Windows Server AD Domain management creation

Source: Internet
Author: User


An introduction to AD domain management and how it partitions permissions:

1. The AD domain comes from Microsoft and is designed for Windows; it gives an enterprise centralized management and strong protection of its information.

2. Folders can be shared within the domain while different users are given different permissions on them.

3. By restricting the USB ports on devices and restricting network access to specific websites, information inside the enterprise is protected and leakage is prevented.

4. Personal folders can be redirected to a folder on the server, so a user's data within the domain is not tied to one fixed PC: the data follows the user wherever they log on.

5. User privileges do not need to be customized one by one; adding the user to a few fixed groups with different permission attributes grants the corresponding permissions.

We will create the first domain in the first forest. The method is to install Windows Server first and then promote it to a domain controller. After that we create a second domain controller, a member server, and a domain-joined Windows 8 computer.


Network plan: IP address, subnet mask and gateway of each machine (the planning table is not reproduced here)






Prerequisites for creating a domain
    • DNS domain name: first decide on a DNS-compliant domain name, such as
    • DNS server: the domain registers itself in a DNS server, and other computers locate the domain controller through that DNS server, so you need an AD-capable DNS server that supports dynamic updates (if there is no DNS server, you can have this domain controller install the DNS server role during domain creation)

Note: AD requires a SYSVOL folder to store the domain's shared files (such as the files behind domain Group Policy). It must be located on an NTFS volume; by default it is created on the system disk, but for performance it is recommended to place it on another partition.

Create the first domain controller in the network: change the machine name and IP

Change the IP address first and point the preferred DNS server at the machine itself; then change the computer name to DC1. After the promotion to a domain controller, the machine name is updated automatically.

Install domain features

Select Server

Select Domain Service

Promote to a domain controller

Add a New Forest

The forest root domain name should not be the same as the DNS name used by externally published services: if an external service already uses a DNS name, the internal forest root domain name must not reuse it, or there may be compatibility issues later.

    • Select the forest functional level and the domain functional level.

      Here we choose Windows Server 2012, so the domain functional level can only be Windows Server 2012; if you choose a lower forest functional level, you can also select a different domain functional level.

    • The DNS server is installed on this server by default
    • The first domain controller must hold the global catalog server role
    • The first domain controller cannot be a read-only domain controller (RODC); this role is a feature introduced in Windows Server 2008
    • Set the Directory Services Restore Mode password.

      Directory Services Restore Mode is a safe mode used to repair the AD database after booting into safe mode; this password is required to enter it.

      This warning can be ignored.

      The system automatically generates a NetBIOS name, which can be changed.

      Legacy systems that do not support DNS domain names, such as Windows 98 and Windows NT, communicate through NetBIOS names.

    • Database folder: stores the AD database
    • Log files folder: stores the record of changes to AD, which can be used to repair the AD database
    • SYSVOL folder: stores the domain's shared files (for example, Group Policy)

      If the computer has more than one hard disk, it is recommended to place the database and log folders on different disks: two disks improve operational efficiency, and separate storage avoids losing both copies of the data at the same time, which improves the ability to repair AD. (But I think that with RAID nowadays there is no need to separate them; only the operating system partition needs to be separate.)

      If the prerequisite check passes, install directly.

      After the installation completes, reboot.
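The same first-domain-controller build done in PowerShell instead of Server Manager, as an added example that is not part of the original post. The interface alias, the addresses, the forest root DNS name contoso.example and the separate D: and E: volumes are assumptions (the page does not show them); the NetBIOS name Contoso is the page's.

```powershell
# Added example (not from the original post). Assumed values: interface alias, addresses,
# forest root DNS name and the data volumes; only the NetBIOS name CONTOSO is from the page.
$Nic     = 'Ethernet'
$Ip      = '192.168.1.10'      # assumed address for DC1
$Gateway = '192.168.1.1'       # assumed
$Domain  = 'contoso.example'   # assumed forest root DNS name; must differ from any public name

# 1. Static IP, with the preferred DNS server pointing at this machine itself.
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $Ip -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Ip

# 2. Rename to DC1; the reboot has to happen before promotion.
Rename-Computer -NewName 'DC1' -Restart

# ---- after the reboot ----
# 3. Install the AD DS role together with the management tools (brings the ADDSDeployment module).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 4. Create the forest with the wizard choices described above: forest and domain functional
#    level Windows Server 2012, DNS on this server, a DSRM password, and the database, log and
#    SYSVOL folders on NTFS volumes (separate disks are assumed here).
$Dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$forestParams = @{
    DomainName                    = $Domain
    DomainNetbiosName             = 'CONTOSO'
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'      # cannot be lower than the forest level
    InstallDns                    = $true
    SafeModeAdministratorPassword = $Dsrm
    DatabasePath                  = 'D:\NTDS'      # assumed second NTFS volume
    LogPath                       = 'E:\NTDS-Logs' # assumed third NTFS volume
    SysvolPath                    = 'D:\SYSVOL'
    Force                         = $true          # suppress the confirmation prompt
}

# The prerequisite check the wizard runs before installing; stop on any failure.
$check = Test-ADDSForestInstallation @forestParams
if ($check.Status -ne 'Success') { $check.Message; throw 'Prerequisite check failed' }

Install-ADDSForest @forestParams   # the server reboots when the promotion completes
```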

Check that the records within the DNS server are complete

A domain controller registers its role in the DNS server so that other computers can find it through DNS. Therefore, first check whether these records already exist in the DNS server. Log in with the domain administrator account, Contoso\Administrator.

Check Host Records

Select Administrative Tools - DNS

By default there is a zone for the domain, and its host record shows that the domain controller has correctly registered its host name and IP address in the DNS server.

If the domain controller has properly registered its role with the DNS server, there should also be folders such as _tcp and _udp. When you click the _tcp folder, you see an _ldap record of type Service Location (SRV), which indicates that this server is properly registered as a domain controller. You can also see the _gc record, which shows that the global catalog role is held by this server as well.

Troubleshoot issues with registration failures

If the domain member itself is misconfigured or a network problem occurs, the data cannot be registered in the DNS server.

If a member computer has not correctly registered its IP address in the DNS server, you can run ipconfig /registerdns on that machine to register it manually. Afterwards, check in the DNS server that the correct records exist, for example whether the zone has the corresponding A record with the right IP address.

If a domain controller has not registered its role with the DNS server, that is, no _tcp folder and no records are found, restart the Netlogon service on that server.
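The checks above done from PowerShell, re-registering only what is actually missing, as an added example that is not part of the original post. The domain name contoso.example, the DC name dc1 and the DNS server address are assumptions.

```powershell
# Added example (not from the original post). Assumed: domain 'contoso.example',
# the DC is dc1, and its own DNS server answers at 192.168.1.10.
$Domain    = 'contoso.example'
$DnsServer = '192.168.1.10'

function Test-DcDnsRegistration {
    param([string]$Domain, [string]$DcName, [string]$DnsServer)
    # Records the page expects: the host A record, the _ldap SRV record under _tcp
    # (domain controller role) and the _gc SRV record (global catalog role).
    $checks = [ordered]@{
        'host A record'       = @{ Name = "$DcName.$Domain";    Type = 'A'   }
        '_ldap SRV (DC role)' = @{ Name = "_ldap._tcp.$Domain"; Type = 'SRV' }
        '_gc SRV (GC role)'   = @{ Name = "_gc._tcp.$Domain";   Type = 'SRV' }
    }
    $missing = @()
    foreach ($label in $checks.Keys) {
        $q = $checks[$label]
        $r = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $DnsServer -ErrorAction SilentlyContinue
        # An SRV record only counts if this DC is among its targets; an A record just has to exist.
        $ok = if ($q.Type -eq 'SRV') { $r.NameTarget -contains "$DcName.$Domain" } else { [bool]$r }
        Write-Host ('{0,-22} {1}' -f $label, $(if ($ok) { 'OK' } else { 'MISSING' }))
        if (-not $ok) { $missing += $label }
    }
    return ,$missing
}

$missing = Test-DcDnsRegistration -Domain $Domain -DcName 'dc1' -DnsServer $DnsServer
if ($missing -contains 'host A record') {
    ipconfig /registerdns        # host record: trigger the dynamic-update registration manually
}
if ($missing -like '*SRV*') {
    Restart-Service Netlogon     # role records: Netlogon re-registers the SRV records on start
}
```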

To create more domain controllers

Having more than one domain controller in a domain brings the following benefits:

    • Better logon efficiency: when several domain controllers serve the clients, they share the work of verifying user logons (account and password), so logons are faster.
    • Fault tolerance: if one domain controller fails, another working domain controller continues to provide the domain services.

We promote the second server, DC2, to a domain controller.

First rename it and change its IP.

The remaining steps are the same as the feature installation described earlier.

The difference is here: add the domain controller to an existing domain, enter the domain name, and supply an account that has permission to add domain controllers, i.e. contoso\administrator and its password.

Only members of Enterprise Admins and Domain Admins have permission to create additional domain controllers.

Select replication from another domain controller.

After the installation completes, the machine restarts; then check the DNS records.

Change the DNS settings

Change the DNS settings of DC1 and DC2 so that each one's preferred DNS server points to the other domain controller.
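The second-domain-controller build and the cross-pointed DNS settings done in PowerShell, as an added example that is not part of the original post. The addresses of DC1 and DC2, the interface alias and the domain name contoso.example are assumptions.

```powershell
# Added example (not from the original post). Assumed: DC1 at 192.168.1.10, DC2 at
# 192.168.1.11, interface alias 'Ethernet', domain 'contoso.example'.
$Nic = 'Ethernet'; $Dc1Ip = '192.168.1.10'; $Dc2Ip = '192.168.1.11'; $Domain = 'contoso.example'

# On DC2: static IP, DNS pointing at DC1 so the existing domain can be located, then rename.
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $Dc2Ip -PrefixLength 24 -DefaultGateway '192.168.1.1'
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Dc1Ip
Rename-Computer -NewName 'DC2' -Restart

# ---- after the reboot, still on DC2 ----
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Only Domain Admins / Enterprise Admins may add a domain controller; the page uses contoso\administrator.
$cred = Get-Credential -UserName 'CONTOSO\Administrator' -Message 'Account allowed to add a domain controller'
$dcParams = @{
    DomainName                    = $Domain
    Credential                    = $cred
    InstallDns                    = $true
    ReplicationSourceDC           = "dc1.$Domain"   # the "replicate from" choice in the wizard
    SafeModeAdministratorPassword = (Read-Host -Prompt 'DSRM password for DC2' -AsSecureString)
    Force                         = $true
}
$check = Test-ADDSDomainControllerInstallation @dcParams
if ($check.Status -ne 'Success') { $check.Message; throw 'Prerequisite check failed' }
Install-ADDSDomainController @dcParams   # reboots when the promotion completes

# ---- after DC2 is up, run on each DC: preferred DNS = the other DC, alternate = itself ----
$servers = if ($env:COMPUTERNAME -eq 'DC1') { $Dc2Ip, $Dc1Ip } else { $Dc1Ip, $Dc2Ip }
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $servers
Get-DnsClientServerAddress -InterfaceAlias $Nic -AddressFamily IPv4   # confirm the order
```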

Join or detach a Windows computer from a domain

After a Windows computer joins the domain, it can access the AD database and other domain resources. Computers that can be joined to the domain:

    • Windows Server (R2)
    • Windows Server (R2)
    • Windows Server 2003 (R2)
    • Windows 8
    • Windows 7
    • Windows Vista
    • Windows XP

Join a Windows computer to a domain

We are going to join the member server to the domain.

Change the machine name and IP first.

Enter the domain name and the password of a domain account.

If an error occurs, check that DNS points to a domain controller.

Once this is complete we can log on to this server with a domain account.

The domain name is automatically appended to the computer name.

Leaving the domain

Just enter a workgroup name and click OK.
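Joining a computer to the domain and detaching it again from PowerShell, including the DNS check the page points to when the join fails, as an added example that is not part of the original post. The domain name contoso.example, DC1's address, the member server name MS1 and the interface alias are assumptions.

```powershell
# Added example (not from the original post). Assumed: domain 'contoso.example', DC1 at
# 192.168.1.10, new member server name MS1, interface alias 'Ethernet'.
$Domain = 'contoso.example'; $Nic = 'Ethernet'; $Dc1Ip = '192.168.1.10'

# The join fails when DNS does not point at a domain controller, so set the preferred DNS
# to DC1 and verify that the DC locator SRV record resolves before attempting the join.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Dc1Ip
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { throw "No domain controller SRV record for $Domain; check that DNS points at a DC" }

# Credentials of a domain account allowed to join computers (the page uses contoso\administrator).
$cred = Get-Credential -UserName 'CONTOSO\Administrator' -Message 'Domain account for the join'
Add-Computer -DomainName $Domain -NewName 'MS1' -Credential $cred -Restart

# ---- after the reboot: the domain suffix is now appended to the computer name ----
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
'{0}.{1}  PartOfDomain={2}' -f $cs.Name, $cs.Domain, $cs.PartOfDomain

# ---- leaving the domain: back to a workgroup. The same kind of credentials are needed
#      so that the computer account in AD is disabled rather than left behind. ----
Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart
```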

Ad management tools within member computers

Sometimes the administrator cannot manage everything alone and delegates account administration to other departments. The delegated administrators cannot log on to the domain controllers, of course, so the AD management tools have to be installed on their own computers.

Windows Server 2012

Add Features, then add Remote Server Administration Tools.

Windows 8 and Windows 7

Go to the Microsoft website and download Remote Server Administration Tools for Windows 8/7.

Create an organizational unit with a domain user account

You can create a user account within any container or organizational unit (OU). Create the OU for the business unit first, then create the user in it.

Create an organizational unit

Click Active Directory Admin Center

Enter a name

Create user

Business Unit-New user

    • User UPN logon: users can log on to the domain with a name in the same format as an e-mail address ([email protected]), known as the user principal name (UPN). This name is unique within the forest.
    • User sAMAccountName logon: the user can also log on with the form Contoso\wang, which combines the domain's NetBIOS name with the user name. This name must be unique within the domain. Legacy systems such as Windows NT and Windows 98 do not support UPNs, so only this form can be used when logging on from those computers.

Sign in to the domain with the new account
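Creating the OU and the user from PowerShell, with the uniqueness rule for both logon names checked first (UPN against the global catalog, sAMAccountName against the domain), as an added example that is not part of the original post. The domain name contoso.example, the OU name Business Unit and the Test-LogonNamesFree helper are assumptions; wang and CONTOSO are from the page.

```powershell
# Added example (not from the original post). Assumed: domain 'contoso.example' (NetBIOS name
# CONTOSO as on the page), OU 'Business Unit', user wang; run on a DC or a machine with RSAT.
Import-Module ActiveDirectory
$Domain   = 'contoso.example'
$domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
$ouDn     = "OU=Business Unit,$domainDn"

# UPN must be unique in the whole forest, sAMAccountName only within the domain, so the UPN
# is looked up through the global catalog (port 3268) and the sAM through the domain itself.
function Test-LogonNamesFree {
    param([string]$Sam, [string]$Upn, [string]$Domain)
    $upnHit = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Server "${Domain}:3268"
    $samHit = Get-ADUser -Filter "SamAccountName -eq '$Sam'"    -Server $Domain
    return (-not $upnHit) -and (-not $samHit)
}

# The OU, protected from accidental deletion as the Administrative Center does by default.
New-ADOrganizationalUnit -Name 'Business Unit' -Path $domainDn -ProtectedFromAccidentalDeletion $true

$sam = 'wang'; $upn = "wang@$Domain"
if (-not (Test-LogonNamesFree -Sam $sam -Upn $upn -Domain $Domain)) {
    throw "Logon name $sam / $upn is already in use"
}
$pwd = Read-Host -Prompt "Initial password for $sam" -AsSecureString
New-ADUser -Name 'Wang' -SamAccountName $sam -UserPrincipalName $upn -Path $ouDn `
           -AccountPassword $pwd -Enabled $true -ChangePasswordAtLogon $true

# The two names this user can sign in with: wang@contoso.example (UPN) and CONTOSO\wang.
$netbios = (Get-ADDomain -Identity $Domain).NetBIOSName
Get-ADUser -Identity $sam | Select-Object UserPrincipalName, SamAccountName,
    @{ n = 'NetBIOSLogon'; e = { "$netbios\$($_.SamAccountName)" } }
```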

We use two ways to log on to the domain.

Log on to a domain controller with the new user account

Apart from members of a few groups such as Domain Admins, ordinary domain accounts cannot log on to a domain controller by default unless this is explicitly allowed.

Give the user permission to log on to the domain controller

An ordinary user must hold the "Allow log on locally" right on the domain controller before logging on there. This right can be granted through Group Policy.

Administrative Tools - Group Policy Management

Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on locally, then add the users or groups to the list.

After the Group Policy setting is configured, it must be applied to the domain controller before it takes effect. There are three ways to apply it:

    • Restart the domain controller
    • Wait: the domain controller applies the policy automatically, which may take 5 minutes or longer
    • Manual application: run gpupdate or gpupdate /force on the domain controller

Scenarios with multiple domain controllers

If there is more than one domain controller in the domain, the security settings you configure are first stored on the domain controller that holds the PDC emulator operations master role, which by default is the first domain controller.

Active Directory Users and Computers - right-click the domain - Operations Masters

The other domain controllers do not apply these settings until they have been replicated from the PDC operations master. Replication happens in two different ways:

    • Automatic replication: by default the PDC operations master replicates the change after 15 seconds, so the other domain controllers may need to wait 15 seconds or longer before they receive the setting.
    • Manual replication: on any domain controller, open Active Directory Sites and Services - Sites - Default-First-Site-Name - Servers, click the domain controller that should receive the settings - NTDS Settings - right-click the connection - Replicate Now. If DC1 is the operations master, DC2 is the domain controller that needs to receive the change.

For Group Policy settings the change is first stored on the PDC operations master, but when Active Directory user accounts or other objects are changed, the change is first stored on the domain controller you are connected to, and the system replicates it to the other domain controllers after 15 seconds by default.

To see which domain controller you are currently connected to, point the mouse at Contoso in the Active Directory Administrative Center console; the connected domain controller is displayed. To connect to another domain controller, click Change Domain Controller.
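The manual-apply and manual-replicate steps above (gpupdate /force and Replicate Now) done from PowerShell for the "Allow log on locally" change, plus a check of who actually holds the right afterwards, as an added example that is not part of the original post. It assumes DC2 is the domain controller receiving the change, the domain name contoso.example, and the Get-AllowLogOnLocally helper.

```powershell
# Added example (not from the original post). Assumed: domain 'contoso.example',
# DC2 is the other domain controller; run with domain admin rights on a DC.
Import-Module ActiveDirectory, GroupPolicy
$domain   = Get-ADDomain -Identity 'contoso.example'
$pdc      = $domain.PDCEmulator          # where security settings are written first
$domainDn = $domain.DistinguishedName
$target   = 'DC2'

# Manual replication instead of waiting for the 15-second default: pull the domain partition
# on DC2 from the PDC emulator (the same thing "Replicate Now" does in Sites and Services).
repadmin /replicate $target $pdc $domainDn

# Confirm the last inbound replication from the PDC succeeded (LastReplicationResult 0 = no error).
Get-ADReplicationPartnerMetadata -Target $target -Partition $domainDn |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult

# Manual application on the DC (the page's "gpupdate /force"), without the random delay.
Invoke-GPUpdate -Computer $target -Target Computer -Force -RandomDelayInMinutes 0

# Verify on DC2 itself which accounts now hold the right. SeInteractiveLogonRight is the
# internal name of "Allow log on locally"; secedit exports the effective local policy.
function Get-AllowLogOnLocally {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # The value is a comma-separated list of SIDs (prefixed with *) or account names.
    return ,(($line.Line -split '=', 2)[1].Trim() -split ',')
}
Get-AllowLogOnLocally
```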

Settings for domain user personal data

Each domain user account has related property data, such as address and phone numbers. Domain users can search Active Directory by these properties, so the more complete the data, the better.

Restrict logon hours and the computers a user may log on from

We can restrict the hours during which a user may log on to the domain and the computers the user may log on from.

For example, you can allow a user to log on only during normal working hours.

By default a user can log on to every member computer that is not a domain controller, but you can restrict the user to logging on to the domain from certain computers only. Here we restrict the user so that only the member server can be used.
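Both restrictions applied from PowerShell, as an added example that is not part of the original post: a helper builds the 21-byte logonHours bit mask the dialog edits (assumed here to be interpreted in UTC, least-significant bit first, starting with Sunday 00:00), and LogonWorkstations limits the user to the member server. The user wang is from the page; the server name MS1 and the helper New-LogonHoursMask are assumptions.

```powershell
# Added example (not from the original post). Assumed: user wang, member server MS1, and that
# the logonHours bits run Sunday 00:00 UTC first, LSB first within each byte (the GUI shows
# them shifted to local time).
Import-Module ActiveDirectory

# Build the 21-byte (168-bit, one bit per hour of the week) logonHours mask.
# $Days: 0 = Sunday ... 6 = Saturday; hours [StartHour, EndHour) in UTC.
function New-LogonHoursMask {
    param([int[]]$Days, [int]$StartHour, [int]$EndHour)
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $day * 24 + $h              # absolute hour index 0..167
            $idx = $bit -shr 3                 # byte that contains this hour
            $mask[$idx] = $mask[$idx] -bor (1 -shl ($bit -band 7))
        }
    }
    return ,$mask
}

# Working hours only: Monday to Friday, 09:00-18:00 UTC (shift the hours for your time zone).
$hours = New-LogonHoursMask -Days (1..5) -StartHour 9 -EndHour 18
Set-ADUser -Identity 'wang' -Replace @{ logonHours = $hours }

# Only the member server may be used to log on to the domain (comma-separated NetBIOS names).
Set-ADUser -Identity 'wang' -LogonWorkstations 'MS1'

# Read both settings back; logonHours is shown as a hex dump for inspection.
$u = Get-ADUser -Identity 'wang' -Properties logonHours, LogonWorkstations
$u.LogonWorkstations
($u.logonHours | ForEach-Object { $_.ToString('X2') }) -join ' '
```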

Active Directory Lightweight Directory Service

So that directory-enabled applications can enjoy the benefits of a directory service in environments without a domain, Windows Server 2012 provides Active Directory Lightweight Directory Services (AD LDS), which lets you create several directory service environments on one computer. Each of them is called an AD LDS instance, and every instance has its own directory settings, schema and database.

Active Directory Recycle Bin

In older operating system versions, if the administrator deleted an AD object by mistake, it had to be restored from Directory Services Restore Mode. The restore was troublesome, and the domain could not provide services while the domain controller was restarted for it.

Although Windows Server R2 introduced the AD Recycle Bin, so that the administrator no longer needs to enter Directory Services Restore Mode to recover deleted objects, it was not very convenient, because it required complex commands and steps.

The AD Recycle Bin in Windows Server 2012 is further improved by providing an easy-to-use graphical management tool.

To enable the AD Recycle Bin, the forest and domain functional levels must be Windows Server R2 or higher. Note that once the Recycle Bin is enabled it cannot be disabled, so the domain and forest functional levels cannot be lowered afterwards either.

Enable Active Directory Recycle Bin

Open Active Directory Administrative Center, click the domain name Contoso on the left, then click Enable Recycle Bin on the right.

An error appears.

Because there are multiple domain controllers in the domain, the AD Recycle Bin only becomes fully functional after the setting has replicated to all domain controllers. (In my experiment, to save resources, the secondary domain controller was not powered on.)

Power on the secondary domain controller and replicate the setting again; then the Recycle Bin can be enabled.

Delete an organizational unit

Try to delete the business unit OU, but first remove the protection against deletion.

Uncheck "Protect from accidental deletion".

Then delete the business unit OU.

Restore the organizational unit

Next, recover the organizational unit through the Recycle Bin: double-click Deleted Objects.

Select the organizational unit you want to recover and click Restore.
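The enable, delete and restore sequence above done from PowerShell, with the functional-level and all-DCs-reachable checks that explain the error the page hit, as an added example that is not part of the original post. The forest name contoso.example and the OU name Business Unit are assumptions; the functional-level requirement is Windows Server 2008 R2.

```powershell
# Added example (not from the original post). Assumed: forest/domain 'contoso.example',
# OU 'Business Unit'; run with Enterprise Admins rights on a DC.
Import-Module ActiveDirectory
$forest = Get-ADForest -Identity 'contoso.example'

# Preconditions: forest functional level Windows Server 2008 R2 or higher, and every DC
# reachable, because enabling is irreversible and fails until all DCs have the setting
# (the page's error came from a powered-off secondary DC).
$minLevel = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minLevel) {
    throw "Forest functional level $($forest.ForestMode) is too low for the AD Recycle Bin"
}
$down = Get-ADDomainController -Filter * |
    Where-Object { -not (Test-Connection -ComputerName $_.HostName -Count 1 -Quiet) }
if ($down) { throw "Bring these domain controllers online first: $($down.HostName -join ', ')" }

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
                         -Target $forest.Name -Confirm:$false
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes   # non-empty once enabled

# Delete the OU: clear "Protect from accidental deletion" first, as the page does.
$ouDn = "OU=Business Unit,$((Get-ADDomain).DistinguishedName)"
Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDn -Recursive -Confirm:$false

# Restore: the OU itself first (its deleted name is 'Business Unit\0ADEL:<guid>'), then the
# objects whose last known parent was that OU, so they land back under it.
$deletedOu = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "Business Unit*"' `
                          -IncludeDeletedObjects
Restore-ADObject -Identity $deletedOu
Get-ADObject -Filter "isDeleted -eq `$true -and lastKnownParent -eq '$ouDn'" -IncludeDeletedObjects |
    Restore-ADObject
Get-ADObject -SearchBase $ouDn -Filter * | Select-Object Name, ObjectClass   # back in place
```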

Removing domain controllers and domains

You can remove a domain controller by demoting it, that is, by removing Active Directory Domain Services from it. Note the following before demoting:

If other domain controllers exist in the domain, the server is demoted to a member server of that domain.

If this domain controller is the last domain controller in the domain, no other domain controllers remain, so the domain is deleted and the server is demoted to a standalone server.

Note: it is recommended to detach member servers from the domain first, because after the domain is deleted, the server's domain account can no longer log on to the domain (a member server can also be detached after the domain has been removed).

You must be a member of the Enterprise Admins group to have permission to delete the last domain controller in a domain. If there are child domains below this domain, delete the child domains first.

    • If this domain controller is a global catalog server, check whether there are other global catalog servers in its site; if not, designate another domain controller as a global catalog server, otherwise user logons will be affected. Active Directory Sites and Services - Sites - Default-First-Site-Name - Servers - NTDS Settings - right-click - Properties - tick Global Catalog.

    • If the domain controller being deleted is the last domain controller in the forest, the forest is removed together with it. Only members of the Enterprise Admins group have permission to remove this domain controller from the forest.

Steps to remove a domain controller:

Uncheck the Active Directory Domain Services check box

Demote the domain controller first

Select an account with the required permissions

If this domain controller cannot be removed because of a failure (for example, it needs to connect to another domain controller during the removal but cannot), you can tick "Force the removal of this domain controller".

Set the local administrator password that the server will use after the demotion

The server restarts after the demotion; log on again

Although the server is no longer a domain controller, the domain services components are still installed, so continue with their removal.

Removing the last domain controller

When no other domain controllers remain in the domain, there is one more option to tick than before: "Last domain controller in the domain".

Removing DNS zones and application partitions

Remove the management tools when finished.
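The pre-checks and the demotion done from PowerShell, covering the global-catalog check, the extra "last domain controller" options and the removal of the role binaries afterwards, as an added example that is not part of the original post. It assumes it runs on the domain controller being removed, that DC2 is the other domain controller, and the NetBIOS name CONTOSO from the page.

```powershell
# Added example (not from the original post). Assumed: run on the DC being removed, the other
# DC is DC2, domain NetBIOS name CONTOSO; needs the ActiveDirectory and ADDSDeployment modules.
Import-Module ActiveDirectory, ADDSDeployment
$me  = Get-ADDomainController -Identity $env:COMPUTERNAME
$all = @(Get-ADDomainController -Filter *)

# 1. Global catalog check: if this DC is a GC and no other GC exists in its site, make DC2 a GC
#    (bit 1 of the NTDS Settings 'options' attribute is the "Global Catalog" tick box).
if ($me.IsGlobalCatalog) {
    $otherGc = $all | Where-Object { $_.IsGlobalCatalog -and $_.Site -eq $me.Site -and $_.Name -ne $me.Name }
    if (-not $otherGc) {
        $dc2  = Get-ADDomainController -Identity 'DC2'
        $ntds = Get-ADObject -Identity $dc2.NTDSSettingsObjectDN -Properties options
        Set-ADObject -Identity $ntds -Replace @{ options = ($ntds.options -bor 1) }
    }
}

# 2. Demote. Domain Admins suffice for an additional DC; the last DC in the domain needs
#    Enterprise Admins and also deletes the domain and its DNS application partitions.
$params = @{
    Credential                 = Get-Credential -UserName 'CONTOSO\Administrator' -Message 'Account with demotion rights'
    LocalAdministratorPassword = Read-Host -Prompt 'Local Administrator password after demotion' -AsSecureString
    Force                      = $true
}
if ($all.Count -eq 1) {
    $params.LastDomainControllerInDomain = $true
    $params.RemoveApplicationPartitions  = $true   # the "Remove DNS zones and application partitions" step
}
# When other DCs cannot be contacted, the page's "force removal" tick box is:
# $params.ForceRemoval = $true
$check = Test-ADDSDomainControllerUninstallation @params
if ($check.Status -ne 'Success') { $check.Message; throw 'Pre-demotion check failed' }
Uninstall-ADDSDomainController @params        # the server reboots when the demotion finishes

# ---- after the reboot: the role binaries are still installed; remove them and the tools ----
Uninstall-WindowsFeature -Name AD-Domain-Services, RSAT-AD-Tools
```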

Reprinted from Blog Park; original author: Brother Wang.
