Install the Active Directory Domain Services role and the DNS service.
- Click Next until the installation completes.
- Click Promote to domain controller.
- Select the second option (add a new domain to an existing forest), enter the new domain name Rodcserver, click Change and enter the domain user name and password (default Administrator).
- Set the domain administrator password and click Next to install.
- Open Active Directory Domains and Trusts, right-click Network.com and choose Properties to view the trust relationship.
- Create a directory on Rodcserver.
- Right-click it, choose Properties, and open the Security tab.
- Select the first entry, click Edit, and click OK.
- The permissions then apply not only to users in this domain but also to users in the forest.
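The child-domain promotion and the cross-domain folder permission, as an added PowerShell example that is not from the post. It assumes the new child domain is rodcserver.network.com (the post shows only the name Rodcserver), that the parent domain's Administrator is entered at the Change step, and that the folder is C:\Shared with the parent domain's Domain Users as the principal granted access, since the post does not say which entry it selects.

```powershell
# On Rodcserver, already joined to network.com as a member server.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
$cred = Get-Credential -UserName "NETWORK\Administrator" -Message "Parent-domain account"
$dsrm = Read-Host "DSRM password" -AsSecureString

# Prerequisite check, then "Add a new domain to an existing forest" as a child domain.
Test-ADDSDomainInstallation -NewDomainName "rodcserver" -ParentDomainName "network.com" `
    -DomainType ChildDomain -Credential $cred -SafeModeAdministratorPassword $dsrm
Install-ADDSDomain -NewDomainName "rodcserver" -ParentDomainName "network.com" `
    -DomainType ChildDomain -Credential $cred -SafeModeAdministratorPassword $dsrm `
    -InstallDns -CreateDnsDelegation -Force    # delegation in the parent zone; reboots

# After the reboot: the parent-child trust was created automatically. Confirm it is
# two-way and intra-forest (hence transitive), which is what admits parent-domain users.
Get-ADTrust -Filter * | Select-Object Name, Direction, IntraForest, ForestTransitive

# A folder whose ACL names a principal from the parent domain: permissions can reference
# any account in the forest, not only the local domain (OI/CI = inherit to files/folders).
New-Item -ItemType Directory -Path "C:\Shared" -Force | Out-Null
icacls "C:\Shared" /grant "NETWORK\Domain Users:(OI)(CI)R"
icacls "C:\Shared"                    # lists the resulting ACEs for review
```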
- Read-only domain controller and additional domain controller
The AD DS database of a read-only domain controller (RODC) can only be read, not modified. This means the RODC's AD DS database cannot be modified directly by users or applications; its content can only be replicated from other read-write domain controllers. The RODC is primarily designed for remote branch office networks: remote branch offices generally have smaller networks and fewer users, and their network security may not be as complete as at the head office, nor may there be IT technicians on site. Using an RODC prevents the entire AD DS environment from being affected if the RODC's AD DS database is compromised.
An additional (secondary) domain controller can take over and continue working if the primary domain controller stops working.
- First, add Subdcserver to the network domain.
- Install Active Directory Domain Services and promote the server to a domain controller.
- Select Add a domain controller to an existing domain.
- Click Change and enter the domain user name and password.
- Tick Read only domain controller (RODC) to make a read-only domain controller; leave it unticked to make an additional (secondary) domain controller. Enter the Directory Services Restore Mode password.
- Accept the defaults, click Next, and select DCServer.network.com as the replication source.
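The additional DC and RODC promotions, as an added PowerShell example that is not from the post. Run it on Subdcserver after it has joined network.com and pick one of the two promotion commands; the site name is the default one a new forest receives, and the two group names in the password replication policy are assumptions.

```powershell
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
$cred = Get-Credential -UserName "NETWORK\Administrator" -Message "Domain account for promotion"
$dsrm = Read-Host "DSRM password" -AsSecureString

# Option 1: additional (secondary) writable DC, a full replica that can take over if
# DCServer fails. The replication source is the post's "select DCServer.network.com" step.
Install-ADDSDomainController -DomainName "network.com" -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns `
    -ReplicationSourceDC "DCServer.network.com" -Force      # reboots when done

# Option 2: read-only DC. -ReadOnlyReplica is the wizard's "Read only domain controller"
# tick box and requires a site. The password replication policy decides which account
# secrets the RODC may cache: only those are exposed if the branch-office box is lost.
Install-ADDSDomainController -DomainName "network.com" -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -ReadOnlyReplica `
    -SiteName "Default-First-Site-Name" `
    -AllowPasswordReplicationAccountName "NETWORK\Branch Users" `
    -DenyPasswordReplicationAccountName "NETWORK\Domain Admins" `
    -ReplicationSourceDC "DCServer.network.com" -Force

# Verify from DCServer: which DCs are writable, and what the RODC is allowed to cache.
Get-ADDomainController -Filter * | Select-Object HostName, IsReadOnly, IsGlobalCatalog
Get-ADDomainControllerPasswordReplicationPolicy -Identity "Subdcserver" -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity "Subdcserver" -Denied
# Writes must go to a writable DC (an RODC answers them with a referral), so point
# management tools at one explicitly:
Get-ADDomainController -Discover -Writable | Select-Object HostName
```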
Written according to 79342787