Domain controller on the local network. Single point of policy management

The core element of an effective corporate network is the Active Directory domain controller, which manages many services and provides many benefits.

There are two ways to build an IT infrastructure: the systematic way and the ad hoc way, in which only the minimum effort is spent on each problem as it arises, without building a clear and reliable infrastructure. An example of the latter is a peer-to-peer network across the whole organization, with public access opened to every needed file and folder and no way to control user actions.

Obviously, this path is not desirable, because in the end you will have to take the chaotic jumble of systems apart and organize it properly, otherwise it will stop functioning, and your business along with it. So the sooner you accept the only correct solution, building a corporate network with a domain controller, the better for your business in the long run. Here is why.

“A domain is the basic unit of an IT infrastructure based on the Windows family of operating systems: the logical and physical association of servers, computers, hardware and user accounts.”

A domain controller (DC) is a dedicated server running the Windows Server operating system and the Active Directory services, which make it possible to run the large body of software that requires a DC for administration. Examples of such software are the Exchange mail server, the cloud-based Office 365 suite and other enterprise-grade software environments from Microsoft.

In addition to ensuring the correct operation of these platforms, the DC provides businesses and organizations with the following benefits:

  • Terminal server deployment. Lets you save considerable resources and effort by replacing the constant renewal of office PCs with a one-time investment in “thin clients” that connect to a powerful cloud server.
  • Enhanced security. The DC lets you set password policies and force users to use passwords more complex than their date of birth, qwerty or 12345.
  • Centralized management of access rights. Instead of manually updating passwords on each computer separately, the DC administrator can change all passwords centrally in one operation from one computer.
  • Centralized group policy management. Active Directory lets you create group policies and set access rights to files, folders and other network resources for particular user groups. This makes it much easier to set up new user accounts or change settings for existing profiles.
  • Single sign-on. Active Directory supports pass-through sign-in: after entering their domain username and password, the user is automatically connected to all other services, such as mail and Office 365.
  • Computer setup templates. The configuration of each computer added to the corporate network can be automated with templates. For example, special rules can centrally disable CD drives, USB ports, certain network ports and so on. Thus, instead of configuring each new workstation by hand, the administrator simply adds it to a particular group, and all the rules for that group are applied automatically.

As you can see, setting up an Active Directory domain controller brings numerous conveniences and benefits to businesses and organizations of all sizes.

When to deploy an Active Directory domain controller in a corporate network?

We recommend considering a domain controller for your company as soon as you have more than 10 computers on the network, since it is much easier to set the necessary policies for 10 machines than for 50. In addition, since this server does not perform particularly resource-intensive tasks, a powerful desktop computer may well be suitable for the role.

However, keep in mind that this server will store the passwords for network resources, the database of domain users, the rights scheme and the user group policies. You need to deploy a backup server with continuous data replication to ensure the domain controller's continuity, and this is much faster, easier and more reliable with the server virtualization provided when the corporate network is hosted in the cloud. This avoids the following problems:

  • Wrong DNS server settings, which lead to resource location errors on the corporate network and on the Internet
  • Misconfigured security groups, which lead to errors in users' access rights to network resources
  • Incorrect OS versions. Each Active Directory version supports particular versions of desktop Windows for thin clients
  • Missing or misconfigured automatic replication of data to the backup domain controller.

A domain controller is a server computer that manages a domain and stores a replica of the domain directory (a local domain database). Since a domain can have multiple domain controllers, they all store a full copy of the part of the directory that belongs to their domain.

Domain controllers have the following features.

  • Each domain controller maintains a complete copy of all Active Directory information related to its domain, and manages and replicates changes to that information to the other domain controllers in the same domain.
  • All controllers in a domain automatically replicate all objects in the domain among themselves. Any change made to Active Directory is actually made on one of the domain controllers, which then replicates it to the remaining domain controllers in its domain. By setting the replication frequency and the amount of data Windows transfers with each replication, you can control the network traffic between domain controllers.
  • Important updates, such as disabling a user account, are replicated by domain controllers immediately.
  • Active Directory uses multimaster replication, in which no domain controller is the master. All controllers are equal, and each holds a copy of the directory database that it is allowed to modify. For short periods the information in these copies may differ, until all controllers have synchronized with each other.
  • Having multiple controllers in a domain provides fault tolerance. If one domain controller is unavailable, the others perform all necessary operations, such as writing changes to Active Directory.
  • Domain controllers manage interactions between users and the domain, such as finding Active Directory objects and validating network logon attempts.

There are two operations master roles that can be assigned to a single domain controller in a forest (forest-wide roles):

  • Schema Master. The first domain controller in the forest assumes the schema master role and is responsible for maintaining the schema and propagating it to the rest of the forest. It maintains the list of all possible object classes and attributes that define the objects in Active Directory. If the schema needs to be updated or modified, the Schema Master is required.
  • Domain Naming Master. Records the addition and removal of domains in the forest and is vital to maintaining the integrity of domains. The Domain Naming Master is contacted when new domains are added to the forest. If the Domain Naming Master is unavailable, adding new domains is impossible; if necessary, however, this role can be transferred to another controller.

There are three operations master roles that can be assigned to one of the controllers in each domain (domain-wide roles).

  • RID Master (Relative Identifier Master). Responsible for allocating relative identifier (RID) ranges to all controllers in the domain. A SID in Windows Server 2003 has two parts: the first part is common to all objects in the domain, and to create a unique SID a unique RID is appended to it. Together they uniquely identify an object and indicate where it was created.
  • Primary Domain Controller (PDC) Emulator. Responsible for emulating a Windows NT 4.0 PDC for client machines that have not yet been migrated to Windows 2000, Windows Server 2003 or Windows XP and do not have the Directory Services client installed. One of the main tasks of the PDC emulator is registering legacy clients. In addition, the PDC emulator is consulted when client authentication fails, which lets it validate recently changed passwords for legacy clients in the domain before denying a logon request.
  • Infrastructure Master. Records changes made to controlled objects in the domain. All changes are reported first to the Infrastructure Master before being replicated to the other domain controllers. The Infrastructure Master handles group and membership information for all objects in the domain. Another of its tasks is to communicate information about changes made to objects to other domains.

Fig. 3.4. Default assignment of forest operations master roles

The Global Catalog (GC) server role can be performed by any domain controller in a domain; it is one of the server functions that can be assigned to a domain controller. Global catalog servers perform two important tasks: they enable users to log on to the network and to find objects anywhere in the forest. The global catalog contains a subset of the information from each domain partition and is replicated between the global catalog servers in the domain. When a user tries to log on to the network or access a network resource from anywhere in the forest, the corresponding request is resolved through the global catalog. Another purpose of the global catalog, useful no matter how many domains you have on your network, is to take part in the authentication process when a user logs on: the user's name is first checked against the contents of the global catalog. This makes it possible to log on to the network from computers in domains other than the one where the user account is stored.

In this note we will look in detail at the process of deploying the first domain controller in the enterprise. There will be three of them:

1) Primary domain controller, OS: Windows Server 2012 R2 with GUI, network name: dc1.

Select the default option and click Next. Then select the default protocol, IPv4, and click Next again.

On the next screen, set the Network ID. In our case it is 192.168.0. The Reverse Lookup Zone Name field shows the name of the reverse lookup zone, filled in automatically. Click Next.

On the Dynamic Update screen, select one of the three dynamic update options.

Allow Only Secure Dynamic Updates. This option is available only if the zone is Active Directory-integrated.

Allow Both Nonsecure And Secure Dynamic Updates. This option lets any client update its DNS resource records when they change.

Do Not Allow Dynamic Updates. This option disables dynamic DNS updates. It should be used only if the zone is not integrated with Active Directory.

Select the first option, click Next and complete the configuration by clicking Finish.

Another useful option usually configured in DNS is forwarders, whose main purpose is to cache and forward DNS queries from the local DNS server to an external DNS server on the Internet, for example the one at the ISP. For instance, if we want the local computers in our domain network, whose network settings point at our DNS server (192.168.0.3), to be able to reach the Internet, our local DNS server must be configured to pass queries to the upstream server. To configure forwarders, open the DNS Manager console, then open the server properties, go to the Forwarders tab and click Edit.

Specify at least one IP address; several are preferable. Click OK.
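The same reverse zone and forwarder configuration done from PowerShell, with a check that no AD-integrated zone was left accepting nonsecure updates. This is an added example, not the article's own code; it assumes the DnsServer module on the DC, the 192.168.0.0/24 network from the text, and two placeholder ISP resolvers (192.0.2.53 and 198.51.100.53).

```powershell
# Added example (not from the original article). Run on the DC that hosts DNS.
# Assumed values: network 192.168.0.0/24 (from the text), placeholder upstream
# resolvers 192.0.2.53 and 198.51.100.53 (substitute the ISP's addresses).
$NetworkId  = '192.168.0.0/24'
$ReverseZone = '0.168.192.in-addr.arpa'
$Forwarders = @('192.0.2.53', '198.51.100.53')

# 1. Reverse lookup zone, AD-integrated and replicated to every DC in the domain,
#    accepting only secure (authenticated) dynamic updates. This is the
#    "Allow Only Secure Dynamic Updates" option selected in the wizard.
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId `
                             -ReplicationScope 'Domain' `
                             -DynamicUpdate 'Secure'
}

# 2. Forwarders: queries the local server cannot answer itself go to the
#    upstream resolvers. Root hints are disabled so the server does not fall
#    back to querying the root servers directly if every forwarder is down.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false -Timeout 3

# 3. Check: an AD-integrated zone left at 'NonsecureAndSecure' lets any host on
#    the LAN overwrite other hosts' A/PTR records, which is exactly what the
#    secure-only option prevents. Report any such zone.
$weak = Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure' } |
    Select-Object ZoneName, DynamicUpdate
if ($weak) {
    Write-Warning 'AD-integrated zones still accepting nonsecure dynamic updates:'
    $weak | Format-Table -AutoSize
}

# 4. Show the resulting forwarder list for the record.
(Get-DnsServerForwarder).IPAddress | ForEach-Object { "Forwarder: $_" }
```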

Now let's configure the DHCP service. Launch the DHCP tool.

First, define the full working range of addresses from which addresses will be issued to clients. Select Action\New Scope. The New Scope Wizard starts. Set the name of the scope.

Next, specify the start and end addresses of the network range.

Next, add the addresses we want to exclude from being issued to clients. Click Next.

On the Lease Duration screen, specify a non-default lease time if required. Click Next.

Then confirm that we want to configure DHCP options: Yes, I want to configure these options now.

Specify in turn the gateway, domain name and DNS addresses, skip WINS, and at the end confirm activation of the scope by selecting: Yes, I want to activate this scope now. Finish.

For safe operation of the DHCP service, you need to set up a dedicated account for dynamic updates of DNS records. This is necessary, on the one hand, to prevent dynamic registration of clients in DNS under the domain administrator account and its possible abuse, and on the other hand, so that when DHCP redundancy is configured and the main server fails, the backup zones can be transferred to the second server, which requires the account of the first server. To meet these conditions, in the Active Directory Users and Computers snap-in we create an account named dhcp and give it a non-expiring password by selecting the option Password Never Expires.

Assign the user a strong password and add it to the DnsUpdateProxy group. Then, after making DnsUpdateProxy the user's primary group, remove the user from the Domain Users group. This account will be responsible solely for dynamic record updates and will not have access to any other resources for which basic domain rights are sufficient.

Click Apply and then OK. Open the DHCP console again and go to the properties of the IPv4 node, Advanced tab.

Click Credentials and specify our dhcp user there.

Click OK and restart the service.
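The DHCP scope and the dedicated dynamic-update account from the procedure above, done from PowerShell on the DHCP server. This is an added example, not the article's own code; it assumes the ActiveDirectory and DhcpServer modules, the placeholder domain example.local, the 192.168.0.0/24 network and the 192.168.0.3 DNS server from the text, and a second DC or DHCP server has not yet been deployed.

```powershell
# Added example (not from the original article). Assumed values: domain
# example.local (placeholder), scope 192.168.0.0/24, gateway 192.168.0.1,
# DNS server 192.168.0.3, first 20 addresses reserved for infrastructure.
Import-Module ActiveDirectory, DhcpServer

# 1. Service account 'dhcp': non-expiring password that the account itself
#    cannot change. The password is typed in, not stored in the script.
$pwd = Read-Host -AsSecureString 'Password for the dhcp service account'
New-ADUser -Name 'dhcp' -SamAccountName 'dhcp' -AccountPassword $pwd `
           -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true `
           -Description 'DHCP dynamic DNS update account'

# 2. DnsUpdateProxy becomes the primary group, then Domain Users is removed so
#    the account carries no ordinary domain permissions. Records registered by a
#    DnsUpdateProxy member are not owned by that server, which is what lets a
#    second DHCP server take over the zones later, as the text describes.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members 'dhcp'
$rid = (Get-ADGroup -Identity 'DnsUpdateProxy' -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity 'dhcp' -Replace @{ primaryGroupID = $rid }
Remove-ADGroupMember -Identity 'Domain Users' -Members 'dhcp' -Confirm:$false

# 3. Scope: full range, an exclusion for static hosts, lease time, the
#    gateway/domain/DNS options from the wizard, activated immediately.
Add-DhcpServerv4Scope -Name 'LAN' -StartRange 192.168.0.1 -EndRange 192.168.0.254 `
                      -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 4) -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.0.0 -StartRange 192.168.0.1 -EndRange 192.168.0.20
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -Router 192.168.0.1 `
                            -DnsDomain 'example.local' -DnsServer 192.168.0.3

# 4. Register clients in DNS as the dhcp account rather than the server's
#    computer account or an administrator (the Credentials button in the GUI).
$cred = New-Object System.Management.Automation.PSCredential('example\dhcp', $pwd)
Set-DhcpServerDnsCredential -Credential $cred
Set-DhcpServerv4DnsSetting -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true
Restart-Service DHCPServer

# 5. Check: credential is in place and the account belongs to DnsUpdateProxy only.
Get-DhcpServerDnsCredential
Get-ADPrincipalGroupMembership -Identity 'dhcp' | Select-Object -ExpandProperty Name
```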

We will return to DHCP configuration later, when we set up DHCP redundancy, but for that we first need to bring up at least the domain controllers.

Domain controllers are servers that host Active Directory. Each domain controller has its own writable copy of the Active Directory database. Domain controllers act as the central security component of a domain.

All security and account verification operations are performed on the domain controller. Each domain must have at least one domain controller. For fault tolerance, we recommend installing at least two domain controllers per domain.

In the Windows NT operating system, only one domain controller supported writing to the database; that is, a connection to that domain controller was required to create and change user account settings.

This controller was called the primary domain controller (PDC). Beginning with Windows 2000, the domain controller architecture was changed so that the Active Directory database can be updated on any domain controller. After the database is updated on one domain controller, the changes are replicated to all other domain controllers.

Although all domain controllers support writing to the database, they are not identical. In Active Directory domains and forests there are tasks that are performed by specific domain controllers. Domain controllers with these additional responsibilities are known as operations masters. Some Microsoft materials refer to them as Flexible Single-Master Operations (FSMO). Many people believe that the term FSMO has survived for so long only because the abbreviation sounds funny.

There are five operations master roles. By default, all five are assigned to the first domain controller in the Active Directory forest. Three of the operations master roles are used at the domain level and are assigned to the first domain controller in each newly created domain. The Active Directory tools discussed next let you transfer operations master roles from one domain controller to another. In addition, you can force a domain controller to take on (seize) a specific operations master role.

There are two operations master roles that operate at the forest level.

  • Domain naming master. This operations master must be contacted whenever naming changes are made within the forest's domain hierarchy. Its task is to ensure that domain names are unique within the forest. This role must be available when creating, deleting or renaming domains.
  • Schema master. The schema master role belongs to the only domain controller in the forest on which schema changes can be made. Once changes are made, they are replicated to all other domain controllers in the forest. As an example of the need to change the schema, consider installing Microsoft Exchange Server: it changes the schema so that an administrator can manage user accounts and mailboxes at the same time.

Each forest-level role can belong to only one domain controller in the forest. That is, you can use one controller as the domain naming master and a second controller as the schema master. Alternatively, both roles can be assigned to the same domain controller, which is the default distribution.

Each domain within the forest has a domain controller that performs each of the domain-level roles.

  • Relative ID master (RID master). The RID master is responsible for assigning relative identifiers. Relative identifiers are the unique part of a security identifier (SID) that identifies a security principal (user, computer, group, etc.) within a domain. One of the main tasks of the RID master is removing an object from one domain and adding it to another when objects are moved between domains.
  • Infrastructure master. The task of the infrastructure master is to synchronize group memberships. When group membership changes, the infrastructure master communicates the changes to all other domain controllers.
  • Primary Domain Controller Emulator (PDC emulator). This role emulates a Windows NT 4 primary domain controller to support Windows NT 4 backup domain controllers. Another task of the PDC emulator is to provide a central point of administration for user password changes and account lockout policies.
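An inventory of the five operations master roles and the fault-tolerance check the text recommends (at least two DCs per domain), with an optional transfer of the PDC emulator to a second controller. This is an added example, not the article's own code; it assumes the ActiveDirectory module and a second DC named dc2 (assumed name) if a transfer is requested.

```powershell
# Added example (not from the original article). Run on any DC or a machine
# with RSAT. Set $TransferPdcTo to a DC name (e.g. 'dc2', assumed name) to
# move the PDC emulator role; leave it $null for a read-only inventory.
Import-Module ActiveDirectory
$TransferPdcTo = $null

$forest = Get-ADForest
$domain = Get-ADDomain

# The two forest-wide roles and the three domain-wide roles, as named in the text.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'RID master'            = $domain.RIDMaster
    'PDC emulator'          = $domain.PDCEmulator
    'Infrastructure master' = $domain.InfrastructureMaster
}

# A role whose holder is unreachable is a role that cannot do its job: no new
# RID pools, no schema or domain changes, no password-change referrals.
$roles.GetEnumerator() | ForEach-Object {
    $online = Test-Connection -ComputerName $_.Value -Count 1 -Quiet
    '{0,-22} {1,-35} {2}' -f $_.Key, $_.Value, $(if ($online) { 'reachable' } else { 'UNREACHABLE' })
}

# Fault tolerance: the text recommends at least two domain controllers per domain.
$dcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
if ($dcs.Count -lt 2) {
    Write-Warning "Only $($dcs.Count) domain controller in $($domain.DNSRoot); add a second one."
}

# All five roles on the first DC is the default after promotion. Transferring
# (not seizing) the PDC emulator to a second, reachable DC spreads the load and
# keeps password changes and lockouts working if the first DC is down.
if ($TransferPdcTo -and $dcs -contains (Get-ADDomainController -Identity $TransferPdcTo).HostName) {
    Move-ADDirectoryServerOperationMasterRole -Identity $TransferPdcTo `
        -OperationMasterRole PDCEmulator -Confirm:$false
    "PDC emulator is now held by: $((Get-ADDomain).PDCEmulator)"
}
```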

The word "policies" is used quite often in this section to refer to Group Policy Objects (GPOs). Group Policy Objects are one of the main useful features of Active Directory and are discussed in the corresponding article, linked below.
