A typical LAN installation and configuration example (part one, complete)

xiaoxiao2021-03-06  108


From: http://www.winmag.com.cn/forum/itemdisplay.asp?BoardId=5&ID=205411

During the May 1st holiday, a friend asked me to help set up a network. The network is not big, but it basically covers installing clients over the network, building the domain structure, Group Policy design, network anti-virus and so on; other networks can be extended on this basis. I hope it helps everyone.

Let's start with the basic situation. My friend's company is a joint-venture factory that is currently being set up. He is in a general-management role: apart from technology, all the miscellaneous matters land on him. Computers are indispensable to the company; there are about 60 machines. Clearly the company's departments are fully equipped, but the boss does not want to hire IT support staff. He therefore asked that users have as little chance as possible to make changes to the computers, while still being able to access each other, print files and go online (well, that last one is what he wants for himself). Let's get to it...

(Note: please don't take the numbers in the text literally; they don't decide anything. What matters is the design idea and the implementation method.)

1. Building the domain

1. Server configuration

Because there is only a local office, a single domain is enough. There are three IBM servers running Windows 2000 Server (three are not strictly necessary to provide these services, and whether you use the Advanced Server edition is up to you).

Server (192.168.0.1): primary domain controller, domain name final.com, IP 192.168.0.1; also configured as the primary DNS server (forwarding DNS requests to the ISP's DNS server IP, so that clients whose DNS points to Server can access the Internet normally); the WINS service is installed.

Server2 (192.168.0.2): backup domain controller and DHCP server. Create a scope for 192.168.0.0/24 that hands out 192.168.0.0-192.168.0.100 (adjust the number of addresses to your needs, and leave part of the IP range for the servers); configure the scope options with the gateway 192.168.0.254 (the broadband sharing router) and 192.168.0.1 as the DNS and WINS server address.

Server3 (192.168.0.3): spare. For stability, you can configure a DNS secondary zone and a GC on Server2, so that clients can still use the network even when Server is temporarily unavailable because of debugging or a failure.

Please don't ask me how to install the DC, DNS, DHCP and WINS services; Microsoft has made the installation practically foolproof.

2. Establishing the OUs

The company has five departments, among them Administration, Finance, Engineering and Marketing (fictitious). To make management and policy configuration easier, the following OU hierarchy is established. Create a first-level OU named "Final"; under "Final" create three second-level OUs: "administrators", "company leaders" and "department". Under the "department" OU, create five department OUs named after the departments. Security groups and users are created under each second-level and third-level OU, and each user is added to the corresponding security group.

Principle for creating user accounts: working from the company roster, create a user account for each employee with the employee number as the login name, move it to the corresponding department OU and add it to the corresponding security group. Employee accounts are members of the Domain Users group.

For example, create a "management group" in the "administrators" OU, create the user "000" and add user "000" to the security group "management group"; under OU "department" - "Personnel Department", create the user "004" and add it to the security group "personnel group". Enter the user's name details when creating each account, so that they are available if you install Exchange later. Note: at this point there are no computer accounts in the OUs, because the clients had not been installed when the OUs were designed; see the client installation.

3. Group Policy and network use

Using the OU hierarchy designed above, design the corresponding group policies at the company, management and functional-department levels. Two examples follow for reference.

Example 1: Restricting which users can log on to a client

After a client joins the domain (see the client installation and configuration), any domain account can log on to any domain client by default. But my friend's people did not accept this: in their view it is not safe to let everyone log on everywhere, and they wanted to add a CMOS boot password to every computer. At that moment I was nearly floored (I was eating KFC at the time and just managed not to spit it out). After several patient explanations, telling them that "a computer should be shared company office equipment rather than a machine for one person's use. Every device (computer, printer) is part of the network and is a company resource," we finally reached the following agreement: people in each department can log on only to that department's computers. This increases client security to a certain extent.

Create a group policy at the "Personnel Department" OU level. Under "Computer Configuration" - "Local Policies" - "User Rights Assignment" - "Log on locally", enable the policy for the Domain Admins group and the "personnel group", so that only administrators and Personnel Department staff can log on to the Personnel Department's computers. Add the corresponding group policies for the other departments separately.

Example 2: Network share design and folder redirection

Since users only have Domain Users permissions, they cannot share local files. So how is user file sharing solved? It has to be set up centrally by an administrator on the server.

Sharing on the server: create a folder "DATA" on Server3 and share it with full control, leaving the share name at the default, "DATA". Create a "Share Document" folder under the "Data" folder, create a folder for each department in it, and set NTFS permissions. On the Data and Share Document folders, give the Domain Admins group and System full control and Everyone read-only; on the department folders, give the Domain Admins group and the department's own security group full control and Everyone read-only.

User account configuration: when creating a user account, configure the user's home folder to connect to the folder of the user's department on the server. The department folder path should be a full UNC path, such as "\\Server3\Data\Share Document\Personnel Department". With this setting, drive Z: is mapped in "My Computer" after logon and points to the shared folder of the user's department. Users copy the files they need to share to drive Z:, where other users can access them. For documents placed in the share, the owning department has full control and other departments have read-only access. Users can also create their own folders inside the department folder and set stricter permissions on them.

Some users may have no fixed computer, and keeping personal files in the department shared folder has some problems. First, security needs further design; second, users are not familiar with sharing, and most people do not know how to set a folder's security attributes.
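
The permission layout of Example 2, modeled as an added example that is not part of the original article: access over the network is the more restrictive of the share permission and the NTFS permission. The user "017", the "finance group" and the "Finance Department" folder name are assumptions made for illustration, and the design is assumed to contain allow entries only.

```python
# Added example: model of the share and NTFS layout from Example 2.
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    CHANGE = 2
    FULL = 3

# Share permission on \\Server3\DATA: "completely shared" = Everyone, Full Control.
SHARE_ACL = {"Everyone": Access.FULL}

ROOT = r"Data\Share Document"
TOP_LEVEL_ACL = {"Domain Admins": Access.FULL, "SYSTEM": Access.FULL,
                 "Everyone": Access.READ}

def department_acl(group):
    """NTFS entries the article gives a department folder (allow entries only)."""
    return {"Domain Admins": Access.FULL, group: Access.FULL,
            "Everyone": Access.READ}

NTFS_ACL = {
    "Data": TOP_LEVEL_ACL,
    ROOT: TOP_LEVEL_ACL,
    ROOT + r"\Personnel Department": department_acl("personnel group"),
    # Assumed names: the article does not name the finance folder or group.
    ROOT + r"\Finance Department": department_acl("finance group"),
}

# Constructed sample accounts; "004" is the article's example user.
USER_GROUPS = {
    "004": {"Domain Users", "personnel group"},
    "017": {"Domain Users", "finance group"},
}

def granted(acl, groups):
    """Highest right granted by any entry that matches the user's groups."""
    principals = groups | {"Everyone"}
    return max((lvl for who, lvl in acl.items() if who in principals),
               default=Access.NONE)

def effective(user, folder, share_acl=SHARE_ACL):
    """Access over the network: the more restrictive of share and NTFS."""
    groups = USER_GROUPS[user]
    return min(granted(share_acl, groups), granted(NTFS_ACL[folder], groups))

def outside_readers(folder, owner_group):
    """Users outside the owning department who can still read the folder."""
    return sorted(u for u, g in USER_GROUPS.items()
                  if owner_group not in g and effective(u, folder) >= Access.READ)
```

Because Everyone is read-only on every department folder, `outside_readers` lists every account outside the department; a folder that other departments must not read needs that entry removed or a stricter subfolder.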
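
An added check for the address plan in section 1 (not from the original article): it reads the DHCP range as 192.168.0.0 to 192.168.0.100 and reports which addresses in it collide with the statically configured servers, the router, or the network and broadcast addresses. The function names are this example's own.

```python
# Added example: check a DHCP pool against statically assigned addresses.
import ipaddress

NETWORK = ipaddress.ip_network("192.168.0.0/24")
# Static addresses named in the article.
STATIC = {
    "Server": "192.168.0.1",
    "Server2": "192.168.0.2",
    "Server3": "192.168.0.3",
    "router": "192.168.0.254",
}
POOL = ("192.168.0.0", "192.168.0.100")  # range as written in the article

def pool_conflicts(network, pool, static):
    """Return {address: reason} for pool addresses that must not be leased."""
    first, last = (ipaddress.ip_address(a) for a in pool)
    if first not in network or last not in network or first > last:
        raise ValueError("pool must be an ascending range inside the network")
    bad = {}
    for special, why in ((network.network_address, "network address"),
                         (network.broadcast_address, "broadcast address")):
        if first <= special <= last:
            bad[str(special)] = why
    for name, addr in static.items():
        ip = ipaddress.ip_address(addr)
        if first <= ip <= last:
            bad[str(ip)] = f"static address of {name}"
    return bad

def leasable_ranges(network, pool, static):
    """Split the pool into contiguous ranges that skip every conflict."""
    first, last = (int(ipaddress.ip_address(a)) for a in pool)
    blocked = {int(ipaddress.ip_address(a))
               for a in pool_conflicts(network, pool, static)}
    ranges, start = [], None
    for n in range(first, last + 1):
        if n in blocked:
            if start is not None:
                ranges.append((start, n - 1))
                start = None
        elif start is None:
            start = n
    if start is not None:
        ranges.append((start, last))
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
            for a, b in ranges]
```

With the article's numbers the pool overlaps the three servers, which is what the advice to leave part of the IP range for the servers is meant to avoid; the ranges returned are what remains once those addresses are excluded from the scope.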

When reposting, please cite the original address: https://www.9cbs.com/read-124652.html
