On Windows Server, some services must be built in a domain environment, not only for unified authentication and resource sharing but also for network security. To build the virtualization test lab we therefore need to set up a domain environment first, so let us get to know what a domain is before we begin.
In a workgroup, computers are relatively independent; a workgroup is just one way of categorizing the computers on a network, and being in a workgroup has little effect on access to network resources. A workgroup is like a free parking lot: joining the workgroup is like choosing to park in zone A or zone B, and the cars parked in zone A are only a loose collection.
A Windows domain, by contrast, is tightly organized: computers join the domain and log on with domain accounts in order to access certain shared resources, and at least one domain controller (DC) in the domain is responsible for validating computers and users. A domain is like a paid parking lot, which requires card verification to get in and out (there can be more than one access gate, that is, more than one DC), but once verified you can use the shared facilities inside, and even other people's cars. For example, when your computer logs on with a domain account that has administrator privileges, you can use that domain account to log on to SQL Server on other computers in the same domain, without needing the SA account. Of course, joining a domain does not mean a computer can only stay in the domain: if it logs on with a local account instead of a domain account, the computer is no different from one in a workgroup. Generally speaking, your car can be parked in the paid lot or in the free lot, unless there are special restrictions on the car (Group Policy can restrict a computer to logging on with a domain account only). If your computer is logged on with only a local account, you cannot use Windows authentication when you want to access SQL Server on another computer, but you can still use SQL Server authentication to log in with the SA account.
I. The domain test network
Next we deploy the domain on Windows Server 2012; later we will connect the domain's network as the management network and configure the network with the parameters shown. The figure configures two domain controllers so that they back each other up. Although since Windows Server 2003 there is no longer a distinction between primary and backup domain controllers, the operations master roles do objectively exist, so the roles of the domain controllers still differ somewhat, as described below.
[Figure: Domain network structure]
II. Configuring the domain controller
Installing a domain controller (DC) on Windows Server is simple, but there are a few things to check before installing: whether the logon account has local administrator rights, whether the operating system is supported, whether TCP/IP is configured correctly, whether the disk has an NTFS partition with enough space to hold the Active Directory database, whether a DNS server is available, and so on. It is also best to change the computer name and restart beforehand, to avoid the hassle of renaming a domain controller after installation is complete.
Windows Server 2008 and later can install Active Directory Domain Services (AD DS) as a role and then promote the server to a domain controller. In Windows Server 2008 you can also run the dcpromo command directly from the Run dialog to install AD DS and promote the server to a domain controller in one go. However, dcpromo is no longer supported in Windows Server 2012: after installing the AD DS role, you will find a link to promote the server to a domain controller in the notification flag at the top of Server Manager.
The steps for installing a domain controller are not repeated here, as many pages on the web describe them in detail, but there are a few things you need to understand about domain configuration:
1. Forest, domain tree, domain, and child domain
These terms already describe the relationships between them quite visually, but note that the first domain we establish is the root domain, where the first domain tree and the first forest are also established, so that first root domain is both the forest root domain and a tree root domain. When a new domain is later created on the network, creating a new forest is one of the options, so be careful not to choose the wrong one when configuring the domain controller. The root domain is just a domain with a special status: there is only one forest root domain, but there can be more than one tree root domain. A root domain and the child domains sharing its namespace form a domain tree, and domain trees with different namespaces form a forest. The name of a domain tree is the name of its first domain, and the name of the forest is the name of the first domain tree, that is, of the first domain. The choice of domain name is therefore very important; renaming a domain after it is established is feasible, but it carries considerable risk.
For example, we established two forests according to the rules in the article Assigning the Forest Root Domain Name. If your organization has two registered domain names, one can be used for the external Internet, such as your organization's home page, and the other can be used as the name of the internal network's forest (that is, the name of the first domain), giving a forest like x.com on the left of the figure. If you have only one registered domain name, you can create a second-level domain name for the internal network as the forest, to separate internal from external, giving a forest like cloud.z.com on the right. Using a registered domain name makes it easier to establish trusts between forests, but in a test you can use any name that conforms to the domain naming rules; our lab environment will use cloud.z.com as the forest name.
[Figure: Forest, domain tree, and subdomain]
2. DNS servers, global catalog servers (GC), and read-only domain controllers (RODC)
Several options are encountered when configuring the domain controller: DNS server, global catalog server (GC), and read-only domain controller (RODC).
- A DNS server is a domain name server. DNS is required for resolving the names of computers, clusters and so on in a domain, so a domain must have DNS service available. If the DNS server option is ticked while configuring the domain controller, the local machine is configured as a DNS server (the configuration program detects the existing DNS infrastructure to decide whether the DNS option is ticked by default).
- A global catalog server (GC) can be understood as a read-only global cache in the forest: it stores all attributes of all objects in its own domain and a subset of the attributes of all objects in the other domains. The global catalog lets users search directory information across all domains in the forest, regardless of where the data is stored, at the highest speed and with the lowest network traffic. If you tick the global catalog option during configuration, this domain controller also becomes a global catalog server.
- Read-only domain controller (RODC). A read-only domain controller is a new type of domain controller introduced in Windows Server 2008. With an RODC, organizations can easily deploy domain controllers in locations where physical security cannot be guaranteed. The RODC hosts a read-only partition of the Active Directory Domain Services (AD DS) database. "Insufficient physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in a location that requires fast, reliable authentication services but cannot ensure the physical security of a writable domain controller."
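As an added example (not code from the original post), here is the same deployment driven from PowerShell on Windows Server 2012, with the DNS, GC and RODC choices and the database, log and SYSVOL paths passed as parameters. The host names, DC01's address 192.168.10.11 and the interface alias 'Ethernet' are assumptions.

```powershell
# Added example, not code from the original post: promote DC01 to the first DC of
# the lab forest cloud.z.com, then add DC02 as a second writable DC and GC.
# Host names, the IP of DC01 and the interface alias are assumptions.
Import-Module ADDSDeployment

# ----- on DC01 (already renamed with Rename-Computer and rebooted) -----
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password is read interactively rather than stored in the script.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$forest = @{
    DomainName                    = 'cloud.z.com'       # forest root = tree root = root domain
    DomainNetbiosName             = 'CLOUD'
    ForestMode                    = 'Win2012'           # cannot be lowered later
    DomainMode                    = 'Win2012'           # never lower than the forest level
    InstallDns                    = $true               # same as ticking "DNS server"
    DatabasePath                  = 'C:\Windows\NTDS'   # ntds.dit, edb.chk, edb*.log
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL' # must be on an NTFS volume
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true               # no interactive confirmation
}
# Dry run: checks admin rights, OS support, disk space and DNS without changing anything.
$check = Test-ADDSForestInstallation @forest
if ($check.Status -ne 'Success') { $check.Message; throw 'prerequisite check failed' }
Install-ADDSForest @forest        # reboots DC01 when done

# ----- on DC02 (renamed, rebooted, DNS client pointing at DC01) -----
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.10.11'
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$dc02 = @{
    DomainName                    = 'cloud.z.com'
    Credential                    = (Get-Credential -UserName 'CLOUD\Administrator' -Message 'Domain admin')
    InstallDns                    = $true
    NoGlobalCatalog               = $false  # DC02 becomes a GC as well, matching DC01
    ReadOnlyReplica               = $false  # $true would build an RODC for a site without physical security
    SiteName                      = 'Default-First-Site-Name'
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = (Read-Host -AsSecureString -Prompt 'DSRM password for DC02')
    Force                         = $true
}
Install-ADDSDomainController @dc02
```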
3. AD database, log files, and SYSVOL folder
Active Directory uses a file-based database whose engine is the Extensible Storage Engine (ESE), developed from Jet and also known as Jet Blue. Jet Blue was originally planned as an upgrade of the Jet Red engine used by Access, but instead it is used in other Microsoft products such as AD, WINS and Exchange Server. ESE can scale to 16 TB and accommodate one billion objects. By default, all of the database's files are in the %systemroot%\ntds\ folder, mainly:
- Ntds.dit: the database file. If you are interested, see Viewing the Active Directory Database File NTDS.DIT to learn more.
- Edb.chk: the checkpoint file. For additions, deletions and modifications to the database, the checkpoint file records which transactions have completed before the update is committed to the database; once a transaction completes, the update is committed from the log file into the database.
- Edb.log and Edbxxxxx.log: the log files. Each log file is 10 MB; when Edb.log is full it is renamed Edbxxxxx.log with an increasing number in the filename. Additions, deletions and modifications to the database are first written to the log file as transactions.
- Edbresxxxxx.jrs: reserved log files. They reserve disk space for the log and are used only when there is not enough disk space for the log files.
- Edbtmp.log: temporary log file. When the current Edb.log is full, Edbtmp.log is created to continue logging; the current Edb.log is then renamed Edbxxxxx.log and Edbtmp.log is renamed Edb.log.
Active Directory uses the SYSVOL folder (which must be on an NTFS partition) to share common files between DCs, including logon scripts and Group Policy files. For details, see Sysvol and Netlogon Share Importance in Active Directory.
4. FSMO operations master roles
Active Directory has two modes for replicating data between multiple domain controllers (DCs): single-master replication (single-master model) and multi-master replication (multi-master model).
Multi-master replication is used for data replication between DCs: data can be updated on any DC and then replicated to the other DCs, and conflicts are resolved by some algorithm (for example, the last write wins). Multi-master replication achieves load balancing and high availability between DCs. However, for some data multi-master replication would cause conflicts that are hard to resolve or too costly to resolve, so for that data Active Directory uses single-master replication, in which only one DC is allowed to update the data, which is then replicated to the other DCs. This data is handled by five operations master roles, which can be assigned to different DCs in the forest and are also known as flexible single master operation (FSMO) roles:
Forest level (only one DC in the forest holds the role):
- Schema master: the schema is the definition of all objects and attributes in the forest, and only the domain controller (DC) holding the schema master role is allowed to update the schema. Schema updates are replicated from the schema master to the other domain controllers in the forest. There can be only one schema master in the entire forest.
- Domain naming master: the domain controller holding the domain naming master role is allowed to add and remove domains in the forest, and to add and remove external references to domains. There can be only one domain naming master in the entire forest.
Domain level (only one DC in the domain holds the role):
- PDC emulator: since Windows 2000, domain controllers no longer distinguish between the PDC (primary domain controller) and BDC (backup domain controller). However, for compatibility with legacy systems and to implement some functions that used to live on the PDC, the PDC emulator is needed. These include immediate password updates, time synchronization within the domain, and compatibility with legacy systems such as NT4 and Windows 98.
- RID master: in Windows, the unique identity of a security principal (such as a user or group) depends on its SID; users with different usernames but the same SID are still treated as the same user by Windows. A SID consists of the domain SID (the same within a domain) and a RID. The RID master is responsible for generating unique RIDs for security principals: to avoid duplicate SIDs, which would create a security problem, RIDs are allocated uniformly from RID pools issued by the RID master.
- Infrastructure master: the infrastructure master is responsible for updating cross-domain object references, ensuring consistency of all objects referenced across domains. In Active Directory, a user may be moved from one OU to another, which changes the user's DN, and references to that user from other domains must then be updated; this is done by the infrastructure master. If the infrastructure master is on the same DC as a GC, it will not update any objects, because the GC already holds copies of all objects and attributes. Therefore, in multi-domain scenarios it is recommended not to make the infrastructure master a GC.
5. Functional level
When you create a new forest in Active Directory, you need to determine the functional level of the forest and the domain. The functional level determines the features available in Active Directory Domain Services (AD DS) and which Windows Server operating systems the forest and domain support as domain controllers. As Windows Server has evolved, Active Directory has improved along with it, forming different functional levels; a higher functional level provides more features. The current functional levels include Windows 2000 native, Windows Server 2003, Windows Server 2008, Windows Server 2012, and so on.
On Windows Server 2008 you can set the forest and domain functional level to Windows Server 2003, and a server running Windows Server 2003 can then join as a domain controller. However, if the forest and domain functional level is set to Windows Server 2008, a server running Windows Server 2003 cannot join as a domain controller, but a server running Windows Server 2012 can.
In addition, the functional level cannot be lowered, and the domain functional level cannot be lower than the forest functional level.
6. Domain trusts
A domain trust is a relationship established between domains so that users in one domain can be authenticated by a domain controller in another domain. Establishing a trust only makes cross-domain access to resources possible; the user must also be authorized on the resource before cross-domain access is actually achieved.
Domain trusts are divided into one-way and two-way: one-way means I trust you but you do not trust me, or vice versa; two-way means mutual trust. In addition, domain trusts can be configured as transitive, meaning that I also trust whoever you trust (a third party); transitive trust removes the chore of configuring trust relationships one by one in a complex domain environment.
Parent and child domains in the same forest have a two-way transitive trust by default, and there is a two-way transitive trust between domain trees by default (tree-root trust). A shortcut trust can be established between domains in two different domain trees to speed up authentication. Forest trusts can be established between different forests.
Trusts can also be established with other directory systems that authenticate with Kerberos, and external trusts can be established with older NT4 systems.
[Figure: Forest, domain tree, subdomain and trusts]
7. Sites
In theory, a Windows domain is independent of the physical network topology: the domain controllers in a domain can be in the same subnet or in different subnets, and in the same physical location or in different ones, as long as they can communicate with each other. However, communication between domain controllers and between computers in a domain is ultimately constrained by the physical network topology; replication between domain controllers and account validation, for example, are closely tied to physical location.
A site can be seen as a set of computers in a domain connected by a high-speed network. Placing domain controllers and computers in different sites according to physical location improves the efficiency of replication and account validation between domain controllers in the domain. For example, suppose a domain has domain controllers A and B in the Beijing site and C and D in the Shanghai site. If replication proceeds in the order B, C, D, A, it is inefficient; in the order A, B, C, D, domain controllers within the same site replicate with each other, and the link between the sites only needs to be crossed once.
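The Beijing/Shanghai example above, modelled as Active Directory sites from PowerShell. This is an added example, not the post's own code; the site names, subnets, DC names and the site-link cost and interval are assumptions.

```powershell
# Added example, not from the original post: put DCs A,B in a Beijing site and C,D
# in a Shanghai site so intra-site replication stays local and the WAN link is
# crossed once. Site names, subnets, DC names and link settings are assumptions.
Import-Module ActiveDirectory

$sites = @{
    'Beijing'  = @{ Subnet = '10.1.0.0/16'; DCs = @('DCA', 'DCB') }
    'Shanghai' = @{ Subnet = '10.2.0.0/16'; DCs = @('DCC', 'DCD') }
}

foreach ($name in $sites.Keys) {
    # Site objects live under CN=Sites,CN=Configuration; they are forest-wide.
    if (-not (Get-ADReplicationSite -Identity $name -ErrorAction SilentlyContinue)) {
        New-ADReplicationSite -Name $name
    }
    # The subnet-to-site mapping is what lets a client find a DC in its own site.
    New-ADReplicationSubnet -Name $sites[$name].Subnet -Site $name
    # Move the DCs out of Default-First-Site-Name; the KCC rebuilds intra-site topology.
    foreach ($dc in $sites[$name].DCs) {
        Move-ADDirectoryServer -Identity $dc -Site $name
    }
}

# One inter-site link: replication between the sites goes over this link through
# bridgehead servers instead of every DC replicating with every other DC across the WAN.
New-ADReplicationSiteLink -Name 'Beijing-Shanghai' `
    -SitesIncluded 'Beijing', 'Shanghai' `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15 `
    -InterSiteTransportProtocol IP

# Verify placement and the resulting replication connections.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog | Format-Table -AutoSize
Get-ADReplicationConnection -Filter * |
    Select-Object ReplicateFromDirectoryServer, ReplicateToDirectoryServer | Format-Table -AutoSize
```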
III. Testing and maintaining the domain
1. Modifying the domain controller's computer name
A domain controller's computer name cannot simply be changed from Computer Properties; intra-domain name resolution is involved, and an improper change can cause the domain controller to become unreachable. It is recommended to change the computer name and restart before promoting the machine to a domain controller. If you really do need to rename a domain controller, use the netdom command. At the PowerShell command prompt:
```powershell
# Show all computer names (primary and alternate) of a DC
netdom computername dc02.cloud.z.com /enumerate
# Renaming is add -> makeprimary (reboot) -> remove the old name; dc02new is a placeholder new name
netdom computername dc02.cloud.z.com /add:dc02new.cloud.z.com
netdom computername dc02.cloud.z.com /makeprimary:dc02new.cloud.z.com
netdom computername dc02new.cloud.z.com /remove:dc02.cloud.z.com
```
2. Migrating FSMO roles
The previous section described the five FSMO roles in AD. We need to consider migrating FSMO roles in order to distribute these roles sensibly across multiple DCs in the domain, or when migrating a DC. There are two ways to transfer FSMO roles; the first is through the GUI:
In Windows Server 2012, open Active Directory Users and Computers from the Tools menu of Server Manager. It connects to the domain by default; right-click the domain name and choose Operations Masters, where you can transfer the RID, PDC and infrastructure masters.
In Active Directory Domains and Trusts, right-click and choose Operations Master, where you can transfer the domain naming master.
In Active Directory Schema, right-click and choose Operations Master, where you can transfer the schema master. However, Active Directory Schema does not appear in Server Manager; we first need to run regsvr32 schmmgmt.dll, then add the Active Directory Schema snap-in through the File menu of the MMC console, and manage it from there.
The second way is to use the ntdsutil command; you can enter "?" at any prompt to get help. Transferring all roles from DC01 to DC03:
```text
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server dc03.cloud.z.com
server connections: quit
fsmo maintenance: transfer schema master
fsmo maintenance: transfer naming master
fsmo maintenance: transfer infrastructure master
fsmo maintenance: transfer pdc
fsmo maintenance: transfer rid master
fsmo maintenance: quit
ntdsutil: quit
```
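An added example (not from the original post) that performs the same DC01 to DC03 FSMO transfer with the ActiveDirectory module instead of ntdsutil, and also checks the infrastructure-master/GC caveat from section 4 before and after. The DC names are the post's lab names.

```powershell
# Added example, not from the original post: list FSMO holders, check the
# infrastructure master / GC caveat, and transfer all five roles to DC03.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide role
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide role
        PDCEmulator          = $domain.PDCEmulator           # per-domain role
        RIDMaster            = $domain.RIDMaster             # per-domain role
        InfrastructureMaster = $domain.InfrastructureMaster  # per-domain role
    }
}

function Test-InfrastructureMasterNotGc {
    # In a multi-domain forest the infrastructure master must not be a GC, otherwise
    # it never updates cross-domain references (the GC already holds every object).
    $holder = (Get-FsmoHolders).InfrastructureMaster
    $dc     = Get-ADDomainController -Identity $holder
    $multi  = (Get-ADForest).Domains.Count -gt 1
    if ($multi -and $dc.IsGlobalCatalog) {
        Write-Warning "$($dc.HostName) holds the infrastructure master and is also a GC"
        return $false
    }
    return $true
}

'Before transfer:'; Get-FsmoHolders | Format-List

# Graceful transfer: the current holder must be online and reachable. Adding -Force
# would seize the roles instead, which is only for a holder that is gone for good.
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity 'DC03' -OperationMasterRole $roles -Confirm:$false

'After transfer:'; Get-FsmoHolders | Format-List
Test-InfrastructureMasterNotGc | Out-Null
```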
3. Cleaning up AD metadata
After a DC is demoted, if its information remains in AD it must be cleared manually, using the ntdsutil command. The numbers after select are the indexes printed by the preceding list command:
```text
# Remove the metadata of the DC that needs to be deleted
C:\> ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server dc03.cloud.z.com
server connections: quit
metadata cleanup: select operation target
select operation target: list sites
select operation target: select site 0
select operation target: list domains
select operation target: select domain 0
select operation target: list servers for domain in site
# Select the DC that needs to be deleted
select operation target: select server 0
select operation target: quit
metadata cleanup: remove selected server
metadata cleanup: quit
ntdsutil: quit
```
4. Migrating a domain controller
Migrating a domain controller from DC01 to DC03 mainly consists of the following steps:
- Promote DC03 to a domain controller (before WS2012, with the dcpromo command), with the same global catalog and DNS server choices as DC01.
- If DC01 is a DNS server, point DC03's network DNS server address at DC01 and wait for the DNS data to synchronize between DC03 and DC01.
- On DC01, transfer the FSMO roles to DC03.
- Demote DC01 (before WS2012, with dcpromo /forceremoval); in Server Manager, removing the AD DS role prompts you to demote the domain controller.
- Clean up the DNS records, and use ntdsutil to clean up DC01's AD metadata.
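An added example, not from the original post, covering the DNS-related steps of this migration (steps 2 and 5) from PowerShell on DC03. The interface alias 'Ethernet' and DC01's address 192.168.10.11 are assumptions; the DC names are the post's.

```powershell
# Added example, not from the original post: the DNS side of migrating DC01 -> DC03.
# Run on DC03 after it has been promoted. The interface alias and DC01's IP are assumptions.
Import-Module DnsServer

$oldDc = 'dc01.cloud.z.com'
$newDc = 'dc03.cloud.z.com'
$zones = @('cloud.z.com', '_msdcs.cloud.z.com')   # DC locator records live under _msdcs

# Step 2: resolve through DC01 until the AD-integrated zones have replicated to DC03.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.10.11'

function Wait-ZonesReplicated {
    param([string[]]$Zones, [int]$TimeoutSec = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $have = @($Zones | Where-Object { Get-DnsServerZone -Name $_ -ErrorAction SilentlyContinue })
        if ($have.Count -eq $Zones.Count) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    return $false
}
if (-not (Wait-ZonesReplicated -Zones $zones)) { throw "zones not replicated to $newDc" }

# DC03 must advertise itself as a DC (SRV record) before DC01 is retired.
$srv = Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.cloud.z.com' -Type SRV -Server $newDc
if ($srv.NameTarget -notcontains $newDc) { throw "$newDc is not registered as a DC in DNS" }

# DC03 is authoritative now, so it can resolve against itself once DC01 goes away.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '127.0.0.1'

# Steps 3 and 4 run on DC01: Move-ADDirectoryServerOperationMasterRole to DC03, then
# Uninstall-ADDSDomainController -DemoteOperationMasterRole (its -ForceRemoval switch is
# the dcpromo /forceremoval equivalent). A clean demotion removes DC01's own records.

# Step 5: records that still name the retired DC; list them, review, then delete.
function Get-StaleDcRecords {
    param([string]$Zone, [string]$DcFqdn)
    $fqdn = "$DcFqdn."   # DNS record data is stored with a trailing dot
    Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $newDc | Where-Object {
        ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -eq $fqdn) -or
        ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -eq $fqdn) -or
        ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -eq $fqdn)
    }
}
foreach ($zone in $zones) {
    $stale = @(Get-StaleDcRecords -Zone $zone -DcFqdn $oldDc)
    $stale | Format-Table HostName, RecordType -AutoSize
    $stale | Remove-DnsServerResourceRecord -ZoneName $zone -ComputerName $newDc -Force
}
```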
5. Other maintenance tools
Ntdsutil.exe. Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use ntdsutil to perform AD DS database maintenance, manage and control FSMO roles, and remove metadata for domain controllers that were not properly uninstalled.
Netdom.exe.
Dcdiag.exe.
Adsiedit.msc. ADSI Edit is used to edit a single object or a small number of objects in Active Directory. In WS2012 Server Manager, it can be found in the right-click menu of the AD DS server.
Ldp.exe. Ldp.exe is used for managing Active Directory Lightweight Directory Services (AD LDS).
Replmon.exe.
Repadmin.exe.
Windows Server 2012 Virtualization Combat: Domain