Five common mistakes in Active Directory management


After the previous articles you probably have a general picture of Active Directory, and many of you are eager to start deploying it in your company. Based on my own experience managing Active Directory over the past few years, plus the questions people have asked me on forums, here is a short summary of five common mistakes in Active Directory management. I hope it gets the discussion started. OK, let's get to work:

1. Installing Active Directory without installing DNS

This mistake is usually made by newcomers who read on the Internet that something called Active Directory exists and then jump straight into a do-it-yourself installation; anyone who has read Microsoft's official Active Directory training material or a reasonably detailed deployment article will not make it. In fact, if DNS is not installed when you install Active Directory, the system gives a warning, but a typical novice clicks past it. Someone once asked me: can I skip DNS and use WINS instead? Administrators who came from NT4 often ask this. The result of my experiment is: yes, it works! But you will find that logon is very slow, and although you can still reach computers in Network Neighborhood by their NetBIOS names, you cannot actually use domain resources. Why? Because in a domain network DNS does far more than resolve host names. If that were its only job you could just use IP addresses, so would the DNS server not be useless? More importantly, the DNS server is responsible for locating resources. Everyone knows the DNS A record well, but you may not have noticed that a DNS server holds much more than A records, for example SRV records; if you do not believe me, open your DNS server management console and have a look. These resources cannot be reached directly by IP, nor can a WINS server provide them. So please deploy DNS when you deploy Active Directory. I have also tested this, and the results show that Active Directory and DNS need not be installed on the same server, that is, the domain controller does not have to be the DNS server; but unless you are forced to separate them, I recommend putting them together.
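As an added example (not from the original article), here is a PowerShell check for the DC locator SRV records that a domain member needs in order to find a domain controller; it assumes the DnsClient module (Windows 8 / Server 2012 or later), and the domain and forest root names are parameters you supply.

```powershell
param(
    [Parameter(Mandatory)] [string]$Domain,     # e.g. corp.example.com (placeholder)
    [string]$ForestRoot = $Domain,              # forest root, where the _gc records live
    [string]$DnsServer                          # optional: ask one specific DNS server
)

# SRV records the DC locator relies on; the underscore labels are literal.
$srvNames = @(
    "_ldap._tcp.$Domain"                  # any DC in the domain (LDAP)
    "_kerberos._tcp.$Domain"              # any KDC in the domain
    "_ldap._tcp.dc._msdcs.$Domain"        # DCs, as used by the DC locator
    "_ldap._tcp.pdc._msdcs.$Domain"       # the PDC emulator
    "_gc._tcp.$ForestRoot"                # global catalog servers (forest-wide)
)

$missing = @()
foreach ($name in $srvNames) {
    $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'Stop' }
    if ($DnsServer) { $query.Server = $DnsServer }
    try {
        $records = Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $records) {
            '{0,-40} -> {1}:{2} (priority {3}, weight {4})' -f $name, $r.NameTarget, $r.Port, $r.Priority, $r.Weight
        }
    } catch {
        # NXDOMAIN or a zone that was never created: the record is simply not there.
        $missing += $name
        '{0,-40} -> MISSING ({1})' -f $name, $_.Exception.Message
    }
}

if ($missing.Count -gt 0) {
    Write-Warning ("Missing DC locator records: " + ($missing -join ', ') +
        ". Clients will fall back to NetBIOS/WINS, logons will be slow and domain resources " +
        "unreachable. Point the DC's DNS client at the AD-integrated DNS server, then run " +
        "'ipconfig /registerdns' and restart the Netlogon service on the DC so it re-registers.")
}
```

`nltest /dsgetdc:<domain>` on a member machine shows the same locator result from the client's side, and `dcdiag /test:dns` on the DC checks the zone itself.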

2. Installing software on the domain controller at will

Because the domain controller is so important in a domain network, it must be highly available, but unfortunately many network administrators do not realize this. I have seen the domain controller of a hotel network with no fewer than 30 assorted programs installed, including online games (Wingers, Legend and the like), MP3 players, VCD players and so on. I really do not know what that domain controller was supposed to be: a web server, or a personal PC? Anyone who has used Windows for a long time knows that it gets slower and less stable the longer it is used. Windows itself bears some responsibility for this, but it is undeniable that the user is the main cause, and the main reason is casually installing and removing software. You may not have noticed, but if you install a program, use it for a while and then uninstall it, a great deal of information about it remains in the registry, and software vendors never tell you which registry entries their software added or what they are for. So cleaning up this junk completely by hand is extremely difficult: theoretically possible, practically almost impossible. Moreover, a typical program is tested against the Windows system before release to make sure it runs on Windows, but compatibility with other non-Microsoft software is not guaranteed, so the more software you install, the greater the chance of a conflict. Many readers will think at this point: manual cleanup is impossible, but third-party tools such as Super Rabbit or Optimization Master have registry cleaning and speed-up functions.
To be honest, I do not know exactly how these tools work, but software is only software, and if it causes a problem you have to swallow it yourself. If they are used on a personal PC I really have no comment, because reinstalling a personal PC is no big deal, but a domain controller is definitely not as simple as reinstalling the system, especially since many networks have only one domain controller. Some people even think that after reinstalling the domain controller with the same computer name and domain name everything will be as before. Here I can tell you clearly that the same-name approach will definitely not work; if you do not believe me, go and try it! Remember: prevention is always better than first aid! My own domain controller has nothing installed beyond Active Directory and DNS except a SUS server. It has been running for a year and a half without a single software problem.

While I am at it, I would like to criticize the Windows 2003 optimization and speed-up methods that are so popular on the Internet. I read these articles carefully and came away disappointed: they amount to disabling a few services, modifying a few registry values, and speeding up shutdown and startup, the kind of tuning that suits a personal PC. I ran a test following them and found that disabling those services saved only about 4 MB of memory. With hardware prices where they are now, is that worth the trouble? As for faster shutdown and boot: whose server reboots for no reason? Even a restart draws complaints from users, so why optimize boot and shutdown? Is that not throwing away your own rice bowl? And enabling sound and hardware acceleration makes me laugh out loud: it is a server, are you preparing to use it as a personal PC? If you apply the contents of these articles to your server, I do not know what role your server plays, but I am sure of two things: 1. you did not pay for that server software yourself; 2. your network does not depend on this server, meaning it is optional. Microsoft charges far more for Windows Server than for the client edition; nobody wants to pay server money and then use the machine as a workstation. If such a person exists, either the server software cost nothing or it was not their own money. And if you keep "optimizing" a server like this you will find it counterproductive, because some of these changes only take effect after a restart; when you make a series of changes, restart, and find the system misbehaving, you will not even know which change caused it. It may even crash your system.
Here I repeat my point of view: for a server, stability is greater than everything!

3. Incorrectly adding and removing domain controllers

People who do this kind of thing are generally the ones who refuse to admit they are newbies, yet nobody else recognizes them as veterans. Typically, today they add an extra domain controller, probably by promoting their own PC; tomorrow, in a good mood, they add a child domain; then, because of a system problem or a bad mood, instead of demoting them they format those child-domain controllers and extra domain controllers directly and reinstall the system. Then they install when happy and format when unhappy, until Active Directory throws errors and no domain controller can be added at all. I have met such an administrator. I went to look at the only domain controller in his network and found a whole crowd of domain controllers in the directory that did not exist on the network at all, and Active Directory was throwing errors constantly. Checking the logs, all the errors were failures to replicate to those domain controllers. It took me nearly an hour to clean up all the junk with Ntdsutil before the problem was solved. So if Ntdsutil can clean this up, why do I list these operations as mistakes? Because I have also encountered a case where even after Ntdsutil cleared the junk, Active Directory was still not normal: it could still serve clients, but it was no longer possible to add an additional domain controller; one step always failed with "Access denied". I looked up a lot of material and found no solution; fortunately the domain had just been built and held no data, so in the end I rebuilt it. If any of you have run into this and found a solution, please let me know, thank you!
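As an added example (not from the original article), this PowerShell script lists the domain-controller metadata the text describes, the NTDS Settings objects left behind by DCs that were formatted instead of demoted, and prints the Ntdsutil cleanup command for each one that no longer answers; it assumes the RSAT ActiveDirectory module and only reports, it deletes nothing.

```powershell
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$sitesDn = "CN=Sites,$($rootDse.configurationNamingContext)"
$dcOuDn  = "OU=Domain Controllers,$($rootDse.defaultNamingContext)"

# Every DC owns an NTDS Settings (nTDSDSA) object under CN=<DC>,CN=Servers,CN=<Site>,CN=Sites.
# A DC that was formatted instead of demoted leaves this object behind, and its replication
# partners keep logging failed attempts to reach it.
$ntdsObjects = Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase $sitesDn -SearchScope Subtree

$report = foreach ($ntds in $ntdsObjects) {
    $serverDn   = ($ntds.DistinguishedName -split ',', 2)[1]        # parent = server object
    $serverName = ($serverDn -split ',')[0] -replace '^CN=', ''
    $siteName   = ($serverDn -split ',')[2] -replace '^CN=', ''

    $hasAccount = [bool](Get-ADComputer -Filter "Name -eq '$serverName'" -SearchBase $dcOuDn -ErrorAction SilentlyContinue)
    $answers    = Test-Connection -ComputerName $serverName -Count 1 -Quiet -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController = $serverName
        Site             = $siteName
        HasDcAccount     = $hasAccount
        Reachable        = [bool]$answers
        ServerDN         = $serverDn
    }
}

$report | Format-Table DomainController, Site, HasDcAccount, Reachable -AutoSize

# For a DC that is gone for good, print the one-line Ntdsutil metadata cleanup to run
# elevated on a surviving DC. Nothing is executed here; confirm each machine first.
foreach ($s in $report | Where-Object { -not $_.Reachable -and -not $_.HasDcAccount }) {
    "ntdsutil `"metadata cleanup`" `"remove selected server $($s.ServerDN)`" quit quit"
}
```

`repadmin /replsummary` afterwards should show no partners with persistent failures; on Windows Server 2008 and later, deleting the stale NTDS Settings object in Active Directory Sites and Services performs the same cleanup.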

4. Arbitrarily moving FSMO roles

As I mentioned in an earlier article, the five FSMO roles generally need no management. Normally there are two situations in which we need to transfer an FSMO role: 1. planned maintenance of the server; 2. the domain controller holding the role cannot be reached because of hardware or other failures. But when many administrators run into these two situations their extreme practice is: as soon as the domain controller holding the role goes offline, the FSMO role must be moved to another domain controller, transferring what can be transferred and seizing what cannot. Here I suggest one word to everyone: wait! What do I mean? Apart from the PDC emulator, if the domain controller holding another role goes offline, I suggest you wait for it to return, usually only a few days, because of the five FSMO roles only the PDC emulator is in constant use; the others are rarely needed. For example, the main job of the Domain Naming Master is to manage adding and removing domains, but who adds or deletes domains on an ordinary day? So if the domain controller holding the Domain Naming Master role is offline and you are sure no domain will be added or removed while it is offline, there is no need to transfer the Domain Naming Master role at all. As for seizing, never use it unless there is no other way, because once a role is seized and the original domain controller is reconnected, the uniqueness of the FSMO role is gone. Imagine what happens with two Domain Naming Masters in one forest!
So before you seize an FSMO role, be clear about one thing: the domain controller that originally held the role will never return to the network.
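As an added example (not from the original article), this PowerShell snippet shows the current holders of the five roles and wraps the move so that a transfer is only attempted while the holder is online and a seize only when it is not; it assumes the RSAT ActiveDirectory module, and the function names and the DC names in the commented calls are placeholders.

```powershell
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide, rarely needed
        PDCEmulator          = $domain.PDCEmulator           # per domain, the one in daily use
        RIDMaster            = $domain.RIDMaster             # per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # per domain
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [switch]$Seize
    )
    $holder = (Get-FsmoHolders).$Role
    if ($holder -ieq $TargetDc -or $holder -like "$TargetDc.*") { "$Role is already on $TargetDc"; return }

    # A transfer talks to the current holder, so it needs the holder online. A seize does not,
    # which is exactly why it must never be done while the holder can still come back.
    $holderAlive = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
    if ($Seize -and $holderAlive) {
        throw "$holder still responds: transfer instead of seizing, or retire it for good first."
    }
    if (-not $Seize -and -not $holderAlive) {
        throw "$holder does not respond: wait for it to return unless it is gone forever."
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force:$Seize -Confirm:$false
}

Get-FsmoHolders | Format-List
# Move-FsmoRole -TargetDc DC2 -Role PDCEmulator        # planned maintenance: transfer
# Move-FsmoRole -TargetDc DC2 -Role RIDMaster -Seize   # holder destroyed: seize, never reconnect the old DC
```

After a seize, the old DC must never be reconnected; remove its metadata as in the previous section instead.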

5. GHOST

Many of you may object as soon as you see this title. Have I gone silly from writing articles? How dare I criticize such excellent software as GHOST? I am not stupid and I am not mistaken: what I want to criticize is indeed GHOST. I admit that GHOST is very good software, loved by most computer users, and it has even saved me from disaster, but I still have to criticize it. Many people use GHOST to install the system and then, once everything is configured, make a backup image in case the system crashes later. This approach is understandable on a stand-alone machine or in a peer-to-peer network, but it cannot be used in a domain environment. Why? Anyone who deploys Active Directory knows that every domain user has an account and password, but do you know that communication between a computer and the domain controller is also protected by a password? This password is random and is changed regularly, so when you restore an old GHOST backup you will find that the system can no longer contact the domain controller. Why? Because the password has been changed. The fix for this is of course simple: leave the domain and rejoin it. So I can still tolerate GHOST on clients in a domain network, because I have not seen a large-scale GHOST restore happen all at once. One situation should be avoided, though: cloning disk to disk with GHOST between machines with identical hardware, because GHOST then produces duplicate SIDs, which is a security risk. There are tools to clear the SID, but I still feel uneasy about it, so I do not recommend this method. Now let's talk about GHOST on a domain controller. This I cannot tolerate, unless you make a GHOST backup every day. Active Directory has a tombstone lifetime, usually translated into Chinese as "tombstone time".
The system default is 60 days. If a domain controller is offline for more than 60 days, then even if it is reconnected, the other domain controllers will no longer replicate information to it; you could say it has left the network for good. What is even more frightening is that a domain controller restored from such a backup is likely to replicate the outdated information it holds to the other domain controllers. Accounts you deleted long ago actually come back, Group Policy settings revert and cause inexplicable problems, and this kind of replication is catastrophic for an enterprise. To avoid it you would have to modify the registry to control its outbound replication, but since the whole situation can be avoided, why bother? You can see that restoring a domain controller from an old GHOST backup is equivalent to that domain controller going offline on the day the backup was made. In many cases this restore operation is worth nothing, and sometimes it is worse than not backing up at all; proper disaster recovery is better than it. Therefore: if you can avoid GHOST, don't use it! Sometimes GHOST really does spell "dead enough". Haha!
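As an added example (not from the original article), this PowerShell script reads the forest's actual tombstone lifetime, flags replication partners whose last successful replication is older than it, and checks the local DC for the state Windows enters when it detects that it was rolled back by an image restore; it assumes the RSAT ActiveDirectory module and is meant to run on a domain controller.

```powershell
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $rootDse = Get-ADRootDSE
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
    # If the attribute is not set, the default is the 60 days the article quotes;
    # forests created on newer Windows versions store an explicit (longer) value here.
    if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }
}

function Test-UsnRollback {
    # A DC that notices it was rolled back (image restore instead of a supported backup)
    # sets 'DSA Not Writable' = 4 and stops replicating in both directions on its own.
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction Stop
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                           -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DsaNotWritable = ($ntds.'DSA Not Writable' -eq 4)
        RollbackEvents = @($events).Count   # event 2095 = USN rollback detected
    }
}

$tsl = Get-TombstoneLifetimeDays
"Tombstone lifetime: $tsl days. A DC or a backup older than this must not be brought back online."

# Partners whose last successful replication is older than the tombstone lifetime are the
# DCs the article describes as already out of the network.
$me = (Get-ADDomainController).HostName
Get-ADReplicationPartnerMetadata -Target $me -PartnerType Both |
    Select-Object Server, Partner, LastReplicationSuccess,
        @{ n = 'PastTombstone'; e = { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-$tsl) } }

Test-UsnRollback
```

If a restored DC must be isolated by hand, `repadmin /options <DC> +DISABLE_OUTBOUND_REPL` stops it from pushing stale data to its partners while you decide whether to demote and rebuild it.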

As usual, my e-mail is [email protected]; corrections are welcome!
