Windows Server 2003 AD 安裝設定與管理維護 林寶森

Reasons to Maintain a Single Domain Ease of Management Easier Delegation Fewer Members in Domain Admins Group Object Capacity Same as Multiple Domain Structure OUOU OUOUOUOU

Reasons to Create Multiple Domains Distinct domain-level policies Tighter administrative control Decentralized administration Separation and control of affiliate relationships Reduced replication traffic OUOU OUOUOUOU OUOU OUOUOUOU OUOU OUOUOUOU OUOU OUOUOUOU

Installing DNS During the Active Directory Installation The Active Directory Installation Wizard Prompts You to Install and Configure a Local DNS Server if It Does Not Find an Existing DNS Infrastructure Installs the DNS Server Service Creates a Forward Lookup Zone Configures the Zone As Active Directory Integrated To Implement DNS, the Active Directory Wizard: Enables Secure Dynamic Updates for the Zone

Installing and Configuring DNS To Install and Configure DNS Create a Forward Lookup Zone Must be authoritative for your DNS domain Enable dynamic updates Configure the DNS Primary Suffix Assign a Static IP Address Install the DNS Server Service Create a Reverse Lookup Zone (optional)

Establishing the Root Domain Start Installation Wizard Select Domain Controller and Domain Type Specify Required Information –Domain, DNS, and NetBIOS names –Database, log, and shared system volume locations –Select to weaken permissions Active Directory Is Installed Computer Is Domain Controller Active Directory Tools Added

Adding a Domain Controller to an Existing Domain Start Installation Wizard Select Domain Controller Type Specify Required Information –Network credentials –DNS name of domain to join –Database, log, and shared system volume locations Active Directory Is Installed

Creating a Child Domain Start Installation Wizard Select Domain Controller and Domain Type Specify Required Information –Network credentials –DNS names of parent and child domains –Database, log, and shared system volume locations –Select to weaken permissions Active Directory Is Installed

Creating a Tree in an Existing Forest Start Installation Wizard Select Domain Controller and Domain Type Specify Required Information –Network credentials –DNS names of new tree –Database, log, and shared system volume locations –Select to weaken permissions Active Directory Is Installed

The Active Directory Installation Process The installation process Starts the security protocol and sets the security policy Creates the: Active Directory partitions, database, and log files Forest root domain SYSVOL folder Configures the site membership of the domain controller Enables security on the directory service and the file replication folders Applies the password for restore mode Starts the security protocol and sets the security policy Creates the: Active Directory partitions, database, and log files Forest root domain SYSVOL folder Configures the site membership of the domain controller Enables security on the directory service and the file replication folders Applies the password for restore mode

What Are SRV Resource Records? SRV resource records are DNS records that map a service to the computer that provides the service Format of SRV records Example Find Netlogon.dns in systemroot/System32/Config _ldap._tcp.contoso.msft 600 IN SRV london.contoso.msft _Service._Protocol.Name Ttl Class SRV Priority Weight Port Target

Configuring Zones for Dynamic Updates DNS Dynamic Update Protocol –Allows clients to automatically update DNS servers –Can be used in conjunction with DHCP DNS Server Request for IP address 1 Assign IP address of Assign IP address of Zone Database Computer DHCP Server Windows XP / 2003 client updates forward resource record on DNS server Windows XP / 2003 client updates forward resource record on DNS server DHCP updates reverse resource record for Windows XP / 2003 clients and both resource records for other clients DHCP updates reverse resource record for Windows XP / 2003 clients and both resource records for other clients

What Are Active Directory Integrated Zones? Active Directory Integrated Zones Are primary and stub DNS zones that are stored as objects in the Active Directory database Can be stored in an application or a domain partition Offer the following benefits  Multimaster replication  Secure dynamic updates  Standard zone transfers to other DNS servers Are primary and stub DNS zones that are stored as objects in the Active Directory database Can be stored in an application or a domain partition Offer the following benefits  Multimaster replication  Secure dynamic updates  Standard zone transfers to other DNS servers

Removing Active Directory Remove Active Directory by: –Using the Active Directory Installation Wizard –Providing appropriate administrative credentials The Active Directory Installation Wizard Performs Specific Removal Operations Depending on the Type of Domain Controller Domain Controller Provide Credentials:  Enterprise Admins group member  Domain Admins group member Provide Credentials:  Enterprise Admins group member  Domain Admins group member Remove Active Directory

What Is a User Principal Name? A logon name that is used only for logging on to a Windows Server 2003 network Advantages –Unique in Active Directory –Can be the same as a user ’ s address

What Are Directory Partitions? Active Directory Database Configurable replication Domain Forest Schema Configuration Definitions and rules for creating and manipulating objects and attributes Information about the Active Directory structure Information about domain- specific objects Information about applications Contains:

What Is a Schema? A forest-wide definition of object classes and attributes that can be extended Schema changes can be redefined or deactivated Examples of object class User Computer Printer Examples of attributes accountExpires department distinguishedName directReports dNSHostName operatingSystem repsFrom repsTo firstName lastName

What Are Distinguished Names? Distinguished names identify an object's domain and path to reach it Contoso.msft Finance Sales Suzan Fine CN=Suzan Fine,OU=Sales,OU=Finance,DC=contoso,DC=msft Relative distinguished name

What Is the Global Catalog? A repository that contains a subset of the attributes of all objects in Active Directory Global Catalog Read Only

Creating a Global Catalog Server NTDS Settings Properties General ObjectSecurity NTDS Settings Description: Query Policy: Global Catalog Server OKCancel Apply Global Catalog Provides Universal group membership information for the account Domain information when using user principal names during logon Global Catalog Provides Universal group membership information for the account Domain information when using user principal names during logon

When to Customize a Global Catalog Server firstName lastName address accountExpires distinguishedName firstName lastName address accountExpires distinguishedName Common Attributes Global Catalog Server Create additional attributes Add only the additional attributes that you query or refer to frequently department firstName lastName address accountExpires distinguishedName department firstName lastName address accountExpires distinguishedName Changed Attributes

Adding Object Attributes to the Global Catalog company Properties General company Show objects of this class while browsing. Deactivate this attribute. Index this attribute in the Active Directory. Ambiguous Name Resolution (ANR) Replicate this attribute to the Global Catalog. Attribute is copied when duplicating a user. Company Company Unicode String 1 64 Common Name: Description: X.500 0ID: Syntax and Range Syntax: Minimum: Maximum: This attribute is single-valued. OKCancelApply

What Is Forest and Domain Functionality? Network environment Domain functional levels Forest functional levels Windows 2000 mixed-mode domain Windows 2000 native-mode domain Windows Server 2003 Domain Windows Server 2003 Interim Enable forest-wide or domain-wide Active Directory features