Having covered the principles of Active Directory, we can now install and configure it. The installation itself is not complicated, because Win2K provides an installation wizard: you only need to enter the required settings step by step as prompted. The preparation before installation, however, is more involved, and Active Directory can only be installed and configured correctly when it is fully understood. This part introduces the preparation, installation and configuration of Active Directory in detail.
First, preparation before installing Active Directory
Earlier we saw that Active Directory is a key service of the whole Win2K system. It does not stand alone: it is tightly related to many protocols and services, and it touches the structure and security of the entire Win2K system. Installing Active Directory is not as simple as installing an ordinary Windows component; a series of planning and preparation steps should be carried out before installation. Otherwise, at best the advantages of Active Directory cannot be enjoyed, and at worst the Active Directory service cannot be installed correctly at all.
1. Before installing Active Directory, make sure that a machine running Win2K Server or Advanced Server is already available, that it has at least one NTFS partition, that TCP/IP has been configured with DNS, and that the DNS service supports SRV records and dynamic updates.
2. Next, plan the domain structure of the whole system. Active Directory can contain one or more domains; if the directory structure of the system is poorly designed and its levels are unclear, the advantages of Active Directory cannot be realized. Choosing the root domain (the base domain of the system) is the key here, and the root domain name can be chosen according to one of the following schemes:
1) Use a registered DNS domain name as the root domain name of Active Directory. The benefit is that the company's public network and private network use the same DNS name.
2) Use a subdomain of a registered DNS domain name as the root domain name of Active Directory.
3) Choose a domain name for Active Directory that differs from the registered DNS domain name. This lets the enterprise network present two completely different naming structures internally and on the Internet.
4) Name the public part of the corporate network with a registered DNS domain name and use another, internal domain name for the private network, keeping the two parts separate, so that each part must be identified through the other's name space when it is accessed from the other side.
3. Third, plan domain and account naming. One of the purposes of Active Directory is to let internal and external networks use a unified directory service with a unified naming scheme, which simplifies network management and business use. An Active Directory domain name is normally the full DNS name of the domain, but for compatibility each domain also has a pre-Win2K name, so that the domain can be used from computers running earlier versions of Windows. For user accounts, each user account in Active Directory has a user logon name, a pre-Win2K user logon name (the Security Account Manager account name) and a user principal name suffix. When creating a user account, the administrator enters the logon name and selects the user principal name suffix. Active Directory suggests the first 20 bytes of the user logon name as the pre-Win2K user logon name. The Active Directory naming policy is the first step in planning an enterprise network: the naming strategy directs the basic structure of the network and even affects its performance and scalability. Active Directory provides a good reference model for modern companies, taking into account both the multi-level structure and the distributed character of a company, and even providing a fully consistent naming model for direct access to the Internet.
The so-called user principal name consists of the user account name and the DNS name of the domain in which the user account is located. It is the standard way to log on to a Win2K domain. The standard format is:
user@domain.com (like a personal e-mail address). Do not include the @ sign in the user logon name or in the user principal name: Active Directory adds this symbol automatically when it creates the user principal name, and a principal name containing more than one @ is invalid. In Active Directory, the default user principal name suffix is the DNS name of the root domain of the domain tree. If the user's organization uses a multi-layer domain tree made up of departments and regions, the domain name of a user low in the tree can be very long: for users in such a domain the default user principal name suffix may be grandchild.child.root.com, and the user's default logon name in that domain may be
user@grandchild.child.root.com. A name like this has to be typed at every logon, which is hard to enter and very inconvenient. To solve this problem, Win2K lets the user principal name, once created, take the user name followed by the root domain instead, so the same user can log on with the simpler user@root.com rather than the long string mentioned above.
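As an added example (not code from the original article), the following Python models the naming rules just described: the logon name must not contain @, the directory appends the suffix itself, a principal name with more than one @ is rejected, the pre-Win2K logon name defaults to the first 20 bytes of the logon name, and choosing the root domain as the suffix shortens the logon name for users in deep domains. The domain names root.com and grandchild.child.root.com are the article's sample names; the function names, the `AccountNames` record and the choice of the account's own domain as the default suffix are assumptions of this example.

```python
# Added example: a model of Win2K user principal name (UPN) rules.
# Illustration only, not a Microsoft API. Domain names are the article's samples.
from dataclasses import dataclass
from typing import Optional

ROOT_DOMAIN = "root.com"                    # sample forest root domain
USER_DOMAIN = "grandchild.child.root.com"   # sample third-level domain
PRE_WIN2K_MAX_BYTES = 20                    # pre-Win2K logon name keeps the first 20 bytes


class NamingError(ValueError):
    """Raised when a name breaks one of the naming rules."""


@dataclass(frozen=True)
class AccountNames:
    logon_name: str       # what the administrator types
    pre_win2k_name: str   # Security Account Manager (SAM) name for older clients
    upn: str              # logon_name@suffix, assembled by the directory


def check_logon_name(logon_name: str) -> str:
    """The directory adds the '@' itself, so the operator must not type one."""
    if not logon_name:
        raise NamingError("logon name is empty")
    if "@" in logon_name:
        raise NamingError("do not put '@' in the logon name; it is added automatically")
    return logon_name


def pre_win2k_logon(logon_name: str) -> str:
    """Suggested pre-Win2K logon name: the first 20 bytes of the logon name."""
    return logon_name.encode("utf-8")[:PRE_WIN2K_MAX_BYTES].decode("utf-8", "ignore")


def build_upn(logon_name: str, suffix: str) -> str:
    """Join name and suffix; a UPN containing more than one '@' is invalid."""
    upn = f"{check_logon_name(logon_name)}@{suffix}"
    if upn.count("@") != 1:
        raise NamingError(f"invalid user principal name {upn!r}: exactly one '@' allowed")
    return upn


def create_account(logon_name: str, account_domain: str,
                   upn_suffix: Optional[str] = None) -> AccountNames:
    """Assumption of this example: the default suffix is the account's own domain;
    passing the root domain as upn_suffix yields the short form user@root.com."""
    suffix = upn_suffix or account_domain
    return AccountNames(logon_name, pre_win2k_logon(logon_name), build_upn(logon_name, suffix))


if __name__ == "__main__":
    deep = create_account("user", USER_DOMAIN)
    short = create_account("user", USER_DOMAIN, upn_suffix=ROOT_DOMAIN)
    print(deep.upn)    # user@grandchild.child.root.com
    print(short.upn)   # user@root.com
```

The truncation works on UTF-8 bytes rather than characters because the article states the limit in bytes; a logon name whose 20th byte falls inside a multi-byte character loses that character rather than producing an invalid string.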
4. Finally, pay attention to planning trust relationships. For Win2K computers, account authentication between domains is enabled through two-way transitive trust relationships. When a domain is created in a domain tree, trust relationships are automatically established between adjacent domains (parent domain and child domain). In a domain forest, trust relationships are automatically established between the forest root domain and the root domain of each domain tree added to the forest. Because these trust relationships are transitive, authentication of users and computers can take place between any domains in the domain tree or forest.
If a pre-Win2K Windows domain is upgraded to a Win2K domain, the Win2K domain automatically keeps the existing one-way trust relationships between that domain and any other domain, including all trust relationships of the pre-Win2K Windows domain. If you install a new Win2K domain and want a trust relationship with any pre-Win2K domain, you must create an external trust relationship manually.
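The difference between the automatic forest trusts (two-way, transitive) and an external trust to a pre-Win2K domain (one-way, non-transitive) decides which logons succeed across domains. The following Python is an added example written for this article, not a Microsoft tool: it models trusts as directed edges with a transitivity flag and answers whether a resource domain can authenticate an account from another domain. All domain names in `sample_forest` are constructed, and the function names are assumptions of this example.

```python
# Added example: a small model of Win2K trust relationships (illustration only).
from collections import deque
from typing import Dict, Tuple

# Map (trusting_domain, trusted_domain) -> whether the trust is transitive.
Trusts = Dict[Tuple[str, str], bool]


def add_forest_trust(trusts: Trusts, domain_a: str, domain_b: str) -> None:
    """Parent/child and tree-root trusts inside a forest: two-way and transitive."""
    trusts[(domain_a, domain_b)] = True
    trusts[(domain_b, domain_a)] = True


def add_external_trust(trusts: Trusts, trusting: str, trusted: str) -> None:
    """Trust to a pre-Win2K domain: one-way and non-transitive."""
    trusts[(trusting, trusted)] = False


def can_authenticate(trusts: Trusts, resource_domain: str, account_domain: str) -> bool:
    """Can an account from account_domain be authenticated by resource_domain?

    A direct trust of either kind is enough. A longer path only counts if every
    hop on it is transitive, which is what makes forest-wide logon possible and
    why an external trust does not extend beyond the two domains that share it."""
    if resource_domain == account_domain:
        return True
    if (resource_domain, account_domain) in trusts:
        return True
    seen = {resource_domain}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for (trusting, trusted), transitive in trusts.items():
            if trusting != current or not transitive or trusted in seen:
                continue
            if trusted == account_domain:
                return True
            seen.add(trusted)
            queue.append(trusted)
    return False


def sample_forest() -> Trusts:
    """Constructed forest: a root.com tree with two levels below it, a second tree,
    and an NT-style domain reachable only through a one-way external trust."""
    trusts: Trusts = {}
    add_forest_trust(trusts, "root.com", "child.root.com")                 # parent/child
    add_forest_trust(trusts, "child.root.com", "grandchild.child.root.com")
    add_forest_trust(trusts, "root.com", "othertree.com")                  # forest root <-> tree root
    add_external_trust(trusts, "root.com", "NTDOMAIN")                     # external, one-way
    return trusts


if __name__ == "__main__":
    forest = sample_forest()
    for resource, account in [("grandchild.child.root.com", "othertree.com"),
                              ("root.com", "NTDOMAIN"),
                              ("child.root.com", "NTDOMAIN"),
                              ("NTDOMAIN", "root.com")]:
        print(f"{account} -> {resource}: {can_authenticate(forest, resource, account)}")
```

The model shows the planning consequence: an account from the NT-style domain is accepted by root.com only, not by child.root.com, so each Win2K domain that must accept such accounts needs its own external trust.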
Second, installing Active Directory
Every new installation is set up as a member server. If you select the Active Directory option while installing Win2K Server, the system displays a message similar to "if you install Active Directory at this time, none of the domain names in the system can be changed again ...". In general we do not install Active Directory during a fresh installation, so that we have time to set up the protocols and system structure Active Directory depends on; the directory service is installed separately with DCPROMO afterwards. The directory service can also be uninstalled, unlike Windows NT 4.0, where the choice made at setup is fixed for life: the system distinguishes between domain controller and member server, and the two cannot be converted into each other.
DCPROMO is a graphical wizard that guides the user step by step through creating a domain controller; it can create a domain forest, a domain tree, or just an additional domain controller for an existing domain, which is very convenient. Many other network services, such as DNS Server, DHCP Server and Certificate Server, can be installed integrated with Active Directory later, which makes policy management easier. The graphical interface itself holds no surprises: as long as we understand the meaning of Active Directory as explained earlier and carry out the planning before installation, all installation tasks can be completed easily.
After Active Directory is installed, three Active Directory Microsoft Management Console (MMC) snap-ins are available. One is Active Directory Users and Computers, used mainly to manage a domain; one is Active Directory Domains and Trusts, used mainly to manage the relationships between multiple domains; and one is Active Directory Sites and Services, which can place domain controllers in different sites. An ordinary local area network is a single site. Replication between domain controllers within a site is automatic; replication between domain controllers in different sites must be set up by the administrator to optimize replication traffic and improve scalability. From the Active Directory management interface, you can also right-click a site, domain or organizational unit to start fine-grained management of its objects. For sites, domains and organizational units, administrators can easily delegate authority: right-click one of them to launch the delegation wizard, which asks step by step which administrators get what kind of administrative privilege over which objects. For example, an administrator in the internal technical support center may only have permission to reset user passwords, with no permission to create or delete user accounts. This finer-grained management method is called "granular" administration.
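The support-center example above is least privilege applied to the directory: a right is granted to a group on one container and inherited by the objects beneath it, and nothing else. The following Python is an added example written for this article, not the Windows delegation wizard or its ACL format: it models access control entries scoped to a container and checks whether a trustee holds a given right on an object by distinguished name. The group names, OU names and right names are constructed.

```python
# Added example: a model of delegated administration over an OU tree (illustration only).
from typing import List, NamedTuple, Tuple


class Ace(NamedTuple):
    trustee: str    # group that receives the right
    scope_dn: str   # container whose subtree the right covers
    right: str      # a named permission, or "*" for full control


def is_within(object_dn: str, scope_dn: str) -> bool:
    """LDAP DNs read leaf-first, so 'inside the scope' means the DN ends with the scope.
    The leading comma prevents OU=NotStaff from matching a scope of OU=Staff."""
    obj, scope = object_dn.lower(), scope_dn.lower()
    return obj == scope or obj.endswith("," + scope)


def is_allowed(acl: List[Ace], trustee: str, object_dn: str, right: str) -> bool:
    """Allow only when an ACE for this trustee covers the object and names the right."""
    return any(
        ace.trustee == trustee
        and is_within(object_dn, ace.scope_dn)
        and ace.right in (right, "*")
        for ace in acl
    )


def sample_acl() -> List[Ace]:
    """Constructed delegation: Domain Admins have full control over the whole domain;
    the support center may only reset passwords, and only inside OU=Staff."""
    domain = "DC=root,DC=com"
    return [
        Ace("Domain Admins", domain, "*"),
        Ace("Support Center", f"OU=Staff,{domain}", "ResetPassword"),
    ]


def rights_report(acl: List[Ace], trustee: str, object_dn: str,
                  rights: Tuple[str, ...] = ("ResetPassword", "CreateUser", "DeleteUser")) -> dict:
    """Which of the listed rights the trustee holds on the object."""
    return {r: is_allowed(acl, trustee, object_dn, r) for r in rights}


if __name__ == "__main__":
    acl = sample_acl()
    alice = "CN=alice,OU=Staff,DC=root,DC=com"
    print(rights_report(acl, "Support Center", alice))
    # {'ResetPassword': True, 'CreateUser': False, 'DeleteUser': False}
```

Checking a user outside OU=Staff, or a right the ACE does not name, returns False; this is the property to verify after running the delegation wizard, because a scope set one level too high silently widens what the support group can touch.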
In addition, Active Directory fully takes into account the need to back up and restore the directory service. The Win2K backup tool has an option to back up Active Directory. When an accident occurs, you can press F8 while the machine starts to enter the recovery mode, which limits the damaging impact of a disaster.