
The Best Damn Windows Server 2003 Book Period - P51


DOCUMENT INFORMATION

Pages: 10
Size: 363.75 KB

Contents

Creating the Forest and Domain Structure

The process of creating the forest and domain structure is centered on the Active Directory Installation Wizard (dcpromo). This utility installs and configures DCs, which in turn provide the Active Directory directory service to networked computers and users. The first step is to install Windows Server 2003 as a member server or a stand-alone server. At this point you should be familiar with that process, so it will not be covered here. Next comes the decision process leading to the installation of a DC. Essentially, there are two reasons to install a DC: to create a new domain, or to add an additional DC to an existing domain. Depending on your current forest structure, you will end up with one of four results:

■ A new forest
■ A new domain tree in an existing forest
■ A new child domain in an existing domain
■ A new DC in an existing domain

Deciding When to Create a New DC

Since a domain cannot exist without a DC, you must create at least one for each domain. The process of creating the first DC also creates the domain itself. The domain can be either a new child domain or the root of a new tree. The difference is in the namespace; see the section Domain Trees earlier in the chapter. Here are the four main reasons to create a new DC:

■ Creating the first domain in your network
■ Creating a new domain in your forest
■ Improving a domain's reliability
■ Improving network performance between sites

If you want to create a domain with a name that is not related to any other namespace in your forest, you will create a new tree. If you want to create a domain that will function as an additional subunit within an existing domain, you will create a child domain. To improve a domain's reliability, you should always create at least a second DC in each domain. That way, if the first one fails, you will still be able to use the second.
If your existing DCs are overloaded, simply adding another DC to your domain will help spread the load. If any of your domains are divided by WAN links, it is good practice to place a DC in each site. Besides lowering WAN bandwidth utilization and improving logon response times, you also provide a level of fault tolerance: if the WAN link fails, users on both sides of the link can continue to log on, provided each side can also satisfy the global catalog lookup that logon needs, either with a local global catalog server or with universal group membership caching enabled for the site, which Windows Server 2003 DCs support.

Active Directory requires DNS. The Active Directory Installation Wizard will look for an authoritative DNS server that accepts dynamic updates for the domain. If a DNS server that can accept dynamic updates is not available, the wizard will optionally create one for you, preconfigured for the name of your domain. When you restart the new DC, it will register itself in DNS.

466 Chapter 12 • Working with Forests and Domains 301_BD_W2k3_12.qxd 5/12/04 12:38 PM Page 466

Installing Domain Controllers

You should know what type of domain you want to install before you begin, and the namespace it will use. Read the procedure for the type of domain you want to install and know what your responses will be. For example, if you want the shared system volume (SYSVOL) on its own disk volume, you will need to prepare it ahead of time. Before you run the Active Directory Installation Wizard, make sure that the authoritative DNS zone allows dynamic updates and that your DNS server supports SRV records. As always, no matter how small the domain, it should always have two DCs for fault tolerance and availability.

Creating a Forest Root Domain

The initial DC that you install will provide your users with Active Directory. Consider making this an empty root domain in which your Enterprise Administrators have accounts, but no regular users. With the procedure that follows, you will simultaneously create your first domain, called the root domain, and your first forest.
Create a new domain in a new forest

1. Log on as a local Administrator.
2. Click Start | Run.
3. Type dcpromo.
4. Click OK to start the Active Directory Installation Wizard.
5. In the Welcome to the Active Directory Installation Wizard window, click Next.
6. In the Operating System Compatibility window, click Next.
7. In the Domain Controller Type window, click Domain controller for a new domain | Next.
8. In the Create New Domain window, click Domain in a new forest | Next.
9. In the New Domain Name window, type the full DNS domain name for the new domain, and click Next.
10. In the NetBIOS Domain Name window, verify the NetBIOS name and click Next. The default name is generally the best one to use.
11. In the Database and Log Folders window, type or browse to the location where you want the database and log folders. Click Next.
12. In the Shared System Volume window, type or browse to the location where you want the SYSVOL folder. Click Next.
13. In the DNS Registration Diagnostics window, verify that an existing DNS server is authoritative for this new forest, or click Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server. Click Next.
14. In the Permissions window, you have two options: Permissions compatible with pre-Windows 2000 server operating systems and Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems. Select one, and then click Next. Prefer the second option unless you still depend on Windows NT 4.0 RAS servers or similar: the pre-Windows 2000 option adds Everyone and Anonymous Logon to the Pre-Windows 2000 Compatible Access group, which lets unauthenticated clients read user and group attributes from the directory.
15. In the Directory Services Restore Mode Administrator Password window, input and confirm the password for Directory Services Restore Mode. Click Next. This password belongs to a local account that exists only on this DC and is used to log on when the DC is booted into Directory Services Restore Mode for an offline repair or restore; choose a strong password and record it where a recovery team can find it.
16. Read the Summary window. Click Next. The installation will continue for several minutes.
17. Restart your new DC.
18. Verify that the installation was successful. Open a command prompt and enter the net share command. It should report the existence of the Netlogon and SYSVOL shares. To verify that the DNS service locator records for the new DC were successfully created, follow these steps:
    1. Click Start | Administrative Tools | DNS to start the DNS administrator console.
    2. Expand the server name.
    3. Expand Forward Lookup Zones.
    4. Expand the domain.
    5. Verify that the _msdcs, _sites, _tcp, and _udp folders are present and contain records for your new DC. These service location records are crucial to the operation of the DC. See Figure 12.1 for a view of the DNS administrator tool used to view them.

Figure 12.1 The DNS Administrator Tool Used to Verify a Successful Forest-Root

Creating a New Domain Tree in an Existing Forest

This will often be the second domain that you install. This type of arrangement accommodates a forest comprised of two different company divisions, or two companies within a larger corporation. Domains are used as boundaries for administration and policy. With the procedure that follows, you will simultaneously create your first nonroot top-level domain, and the second tree in your forest. Note that a new bidirectional, transitive trust (a tree-root trust) is automatically created with the forest root.

Create a new domain tree in an existing forest

1. Log on as a local Administrator.
2. Click Start | Run.
3. Type dcpromo.
4. Click OK to start the Active Directory Installation Wizard.
5. In the Welcome to the Active Directory Installation Wizard window, click Next.
6. In the Operating System Compatibility window, click Next.
7. In the Domain Controller Type window, click Domain controller for a new domain | Next.
8. In the Create New Domain window, click Domain tree in an existing forest | Next.
9. In the Network Credentials window, type the username, password, and domain name of an account that is a member of Enterprise Admins in the forest-root domain (the forest-root Administrator account is one by default). Click Next.
10. In the New Domain Tree window, type the full DNS domain name for the new domain, and click Next.
11. In the NetBIOS Domain Name window, verify the NetBIOS name and click Next. The default name is generally the best one to use.
12. In the Database and Log Folders window, type or browse to the location where you want the database and log folders. Click Next.
13. In the Shared System Volume window, type or browse to the location where you want the SYSVOL folder. Click Next.
14. In the DNS Registration Diagnostics window, configure an existing DNS server to be authoritative for this tree, or click Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server. Click Next.
15. In the Permissions window you have two options: Permissions compatible with pre-Windows 2000 server operating systems and Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems. Select one (the same considerations as in step 14 of the previous procedure apply), and then click Next.
16. In the Directory Services Restore Mode Administrator Password window, input and confirm the password for Directory Services Restore Mode. Click Next.
17. Read the Summary window. Click Next. The installation will continue for several minutes.
18. Restart your new DC.
19. Verify that the installation was successful. Open a command prompt and enter the net share command. It should report the existence of the Netlogon and SYSVOL shares. To verify that the DNS service locator records for the new DC were successfully created, follow these steps:
    1. Click Start | Administrative Tools | DNS to start the DNS administrator console.
    2. Expand the server name.
    3. Expand Forward Lookup Zones.
    4. Expand the domain.
    5. Verify that the _msdcs, _sites, _tcp, and _udp folders are present and contain records for your new DC. These service location records are crucial to the operation of the DC.
See Figure 12.1 for a view of the DNS administrator tool used to view them.

Creating a New Child Domain in an Existing Domain

This will often be the third domain that you install. This type of arrangement accommodates a tree comprised of two different company groups, sometimes in physically separate locations. Since domains are boundaries for administration and policy, there are many reasons for segregating a subgroup. If a group requires higher or lower levels of security, or if a different group of administrators requires complete control, then a child domain is a good idea. Keep in mind, though, that in Windows Server 2003 the forest, not the domain, is the security boundary: DCs in every domain replicate the forest-wide Configuration partition with each other, so an administrator who controls a DC in one domain can affect the whole forest. A child domain isolates administration and policy; isolating a group you do not trust requires a separate forest.

Now that you have created a new domain (in the steps outlined earlier), you can easily create a new child domain in an existing domain. The wizard steps parallel the new-tree procedure above, except that in the Create New Domain window you click Child domain in an existing domain tree, supply Enterprise Administrator credentials, and then give the parent domain's DNS name and the new child's name; the child's full DNS name is the child name prefixed to the parent's. Once complete, you should verify that the installation was successful. Open a command prompt and enter the net share command. It should report the existence of the Netlogon and SYSVOL shares. To verify that the DNS service locator records for the new DC were successfully created, follow these steps:

1. Click Start | Administrative Tools | DNS to start the DNS administrator console.
2. Expand the server name.
3. Expand Forward Lookup Zones.
4. Expand the domain.
5. Verify that the _msdcs, _sites, _tcp, and _udp folders are present and contain records for your new DC. These service location records are crucial to the operation of the DC. See Figure 12.1 for a view of the DNS administrator tool used to view them.

Creating a New DC in an Existing Domain

This is the only situation where you will run the Active Directory Installation Wizard without creating a new domain. We'll step through using the AD Installation Wizard in the procedure that follows. Usually, you will need to perform this procedure when your domain has grown to the point that it needs additional DCs to spread the workload.
Create a new domain controller in an existing domain using the conventional across-the-network method

1. Log on as a local Administrator.
2. Click Start | Run.
3. Type dcpromo /adv.
4. Click OK to start the Active Directory Installation Wizard.
5. In the Welcome to the Active Directory Installation Wizard window, click Next.
6. In the Operating System Compatibility window, click Next.
7. In the Domain Controller Type window, click Additional domain controller for an existing domain | Next.
8. In the Copying Domain Information window, click Over the network | Next.
9. In the Network Credentials window, type the username, password, and domain name of an Enterprise Administrator in the forest-root domain, or of a Domain Admin in the domain to which you are adding the DC, and click Next.
10. In the Additional Domain Controller window, type or browse to the full DNS name of the domain to which you are adding the new DC, and click Next.
11. In the Database and Log Folders window, type or browse to the location where you want the database and log folders. Click Next.
12. In the Shared System Volume window, type or browse to the location where you want the SYSVOL folder. Click Next.
13. In the Directory Services Restore Mode Administrator Password window, input and confirm the password for Directory Services Restore Mode. Click Next.
14. Read the Summary window. Click Next. The installation will continue for several minutes.
15. Restart your new DC.
16. Verify that the installation was successful. Open a command prompt and enter the net share command. It should report the existence of the Netlogon and SYSVOL shares. To verify that the DNS service locator records for the new DC were successfully created, follow these steps:
    1. Click Start | Administrative Tools | DNS to start the DNS administrator console.
    2. Expand the server name.
    3. Expand Forward Lookup Zones.
    4. Expand the domain.
    5. Verify that the _msdcs, _sites, _tcp, and _udp folders are present and contain records for your new DC. These service location records are crucial to the operation of the DC. See Figure 12.1 for a view of the DNS administrator tool used to view them.

Using the New System State Backup Method

This final DC installation procedure covers the new method of installing the Active Directory database on your new DC from a restored system state backup, as illustrated in Figure 12.2. You should use a healthy Windows Server 2003 DC as the source of the system state, and DNS should be working before you begin. Because the new DC seeds its database from the restored copy, only the changes made since the backup have to cross the network, which is what makes this method attractive for a site behind a slow WAN link. The backup must be younger than the forest's tombstone lifetime (60 days by default), or dcpromo will not accept it.

The procedure that follows is an advanced procedure, and assumes certain skills such as installing Windows Server 2003 as a member server, the use of Windows Backup, and general Windows administrative abilities. You should also test this procedure in a lab environment before trying it on an operational network. In addition, this procedure will show you how to use an answer file to automate the promotion process, making this the optimal procedure for unattended installations. Figure 12.3 shows a sample answer file. The /adv switch on dcpromo exposes the Copying Domain Information window; it is only necessary when you intend to promote from restored backup files.

Figure 12.2 Using the New System State Backup Method (diagram: the system state of DC1 carried on DLT tape to DC2 in the same domain)

Create a new domain controller in an existing domain using the new system state backup method

Steps 1 through 3 walk you through taking the snapshot.

1. Log on as a local Administrator on the healthy DC.
2. Create a directory called C:\Backup. If the folder already exists, remove any files that it contains.
3. Using Windows Backup, save the system state. It is good practice to name the file after your source DC, giving it a .bkf extension. Remember that the system state includes the directory database (ntds.dit) and with it every account's password hashes: protect the backup file and its media as you would the DC itself, and destroy the copies once the promotion is done.

You now must transport the file. Use the backup media of your choice, ensuring your ability to perform the restore at the other end. Remember that the backup file can be many GBs in size.
If you choose to use the network to transport the file, you can perform the restore and the copy at the same time using the following steps. There are various ways to accomplish this. If you choose to use a third-party backup program to transport the file on physical media such as DLT tape, CD, or DVD, you will still need to use Windows Backup at the other end to extract the data from the backup file. Adjust the procedure to your preferences.

4. Log on as a local Administrator on the member server that you want to promote, and create a shared folder called C:\Restore. It might be on your LAN or across a WAN at this point, so you might need a helping hand at the other end.
5. Back at the DC, map a drive to the shared folder created previously if you choose to copy the file over the network.
6. You have two options, depending on your choice of transport. If you are copying the file across the network, use the Restore Wizard within Windows Backup from the existing DC to restore the domaincontrollername.bkf file to the shared folder on the member server. If you have created physical media for transport, use the Restore Wizard directly on the member server using the local physical media.
7. Create a file on the member server containing the following settings. For this example, we call this file DCUnattend.txt. Examine the options in Figure 12.3. They allow for unattended Active Directory installations in other configurations such as directly across the network from an established DC. Remember to rename the member server before promoting it, or you will be faced with the opportunity to perform a domain controller rename procedure, which is another new feature of Windows Server 2003.
Figure 12.3 Sample DCUnattend.txt File

    [Unattended]
    Unattendmode=fullunattended

    [DCINSTALL]
    UserName=(domain or Enterprise admin account)
    Password=(password)
    UserDomain=(domain of the user account)
    DatabasePath=c:\Windows\ntds
    LogPath=c:\Windows\ntds
    SYSVOLPath=c:\Windows\sysvol
    SafeModeAdminPassword=(Directory Services Restore Mode password)
    CriticalReplicationOnly=No
    SiteName=
    ReplicaOrNewDomain=Replica
    ReplicaDomainDNSName=(domain name, not including any server name)
    ReplicationSourceDC=
    ReplicateFromMedia=yes
    ReplicationSourcePath=c:\NTDSrestore
    RebootOnSuccess=yes

ReplicationSourcePath must point to the folder into which the system state was restored in step 6 (C:\Restore if you followed step 4 literally; the sample shows c:\NTDSrestore, so make the two agree). SiteName and ReplicationSourceDC may be left blank, in which case the wizard chooses them. Note that the file holds the administrator password and the Directory Services Restore Mode password in clear text: restrict its NTFS permissions to Administrators while it exists and delete it as soon as the DC has been promoted.

8. Open a command prompt and type the following command: dcpromo /adv /answer:C:\DCUnattend.txt. After it is complete, the system will reboot. If dcpromo stops and asks for information, then some information was missing from the answer file.
9. Verify that the installation was successful. Open a command prompt and enter the net share command. It should report the existence of the Netlogon and SYSVOL shares. To verify that the DNS service locator records for the new DC were successfully created, follow these steps:
    1. Click Start | Administrative Tools | DNS to start the DNS administrator console.
    2. Expand the server name.
    3. Expand Forward Lookup Zones.
    4. Expand the domain.
    5. Verify that the _msdcs, _sites, _tcp, and _udp folders are present and contain records for your new DC. These service location records are crucial to the operation of the DC.
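The two checks that this section repeats by hand can be scripted: the answer-file check behind step 8 above (dcpromo stops and prompts when a key is missing), and the post-promotion check that closes each of the five procedures (net share for the Netlogon and SYSVOL shares, then the DNS console for the records under _msdcs, _sites, _tcp and _udp). The following is an added example, not code from the book or from Microsoft. It assumes Windows PowerShell 2.0 or later (which can be installed on Windows Server 2003 SP2), the [DCInstall] key names shown in Figure 12.3, and that net.exe and nslookup.exe are on the path; the domain, server and site names in the usage lines at the end are placeholders.

```powershell
# Added example, not from the book: checks a dcpromo answer file before step 8
# and checks the promoted DC after its reboot. Assumes Windows PowerShell 2.0+,
# the [DCInstall] key names from Figure 12.3, and net.exe / nslookup.exe on the path.

function Read-IniFile([string]$Path) {
    # Minimal INI reader: section name -> hashtable of key/value pairs.
    # A bare line without "=" (as in the book's sample) is kept with an empty value.
    $ini = @{}; $section = ""
    foreach ($raw in Get-Content $Path) {
        $line = $raw.Trim()
        if ($line -eq "" -or $line.StartsWith(";")) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; $ini[$section] = @{}; continue }
        if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
        if ($line -match '^([^=]+)=(.*)$') { $ini[$section][$matches[1].Trim()] = $matches[2].Trim() }
        else { $ini[$section][$line] = "" }
    }
    return $ini
}

function Test-DcAnswerFile([string]$Path) {
    # Returns the list of problems; an empty list means dcpromo has what it needs
    # for an additional DC (ReplicaOrNewDomain=Replica) and should not stop to prompt.
    $problems = @()
    $dc = (Read-IniFile $Path)["DCInstall"]          # hashtable keys are case-insensitive
    if (-not $dc) { return ,@("no [DCInstall] section in $Path") }
    foreach ($key in "UserName", "Password", "UserDomain", "ReplicaOrNewDomain",
                     "ReplicaDomainDNSName", "SafeModeAdminPassword") {
        if (-not $dc[$key]) { $problems += "missing or empty value: $key" }
    }
    if ($dc["ReplicaOrNewDomain"] -ne "Replica") {
        $problems += "this checker only covers ReplicaOrNewDomain=Replica (additional DC)"
    }
    if ($dc["ReplicateFromMedia"] -eq "yes") {
        # The restored system state must already be where the file says it is.
        $src = $dc["ReplicationSourcePath"]
        if (-not $src) { $problems += "ReplicateFromMedia=yes but ReplicationSourcePath is empty" }
        elseif (-not (Test-Path $src)) { $problems += "ReplicationSourcePath does not exist: $src" }
    }
    if ($dc["Password"]) {
        # Clear-text admin credentials: keep the file NTFS-restricted and delete it after promotion.
        Write-Warning "$Path contains a clear-text password for $($dc['UserDomain'])\$($dc['UserName'])"
    }
    return ,$problems
}

function Test-DcPromotion([string]$DomainName, [string]$DcName, [string]$SiteName) {
    # Returns the list of problems found on a DC that has rebooted after dcpromo.
    $problems = @()

    # The Netlogon and SYSVOL shares every procedure tells you to look for with net share.
    $shares = net share | Out-String
    foreach ($share in "NETLOGON", "SYSVOL") {
        if ($shares -notmatch "(?im)^$share\s") { $problems += "share $share is not published" }
    }

    # The SRV records under _msdcs, _sites, _tcp and _udp that every DC registers for itself.
    $records = "_ldap._tcp.dc._msdcs.$DomainName",
               "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainName",
               "_ldap._tcp.$DomainName",
               "_kerberos._tcp.$DomainName",
               "_kerberos._udp.$DomainName",
               "_kpasswd._tcp.$DomainName"
    foreach ($record in $records) {
        $answer = nslookup -querytype=SRV $record 2>&1 | Out-String
        # nslookup prints one "svr hostname = <fqdn>" line per target of the record.
        if ($answer -notmatch "(?i)svr hostname\s*=\s*$DcName\.$DomainName") {
            $problems += "SRV $record does not point at $DcName.$DomainName"
        }
    }
    return ,$problems
}

# Usage (placeholder names): on the member server before step 8, then on the DC after the reboot.
if (Test-Path C:\DCUnattend.txt) { Test-DcAnswerFile C:\DCUnattend.txt | ForEach-Object { "FAIL $_" } }
Test-DcPromotion -DomainName corp.example.com -DcName DC2 -SiteName Default-First-Site-Name |
    ForEach-Object { "FAIL $_" }
```

An empty result from either function is the pass condition. The SRV check deliberately queries the resolver the DC is configured with rather than a hard-coded server, because a DC whose preferred DNS server does not hold the zone is exactly the misconfiguration that leaves the _msdcs records missing. If the Windows Support Tools are installed, dcdiag /test:Advertising /test:NetLogons covers the same ground from the DC's own point of view.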
Assigning and Transferring Master Roles

The advantage of a single-master model is that conflicts cannot be introduced while the Operations Master is offline. The alternative involves resolving conflicts later, with possibly negative results. The disadvantage is that all Operations Masters must be available at all times to support all dependent activities within the domain or forest. Active Directory supports five operations master (FSMO) roles: the Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master. Two of these operate at the forest level only, the Schema Master and the Domain Naming Master. Conversely, the RID Master, PDC Emulator, and Infrastructure Master operate at the domain level.

Table 12.5 Valid Authorization Levels for Viewing, Transferring, and Seizing Operations Master Roles

Role                    Task                               Domain Administrator   Enterprise Administrator            Domain Administrator
                                                           on the Local Domain                                        on the Forest-Root Domain
Schema Master           Viewing, transferring, or seizing  -                      X (plus Schema Admins membership)   X
Domain Naming Master    Viewing, transferring, or seizing  -                      X                                   X
Infrastructure Master   Viewing, transferring, or seizing  X                      X                                   -
RID Master              Viewing, transferring, or seizing  X                      X                                   -
PDC Emulator            Viewing, transferring, or seizing  X                      X                                   -

The group that actually grants the right is Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master, and Domain Admins of the domain in question for the three domain-level roles; viewing the current holder needs no special membership. Seize a role only when its holder will never return: once the Schema, Domain Naming or RID Master has been seized, the old holder must not be brought back onto the network without first being rebuilt.

The forest-root domain therefore hosts five roles, one of each. Each domain added after the forest root has three additional masters. With that information, we can determine the number of operations master roles in a given forest with the following formula:

((Number of domains * 3) + 2)

Given the formula, a forest with three domains has 11 FSMO roles (3*3=9, and 9+2=11) and needs at most 11 servers to host them, unless you assign multiple roles to a single DC.
Often, small domains, empty root domains, or best practices will make combining several of these roles onto a single DC desirable. The first DC that you install in the forest root will automatically host all five roles. The first DC that you install in any additional domain will automatically host the three domain roles of PDC Emulator, RID Master, and Infrastructure Master. One combination to avoid in a multi-domain forest: do not leave the Infrastructure Master on a global catalog server unless every DC in the domain is also a global catalog, because a global catalog never holds stale cross-domain references and the Infrastructure Master would then stop updating them for the other DCs.
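To see which DC holds each role, and to check a forest against the ((Number of domains * 3) + 2) count above, the holders can be read straight from the directory: each role object carries an fSMORoleOwner attribute naming the holder's NTDS Settings object. The following is an added example, not code from the book or from Microsoft. It assumes Windows PowerShell 2.0 or later on a forest member whose account can read the Configuration partition and the head of each domain partition (any authenticated user can), and LDAP reachability to a DC of every domain.

```powershell
# Added example, not from the book: lists every operations master in the forest and
# checks the count against the formula ((domains * 3) + 2). Assumes Windows PowerShell
# 2.0+ on a forest member with LDAP access to a DC of each domain.

function Get-RoleHolder([string]$AdsPath) {
    # fSMORoleOwner on a role object is the DN of the holder's NTDS Settings object;
    # its parent is the server object, whose dNSHostName is what we want to show.
    $ntds = [string]([ADSI]$AdsPath).Get("fSMORoleOwner")
    $serverDn = $ntds -replace '^CN=NTDS Settings,', ''
    try   { return [string]([ADSI]"LDAP://$serverDn").Get("dNSHostName") }
    catch { return "UNRESOLVED: $ntds" }   # holder object gone (demoted or deleted): seize, do not transfer
}

function Get-FsmoRole([string]$Scope, [string]$Role, [string]$AdsPath) {
    New-Object PSObject -Property @{ Scope = $Scope; Role = $Role; Holder = (Get-RoleHolder $AdsPath) }
}

function Get-FsmoRoles {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNc = [string]$rootDse.Get("schemaNamingContext")
    $configNc = [string]$rootDse.Get("configurationNamingContext")

    $roles = @()
    # The two forest-wide roles live on the schema container and the Partitions container.
    $roles += Get-FsmoRole "forest" "Schema Master"        "LDAP://$schemaNc"
    $roles += Get-FsmoRole "forest" "Domain Naming Master" "LDAP://CN=Partitions,$configNc"

    # Every domain in the forest has a crossRef in the Partitions container with
    # FLAG_CR_NTDS_DOMAIN (0x2) set in systemFlags; dnsRoot tells us which domain to bind to.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Partitions,$configNc")
    $searcher.Filter = "(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))"
    [void]$searcher.PropertiesToLoad.AddRange(@("nCName", "dnsRoot"))
    foreach ($result in $searcher.FindAll()) {
        $nc  = [string]$result.Properties["ncname"][0]
        $dns = [string]$result.Properties["dnsroot"][0]
        # The three domain-level roles sit on the domain head, RID Manager$ and Infrastructure objects.
        $roles += Get-FsmoRole $dns "PDC Emulator"          "LDAP://$dns/$nc"
        $roles += Get-FsmoRole $dns "RID Master"            "LDAP://$dns/CN=RID Manager`$,CN=System,$nc"
        $roles += Get-FsmoRole $dns "Infrastructure Master" "LDAP://$dns/CN=Infrastructure,$nc"
    }
    return ,$roles
}

function Test-FsmoCount {
    # The book's formula: 2 forest-wide roles plus 3 per domain.
    $roles   = Get-FsmoRoles
    $domains = @($roles | Where-Object { $_.Role -eq "PDC Emulator" }).Count
    New-Object PSObject -Property @{
        Domains    = $domains
        Expected   = ($domains * 3) + 2
        Found      = $roles.Count
        Unresolved = @($roles | Where-Object { $_.Holder -like "UNRESOLVED*" }).Count
    }
}

Get-FsmoRoles | Format-Table Scope, Role, Holder -AutoSize
Test-FsmoCount
```

netdom query fsmo from the Windows Support Tools prints the same five holders for the current domain; the script above also walks every other domain in the forest and flags a role whose holder object no longer exists, which is the case that calls for seizing the role rather than transferring it. Seeing the same host name repeated across several roles is the "multiple roles on a single DC" arrangement the text describes, and is normal in a small forest.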

Posted: 04/07/2014, 23:21