Win2000 Active Directory Installation and Configuration

After understanding the principles of Active Directory, we can now install and configure it. The installation and configuration process itself is not very complicated: Windows 2000 (WIN2K) provides an installation wizard, and you simply follow its prompts step by step and supply the settings the system asks for. The preparation work before installation, however, is more involved, and Active Directory can only be installed correctly once it has been fully understood. Below I introduce in detail the preparation, installation and configuration of Active Directory.

First, preparation before installing Active Directory

As we saw earlier, Active Directory is a key service in the whole WIN2K system. It is not isolated: it has a very close relationship with many protocols and services, and it is bound up with the structure and security of the entire WIN2K system. Installing Active Directory is therefore not as simple as installing an ordinary Windows component; a series of planning and preparation steps is required beforehand. Otherwise you will neither enjoy the advantages of Active Directory nor be able to install the directory service properly.

1. Before installing Active Directory, you must make sure that a machine with WIN2K Server or Advanced Server is already installed, that it has at least one NTFS partition, that TCP/IP is configured with DNS, and that the DNS service in use supports SRV records and the dynamic update protocol.

2. Next, plan the domain structure of the entire system. Active Directory can contain one or more domains, and if the directory structure of the system is not well planned, the hierarchy cannot bring out the strengths of Active Directory. Choosing the root domain (the base domain of the system) is a key decision here. The root domain name can be chosen in one of the following ways:

1) Use an already registered DNS domain name as the Active Directory root domain name. The advantage is that the corporate public network and the private network use the same DNS name.

2) Use a subdomain of a registered DNS domain name as the root domain name of Active Directory.

3) Select a domain name for Active Directory that is completely different from the registered DNS domain name. The corporate network then presents two completely different naming structures internally and on the Internet.

4) Name the public part of the corporate network with an already registered DNS domain name and give the private network a different internal domain name, so that the two parts are separated by namespace; whenever one part accesses the other, it must use the other part's namespace to identify the object.

3. Another task is to plan domain and account naming, because one purpose of using Active Directory is to give the internal and external networks a unified directory service with a unified naming scheme, which makes network management and business contacts easier. The Active Directory domain name is usually the full DNS name of the domain, but for backward compatibility each domain should also have a pre-WIN2K name for use on computers running an operating system older than WIN2K. User accounts live in Active Directory. Each user account has a user logon name, a pre-WIN2K user logon name (the Security Account Manager account name) and a user principal name suffix. When creating a user account, the administrator enters the logon name and selects the user principal name suffix. Active Directory recommends that the pre-WIN2K logon name use the first 20 bytes of the user logon name. The Active Directory naming strategy is the first step in planning an enterprise network; it directly affects the basic structure of the network and even its performance and scalability. Active Directory provides a good reference model for modern enterprises: it takes into account the multi-level structure and the distributed nature of the enterprise, and it even provides a completely consistent naming model for direct access to the Internet.

The so-called user principal name is composed of the user account name and the name of the domain in which the user account is located. This is the standard way of logging into a WIN2K domain. The standard format is the user logon name, followed by an @ sign, followed by the domain name (like a personal e-mail address). Do not type the @ sign yourself into the user logon name or the user principal name: Active Directory adds this symbol automatically when the user principal name is created. A user principal name with more than one @ sign is invalid.

In Active Directory, the default user principal name suffix is the DNS name of the root domain of the domain tree. If the organization uses a multi-level domain tree made up of departments and regions, the domain name of a user at the bottom of the tree can be very long: for users in such a domain, the default user principal name suffix might be grandchild.child.root.com. The default logon name for users in this domain may be. In that case the name the user has to type at logon can be too long and very inconvenient to enter. To solve this problem, WIN2K allows the user, once the principal name has been created, to log on with just the user name followed by the root domain, so that the same user logs on with a shorter name instead of the long one above.
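To make the naming rules above concrete, here is an added example (not code from the original article) that models a user account with its user principal name, its pre-WIN2K logon name truncated to 20 characters, and the shorter root-domain suffix used as the workaround; the domain tree and account names are constructed.

```python
# Added example, not code from the original article: a small model of the
# Windows 2000 account-naming rules described above. The domain tree
# root.com -> child.root.com -> grandchild.child.root.com and the account
# names are constructed sample data.
from dataclasses import dataclass
from typing import Optional

PRE2K_NAME_LIMIT = 20  # recommendation above: first 20 bytes of the logon name


@dataclass(frozen=True)
class UserAccount:
    logon_name: str        # what the administrator types; must not contain @
    upn_suffix: str        # DNS name of the user's domain, or a shorter alternative
    pre2k_logon_name: str  # SAM account name used by pre-Windows 2000 clients

    @property
    def upn(self) -> str:
        """User principal name: logon name + @ + suffix, e-mail style."""
        return f"{self.logon_name}@{self.upn_suffix}"


def is_valid_upn(upn: str) -> bool:
    """Exactly one @ with text on both sides; two or more @ signs are invalid."""
    parts = upn.split("@")
    return len(parts) == 2 and all(parts)


def create_account(logon_name: str, domain_dns_name: str,
                   alternative_suffix: Optional[str] = None) -> UserAccount:
    """Build an account as the wizard does: the administrator enters the logon
    name and selects a suffix (default: the user's own domain DNS name); the
    pre-Windows 2000 name is derived by truncating the logon name."""
    if not logon_name or "@" in logon_name:
        raise ValueError("the logon name must be non-empty and must not contain @")
    suffix = alternative_suffix or domain_dns_name
    account = UserAccount(logon_name, suffix, logon_name[:PRE2K_NAME_LIMIT])
    if not is_valid_upn(account.upn):
        raise ValueError(f"invalid user principal name: {account.upn}")
    return account


def shorten_upn(account: UserAccount, root_dns_name: str) -> UserAccount:
    """Re-issue the account with the root domain as its suffix so the same user
    can log on with a shorter name (the workaround described above)."""
    return UserAccount(account.logon_name, root_dns_name, account.pre2k_logon_name)
```

For a user created in grandchild.child.root.com, shorten_upn gives the same person a root.com suffix while the pre-WIN2K name stays unchanged.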

4. Finally, pay attention to planning the trust relationships between domains. WIN2K computers enable account authentication across domains through two-way, transitive trust relationships based on the Kerberos V5 security protocol. When a domain is created in a domain tree, trust relationships are established automatically between adjacent domains (parent and child). In a domain forest, trust relationships are established automatically between the forest root domain and the root domain of each domain tree added to the forest. Because these trust relationships are transitive, users and computers can be authenticated between any domains in the domain tree or the domain forest.

If you upgrade a Windows domain from a version older than WIN2K to a WIN2K domain, the WIN2K domain automatically preserves the existing one-way trust relationships between that domain and any other domains, including all trust relationships with pre-WIN2K Windows domains. If you install a new WIN2K domain and want to establish a trust relationship with a pre-WIN2K domain, an external trust relationship with that domain must be created.
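The trust rules above, as an added example that is not code from the original article: a small Python model of a forest that records the automatic parent-child and forest-root trusts (two-way, transitive) and a one-way, non-transitive external trust to a pre-WIN2K domain, then checks whether an account from one domain can be authenticated in another. All domain names are constructed.

```python
# Added example, not code from the original article: a model of the trust
# rules described above. root.com, child.root.com, grandchild.child.root.com,
# the second tree othertree.net and the pre-WIN2K domain NT4DOM are constructed.
from collections import deque

class Forest:
    def __init__(self, forest_root):
        self.forest_root = forest_root
        self.trusts = {}  # (trusting, trusted) -> True if the trust is transitive

    def _two_way(self, a, b):
        self.trusts[(a, b)] = self.trusts[(b, a)] = True  # two-way, transitive

    def add_child(self, child, parent):
        """A domain created in a tree automatically trusts its parent, and vice versa."""
        self._two_way(child, parent)

    def add_tree(self, tree_root):
        """A tree root added to the forest automatically trusts the forest root."""
        self._two_way(tree_root, self.forest_root)

    def add_external_trust(self, trusting, pre2k_domain):
        """One-way, non-transitive: the trusting WIN2K domain accepts pre-WIN2K accounts."""
        self.trusts[(trusting, pre2k_domain)] = False

    def can_authenticate(self, resource_domain, account_domain):
        """True if an account from account_domain can be authenticated in
        resource_domain: a direct trust, or a path made only of transitive hops."""
        if resource_domain == account_domain or (resource_domain, account_domain) in self.trusts:
            return True
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:
            current = queue.popleft()
            for (trusting, trusted), transitive in self.trusts.items():
                if trusting == current and transitive and trusted not in seen:
                    if trusted == account_domain:
                        return True
                    seen.add(trusted)
                    queue.append(trusted)
        return False


def sample_forest():
    f = Forest("root.com")
    f.add_child("child.root.com", "root.com")
    f.add_child("grandchild.child.root.com", "child.root.com")
    f.add_tree("othertree.net")
    f.add_child("sales.othertree.net", "othertree.net")
    f.add_external_trust("child.root.com", "NT4DOM")
    return f
```

With sample_forest(), an account from sales.othertree.net is authenticated in grandchild.child.root.com through four transitive hops, whereas NT4DOM accounts are accepted only in child.root.com, the domain that holds the external trust.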

Second, installing Active Directory

Every new installation is set up as a member server. If you choose the "Active Directory" option while installing WIN2K Server, the system shows a prompt similar to "If you install Active Directory at this time, the domain names in the system cannot be changed again...". In general we do not install Active Directory while installing the operating system, so that there is time to plan the protocols and system structure related to Active Directory. The directory service is installed afterwards with the Dcpromo command. The directory service can also be uninstalled rather than being a lifetime decision: when installing Windows NT 4.0, the system distinguished between a domain controller and a member server, and the two could not be converted into each other.

Dcpromo is a graphical wizard that guides the user step by step through building a domain controller. It makes it very convenient to create a new domain forest or domain tree, or simply an additional domain controller for an existing domain. Many other network services, such as DNS Server, DHCP Server and Certificate Server, can later be integrated with Active Directory to ease policy management. There is nothing special about the wizard's graphical interface: as long as we understand the meaning of Active Directory explained earlier and have planned before installation, it is easy to complete every installation task.

After Active Directory is installed there are three main Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, used mainly for managing a domain; Active Directory Domains and Trusts, used mainly for managing the relationships between multiple domains; and Active Directory Sites and Services, which can place domain controllers at different sites. Within a typical LAN, that is within one site, replication between domain controllers is automatic; replication between domain controllers in different sites requires administrator configuration to optimize replication traffic and improve scalability. From the Active Directory management interfaces you can also right-click a site, domain or organizational unit to start the Group Policy management interface and manage that object in detail.

For sites, domains and organizational units, administrators can also delegate authority easily: right-click one of them to launch the Delegation of Control wizard, which sets which administrators have administrative rights over which objects. For example, the administrator of the company's internal technical support center may only have the right to reset user passwords and no permission to create or delete user accounts. This finer-grained management is known as "granular" administration.

In addition, Active Directory fully takes into account the need to back up and restore the directory service. The WIN2K backup tool has an option for backing up Active Directory, and in the event of an accident you can press F8 when the machine starts to enter Directory Services Restore Mode, which keeps the damage from a disaster to a minimum.
