7. When you click Next, the wizard determines the available Active Directory sites. On the Select A Site page, select the site in which you want to locate the domain controller and then click Next.

8. When you click Next, the wizard examines the DNS configuration and attempts to determine whether any authoritative DNS servers are available. As shown in Figure 33-4, the number of authoritative DNS servers in the domain is listed on the Additional Domain Controller Options page. As permitted, select additional installation options for the domain controller and then click Next.

Figure 33-4 Set additional options for the domain controller.

9. If you are installing the DNS Server service as an additional option and the server doesn't have static IP addresses for both IPv4 and IPv6, you see a warning prompt regarding the server's dynamic IP address or addresses. Click Yes only if you plan to use the dynamic IP address or addresses despite the possibility that this could result in an unreliable DNS configuration. Click No if you plan to change the IP configuration before continuing.

Note During installation of the operating system, Windows Setup installs and configures IPv4 and IPv6 if it detects networking components. If you've configured a static IPv4 address but haven't configured a static IPv6 address, you also see this warning. You can ignore this warning if your network uses only IPv4 (but keep in mind that you may need to make changes to DNS records later if your organization starts using IPv6 addresses).

10. If you are installing the DNS Server service as an additional option, the wizard next attempts to register a delegation for the DNS server with an authoritative parent zone.
If you are integrating with an existing DNS infrastructure, you should manually create a delegation to the DNS server and then click Yes to continue. Otherwise, you can ignore this warning and click Yes to continue.

Note Before continuing, make sure you check for encrypted files and folders as discussed earlier in "Active Directory Installation Options and Issues" on page 1112. If you don't do this and there are encrypted files and folders present, you will no longer be able to decrypt them.

11. If you are performing an advanced installation and are adding a domain controller to an existing domain, you can specify whether to replicate the necessary Active Directory data from media or over the network, as shown in Figure 33-5. When you are installing from media, you must specify the folder location of the media before continuing.

12. If you are performing a basic installation or you choose to replicate data over the network, you'll see the Source Domain Controller page when you click Next. This page allows you to choose a replication partner for the installation. When you install a domain controller and do not use backup media, all directory data is replicated from the replication partner to the domain controller you are installing. Because this can be a considerable amount of data, you typically want to ensure that both domain controllers are located in the same site or connected over reliable, high-speed networks.
Figure 33-5 Specify whether to replicate over the network or from media.

13. On the Location For Database, Log Files, And SYSVOL page, shown in Figure 33-6, select a location to store the Active Directory database folder, log folder, and SYSVOL. Keep the following in mind when configuring these locations:

- The default location for the database and log folders is a subfolder of %SystemRoot%\NTDS. As discussed in "Hardware and Configuration Considerations for Domain Controllers" on page 1108, you'll get better performance if these folders are on two separate volumes, each on a separate disk.

- The default location for the SYSVOL folder is %SystemRoot%\Sysvol. In most cases, you'll want to accept the default because the replication services store their database in a subfolder of the %SystemRoot% folder anyway, so by keeping the folders on the same volume, you reduce the need to move files between drives.

Note When the domain functional level is Windows 2000 Server or Windows Server 2003, the File Replication Service (FRS) is used to replicate the SYSVOL. FRS enables interoperability with Windows 2000 Server and Windows Server 2003 but does not support the latest replication enhancements. When the domain functional level is Windows Server 2008, the Distributed File System (DFS) service is used to replicate the SYSVOL and the latest replication enhancements are available, including replication of changes only within files, bandwidth throttling, and improved replication topology.
Figure 33-6 Set the storage locations for Active Directory data.

14. Click Next. Type and confirm the password that should be used when you want to start the computer in Directory Services Restore mode. Be sure to track this password carefully. This special password is used only in Restore mode and is different from the Administrator account password.

15. Click Next. Review the installation options. Optionally, click Export Settings to save these settings to an answer file that you can use to perform unattended installation of other domain controllers. When you click Next again, the wizard uses the options you've selected to install and configure Active Directory. This process can take several minutes. Keep the following in mind:

- If you specified that the DNS Server service should be installed, the server will also be configured as a DNS server at this time.

- If you are installing an additional domain controller in an existing domain, the domain controller will need to obtain updates of all the directory partitions from other domain controllers and will do this by initiating a full synchronization.
The only way to avoid this is to make a media backup of Active Directory on an existing domain controller, start the Active Directory Domain Services Installation Wizard in Advanced mode, and then specify the backup media to use during installation of Active Directory.

16. When the wizard finishes configuring Active Directory, click Finish. You are then prompted to restart the computer. Click Restart Now to reboot.

After installing Active Directory, you should verify the installation by doing the following (in no particular order):

- Examine the log of the installation, which is stored in the Dcpromo.log file in the %SystemRoot%\Debug folder. As shown in the following screen, the log is very detailed and takes you through every step of the installation process, including the creation of directory partitions and the securing of the Registry for Active Directory.

- Check for DNS updates in the DNS console shown in the following screen. If you added a domain controller to an existing domain, DNS is updated to add SRV records for the server. If you created a new domain, DNS is updated to include a forward lookup zone for the domain.

- Check for updates in Active Directory Users And Computers. For example, check to make sure the new domain controller is listed in the Domain Controllers OU, as shown in the following screen.

If you created a new domain, the following containers are created and populated as appropriate:

- Builtin contains the built-in accounts for administration, including Administrators and Account Operators.

- Computers contains computer accounts for the domain.
- Domain Controllers contains the domain controller accounts and should have an account for the domain controller you installed.

- ForeignSecurityPrincipals is a container for security principals from other domain trees.

- Users is the default container for user accounts in the domain.

Additionally, if you created a new domain, you also need to configure DNS so that name resolution works appropriately with any existing domains. To enable name resolution for computers within the new domain, you typically want to create secondary zones for all existing domains in the new domain and set up zone transfers. To enable name resolution into the new domain from existing domains, you typically want to create a secondary zone in existing domains for the new domain and set up zone transfers.

Creating New Domains in New Forests

To create a new domain in a new forest, follow these steps:

1. Start the Active Directory Domain Services Installation Wizard as discussed previously. If you haven't installed the AD DS binaries, the wizard installs them. Additionally, keep in mind that the currently logged on local administrator account will be created as a user account in the new domain with full administrator permissions. This means the account will be a member of the Users, Domain Users, and Domain Admins groups.

2. By default, the wizard uses Basic Installation mode. If you want to set the NetBIOS name of the domain, select Use Advanced Installation Mode before clicking Next to continue.

3. If the server doesn't have an appropriate IP address, you'll see the Configure TCP/IP page. This page displays a warning about the invalid IP address or improper network configuration, and you'll need to correct the issue before you can continue.

4. On the Choose A Deployment Configuration page, select Create A New Domain In A New Forest as shown in Figure 33-7.

Figure 33-7 Create a new domain in a new forest.

5. Click Next to display the Name Of The Forest Root Domain page. Type the full DNS name for the new domain. Domain names are not case-sensitive and use the letters A to Z, the numerals 0 to 9, and the hyphen (-) character. Each component of the domain name must be separated by a dot (.) and cannot be longer than 63 characters.

6. When you click Next, the wizard determines whether the name you've entered is already in use on your network. If the name is already in use, you will need to enter a different name or go back and make a different configuration selection.

7. After the wizard validates the domain name, it uses the name to generate a default NetBIOS name. If you are using Advanced Installation mode or the wizard has detected a conflict, you can accept the wizard-generated name or type a new NetBIOS name of up to 15 characters and then click Next to continue.

8. On the Set Forest Functional Level page, choose the desired functional level for the new Active Directory forest. The forest functional level can be set to Windows 2000, Windows 2003, or Windows 2008. See "Domain Design Considerations" on page 1059 for a complete discussion of forest functional levels.

9. If you set the forest functional level to Windows 2008, the domain functional level is set automatically to Windows 2008 and you do not see the Set Domain Functional Level page. Otherwise, on the Set Domain Functional Level page, choose the desired functional level for the new domain. The domain functional level can be set to Windows 2000 native, Windows 2003, or Windows 2008. See "Domain Design Considerations" on page 1059 for a complete discussion of domain functional levels.

10. When you click Next, the wizard examines the network environment and attempts to register the domain and the domain controller in DNS. If the wizard detects that a DNS server is not available, DNS Server is selected as an additional option on the Additional Domain Controller Options page and the descriptive text also recommends that you install the DNS Server service. Click Next to continue.

Note If you choose to let the wizard install DNS, the DNS Server service will be installed and the domain controller will also act as a DNS server. A primary DNS zone will be created as an Active Directory–integrated zone with the same name as the new domain you are setting up. The wizard will also update the server's TCP/IP configuration so that its primary DNS server is set to itself.

11. If you are installing the DNS Server service as an additional option and the server doesn't have static IP addresses for both IPv4 and IPv6, you'll see a warning prompt regarding the server's dynamic IP address or addresses. Click Yes only if you plan to use the dynamic IP address or addresses despite the possibility that this could result in an unreliable DNS configuration. Click No if you plan to change the IP configuration before continuing.

Note During installation of the operating system, Windows Setup installs and configures IPv4 and IPv6 if networking components are detected. If you've configured a static IPv4 address but haven't configured a static IPv6 address, you'll also see this warning. You can ignore this warning if your network only uses IPv4 (but keep in mind that you may need to make changes to DNS records later if your organization starts using IPv6 addresses).

12. If you are installing the DNS Server service as an additional option, the wizard next attempts to register a delegation for the DNS server with an authoritative parent zone.
If you are integrating with an existing DNS infrastructure, you should manually create a delegation to the DNS server and then click Yes to continue. Otherwise, you can ignore this warning and click Yes to continue.

CAUTION! Before continuing, make sure you check for encrypted files and folders as discussed in "Active Directory Installation Options and Issues" on page 1112. If you don't do this and there are encrypted files and folders present, you will no longer be able to decrypt them.

13. The rest of the installation proceeds as previously discussed. Continue with steps 13–16 and the post-installation checks discussed in the previous section, "Creating Additional Domain Controllers for an Existing Domain."

Creating a New Domain or Domain Tree Within an Existing Forest

To create a new domain or domain tree within an existing forest, follow these steps:

1. Start the Active Directory Domain Services Installation Wizard as discussed previously.
If you haven't installed the AD DS binaries, the wizard installs them.

2. On the initial wizard page, select the Use Advanced Installation Mode check box before clicking Next to continue. If you don't use Advanced Installation mode, you can create new child domains in an existing forest but cannot create a new domain tree in an existing forest.

3. If the server doesn't have an appropriate IP address, you see the Configure TCP/IP page. This page displays a warning about the invalid IP address or improper network configuration, and you'll need to correct the issue before you can continue.

4. On the Choose A Deployment Configuration page, you need to choose one of the following:

- Choose Existing Forest and then choose Create A New Domain In An Existing Forest. Choose this option to establish the first domain controller in a domain that is a child domain of an existing domain. By choosing this option, you are specifying that the necessary parent domain already exists. For example, you would choose this option if the parent domain cpandl.com had already been created and you wanted to create the tech.cpandl.com domain as a child of this domain. When you click Next, you see the Network Credentials page. In the field provided, type the full DNS name of any domain in the forest where you plan to install the domain controller. Preferably, this should be the name of the forest root domain, such as cpandl.com. If you are logged on to a domain in this forest and have the appropriate permissions, you can use your current logged on credentials to perform the installation. Otherwise, select Alternate Credentials, click Set, type the user name and password for an enterprise administrator account in the previously specified domain, and then click OK. Click Next again to display the Name The New Domain page. In the field provided, type the full DNS name for the parent domain, such as cpandl.com, or click Browse to search for an existing domain to use. In the next field, type the single name component of the child domain, such as tech.

- Choose Existing Forest, choose Create A New Domain In An Existing Forest, and then choose Create A New Domain Tree Root Instead Of A New Child Domain. Choose this option to establish a new domain tree that is separate from any existing trees in the existing Active Directory forest. By choosing this option, you specify that there isn't an existing parent domain with which you want to associate the new domain. For example, you should choose this option if the cohowinery.com domain already exists and you want to establish the cohovineyard.com domain in a new tree in the existing forest. When you click Next, you see the Network Credentials page. In the field provided, type the full DNS name of any domain in the forest where you plan to install the domain controller. Preferably, this should be the name of the forest root domain, such as cpandl.com. If you are logged on to a domain in this forest and have the appropriate permissions, you can use your current logged on credentials to perform the installation. Otherwise, select Alternate Credentials, click Set, type the user name and password for an enterprise administrator account in the previously specified domain, and then click OK. Click Next again to display the Name The New Domain Tree Root page. Type the full DNS name for the new domain. The domain name you use should not be a subdomain of an existing parent domain in any tree of the forest.

5. The rest of the installation proceeds as previously discussed. Continue with steps 7–16 and the post-installation checks discussed in "Creating Additional Domain Controllers for an Existing Domain" on page 1114. Note that you do not have the option to install from media, so the Install From Media page does not appear.
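All three procedures above end with the same post-installation checks: read Dcpromo.log, confirm that DNS has the SRV records (or the new forward lookup zone), and confirm that the new domain controller sits in the Domain Controllers OU alongside the default containers. The script below is an added example, not code from the book or from Microsoft; it runs those checks from PowerShell on the newly promoted server using only tools present on Windows Server 2008 (ADSI, nslookup, dnscmd). The domain name cpandl.com is borrowed from the book's own examples, and the service names, the Dcpromo.log location and the `[ERROR]` tag it greps for are assumptions stated in the comments.

```powershell
# Added example (not from the book): scripted post-installation checks for a new
# domain controller. Run on the new DC after the reboot that follows dcpromo.
# Assumptions: PowerShell 2.0, nslookup.exe and dnscmd.exe on the path,
# Dcpromo.log in %SystemRoot%\Debug (as the book states), and that the log
# marks failures with an "[ERROR]" tag.
function Test-DcInstall {
    param(
        [string]$DomainDnsName = 'cpandl.com',            # domain from the book's examples
        [string]$DcName        = $env:COMPUTERNAME,       # the DC just promoted
        [string]$LogPath       = "$env:SystemRoot\Debug\Dcpromo.log",
        [switch]$NewDomain                                  # set when a new domain was created
    )

    $checks = @()
    function Add-Check($name, $ok, $detail) {
        $script:checks += New-Object PSObject -Property @{ Check = $name; Passed = [bool]$ok; Detail = $detail }
    }

    # 1. Dcpromo.log exists and contains no error-tagged lines.
    if (Test-Path $LogPath) {
        $errorLines = Get-Content $LogPath | Select-String -Pattern '\[ERROR\]'
        Add-Check 'Dcpromo.log clean' ($errorLines.Count -eq 0) ("{0} error line(s)" -f $errorLines.Count)
    } else {
        Add-Check 'Dcpromo.log present' $false "not found at $LogPath"
    }

    # 2. Core DC services are running (NTDS = AD DS, Kdc = Kerberos KDC).
    foreach ($svc in 'NTDS', 'Netlogon', 'Kdc', 'DNS') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        Add-Check "Service $svc running" ($s -and $s.Status -eq 'Running') ($(if ($s) { $s.Status } else { 'missing' }))
    }

    # 3. DNS: the DC-locator SRV record must name this server. For a new domain
    #    the forward lookup zone for the domain must also exist on this DNS server.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainDnsName"
    $srv = (& nslookup -type=SRV $srvName 2>&1) | Out-String
    Add-Check "SRV $srvName lists $DcName" ($srv -match [regex]::Escape("$DcName.$DomainDnsName")) $srvName
    if ($NewDomain) {
        $zones = (& dnscmd /EnumZones 2>&1) | Out-String
        Add-Check "Forward lookup zone $DomainDnsName" ($zones -match "(?m)^\s*$([regex]::Escape($DomainDnsName))\s") 'dnscmd /EnumZones'
    }

    # 4. Directory: computer object for this DC under the Domain Controllers OU.
    $domainDn = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://OU=Domain Controllers,$domainDn"
    $searcher.Filter = "(&(objectClass=computer)(cn=$DcName))"
    $dcObject = $searcher.FindOne()
    Add-Check 'DC listed in Domain Controllers OU' ($dcObject -ne $null) "OU=Domain Controllers,$domainDn"

    # 5. New domain only: the default containers the book lists must exist.
    if ($NewDomain) {
        $containers = @('CN=Builtin', 'CN=Computers', 'OU=Domain Controllers', 'CN=ForeignSecurityPrincipals', 'CN=Users')
        foreach ($rdn in $containers) {
            $path = "LDAP://$rdn,$domainDn"
            Add-Check "Container $rdn" ([System.DirectoryServices.DirectoryEntry]::Exists($path)) $path
        }
    }

    $checks
}

# Usage: run after promotion; -NewDomain adds the zone and container checks.
Test-DcInstall -DomainDnsName 'cpandl.com' -NewDomain | Format-Table Check, Passed, Detail -AutoSize
```

Each check is returned as an object rather than printed, so the same function can feed a build-verification log or fail a deployment pipeline when any `Passed` is false. Running it again from a second domain controller, with `-DcName` set to the new server, also confirms that the SRV registration has replicated rather than only being visible locally.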
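Step 15 of the first procedure notes that Export Settings saves the wizard's choices to an answer file for unattended installation of further domain controllers. The script below is an added example, not code from the book, showing what such a file looks like for an additional domain controller in an existing domain and how it is fed to `dcpromo /unattend`. The `[DCInstall]` keys are the Windows Server 2008 dcpromo answer-file keys; the domain cpandl.com is borrowed from the book's examples, while the server name dc01, the site name, the drive letters and the media folder are placeholders to replace.

```powershell
# Added example (not from the book): build a dcpromo answer file for an
# additional DC in an existing domain and run the unattended promotion.
# Placeholders: dc01.cpandl.com (source DC), E:\NTDS (log volume), D:\IFM
# (install-from-media folder). Password=* makes dcpromo prompt for the
# domain credential instead of storing it in the file.
function New-DcpromoAnswerFile {
    param(
        [string]$DomainDnsName        = 'cpandl.com',
        [string]$SiteName             = 'Default-First-Site-Name',
        [string]$SourceDc             = 'dc01.cpandl.com',
        [string]$MediaPath            = '',               # empty = full sync over the network
        [string]$SafeModePassword,                        # DSRM password (plain text, only on disk briefly)
        [string]$Path                 = "$env:TEMP\dcpromo-replica.txt"
    )

    # Only include ReplicationSourcePath when installing from media (step 11 of the book).
    $ifmLine = if ($MediaPath) { "ReplicationSourcePath=`"$MediaPath`"" } else { '' }

    # Database and log on separate volumes, SYSVOL left at the default, as the book recommends.
    $answer = @"
; dcpromo unattend file (hand-built example; Export Settings produces the same format)
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDnsName
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$DomainDnsName
UserName=Administrator
Password=*
ReplicationSourceDC=$SourceDc
$ifmLine
DatabasePath="C:\Windows\NTDS"
LogPath="E:\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$SafeModePassword
RebootOnCompletion=Yes
"@
    Set-Content -Path $Path -Value $answer -Encoding ASCII
    $Path
}

function Invoke-UnattendedDcpromo {
    param([string]$MediaPath = '')

    # Collect the DSRM password without echoing it, decode it only to write the file.
    $secure = Read-Host 'Directory Services Restore Mode password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    $file = New-DcpromoAnswerFile -MediaPath $MediaPath -SafeModePassword $plain
    try {
        & dcpromo.exe "/unattend:$file"
        $exit = $LASTEXITCODE
    } finally {
        # The file holds the DSRM password; remove it whether or not dcpromo succeeded.
        Remove-Item -Path $file -Force -ErrorAction SilentlyContinue
    }
    $exit
}

# Usage (network replication): Invoke-UnattendedDcpromo
# Usage (install from media):  Invoke-UnattendedDcpromo -MediaPath 'D:\IFM'
```

Keeping `Password=*` and deleting the answer file in the `finally` block means the only secret ever written to disk is the Directory Services Restore Mode password, and only for the duration of the promotion; the same file, with `ReplicationSourcePath` pointing at the media folder, covers the install-from-media case described in the next section, which needs the wizard's Advanced mode when done interactively.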
Performing an Active Directory Installation from Media

Whenever you install an additional domain controller in an existing domain, you should consider whether you want to perform an installation from media rather than creating the domain controller from scratch. Doing so allows the Active Directory Domain Services Installation Wizard to get the initial data for the Configuration, Schema, and Domain directory partitions and optionally the SYSVOL from backup media rather than performing a full synchronization over the network. Not only does this reduce the amount of network traffic, which is especially important when installing domain controllers in remote sites that are connected by low-bandwidth WAN links, it can also greatly speed up the process of installing an additional domain controller and getting the directory partition data synchronized. This means that rather than having to replicate the full data across the network, the domain controller needs to get only the changes made since the backup media was

[...]

Table 34-1 Replicating Directory Partitions with RODCs

Directory Partition   Replication Partner
Schema                DC running Windows Server 2008 or Windows Server 2003
Configuration         DC running Windows Server 2008 or Windows Server 2003
Domain                DC running Windows Server 2008
Application           DC running Windows Server 2008 or Windows Server 2003
DNS                   DC running Windows Server 2008 or Windows Server 2003 with Active Directory–integrated DNS zones
Global catalog        DC running Windows Server 2008 or Windows Server 2003

Generally [...] computers running any of the following operating systems are supported for use with RODCs:

- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
- Microsoft Windows Vista
- Member servers running Windows Server 2008

RODCs support the same features as RWDCs and can be used in both core server and full server installations. Except for passwords and designated, nonreplicated attributes, RODCs store [...]

[...] deploying the RODC includes domain controllers running Windows Server 2003 and domain controllers running Windows Server 2008. The domain controller that holds the PDC emulator operations master role is running Windows Server 2008 and the RODC can communicate over a secure channel with the PDC emulator. At least one domain controller running Windows Server 2008 for the same domain must be located in the site [...]

[...] from a domain controller running Windows Server 2003 or Windows Server 2008. However, it can only replicate updates of the domain partition from a domain controller located in the same domain and that is running Windows Server 2008. Table 34-1 lists the specific partitions that can be replicated and the permitted replication partners. Only an RODC also configured as a DNS server can obtain the application [...]

[...] rather than several gigabytes, and on a busy or low-bandwidth network this can be very important.

Note In Windows Server 2008, you can create installation media by restoring a System State backup of another domain controller. This process works the same as it did for Windows Server 2003. Windows Server 2008 also gives you the option of performing an installation from media backup. A media backup is preferred [...]

[...] RODCs can pull information from domain controllers running Windows Server 2003, RODCs can only pull updates of the schema, configuration, and application partitions from a writable domain controller running Windows Server 2003 or later in the same domain; pull updates of the domain partition from a writable domain controller running Windows Server 2008 or later in the same domain; and pull a partial attribute [...]

[...] running Windows Server 2008 and domain controllers running Windows Server 2003 can perform inbound and outbound replication of all available partitions.

[...] the RODC attempts to contact and pull the user credentials or computer credentials from a writable domain controller that is running Windows Server 2008 in the hub site. The hub site can be any Active Directory site with writable domain controllers running Windows Server 2008. The writable domain controller recognizes that the request is coming from an RODC because of the use of the special Kerberos Target [...]

[...] new forests with only domain controllers that run Windows Server 2008 or when you are not using Active Directory–integrated DNS in the existing forest.

Note To use Adprep /rodcprep, log on to a domain controller using an account that is a member of the Enterprise Admins group. Next, copy the contents of the \Sources\Adprep folder on the Windows Server 2008 installation DVD to the schema master. Finally, [...]

[...] does not register name server (NS) resource records for any Active Directory–integrated zone that it hosts. When a client attempts to update its DNS records on an RODC, the RODC returns a referral to another DNS server and the client can then attempt the update with this DNS server. In the background, the DNS server on the RODC will then attempt to pull the updated record from the DNS server that made the