Windows Server 2012 Virtualization test: Domain

Source: Internet
Author: User
Tags: domain name server to domain



In Windows Server, some services must be built in a domain environment, not only for unified authentication and resource sharing but also for network security. To build a virtualization test lab we therefore need a domain environment first, so let us get to know the domain before going further.



In a workgroup, computers are relatively independent: a workgroup is only one way of categorizing computers on a network, and membership has little effect on access to network resources. A workgroup is like a public car park with free access: you can park in zone A or zone B, and if you park in zone A you form only a loose association with the other cars in zone A.



A Windows domain, by contrast, is tightly organized: computers are joined to the domain and users log on with a domain account in order to access shared resources. At least one domain controller (DC) in the domain is responsible for authenticating computers and users. A domain is like a private car park that requires a card swipe to get in and out (there can be more than one gate), but once you are verified you can use the shared facilities inside, and even other cars. For example, once you log on to your computer with a domain account that has administrator privileges, you can use that same domain account to log on to SQL Server on other computers in the domain (Windows authentication) and no longer need the SQL Server SA account. Of course, joining a computer to a domain does not mean it can only be used in the domain: if you log on with a local account instead of a domain account, the computer behaves no differently from a workgroup computer. Your car can be parked in the private car park or in the public one, unless there are special restrictions on it. When you are logged on with only a local account you cannot use Windows authentication to reach SQL Server on another computer, but you can still use SQL Server authentication and log in with the SA account.



I. The domain test network



Next we deploy the domain on Windows Server. For later needs, the domain's network is used as the Management Network, and its network parameters (addresses, subnet mask, gateway and DNS servers) are fixed in advance, since a domain controller needs a static address.









II. Configure the domain controller



Installing a domain controller (DC) on Windows Server is simple, but before you install you should confirm that the logon account has local administrator rights, that the operating system edition supports the role, that TCP/IP is configured correctly (a static address and a DNS server that can resolve the domain), that the disk has an NTFS partition with enough space for the Active Directory database, and so on. It is also best to set the final computer name and restart before promotion, to avoid the hassle of renaming a domain controller after installation.



Windows Server 2008 and later install Active Directory Domain Services (AD DS) as a server role and then promote the server to a domain controller. In Windows Server 2008 you can also run the dcpromo command from the Run box to install AD DS and promote in one step. In Windows Server 2012, however, dcpromo is deprecated: after adding the AD DS role, click the notification flag at the top of Server Manager and follow the link "Promote this server to a domain controller". The same work can be scripted with the ADDSDeployment PowerShell module that is installed with the role.
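As an added example (not code from the original article), here is the same promotion done with the ADDSDeployment module instead of the Server Manager wizard, for the lab forest cloud.z.com used later in this article. The computer name DC01, the NetBIOS name CLOUD, the default file paths and the prompted DSRM password are assumptions; run it in an elevated PowerShell session on the server that is to become the first domain controller:

```powershell
# Added example, not from the original article: build the first DC of the lab forest
# cloud.z.com with the ADDSDeployment module that replaced dcpromo in Windows Server 2012.
# Assumptions: the final host name is DC01, the NetBIOS domain name is CLOUD, the default
# NTDS/SYSVOL paths are used, and the DSRM password is typed at the prompt.

# 1. Rename before promotion; renaming a DC afterwards is painful (see section III.1).
if ($env:COMPUTERNAME -ne 'DC01') {
    Rename-Computer -NewName 'DC01' -Restart   # reboots; re-run the script afterwards
}

# 2. Install the role plus its management tools (AD PowerShell module, ADAC, DNS tools).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. Same settings the wizard asks for. The first DC must also host DNS for the zone,
#    and SYSVOL must be on NTFS.
$dsrm   = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) administrator password'
$params = @{
    DomainName                    = 'cloud.z.com'
    DomainNetbiosName             = 'CLOUD'
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $false     # there is no parent zone z.com in the lab
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true      # suppress the confirmation prompt
}

# 4. Prerequisite check: the validation the wizard runs, without changing anything.
$check = Test-ADDSForestInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; fix the issues above before promoting.'
}

# 5. Promote. The server reboots as the first DC of the new forest when this finishes.
Install-ADDSForest @params
```

The splatted parameter set is the one the wizard shows on its review page ("View script"), so the same hashtable can be kept as the documentation of how the lab DC was built.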



The installation steps are not repeated here, since many pages on the Internet describe them in detail, but some of the terms that appear during domain configuration need to be understood:



1. Forest, domain tree, domain, and child domain



These names describe their relationship quite vividly, but a little explanation helps. The first domain we create is the root domain, and creating it also creates the first domain tree and the first forest, so this root domain is both the forest root domain and the tree root domain. A root domain is an ordinary domain with special status: there is exactly one forest root domain, but a forest can contain several tree root domains. A root domain and the child domains that share its namespace form a domain tree, and domain trees with different namespaces together form a forest. The domain tree takes the name of its first domain, and the forest takes the name of its first domain tree, which is again the first domain, so the choice of that first name is important.



For example, the two forests in the original figure are built following the guidance in the "Assigning the Forest Root Domain Name" article. If your organization owns two public domain names, one can serve the external Internet (for example the organization's home page) and the other can name the internal network's forest (that is, the first domain), giving a forest like x.com on the left. If you own only one public domain name, you can separate internal from external by creating a second-level name for the internal network and using it as the forest name, giving a forest like cloud.z.com on the right. Using a registered public name makes later trusts between forests easier, but in a test you may use any name that follows the DNS naming rules; our lab environment will use cloud.z.com as the forest name.






2. DNS servers, global catalog servers (GC), and read-only domain controllers (RODC)



When you configure a domain controller you are asked to choose among these options: DNS server, global catalog (GC), and read-only domain controller (RODC).


    • DNS server. A domain needs DNS to resolve the names of computers, clusters and the domain's own service records, so a domain must provide a DNS service. If "DNS server" is ticked during configuration, this machine is also configured as a DNS server (the wizard inspects the current DNS infrastructure to decide whether the box is ticked by default).
    • Global catalog (GC). A global catalog server can be thought of as a forest-wide read-only cache: it holds a full copy of every object in its own domain plus a partial copy (a subset of attributes) of every object in every other domain of the forest. The global catalog lets users search directory information across all domains in the forest, regardless of where the data is stored, at maximum speed and with the least network traffic. If "Global catalog" is ticked during configuration, this domain controller also becomes a global catalog server.
    • Read-only domain controller (RODC). An RODC is a type of domain controller introduced with Windows Server 2008. With an RODC, an organization can deploy a domain controller in a location where physical security cannot be guaranteed: the RODC hosts read-only partitions of the AD DS database and, by default, caches no account passwords. Insufficient physical security is the most common reason to consider an RODC; it offers a more secure way to place a domain controller in a location that needs fast, reliable authentication but cannot ensure the physical security of a writable domain controller.


3. AD database, log files, and the SYSVOL folder



Active Directory uses a file-based database whose engine is the Extensible Storage Engine (ESE), a member of the Jet family also known as Jet Blue. Jet Blue was originally planned as an upgrade to Jet Red, the engine used by Microsoft Access, but it was never used in that role and instead became the engine of other Microsoft products such as AD, WINS and Exchange Server. ESE can scale to a 16 TB database holding on the order of a billion objects. By default all database files live in the %systemroot%\NTDS\ folder, mainly:


    • Ntds.dit: the database file itself. It contains every domain account, including its credential material, which is why the folder and any backup of it must be protected (see the article "Active Directory database file NTDS.DIT" for details).
    • Edb.chk: the checkpoint file. Changes are written to the log files first; the checkpoint records how far the log has already been committed to the database, so after a crash only the transactions after the checkpoint need to be replayed.
    • Edb.log and Edbxxxxx.log: transaction log files, each 10 MB. Every add, modify and delete is written to the log before it reaches the database; when Edb.log fills up it is renamed Edbxxxxx.log with an increasing number.
    • Edbresxxxxx.jrs: reserved log files. They pre-allocate disk space and are used only when the disk no longer has room for a new log file, so that the engine can still shut down cleanly.
    • Edbtmp.log: the temporary log file. When the current Edb.log is full, Edbtmp.log is created to continue logging; the current Edb.log is renamed Edbxxxxx.log and Edbtmp.log is renamed Edb.log.


Active Directory uses the SYSVOL folder (which must be on an NTFS partition) to share common files between DCs, including logon scripts and Group Policy templates. For details see the article "SYSVOL and NETLOGON share importance in Active Directory".
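As an added example (not from the original article), the following script locates the database, the log files and SYSVOL on a domain controller by reading the paths from the registry instead of assuming the defaults, lists the ESE file set described above, and checks the NTFS, permission and share requirements. Run it locally on a DC as an administrator; the registry value names are the standard ones, and "only SYSTEM and Administrators" is the default ACL it expects:

```powershell
# Added example, not from the original article: find and inspect the AD DS database,
# its ESE log files and SYSVOL on a DC. Run locally on a DC in an elevated session.
# Paths are read from the registry, so non-default layouts are handled too.
$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$dbFile   = $ntds.'DSA Database file'          # default C:\Windows\NTDS\ntds.dit
$logDir   = $ntds.'Database log files path'    # default C:\Windows\NTDS
$sysvol   = $netlogon.SysVol                   # default C:\Windows\SYSVOL\sysvol
$dbDir    = Split-Path $dbFile

'Database : {0}' -f $dbFile
'Logs     : {0}' -f $logDir
'SYSVOL   : {0}' -f $sysvol

# The ESE file set: ntds.dit, edb.chk, edb.log / edbNNNNN.log / edbtmp.log, edbresNNNNN.jrs.
# Sort -Unique collapses duplicates when database and logs share a folder (the default).
Get-ChildItem -Path $dbDir, $logDir -File |
    Where-Object { $_.Name -match '^(ntds\.dit|edb\.chk|edb.*\.log|edbres\d+\.jrs)$' } |
    Sort-Object FullName -Unique |
    Select-Object Name, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime

# Both locations must be on NTFS: SYSVOL requires it, and the database relies on NTFS ACLs.
Get-Volume -DriveLetter $dbDir[0], $sysvol[0] |
    Select-Object DriveLetter, FileSystem, @{ n = 'FreeGB'; e = { [math]::Round($_.SizeRemaining / 1GB, 1) } }

# Who can read the database folder? Only SYSTEM and Administrators should appear:
# ntds.dit holds the credential material of every account in the domain.
(Get-Acl $dbDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# SYSVOL and NETLOGON must be shared from every DC (policies and logon scripts).
Get-SmbShare -Name SYSVOL, NETLOGON | Select-Object Name, Path
```

The same registry values are what Ntdsutil's "files" menu reads, so if the database has been moved with `ntdsutil files move db to ...` the script follows it automatically.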



4. FSMO operations master roles



Active Directory has two modes of replicating data between domain controllers (DCs): single-master replication and multi-master replication.



In multi-master replication, data can be updated on any DC and is then replicated to the others, with conflicts resolved by an algorithm (essentially, the last write wins). Multi-master replication gives load balancing and high availability between DCs. For some data, however, multi-master updates would cause conflicts that are hard or too costly to resolve, so Active Directory uses single-master replication for it: only one DC may update that data, and the change is then replicated to the others. This work is carried out by five operations master roles, which can be assigned to different DCs in the forest and are also known as Flexible Single Master Operations (FSMO) roles:



Forest level (only one DC in the forest holds each role):


    • Schema master: the schema defines all object classes and attributes in the forest, and only the DC holding the schema master role may update it. Schema updates are replicated from the schema master to every other DC in the forest. There is only one schema master per forest.
    • Domain naming master: only the DC holding this role may add domains to or remove domains from the forest, and add or remove cross-references to external directories. There is only one domain naming master per forest.


Domain level (only one DC in each domain holds each role):


    • PDC emulator: since Windows 2000, domain controllers are no longer divided into a primary domain controller (PDC) and backup domain controllers (BDCs). For compatibility with legacy systems, and to carry out the functions that used to sit on the PDC, one DC plays the PDC emulator role: it receives password changes from the other DCs immediately and is consulted first when a logon fails with a bad password, it is the authoritative time source of the domain, and it serves legacy clients such as NT4 and Windows 98.
    • RID master: in Windows, a security principal (user, group, computer) is identified by its SID, not by its name; two accounts with different user names but the same SID are treated by Windows as the same principal. A SID is made up of the domain SID (shared by everything in the domain) and a relative identifier (RID). To prevent two DCs from ever issuing the same SID, which would be a security problem, RIDs are handed out from pools that the RID master allocates to each DC.
    • Infrastructure master: this role updates cross-domain object references so that they stay consistent between domains. For example, when a user is moved from one OU to another, the user's distinguished name (DN) changes, and references to that user held in other domains (such as group memberships) have to be updated; the infrastructure master does this. If the infrastructure master runs on a DC that is also a global catalog, it never updates anything, because the GC already holds a copy of every object and the role has nothing to compare against. In a multi-domain forest, therefore, do not place the infrastructure master on a GC unless every DC in the domain is a GC.


5. Functional level



When you create a new forest you must decide the functional level of the forest and of the domain. The functional level determines which AD DS features are available and which Windows Server versions can act as domain controllers in the forest and domain. Each Windows Server release has improved Active Directory, so several functional levels exist, a higher level providing more features: Windows 2000 native, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and so on.



On a Windows Server 2008 DC you can set the forest and domain functional level to Windows Server 2003, and a server running Windows Server 2003 can then still be promoted as a domain controller. If the forest and domain functional level is set to Windows Server 2008, a Windows Server 2003 server can no longer become a domain controller, but a server running Windows Server 2012 can.



In addition, raising a functional level is effectively a one-way operation (rolling back is possible only in narrow cases on Windows Server 2008 R2 and later, and not once features such as the AD Recycle Bin have been enabled), and the domain functional level can never be lower than the forest functional level.
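Covering both the FSMO section (4) and this section (5), the following added example (not from the original article) reads the five role holders and the functional levels of the lab forest cloud.z.com with the RSAT ActiveDirectory module, checks the "infrastructure master on a GC" placement rule, and shows the commands that raise the levels. The forest name and the assumption that the account can read AD are mine; the raise commands are left commented out because they cannot be undone:

```powershell
# Added example, not from the original article: inspect FSMO placement and functional
# levels of the lab forest cloud.z.com from any host with the RSAT ActiveDirectory module.
# Assumptions: forest and domain are both cloud.z.com; the account can read AD.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'cloud.z.com'
$domain = Get-ADDomain -Identity 'cloud.z.com'

# Forest-level roles: exactly one holder per forest. Domain-level roles: one per domain.
$fsmo = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Placement rule from the FSMO section: in a multi-domain forest the infrastructure master
# does nothing useful on a GC unless every DC in the domain is a GC.
$allDCs = @(Get-ADDomainController -Filter * -Server $domain.PDCEmulator)
$gcDCs  = @($allDCs | Where-Object { $_.IsGlobalCatalog })
$im     = Get-ADDomainController -Identity $domain.InfrastructureMaster
if ($forest.Domains.Count -gt 1 -and $im.IsGlobalCatalog -and $gcDCs.Count -lt $allDCs.Count) {
    $msg = 'Infrastructure master {0} is a GC while {1} of {2} DCs are not; move the role to a non-GC DC.'
    Write-Warning ($msg -f $im.HostName, ($allDCs.Count - $gcDCs.Count), $allDCs.Count)
}

# Functional levels: the domain level can never be below the forest level, and raising
# either is effectively one-way, so look at what the DCs run before touching them.
'Forest functional level : {0}' -f $forest.ForestMode
'Domain functional level : {0}' -f $domain.DomainMode
$allDCs | Select-Object HostName, OperatingSystem, IsGlobalCatalog, IsReadOnly, Site |
    Format-Table -AutoSize

# Raise both levels to Windows Server 2012. Uncomment only once every DC runs 2012 or
# later; the domain is raised before the forest, and there is no way back afterwards.
# Set-ADDomainMode -Identity $domain -DomainMode Windows2012Domain -Confirm:$false
# Set-ADForestMode -Identity $forest -ForestMode Windows2012Forest -Confirm:$false
```

`netdom query fsmo` prints the same five holders from the command line and is handy on a DC without the PowerShell module.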



III. Testing and maintaining the domain



1. Rename a domain controller



A domain controller cannot simply be renamed from the computer properties dialog: name resolution inside the domain depends on the DC's names, and a careless rename can leave the domain controller unreachable. It is recommended to set the computer name and restart before promoting the machine to a DC; if you really do need to rename an existing domain controller, use the netdom command. At a PowerShell command prompt:


# Show all computer names of a DC
netdom computername DC02.cloud.z.com /enumerate

# Rename: add the new name (<new-name> is a placeholder, the article gives none), make it primary, restart, then remove the old one
netdom computername DC02.cloud.z.com /add:<new-name>.cloud.z.com
netdom computername DC02.cloud.z.com /makeprimary:<new-name>.cloud.z.com
netdom computername <new-name>.cloud.z.com /remove:DC02.cloud.z.com

 


2. Migrating FSMO Roles



The previous section described the five FSMO roles in AD. You need to move FSMO roles when spreading them properly across several DCs in the domain, or when migrating a DC. There are two ways to transfer FSMO roles; the first is through the GUI:



In Windows Server 2012, open Active Directory Users and Computers from the Tools menu of Server Manager. It connects to the current domain by default; right-click the domain name and choose "Operations Masters", where you can transfer the RID, PDC and infrastructure masters.



In Active Directory Domains and Trusts, right-click the root node and choose "Operations Master", where you can transfer the domain naming master.



In the Active Directory Schema snap-in, right-click the root node and choose "Operations Master", where you can transfer the schema master. The Active Directory Schema snap-in does not appear in Server Manager: first register it with regsvr32 schmmgmt.dll, then add the "Active Directory Schema" snap-in from the File menu of an MMC console, and manage it from there.



The second way is the ntdsutil command; type "?" at any of its prompts to get help. Note that "transfer" needs the current holder online and cooperating; if the holder is gone for good, the corresponding "seize" commands take the role by force, and the old holder must then never be brought back online.


# Transfer the five roles from DC01 to DC03 (connect to the DC that is to receive them)
ntdsutil
roles
connections
connect to server DC03.cloud.z.com
quit
transfer schema master
transfer naming master
transfer infrastructure master
transfer pdc
transfer rid master
quit
quit


3. Clean up AD metadata



When a DC has been removed forcibly, or its demotion failed, its metadata remains in AD and must be cleared by hand with the ntdsutil command (a successful normal demotion cleans up after itself, and on Windows Server 2008 and later deleting the DC's computer object in Active Directory Users and Computers or its server object in Sites and Services runs the same cleanup):


# Remove the metadata of a DC that needs to be deleted (connect to a surviving DC)
ntdsutil
metadata cleanup
connections
connect to server DC03.cloud.z.com
quit
select operation target
list sites
select site 0
list domains
select domain 0
list servers for domain in site

# Select the DC that needs to be deleted by its number in the list

select server 0
quit
remove selected server
quit
quit


4. Migrating domain controllers



Migrating domain control from DC01 to DC03 consists mainly of the following steps:


    • Promote DC03 to a domain controller (before Windows Server 2012 this was the dcpromo command), choosing the same global catalog and DNS server options as DC01.
    • If DC01 is a DNS server, point DC03's DNS client setting at DC01 and wait for the DNS data to replicate between DC03 and DC01.
    • On DC01, transfer the FSMO roles to DC03.
    • Demote DC01 (before Windows Server 2012, dcpromo, or dcpromo /forceremoval if it can no longer contact the domain). In Windows Server 2012, removing the AD DS role in Server Manager prompts you to demote the domain controller first.
    • Clean up DC01's DNS records and, if the demotion was not clean, use ntdsutil to clean up DC01's AD metadata.
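The whole migration, covering both the role transfer of section 2 and the steps above, as an added example that is not from the original article. It uses the ADDSDeployment and ActiveDirectory PowerShell modules of Windows Server 2012 together with repadmin, netdom and dcdiag; each step is run on the host named in its comment. Assumed: the domain is cloud.z.com, DC01 (10.0.0.1) currently holds all five roles and DNS, DC03 (10.0.0.3) is a freshly installed member server in the default site, and its network adapter is called "Ethernet":

```powershell
# Added example, not from the original article: move the lab domain from DC01 to DC03.
# Assumptions: domain cloud.z.com; DC01 = 10.0.0.1 holds all FSMO roles and DNS;
# DC03 = 10.0.0.3 is a new member server; adapter name 'Ethernet'; $cred is a Domain Admin.
$cred = Get-Credential -Message 'Domain Admins account for cloud.z.com'

# --- Step 1, on DC03: point DNS at DC01 so the domain resolves, install the role and
#     promote with the same options as DC01 (GC + DNS). DC03 reboots at the end. ---
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.1'
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'cloud.z.com' -Credential $cred `
    -InstallDns:$true -NoGlobalCatalog:$false -SiteName 'Default-First-Site-Name' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# --- Step 2, on any DC after DC03 is back: do not move roles until replication is clean
#     and the AD-integrated DNS zone has arrived on DC03. ---
repadmin /replsummary
repadmin /showrepl DC03.cloud.z.com
Get-DnsServerZone -ComputerName 'DC03.cloud.z.com' -Name 'cloud.z.com'

# --- Step 3, on any DC: transfer all five roles to DC03. Without -Force this is a
#     'transfer' (DC01 must be online); -Force seizes, only for a holder that is gone. ---
Move-ADDirectoryServerOperationMasterRole -Identity 'DC03' -Credential $cred -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
netdom query fsmo      # every line should now name DC03.cloud.z.com

# --- Step 4, on DC03: stop depending on DC01 for name resolution before it goes away. ---
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.3', '127.0.0.1'

# --- Step 5, on DC01: graceful demotion removes DC01's own metadata and DNS records.
#     Use -ForceRemoval only if DC01 cannot reach the domain, then run the ntdsutil
#     metadata cleanup from section III.3 on a surviving DC. ---
Uninstall-ADDSDomainController -Credential $cred -Force `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'Local admin password after demotion')

# --- Step 6, on DC03: verify that nothing still points at DC01. ---
dcdiag /test:knowsofroleholders /v
Get-DnsServerResourceRecord -ZoneName 'cloud.z.com' -ComputerName 'DC03.cloud.z.com' |
    Where-Object { $_.RecordData.IPv4Address -eq '10.0.0.1' -or
                   $_.RecordData.NameServer -like 'dc01.*' -or
                   $_.RecordData.DomainName -like 'dc01.*' }   # leftover A, NS or SRV records
```

Any record the last filter still returns (typically an NS record for the zone, or SRV records under _msdcs) is a leftover that clients would keep trying, so it should be deleted before DC01's address is reused.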


5. Other maintenance tools



Ntdsutil.exe. A command-line tool that provides management capabilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use it for AD DS database maintenance, for managing and controlling FSMO roles, and for removing the metadata of domain controllers that were not properly demoted.



Netdom.exe. A command-line tool for joining computers to domains, renaming computers (as in section III.1), managing trusts, and querying the FSMO role holders (netdom query fsmo).



Dcdiag.exe. A command-line diagnostic tool that runs a series of tests against domain controllers (replication, DNS, knowledge of the role holders, SYSVOL and more) and reports what fails.



Adsiedit.msc. ADSI Edit is a low-level editor for a single object or a small number of objects in Active Directory. In Windows Server 2012 Server Manager it is reachable from the right-click menu of an AD DS server.



Ldp.exe. An LDAP client for browsing, searching and editing both Active Directory Domain Services and Active Directory Lightweight Directory Services (AD LDS).



Replmon.exe. The graphical Active Directory Replication Monitor from the Windows Server 2003 Support Tools; it is no longer shipped with Windows Server 2008 and later, where repadmin takes its place.



Repadmin.exe. A command-line tool for diagnosing and controlling replication between domain controllers (repadmin /replsummary, repadmin /showrepl, repadmin /syncall).


