On Windows Server, some services must be deployed in a domain environment, not only for unified authentication and resource sharing but also for network security. Before building the virtualization test lab we therefore need a domain environment, so let us first get to know what a domain is.
In a workgroup, computers are relatively independent: a workgroup is just one way of grouping computers on a network, and membership has little effect on access to network resources. A workgroup is like a free parking lot: joining the workgroup means you may park in zone A or zone B, and if you park in zone A you form only a loose association with the other cars in that zone.
A Windows domain is different: domains are tightly organized, computers are joined to the domain and log on with domain accounts to access certain shared resources, and at least one domain controller (DC) in the domain is responsible for validating computers and users. A domain is like a paid parking lot that requires card verification to get in and out (there can be more than one gate, that is, more than one DC), but once verified you can use the shared facilities inside, and even other cars. For example, once your computer has logged on with a domain account that has administrator privileges, you can use that domain account to log on to SQL Server on other computers in the same domain and no longer need the SA account. Of course, joining a domain does not mean a computer can only stay in the domain: if it logs on with a local account instead of a domain account, it behaves no differently from a workgroup computer. In general, your car can be parked in the paid lot or in the free lot, unless the car is specially restricted (Group Policy can be used to force the computer to log on with a domain account only). If your computer is logged on with a local account, you cannot use Windows authentication to access SQL Server on another computer, but you can still log in with the SA account using SQL Server authentication.
I. The domain test network
Next we deploy the domain on Windows Server 2012; later the domain's network will serve as the management network, and the lab is configured with the parameters shown in the figure. The figure shows two domain controllers so that they back each other up. Although Windows Server 2003 no longer distinguishes between primary and backup domain controllers, the operations master roles still exist, so the domain controllers differ somewhat in role, as described below.
[Figure: Domain network structure]
II. Configuring the domain controllers
Installing a domain controller (DC) on Windows Server is straightforward, but a few things should be checked beforehand: whether the logon account has local administrator rights, whether the operating system edition supports the role, whether TCP/IP is configured correctly, whether the disk has an NTFS partition with enough space to hold the Active Directory database, whether the DNS server is supported, and so on. It is also best to change the computer name and restart before promotion, to avoid the hassle of renaming a domain controller after the installation is complete.
Windows Server 2008 and later can install Active Directory Domain Services (AD DS) as a role and then promote the server to a domain controller. In Windows Server 2008 you can also run the dcpromo command from the Run dialog to install AD DS and promote the server directly. Windows Server 2012, however, no longer supports dcpromo: after installing the AD DS role, you will find a link to promote the server to a domain controller in the notification area at the top of Server Manager.
The installation steps themselves are not repeated here, since many pages on the web describe them in detail, but there are a few things you need to know about domain configuration:
1. Forest, domain tree, domain, and child domain
These terms describe the relationships between them fairly visually, but note that the first domain we establish is the root domain, and establishing it also establishes the first domain tree and the first forest; that root domain is therefore both the forest root domain and the tree root domain. When a new domain is created later, choose carefully when configuring the domain controller: selecting "new forest" actually establishes a second forest. The root domain is just a domain with special status: there is only one forest root domain, but there can be more than one tree root domain. A root domain and the child domains that share its namespace form a domain tree, and domain trees with different namespaces form a forest. The name of a domain tree is the name of its first domain, and the name of the forest is the name of the first domain tree, that is, of the first domain. The choice of domain name is therefore very important: renaming a domain after it is established is feasible, but it carries great risk.
For example, we established two forests according to the rules in the article "Assigning the Forest Root Domain Name". If your organization has two registered domain names, one can be used for the external Internet (your organization's home page) and the other as the name of the internal forest (that is, the name of its first domain); the resulting forest looks like the forest x.com on the left. If you have only one registered domain name, you can create a second-level domain name for the internal network and use it as the forest name, so that the forest looks like cloud.z.com on the right. A public domain name makes trusts between forests easier to set up, but in a test you can use any name that complies with the domain naming rules; our lab environment uses cloud.z.com as the forest name.
[Figure: forest, domain tree, and child domain]
2. DNS servers, global catalog servers (GC), and read-only domain controllers (RODC)
Several options are offered while configuring a domain controller: whether to install the DNS service, whether the server is a global catalog server (GC), and whether it is a read-only domain controller (RODC).
3. AD database, log files, and the SYSVOL folder
Active Directory uses a file-based database whose engine is the Extensible Storage Engine (ESE) developed from JET, also known as JET Blue. JET Blue was originally planned as an upgrade of the JET Red engine used by Access, but instead it is used in other Microsoft products such as AD, WINS, and Exchange Server. ESE can scale to 16 TB and hold about 1 billion objects. By default all database-related files are in the %systemroot%\NTDS\ folder, mainly including:
Active Directory uses the SYSVOL folder (which must be on an NTFS partition) to share common files between DCs, including logon scripts and policy files. For details see "Sysvol and Netlogon share importance in Active Directory".
4. FSMO operations master roles
Active Directory has two models for replicating data between multiple domain controllers (DCs): the single-master model and the multi-master model.
The multi-master model is used for data replication between DCs: data can be updated on any DC and is then replicated to the others, and conflicts are resolved by a fixed algorithm (for example, the last write wins). Multi-master replication provides load balancing and high availability between DCs. For some data, however, multi-master replication would cause conflicts that are hard to resolve or too costly to resolve, so Active Directory uses the single-master model for it: only one DC may update that data, and the change is then replicated to the other DCs. This data is handled by 5 operations master roles, also known as flexible single master operation (FSMO) roles, which can be assigned to different DCs in the forest:
Forest level (only one DC in the whole forest holds each role): schema master and domain naming master.
Domain level (only one DC in each domain holds each role): RID master, PDC emulator, and infrastructure master.
5. Functional levels
When you create a new forest in Active Directory, you need to decide the functional level of the forest and of the domain. The functional level determines which features of Active Directory Domain Services (AD DS) are available and which Windows Server operating systems can serve as domain controllers in that forest and domain. Each Windows Server release has also improved Active Directory, giving rise to different functional levels, and a higher functional level provides more features. The current functional levels include Windows 2000 native, Windows Server 2003, Windows Server 2008, Windows Server 2012, and so on.
For example, on a domain controller running Windows Server 2008 you can set the forest and domain functional level to Windows Server 2003, and a server running Windows Server 2003 can then join as a domain controller. If, however, the forest and domain functional levels are set to Windows Server 2008, a server running Windows Server 2003 cannot be added as a domain controller, whereas a server running Windows Server 2012 can.
In addition, a functional level cannot be lowered once raised, and the domain functional level cannot be lower than the forest functional level.
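Because raising a functional level is irreversible and locks out domain controllers on older Windows Server versions, it is worth inventorying every DC first. The following PowerShell is an added example and not code from the original post; it assumes the lab forest cloud.z.com from this article, the ActiveDirectory module on a 2012 DC, and the OS-version-to-level mapping shown in the script.

```powershell
# Added example (not from the original post): inventory the DCs of cloud.z.com and
# check whether raising the domain/forest functional level to Windows2012 is safe.
Import-Module ActiveDirectory
$Domain = 'cloud.z.com'   # lab forest name used in the article

# Minimum OS version (major.minor) each functional level requires; assumed mapping.
$MinOsVersion = @{
    Windows2003   = [version]'5.2'; Windows2008   = [version]'6.0'
    Windows2008R2 = [version]'6.1'; Windows2012   = [version]'6.2'
    Windows2012R2 = [version]'6.3'
}

# One row per DC: site, GC / RODC flags and OS version ("6.2 (9200)" -> 6.2)
function Get-DcInventory {
    Get-ADDomainController -Filter * -Server $Domain |
        Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem,
            @{ n = 'OsVersion'; e = {
                $v = $_.OperatingSystemVersion -replace '\s.*$', ''
                if ($v) { [version]$v } else { [version]'0.0' } } }
}

# DCs whose OS is too old for the target level (empty result = safe to raise)
function Get-DcBlockingLevel {
    param([ValidateSet('Windows2003','Windows2008','Windows2008R2','Windows2012','Windows2012R2')]
          [string]$Target)
    Get-DcInventory | Where-Object { $_.OsVersion -lt $MinOsVersion[$Target] }
}

$forest = Get-ADForest -Identity $Domain
$domain = Get-ADDomain  -Identity $Domain
"Forest mode: {0}   Domain mode: {1}" -f $forest.ForestMode, $domain.DomainMode
Get-DcInventory | Format-Table -AutoSize

$blockers = @(Get-DcBlockingLevel -Target Windows2012)
if ($blockers.Count -gt 0) {
    "Cannot raise to Windows2012 yet; upgrade or demote these DCs first:"
    $blockers | Format-Table HostName, OperatingSystem -AutoSize
} else {
    # Domain level first, then forest level: the forest level may never exceed a domain level.
    Set-ADDomainMode -Identity $Domain -DomainMode Windows2012Domain -Confirm:$false
    Set-ADForestMode -Identity $Domain -ForestMode Windows2012Forest -Confirm:$false
}
```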
6. Domain trusts
A domain trust is a relationship established between domains so that users in one domain can be authenticated by a domain controller in another domain. Establishing the trust only makes cross-domain access to resources possible; the user must still be authorized on the resource itself before cross-domain access actually works.
Domain trusts are either one-way or two-way: one-way means I trust you but you do not trust me (or vice versa), two-way means mutual trust. A trust can also be transitive, meaning that if I trust you, I also trust whoever you trust (a third party); transitive trust removes the need to configure every pairwise trust in a complex domain environment.
Within one forest, a parent domain and its child domain have a two-way transitive trust by default, and there is a two-way transitive trust (tree-root trust) between domain trees by default. A shortcut trust can be established between domains in two different domain trees to speed up authentication. Between different forests a forest trust can be established.
Trusts can also be established with other directory systems that use Kerberos for authentication, and external trusts can be established with older Windows NT 4 domains.
[Figure: forest, domain tree, child domain, and trusts]
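Since every trust widens who can authenticate into the domain, it helps to list them in the terms used above (direction, transitivity, inside or across the forest). This PowerShell report is an added example, not code from the original post; it assumes the lab domain cloud.z.com, the ActiveDirectory module, and the Get-ADTrust property names noted in the comments.

```powershell
# Added example (not from the original post): report the trusts of cloud.z.com in the
# terms used above and flag trusts that leave the forest with SID filtering disabled.
Import-Module ActiveDirectory

function Get-TrustReport {
    param([string]$Domain = 'cloud.z.com')   # assumed lab domain from the article
    foreach ($t in Get-ADTrust -Filter * -Server $Domain) {
        $kind = if ($t.IntraForest)          { 'parent-child / tree-root / shortcut (same forest)' }
                elseif ($t.ForestTransitive) { 'forest trust' }
                else                         { 'external or realm trust' }
        # SID filtering is on when either the quarantine or the forest-aware flag is set
        $filtered = [bool]($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)
        # Direction is seen from $Domain: Outbound = "we trust them", Inbound = "they trust us"
        [pscustomobject]@{
            Partner      = $t.Target
            Kind         = $kind
            Direction    = $t.Direction
            Transitive   = -not $t.DisallowTransivity   # property is spelled this way by the module
            SidFiltering = $filtered
            # Risky: crosses the forest boundary but SID history from the partner is not filtered
            Risky        = (-not $t.IntraForest) -and (-not $filtered)
        }
    }
}

Get-TrustReport | Format-Table -AutoSize
Get-TrustReport | Where-Object Risky | ForEach-Object {
    Write-Warning "Trust with $($_.Partner) ($($_.Kind)) has SID filtering disabled"
}
```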
In theory a Windows domain is independent of the physical network topology: the domain controllers of a domain can be in the same subnet or in different subnets, in the same physical location or in different ones, as long as they can communicate with each other. In practice, however, communication between domain controllers and the computers in a domain is constrained by the physical topology; replication between domain controllers and account validation in particular are closely tied to physical location.
A site can be seen as a group of computers in a domain connected by a high-speed network. Deploying domain controllers and computers into sites by physical location improves the efficiency of replication and account validation between the domain controllers of the domain. For example, suppose the Beijing site has two DCs, A and B, and the Shanghai site has two DCs, C and D. Replicating in the order B, C, D, A would be inefficient; in the order A, B, C, D the DCs within the same site replicate with each other and the link between the sites is crossed only once.
III. Testing and maintaining the domain
1. Renaming a domain controller
A domain controller's computer name cannot simply be changed from the computer properties dialog: the change involves name resolution within the domain, and doing it improperly can leave the domain controller unreachable. It is therefore recommended to rename and restart the computer before promoting it to a domain controller. If you really do need to rename a domain controller, use the netdom command. At the PowerShell prompt:
# Show all computer names of a DC
netdom computername DC02.cloud.z.com /enumerate
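The full netdom rename sequence (add the new name, wait for it to replicate, make it primary, remove the old name) is shown below as an added example; it is not from the original post. It assumes the lab DC DC02.cloud.z.com from this article, a hypothetical new name DC02N.cloud.z.com, the ActiveDirectory module, and an account with rights to rename the DC.

```powershell
# Added example (not from the original post): rename DC02.cloud.z.com to the
# hypothetical DC02N.cloud.z.com with netdom so DNS and AD stay consistent.
Import-Module ActiveDirectory
$Old = 'DC02.cloud.z.com'
$New = 'DC02N.cloud.z.com'

# 1. Register the new name as an alternate name. netdom stores it on the computer
#    object (msDS-AdditionalDnsHostName) and registers it in DNS.
netdom computername $Old "/add:$New"

# 2. Do not switch the primary name until every DC has received the alternate name,
#    otherwise clients that authenticate against a stale DC fail. Check each DC's copy.
function Test-AlternateNameReplicated {
    param([string]$DcFqdn, [string]$AlternateName)
    $computerName = ($DcFqdn -split '\.')[0]
    $allHaveIt = $true
    foreach ($dc in Get-ADDomainController -Filter *) {
        $obj  = Get-ADComputer -Identity $computerName -Server $dc.HostName `
                    -Properties 'msDS-AdditionalDnsHostName'
        $have = @($obj.'msDS-AdditionalDnsHostName') -contains $AlternateName
        "{0,-28} has alternate name: {1}" -f $dc.HostName, $have
        if (-not $have) { $allHaveIt = $false }
    }
    return $allHaveIt
}
if (-not (Test-AlternateNameReplicated -DcFqdn $Old -AlternateName $New)) {
    throw "Alternate name not yet on every DC; wait for replication (or repadmin /syncall) and retry"
}

# 3. Make the new name primary, reboot, then drop the old name.
netdom computername $Old "/makeprimary:$New"
Restart-Computer -Force
# After the reboot, on the renamed DC:
#   netdom computername DC02N.cloud.z.com /remove:DC02.cloud.z.com
#   netdom computername DC02N.cloud.z.com /enumerate     # should list only the new name
```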
2. Transferring FSMO roles
The earlier section described the 5 FSMO roles in AD. We need to consider transferring FSMO roles in order to distribute them sensibly across multiple DCs in the domain, or when migrating a DC. There are two ways to transfer FSMO roles. The first is through the GUI:
In Windows Server 2012, open Active Directory Users and Computers from the Tools menu of Server Manager. It connects to the domain by default; right-click the domain name and choose Operations Masters, where you can transfer the RID, PDC, and infrastructure masters.
In Active Directory Domains and Trusts, right-click and choose Operations Master, where you can transfer the domain naming master.
In Active Directory Schema, right-click and choose Operations Master, where you can transfer the schema master. However, the Active Directory Schema snap-in does not appear in Server Manager: you first need to register it with regsvr32 schmmgmt.dll and then add the Active Directory Schema snap-in through the File menu of an MMC console before continuing.
The second way uses the ntdsutil command; you can enter ? at any point in the process to get help:
# Transfer the FSMO roles from DC01 to DC03
ntdsutil
roles
connections
connect to server DC03.cloud.z.com
quit
transfer schema master
transfer naming master
transfer infrastructure master
transfer pdc
transfer rid master
quit
quit
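A third way, not mentioned in the original post, is the ActiveDirectory PowerShell module; the added example below transfers all 5 roles to DC03 and verifies the result afterwards. It assumes the lab names DC01/DC03 and cloud.z.com from this article and that the current role holders are online (a graceful transfer, not a seizure).

```powershell
# Added example (not from the original post): transfer the 5 FSMO roles to DC03
# with PowerShell and confirm where each role ended up.
Import-Module ActiveDirectory
$Domain    = 'cloud.z.com'
$NewHolder = 'DC03'     # DC name as Move-ADDirectoryServerOperationMasterRole expects

# Current holder of each role; the forest-wide roles come from the forest object,
# the per-domain roles from the domain object.
function Get-FsmoHolders {
    $f = Get-ADForest -Identity $Domain
    $d = Get-ADDomain  -Identity $Domain
    [pscustomobject]@{ Role = 'SchemaMaster';         Scope = 'forest'; Holder = $f.SchemaMaster }
    [pscustomobject]@{ Role = 'DomainNamingMaster';   Scope = 'forest'; Holder = $f.DomainNamingMaster }
    [pscustomobject]@{ Role = 'PDCEmulator';          Scope = 'domain'; Holder = $d.PDCEmulator }
    [pscustomobject]@{ Role = 'RIDMaster';            Scope = 'domain'; Holder = $d.RIDMaster }
    [pscustomobject]@{ Role = 'InfrastructureMaster'; Scope = 'domain'; Holder = $d.InfrastructureMaster }
}

"Before:"; Get-FsmoHolders | Format-Table -AutoSize

# Graceful transfer: the current holders must be reachable. Adding -Force would seize
# the roles instead, which is only appropriate when the old holder is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

"After:"
$after = Get-FsmoHolders
$after | Format-Table -AutoSize
$notMoved = @($after | Where-Object { $_.Holder -notlike "$NewHolder.*" })
if ($notMoved.Count -gt 0) {
    Write-Warning ("Roles still held elsewhere: " + ($notMoved.Role -join ', '))
}
```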
3. Cleaning up AD metadata
When a DC has been demoted but its information remains in AD, you need to clear it manually with the ntdsutil command:
# Remove the metadata of a DC that needs to be deleted
ntdsutil
metadata cleanup
connections
connect to server DC03.cloud.z.com
quit
select operation target
list domains
select domain 0
list sites
select site 0
list servers for domain in site
# Select the DC that needs to be deleted
select server 0
quit
remove selected server
quit
quit
4. Migrating domain controllers
Migrating the domain controller from DC01 to DC03 mainly consists of the following steps:
5. Other maintenance tools
Ntdsutil.exe. Ntdsutil.exe is a command-line tool that provides management capabilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use ntdsutil to perform AD DS database maintenance, manage and control FSMO roles, and remove the metadata of domain controllers that were not properly demoted.
Adsiedit.msc. ADSI Edit is used to edit a single object or a small number of objects in Active Directory. In Windows Server 2012 Server Manager it can be found in the right-click menu of the AD DS server.
Ldp.exe. Ldp.exe is used for managing Active Directory Lightweight Directory Services (AD LDS).
Windows Server 2012 Virtualization Combat: Domain