Domains are an important part of the Microsoft LAN solution. Almost every release of Windows Server has brought significant improvements and enhancements to the domain. What kind of domain experience does Microsoft bring us with its latest version, Windows Server 2008? Here I will share, with examples, some new applications of the Windows Server 2008 domain. I hope these new features will give you a different domain management experience.
1. Deploying read-only domain controllers
The security of domain controllers (DCs), especially their physical security, is a concern for administrators. A special domain controller, the Read-Only Domain Controller (RODC), has been added to Windows Server 2008. With RODC, we can deploy read-only domain controllers in network nodes that cannot guarantee physical security. This not only improves security, but also enables faster logins and more efficient access to network resources.
It is very simple to deploy a read-only domain controller (RODC) in Windows Server 2008. For example, to deploy a Windows Server 2008 host in the jp.com domain as a read-only domain controller, first log in to the host as an administrator, open the command prompt as Administrator, and run the command “dcpromo /replicaornewdomain:readonlyreplica /installdns:yes /replicadomaindnsname:Woodgrovebank.com /sitename:default-first-site-name /safemodeadminpassword:ctocio!”. Here “/replicadomaindnsname:Woodgrovebank.com” specifies the domain name, and “/safemodeadminpassword:ctocio!” sets the domain controller administrator's password (the Directory Services Restore Mode password) to ctocio!.
Note that while Active Directory (AD) is installed, DNS is installed and configured at the same time, and the administrator password set above is the password for Active Directory Restore Mode. In addition, during installation be sure to review the replication policy output shown on screen. Apart from this, the default settings can be kept. Once Active Directory is installed the system reboots, and after the restart the host is a read-only domain controller (RODC).
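As an added example (not code from the original article), the same RODC promotion can be driven by a dcpromo answer file so that the Directory Services Restore Mode password is not typed on the command line, where it would be visible in the process list and the console history. The script assumes an elevated PowerShell session on a domain-joined Windows Server 2008 host; the domain and site names are taken from the article's command, while the answer-file location and the exit-code check are assumptions.

```powershell
# Added example, not code from the original article. Promotes this host to an
# RODC with a dcpromo answer file instead of passing the DSRM password on the
# command line. Assumes an elevated PowerShell session on a domain-joined host.
param(
    [string]$DomainName = 'Woodgrovebank.com',       # value from the article's command
    [string]$SiteName   = 'Default-First-Site-Name'  # value from the article's command
)
$ErrorActionPreference = 'Stop'

# Read the Directory Services Restore Mode password without echoing it and
# keep it in plain text only for the lifetime of the answer file.
$secure = Read-Host -Prompt 'DSRM (safe mode) administrator password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# [DCInstall] keys equivalent to the article's command-line switches
$answer = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$DomainName
SiteName=$SiteName
InstallDNS=Yes
SafeModeAdminPassword=$plain
RebootOnCompletion=No
"@

# %TEMP% is per-user; the file is removed as soon as dcpromo returns (assumed location)
$answerFile = Join-Path $env:TEMP 'rodc-unattend.txt'
try {
    Set-Content -Path $answerFile -Value $answer -Encoding ASCII
    & dcpromo.exe /unattend:$answerFile
    $rc = $LASTEXITCODE
} finally {
    # Overwrite before deleting so the plain-text password does not linger on disk
    if (Test-Path $answerFile) {
        Set-Content -Path $answerFile -Value ('x' * $answer.Length) -Encoding ASCII
        Remove-Item -Path $answerFile -Force
    }
    $plain = $null
}

# Assumption: any non-zero exit code means the promotion did not complete
if ($rc -ne 0) { throw "dcpromo returned exit code $rc; see %SystemRoot%\debug\dcpromo.log" }
Write-Host 'Promotion completed; the host becomes an RODC after the reboot.'
Restart-Computer -Confirm
```

The reboot is deferred (RebootOnCompletion=No) so that the answer file is wiped before the machine goes down; dcpromo.log is the place to look when the exit code is not zero.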
2. Separation of management roles
Administrator role separation is a major feature of read-only domain controllers (RODC): we can assign a domain user to a role on the RODC without granting that user any rights in the domain or on other domain controllers. In fact, these roles are very similar to local groups. With this feature we can assign an administrator to a branch office's RODC for routine maintenance (such as disk defragmentation) without giving them a domain administrator username and password. The benefits are obvious: first, it frees the domain administrator and lets DC management tasks be distributed; second, it greatly enhances the security of the domain, because the authorized user can only perform the specified operations and cannot harm the rest of the domain. At the same time, it avoids the risk of damage caused by misuse of DC management.
We perform administrator role separation on a read-only domain controller (RODC) as follows: log in to the host as an administrator, open the command prompt as Administrator, and execute the following commands in sequence:
NTDSUTIL
Local Roles
Add Woodgrovebank.com\jp Administrators
Show Role Administrators
Quit
Quit
Figure 2: NTDSUTIL
Briefly, the first line starts the NTDSUTIL.exe command line, the second enters the local role setting state, the third is the key command that adds the user jp of the Woodgrovebank.com domain to the administrators role (group), the fourth displays the members of the administrators role, and the fifth and sixth lines quit the NTDSUTIL tool.
3. Performing management operations with new accounts
Through the above operations we have given the user jp permission to operate on the Woodgrovebank.com domain. Below we verify the effectiveness of these operations. Log in to the read-only domain controller (RODC) named SFO-DC-01.Woodgrovebank.com as the user jp. First open the command prompt and execute the command “whoami /user /groups | find "Administrators"”; we can see that the domain user jp has successfully logged on to this read-only domain controller (RODC) and is already one of its local administrators. (Figure 3)
Figure 3: Read-only domain controller
Below we perform a system management operation, such as formatting the F partition of the host. Execute the command “format F: /q” at the command line; we can see that the quick format of the F partition of the read-only domain controller (RODC) completes successfully. This shows that the administrator role separation we just performed on the read-only domain controller (RODC) was successful. Note, however, that in the domain this user is still only an ordinary domain user with only the general permissions granted by domain policy. You can try this: create such a user and then log in to another domain controller, and you will find that the login fails, because ordinary domain users cannot log in to a domain controller.
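The delegation in sections 2 and 3 can be scripted and checked from PowerShell. The following is an added example, not the article's own code: it assigns a domain user to a local role of the RODC with ntdsutil and then confirms the assignment by reading the role back, so a mistyped account name does not go unnoticed. It assumes an elevated PowerShell session on the RODC, that ntdsutil runs its interactive commands when they are passed as quoted arguments, and that `show role` prints members one per line in DOMAIN\name form; the account value is a placeholder.

```powershell
# Added example, not code from the original article. Delegates one RODC local role
# to a domain user and verifies it. Assumes an elevated PowerShell session on the RODC.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account,                  # placeholder form: 'Woodgrovebank.com\jp'
    [string]$Role = 'administrators'   # a role name accepted by ntdsutil 'local roles'
)
$ErrorActionPreference = 'Stop'

function Invoke-Ntdsutil {
    # ntdsutil executes its interactive commands when they are passed as arguments
    param([string[]]$Commands)
    return (& ntdsutil.exe @Commands 2>&1 | Out-String)
}

function Get-RodcRoleMembers {
    # Reads the members of a local role back from the RODC.
    # Assumption: 'show role' lists one member per line as DOMAIN\name.
    param([string]$RoleName)
    $text = Invoke-Ntdsutil @('local roles', "show role $RoleName", 'quit', 'quit')
    return @($text -split "`r?`n" |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^\s\\]+\\[^\s\\]+$' })
}

function Grant-RodcLocalRole {
    # Adds $Member to $RoleName only if not already present, then re-reads the role
    param([string]$Member, [string]$RoleName)
    $before = Get-RodcRoleMembers -RoleName $RoleName
    if ($before -contains $Member) {
        Write-Host "$Member already holds the $RoleName role on $env:COMPUTERNAME"
        return $true
    }
    $output = Invoke-Ntdsutil @('local roles', "add $Member $RoleName", 'quit', 'quit')
    $after = Get-RodcRoleMembers -RoleName $RoleName
    if ($after -notcontains $Member) {
        Write-Warning "ntdsutil output:`n$output"
        return $false
    }
    Write-Host "$Member added to the $RoleName role on $env:COMPUTERNAME (members now: $($after -join ', '))"
    return $true
}

if (-not (Grant-RodcLocalRole -Member $Account -RoleName $Role)) {
    throw "Delegation of $Role to $Account could not be confirmed; check that this host is an RODC and that the account exists"
}
```

Because the role lives only on the RODC, the read-back is the only confirmation available without logging on as the delegated user; the `whoami /groups` check in the article remains the end-to-end test.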
4. Perform offline maintenance of Active Directory
We know that in previous versions of Windows Server, if you needed to maintain Active Directory offline, you had to restart the domain controller, press F8 during startup, and enter Active Directory Restore Mode to complete the operation. Doing so affects other services running on the domain controller, such as file services and print services, which is very inconvenient. In Windows Server 2008, however, we can stop the Active Directory Domain Services service without restarting, and then perform the operations that require Active Directory to be offline, such as defragmenting or moving the Active Directory database. Below, the author demonstrates this in a test environment so that you can experience this new feature of Windows Server 2008.
At the command prompt enter the command “net stop NTDS”; it will prompt “Do you want to continue this operation?”. Enter y and press Enter to stop the directory service. Then take the following steps to perform offline maintenance of Active Directory:
MD C:\compact
ntdsutil
Activate Instance NTDS
Files
Compact to C:\compact
quit
quit
Del C:\Windows\NTDS\*.log
Copy /y C:\compact\ntds.dit C:\Windows\NTDS\ntds.dit
ntdsutil
Activate Instance ntds
files
integrity
quit
semantic database analysis
go fixup
quit
quit
exit
(Figure 4)
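The steps above delete the transaction logs and overwrite the live database, with no way back if the compacted copy turns out to be damaged. The following added example, which is not the article's own code, runs the same sequence from PowerShell with a timestamped backup of the old database and logs, a free-space check before compaction, an integrity check of the new database before it is kept, and an automatic rollback if that check fails; AD DS and the services that depend on it are restarted either way. It assumes an elevated PowerShell session on the domain controller and reads the database location from the NTDS service's registry parameters; the working and backup directories and the success strings matched in ntdsutil's output are assumptions.

```powershell
# Added example, not code from the original article. Offline compaction of the AD
# database with backup, integrity check and rollback. Assumes an elevated session.
$ErrorActionPreference = 'Stop'

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath     = (Get-ItemProperty -Path $ntdsParams).'DSA Database file'  # usually C:\Windows\NTDS\ntds.dit
$ntdsDir    = Split-Path -Path $dbPath -Parent
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$compactDir = "C:\compact\$stamp"        # assumed working directory
$backupDir  = "C:\ntds-backup\$stamp"    # assumed backup directory

function Invoke-Ntdsutil {
    # ntdsutil executes its interactive commands when they are passed as arguments
    param([string[]]$Commands)
    return (& ntdsutil.exe @Commands 2>&1 | Out-String)
}

function Test-FreeSpace {
    # True when the volume holding $Path has at least $Bytes free (WMI is available on Server 2008)
    param([string]$Path, [long]$Bytes)
    $drive = ([IO.Path]::GetPathRoot($Path)).Substring(0, 2)
    $disk  = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
    return ([long]$disk.FreeSpace -ge $Bytes)
}

$dbSize = (Get-Item -Path $dbPath).Length
foreach ($dir in $compactDir, $backupDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    if (-not (Test-FreeSpace -Path $dir -Bytes ($dbSize * 2))) { throw "Not enough free space under $dir" }
}

# Remember which dependent services were running so they can be started again afterwards
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }

# Stop AD DS in place (restartable AD DS) instead of rebooting into restore mode
Stop-Service -Name NTDS -Force
try {
    $out   = Invoke-Ntdsutil @('activate instance ntds', 'files', "compact to $compactDir", 'quit', 'quit')
    $newDb = Join-Path -Path $compactDir -ChildPath 'ntds.dit'
    if ($out -notmatch 'Compaction is successful' -or -not (Test-Path -Path $newDb)) {
        throw "Compaction failed:`n$out"
    }

    # Keep the old database and logs instead of deleting them
    Copy-Item -Path $dbPath -Destination $backupDir
    Get-ChildItem -Path $ntdsDir -Filter '*.log' | Move-Item -Destination $backupDir
    Copy-Item -Path $newDb -Destination $dbPath -Force

    $check = Invoke-Ntdsutil @('activate instance ntds', 'files', 'integrity', 'quit', 'quit')
    if ($check -notmatch 'Integrity check successful') {
        # Roll back to the saved database and logs before the service comes back up
        Copy-Item -Path (Join-Path -Path $backupDir -ChildPath 'ntds.dit') -Destination $dbPath -Force
        Get-ChildItem -Path $backupDir -Filter '*.log' | Copy-Item -Destination $ntdsDir
        throw "Integrity check failed, original database restored:`n$check"
    }

    # Semantic check as in the article; its output is shown for review
    Invoke-Ntdsutil @('activate instance ntds', 'semantic database analysis', 'go fixup', 'quit', 'quit') | Write-Host
    Write-Host "Compacted $dbPath from $dbSize to $((Get-Item -Path $dbPath).Length) bytes; backup in $backupDir"
} finally {
    Start-Service -Name NTDS
    foreach ($svc in $dependents) { Start-Service -Name $svc.Name }
}
```

Stopping NTDS with -Force also stops the services that depend on it (for example Kerberos Key Distribution Center and DNS Server when installed), which `net stop NTDS` asks about interactively; the script records those services before stopping so the finally block can bring the domain controller back to its previous state even when the compaction is abandoned.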