
Reconfiguring interfaces, DNS and other post-installation tasks. Create shared directories

There are four ways to install Active Directory:

  • Installation using the Active Directory Installation Wizard; suitable in most cases.
  • Installation from an answer file (the unattended installation method; it also allows you to install AD remotely).
  • Installation from a network source or a backup (archive) copy (used when installing Active Directory on additional domain controllers).
  • Installation using the Configure Your Server Wizard (applicable only when installing Active Directory on the first domain controller on the network).

All four methods let you assign the domain controller role to a computer, install Active Directory, and optionally install and configure a DNS server.

The first method, however, is universal, and we will consider it in more detail, using the installation of Active Directory on the first domain controller on the network as the example.

Installing Active Directory using the Active Directory Installation Wizard

  1. To open the Active Directory Installation Wizard, type dcpromo in the Run dialog box.
  2. When the Active Directory Installation Wizard welcome page appears, click Next.
  3. On the System Compatibility Check page, also click Next.
  4. On the Domain Controller Type page, select Domain controller for a new domain, then click Next.
  5. On the Create New Domain page, select Domain in a new forest, then click Next.
  6. On the New Domain Name page, enter the domain name in the Full DNS name for new domain field and click Next.
  7. After a short delay, the NetBIOS Domain Name page appears. We do not recommend changing the default NetBIOS name. Click Next.
  8. On the Database and Log Folders page, specify the location of the Active Directory database and log in the Database folder and Log folder boxes respectively. Keep in mind that it is recommended to place the database and the log file on separate hard disks formatted with NTFS. Click Next.
  9. In the Folder location field of the Shared System Volume page, specify the location of the Sysvol folder. As you would expect, the system volume must be located on a partition or volume with the NTFS file system. After completing the settings, click Next.
  10. When the DNS Registration Diagnostics page appears, read the detailed instructions of the diagnostic test. Set the switch to one of the three positions (in our case DNS on the network is not yet configured, so we select the second option). Click Next.
  11. On the Permissions page, select the default permissions you want on user and group objects, and then click Next.
  12. In the Restore Mode Password box of the Directory Services Restore Mode Administrator Password page, enter the password for the administrator account that is used when the computer starts in Directory Services Restore Mode. Confirm the password and click Next.
  13. The Summary page lists all the settings made so far. Review the list and click Next. (Configuring the Active Directory components takes some time. If the computer does not have a static IP address, you will be prompted to set one.)
  14. When the wizard completes, the Completing the Active Directory Installation Wizard page appears. Click Finish and, right after that, Restart Now.

To centrally manage the faculty network, you need to create a domain based on Microsoft Windows Server 2003.

Note. During installation you may be prompted to insert the Windows Server 2003 installation CD into the drive. You can use a physical CD or an ISO image of the operating system installation disk.

Exercise 1. Install the Active Directory directory service on the server and create the mydomain.ru domain.

Instructions for implementation

1. Run the Active Directory Installation Wizard: Start - Run - dcpromo.

2. Following the wizard, select the following installation options:

In the Domain Controller Type window, select Domain controller for a new domain;

In the Create New Domain window, select Domain in a new forest;

In the Install or Configure DNS window, select either No, just install and configure DNS on this computer or Yes, I will configure the DNS client, depending on whether the DNS service is already installed on the server;

In the New Domain Name window, type mydomain.ru in the Full DNS name for new domain line;

In the NetBIOS Domain Name window, the entry MYDOMAIN should appear;

Make sure the path selected for the database and log is C:\WINDOWS\NTDS, and the path for the SYSVOL directory is C:\WINDOWS\SYSVOL;

In the Permissions window, select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems;

In the Directory Services Restore Mode Administrator Password window, enter the password you want to assign to this server's Administrator account for the case when the computer boots into Directory Services Restore Mode;

In the Summary window, examine the list of the installation parameters you selected and wait for the Active Directory installation to complete.

3. In the Completing the Active Directory Installation Wizard window, click Finish and then Restart Now.

Task 2. View the created domain in one of the following ways.

Instructions for implementation

1st way.

Open My Network Places - Entire Network - Microsoft Windows Network. Make sure that there is an entry for the mydomain domain and that it contains one computer, Server.

2nd way.

1. From the Start - Programs - Administrative Tools menu, select Active Directory Users and Computers. The snap-in of the same name opens.

2. In the snap-in tree, double-click mydomain.ru (or your domain name) to see the contents of the mydomain.ru node.

3. In the Domain Controllers section of the snap-in tree, view the name of the domain controller and its fully qualified DNS name (for example, if the stand-alone server was named server, it should become server.mydomain.ru after the domain is created).

4. In the Users section, view the list of built-in user accounts and domain user groups.

5. Enable the built-in Guest account and try logging on with it. Was the attempt successful? Only domain administrators are allowed to log on to domain controllers.

6. Close the Active Directory Users and Computers console.

Task 3. Verify that the DNS service is running using the DNS snap-in.

Instructions for implementation

1. Open the DNS console: Start - Programs - Administrative Tools - DNS.

2. In the DNS console tree, right-click your server name and select Properties. The SERVER properties window will open (if the server has a different name, it will appear in the title of the window).

3. Click the Monitoring tab.

4. In the Select a test type list, check the A simple query against this DNS server and A recursive query to other DNS servers checkboxes and click Test Now. The list of test results in the server properties window should show PASS or FAIL in the Simple Query and Recursive Query columns. Explain your results.

Task 4. Delete the Active Directory service.

Instructions for implementation

Run the Active Directory Installation Wizard again (Start - Run - dcpromo); on an existing domain controller the same wizard removes Active Directory.

Independent work

According to the project assignment, set up a domain named faculty.ru whose domain controller is server.faculty.ru with the IP address 192.168.1.1.



Questions for self-control

1. Describe the differences between a workgroup and a domain.

2. What is the main difference between Windows XP and Windows Server 2003?

3. Is it possible to create a domain on a network where all computers on the network are running Windows XP?

4. Define a domain controller.

5. List the built-in accounts of users and groups of domain users known to you and describe their purpose.

6. What does the term "stand-alone server" mean?

7. Describe the differences between a workgroup and a domain.

8. Why is the built-in Guest account usually disabled?

Literature


Lab #4

Topic: Creating and administering user and group accounts

Exercise 1. Create a domain account for the dean that:

- has access to all network resources,

- can log on to any computer.

Instructions for implementation

1. Run Start - All Programs - Administrative Tools - Active Directory Users and Computers.

2. Expand the faculty.ru folder and select the Users container.

3. From the Action menu, select New - User.

4. Enter the required user information. In the User logon name field, enter dean. Note that when creating a domain account, unlike a local account, the domain name is displayed after the user name, separated from it by the @ sign, so the full user logon name is dean@faculty.ru.

5. When defining the user's password, be sure to check the box User must change password at next logon.

6. Complete the account creation.

7. In the right pane, find the account. Double-click it to enter additional information (address, organization, etc.).

8. Make sure that the dean can log on at any time (Account tab, Logon Hours button).

9. Try logging on to the domain with the dean's account. Why did the attempt fail?

10. Log on to the system as an administrator.

11. View the dean account's properties again via Start - All Programs - Administrative Tools - Active Directory Users and Computers. In the account properties window, open the Member Of tab and add the dean's account to the global group Domain Admins: click Add... - Advanced... - Find Now and select Domain Admins from the resulting list.

12. Try again to log on to the domain with the dean's account.

13. After logging on with an administrator account, change the dean's password and again require it to be changed at the next logon.

Task 2. In accordance with the requirements of the network security policy, it is not recommended to include domain users other than persons who directly perform administrative functions in the Administrators group. Remove the dean's account from the administrators group.

Instructions for implementation

1. Run Start - All Programs - Administrative Tools - Active Directory Users and Computers.

2. Expand the faculty.ru folder in the left pane of the window and select the Users subfolder.

3. In the right pane, find the account. Double-click it and open the Member Of tab. Select Domain Admins in the list of groups and click Remove.

Task 3. Allow the dean's account to log on to a domain controller without making it a member of the Administrators group.

Instructions for implementation

1. Add the dean's account to the Print Operators group, whose members can log on to a domain controller.

2. Log on to the domain with the dean's account.

3. Suggest another way to allow logon to the domain controller.

Task 4. Create a global group teachers:

- group type: security group;

- teachers can log on to any computer on the network except the server;

- each teacher has a personal account and settings, which the teacher configures personally.

Instructions for implementation

1. Run Start - All Programs - Administrative Tools - Active Directory Users and Computers.

2. Expand the faculty.ru folder in the left pane of the window and select the Users subfolder.

3. From the Action menu, select New - Group.

4. In the Group name field, enter teachers.

5. Under Group scope, select the Global radio button; under Group type, select Security.

6. Click OK.

Task 5. Add the dean's account as a member of the teachers group.

Instructions for implementation

1. Make sure the Active Directory Users and Computers snap-in is open and the Users container is selected.

2. In the properties window of the teachers group, open the Members tab, then click Add... - Advanced... - Find Now and select the dean's account from the resulting list.

3. In the properties window of the dean's account, find the membership information for the teachers group.

Task 6. Make lists of the built-in local groups, domain global groups and domain local groups, and study the description of each built-in group.

Task 7. Complete the tables containing information about domain members. The tables should help plan and create domain accounts.

An example of filling in the tables for the user group Deanery and the account Student is given below.

Table 8

Group planning

Table 9

Login Schedule

Table 10

Password Planning

Think of at least three users from each group and complete Tables 8-10 as required by the project. Include the tables in the report.

Task 8. Create, in accordance with your options for tables 8-10, the user accounts and user groups necessary for the project.

Task 9. Test your accounts. For example, change the system time to 6:00 and try to log on to the domain with a student account. Try changing the password for this account.
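The account and group operations of Tasks 1 to 5 and the logon-schedule and password settings of Tasks 7 to 9 can also be done from the command line. The following script is an added example and not part of the lab manual: it uses the dsadd, dsmod and dsget directory tools and net user that ship with Windows Server 2003, assumes the faculty.ru domain of the exercises with the dean account and the teachers group in the Users container, and is run as a domain administrator on the domain controller. The names and the schedule are taken from the tasks; the first/last name values are constructed.

```powershell
# Added example (not from the lab manual). Assumed: domain faculty.ru, account
# "dean" and group "teachers" in the Users container, run on the DC as a domain admin.
$domainDN = 'DC=faculty,DC=ru'
$deanDN   = "CN=dean,CN=Users,$domainDN"
$teachDN  = "CN=teachers,CN=Users,$domainDN"
$admDN    = "CN=Domain Admins,CN=Users,$domainDN"

# Task 1: create the dean's account. "-pwd *" prompts for the password instead of
# leaving it in the script; -mustchpwd yes forces a change at the first logon.
# (First and last name are constructed values.)
dsadd user $deanDN -samid dean -upn dean@faculty.ru -fn Dean -ln Faculty -display 'Dean' -pwd '*' -mustchpwd yes

# Task 4: create the global security group "teachers".
dsadd group $teachDN -samid teachers -secgrp yes -scope g -desc 'Teaching staff'

# Task 5: make the dean a member of teachers.
dsmod group $teachDN -addmbr $deanDN

# Task 2: the dean must not remain in Domain Admins. If the account is not a
# member, dsmod reports an error and changes nothing.
dsmod group $admDN -rmmbr $deanDN

# Tasks 7-9 (Login Schedule table): permit logon only on weekdays 08:00-18:00,
# so a logon attempt with the system time set to 06:00 is refused. The argument is
# quoted because PowerShell would otherwise split it at the comma.
net user dean '/times:M-F,08:00-18:00' /domain

# Password Planning table: no expiry date for this account; an account that must
# be suspended (e.g. during illness) is disabled with /active:no, not deleted,
# which keeps its SID and group memberships.
net user dean /expires:never /domain
# net user dean /active:no /domain

# Verification: group memberships (expanded through nesting) and account flags.
dsget user $deanDN -memberof -expand
dsget user $deanDN -samid -mustchpwd -disabled
```

Each tool returns a non-zero exit code on failure, so in a longer script check $LASTEXITCODE after every call before proceeding to the next step.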

Questions for self-control

1. Describe the differences between local and domain accounts.

2. What is the purpose of creating user groups?

3. Explain the purpose of local, global, and universal groups.

4. Explain the purpose of security groups and distribution groups.

5. Define and give examples for the following terms: "user rights", "user privileges", "user access permissions".

6. List the built-in accounts of users and groups of domain users known to you and describe their purpose.

7. Which built-in user group, other than the Administrators group, must the account be included in so that the user can log on to the workstation? Are there other ways to do this?

8. How to disable login during weekends and non-working hours?

9. How to set an account expiration date?

10. How to disable an employee's account, for example while the employee is ill?

12. How to change the user's password?

13. How to prevent the user from changing the password?

14. What are the consequences of deleting a group?

Literature


Lab #5

Initial situation: there is a domain, testcompany.local. For simplicity it has one domain controller running Windows Server 2003, named dc01. The DNS server is also on it, and the primary zone is Active Directory-integrated.

Network settings of the controller:

IP address - 192.168.1.11
Mask - 255.255.255.0
Gateway - 192.168.1.1
DNS server - 192.168.1.11

The task: install a domain controller on another server running Windows Server 2008 R2, demote the old controller to a member server (and then possibly remove it altogether), and transfer all the functions of the old controller to the new one.

Preparatory work

As preparatory work, run the commands netdiag (this command exists only in Windows Server 2003, in the Support Tools) and dcdiag, make sure that there are no errors, and correct any errors that are reported.

First of all, we determine the holder of the FSMO roles in the domain with the command:

The netdom.exe utility is not included in Windows Server 2003 by default, so you need to install the Support Tools (http://support.microsoft.com/kb/926027). In the case under consideration this step makes little sense, since there is only one domain controller and all the FSMO roles are on it anyway. For those who have more than one domain controller, it is useful to know which roles are where before transferring them. The output of the command looks something like this:

The new server, dc02, is given the following network settings:

IP address - 192.168.1.12
Mask - 255.255.255.0
Gateway - 192.168.1.1
DNS server - 192.168.1.11

and is joined to the existing domain, testcompany.local in our case.
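An added example, not part of the article: a PowerShell script that runs the preparatory checks and records the FSMO role holders before anything is changed. It assumes Windows PowerShell 2.0 is installed on dc01 alongside the Support Tools (for netdom.exe and netdiag.exe), and that dcdiag and netdom produce their English output; the parsing functions are separated from the command calls so they can be exercised on captured output.

```powershell
# Added example (not the article's own code). Assumed: Windows PowerShell 2.0 and
# the Support Tools on dc01; English output of dcdiag and netdom.

function ConvertFrom-DcdiagOutput {
    # dcdiag summarises each test as "... <DC> passed test X" / "... failed test X".
    # Returns the names of the failed tests (empty array when all passed).
    param([string]$Text)
    $failed = @()
    foreach ($m in [regex]::Matches($Text, 'failed test (\S+)')) { $failed += $m.Groups[1].Value }
    return $failed
}

function ConvertFrom-NetdomFsmo {
    # "netdom query fsmo" prints one line per role: a label, two or more spaces,
    # then the holder's FQDN (labels differ between 2003 and 2008, e.g. "Schema owner"
    # vs "Schema master"), followed by "The command completed successfully."
    param([string[]]$Lines)
    $holders = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(\S.*?)\s{2,}(\S+\.\S+)\s*$') { $holders[$matches[1]] = $matches[2] }
    }
    return $holders
}

function Test-DcHealth {
    # /q prints only errors and the failed-test summary lines.
    $failed = ConvertFrom-DcdiagOutput (dcdiag /q | Out-String)
    if (Get-Command netdiag.exe -ErrorAction SilentlyContinue) { netdiag /q }
    if ($failed.Count -gt 0) {
        Write-Warning ('dcdiag reported failed tests: ' + ($failed -join ', '))
        return $false
    }
    return $true
}

function Get-FsmoHolders { return ConvertFrom-NetdomFsmo (netdom query fsmo) }

# Record the role holders (all five on dc01 in the article's scenario) and refuse
# to continue while dcdiag still reports errors.
$holders = Get-FsmoHolders
$holders.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
if (-not (Test-DcHealth)) {
    Write-Warning 'Fix the reported errors before running adprep or promoting dc02.'
}
```

Keep the printed role list; after the transfer described later it is the reference against which the new holders are compared.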

Updating the Forest and Domain Schema

The next step is to update the forest and domain schema to Windows Server 2008 R2, which we do with the adprep utility. Insert the Windows Server 2008 R2 installation disk into server dc01. On the disk we are interested in the X:\support\adprep folder (X: is the drive letter of the DVD-ROM). If you have 32-bit Windows Server 2003, run adprep32.exe; for 64-bit, adprep.exe.

There is no forest functional level requirement for running the command. To run adprep /domainprep, the domain functional level must be at least Windows 2000 native.

We enter the command:

X:\support\adprep>adprep32.exe /forestprep

After the warning that all Windows 2000 domain controllers must be at least SP4, type C and press Enter:

The command runs for quite a long time, several minutes, and should end with the following line:

Adprep successfully updated the forest-wide information.

After that, enter the command:

X:\support\adprep>adprep32.exe /domainprep /gpprep

which completes faster than the previous one.

It is also worth executing the command adprep /rodcprep. Even if you do not intend to use Read Only Domain Controllers (RODCs) on your network, this command will at least remove unnecessary error messages in the event log.

After the schema upgrade commands complete, you can proceed to promote the new server to a domain controller.
On server dc02, go to Server Manager and add the Active Directory Domain Services role. After the role is installed, under Server Manager > Roles > Active Directory Domain Services you will see the yellow prompt "Run the Active Directory Domain Services Installation Wizard (dcpromo.exe)". Launch it. Alternatively, type dcpromo at the command line, which is equivalent.

Since covering the whole domain controller installation process is outside the scope of this article, I will focus only on some key points. On the Additional Domain Controller Options page, check both boxes: DNS server and Global catalog.


If the Global catalog and DNS server boxes are not checked, you will have to transfer these functions separately. When migrating from 2003 to 2003 this has to be done in any case, since Windows 2003 does not offer this option. The transfer of the global catalog and DNS server is covered a little further below.

We complete the domain controller installation and restart the server. We now have two domain controllers running at the same time.

Transfer of FSMO roles

FSMO roles can be transferred both through the graphical interface and with the ntdsutil.exe utility. This article describes the method using the graphical interface, as the more visual one; those interested in the other method will find it at this link: http://support.microsoft.com/kb/255504. The transfer of FSMO roles consists of the following steps:

Go to server dc02, the one to which the roles will be transferred. To access the Active Directory Schema snap-in, you first need to register the schmmgmt.dll library. This is done with the command:

regsvr32 schmmgmt.dll

In the snap-in tree, right-click Active Directory Schema and select Change Domain Controller. There we switch the controller to dc02.
Next, right-click Active Directory Schema again and choose Operations Master. The following window appears:


Click Change > Yes > OK and close all these windows.

Open the Active Directory Domains and Trusts snap-in, right-click the Active Directory Domains and Trusts node and choose Change Active Directory Domain Controller. This step is required if you are not working on the domain controller to which the role is being transferred; skip it if the connection to that domain controller is already established. In the window that opens, select the domain controller that is to receive the role (dc02 in our case) from the list and click OK.
Right-click the Active Directory Domains and Trusts node in the snap-in and choose Operations Master. In the window that appears, click Change.


To confirm the role transfer, click OK, and then Close.

Open the Active Directory Users and Computers snap-in. Right-click the Active Directory Users and Computers node and choose Change Domain Controller. Skip this step if the connection to the domain controller to which the role is being transferred is already established. In the window that opens, select the domain controller that is to receive the role (dc02 in our case) from the list and click OK.

Right-click the Active Directory Users and Computers node in the snap-in, select All Tasks, and then Operations Master.


Select the tab corresponding to the role being transferred (RID, PDC or Infrastructure), and click Change.
To confirm the role transfer, click OK, and then Close.
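An added example, and neither the article's own method (the snap-ins) nor the ntdsutil procedure it links to: the same transfer of all five roles done with the Active Directory PowerShell module that ships with Windows Server 2008 R2, followed by a check that every role now names the new controller. It assumes the script runs on dc02 under an account that is a member of Schema Admins, Enterprise Admins and Domain Admins (each role transfer is checked against the corresponding permission), and that dc01 is still online, because a transfer, unlike a seizure, requires the current holder to respond.

```powershell
# Added example (not the article's own code). Assumed: Windows Server 2008 R2 AD
# module on dc02, run as Schema/Enterprise/Domain Admin, old holder dc01 online.
Import-Module ActiveDirectory

$target = 'dc02'
$roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-RoleHolders {
    # Forest-wide roles are exposed by Get-ADForest, domain-wide roles by Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    return @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-RolesNotOn {
    # Names of the roles whose holder is not the given controller.
    param([hashtable]$Holders, [string]$Controller)
    return @($Holders.GetEnumerator() | Where-Object { $_.Value -notlike "$Controller.*" } | ForEach-Object { $_.Name })
}

'Before transfer:'
(Get-RoleHolders).GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# Transfer (not seize): the cmdlet contacts the current holder, so dc01 must be
# reachable. -Confirm:$false suppresses the per-role prompt.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false

'After transfer:'
$after = Get-RoleHolders
$after.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

$notMoved = Get-RolesNotOn -Holders $after -Controller $target
if ($notMoved.Count -gt 0) {
    Write-Warning ('Still held elsewhere: ' + ($notMoved -join ', '))
} else {
    "All five FSMO roles are now held by $($after.PDCEmulator)."
}
```

Run the "after" check a second time a few minutes later from dc01 as well: the values are read from the directory, so a difference between the two controllers means replication of the change has not yet completed.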

Transferring the global catalog

If we are migrating not to 2008 but to 2003, where the global catalog is not set when adding an additional domain controller, or if you did not check Global catalog in step 2, then you must manually assign the global catalog role to the new domain controller. To do this, go to the Active Directory Sites and Services snap-in, open Sites > Default-First-Site-Name > Servers > DC02, right-click NTDS Settings > Properties. In the window that opens, check the Global Catalog box and click OK.


After that, a message appears in the Directory Service log that the promotion of the controller to a global catalog will be delayed for 5 minutes.

Event Type: Information
Event Source: NTDS General
Event Category: (18)
Event ID: 1110
Date: 07/12/2011
Time: 22:49:31
User: TESTCOMPANY\Administrator

Description:
Promotion of this domain controller to a global catalog will be delayed for the following interval.

Interval (minutes):
5

This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.

http://go.microsoft.com/fwlink/events.asp.

We wait five minutes for event 1119, which reports that this controller has become a global catalog.

Event Type: Information
Event Source: NTDS General
Event Category: (18)
Event ID: 1119
Date: 07/12/2011
Time: 22:54:31
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: dc02.testcompany.local
Description:
This domain controller is now a global catalog.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .

Interface reconfiguration, DNS, and other post-installation tasks

Further, since we installed the DNS server on dc02, we now need to specify dc02 itself as the primary DNS server in the properties of its network interface, i.e. the address 192.168.1.12. On dc01, change the DNS server to 192.168.1.12 accordingly.

In the DNS server properties on dc02, check the Forwarders tab: on 2003, unlike 2008, forwarders are not replicated. After that you can demote domain controller dc01 to a member server.

If you need to keep the old name and IP address for the new controller, this is also done without problems. The name is changed as for an ordinary computer, or with the equivalent command netdom renamecomputer.

After changing the IP address, run the commands ipconfig /registerdns and dcdiag /fix.

After rebooting the server, make sure that the domain functional level is set to Windows Server 2003. To do this, open Active Directory Domains and Trusts, right-click the name of your domain and select Raise Domain Functional Level from the menu.

If the Windows Server 2003 functional level is not set, it must be set.


Setting DNS

To configure the DNS server that was created automatically during the domain controller installation, open the DNS snap-in, right-click the Reverse Lookup Zones node and select New Zone from the menu.


The New Zone Wizard starts.


In the Zone Type window, specify which zone will be created. Since the first DNS server in the domain is being configured, select Primary zone, and it is recommended to select Store the zone in Active Directory.


In the Active Directory Zone Replication Scope window, it is recommended to choose To all DNS servers in the Active Directory domain created_domain_name.local. This allows zones to be transferred only within the specific domain if there is a forest.


The Reverse Lookup Zone Name window specifies for which IP addresses the zone will accumulate information and provide names on client requests. For simplicity, it is recommended to enter exactly the network ID, i.e. the significant octets of the local network addresses (for example: 192.168.1).

In the Dynamic Update window, choose how the information stored on the DNS server is updated. For networks that include Windows 2000 and older clients, only secure dynamic updates can be allowed. In general, it is recommended to select the Allow any dynamic updates option.

After that, the creation of the new reverse lookup zone is complete, and an information window appears with a brief description of the zone being created. If necessary, you can go back and make changes.


After the reverse lookup zone has been created, you can view its contents and verify that the zone is named correctly.


Then configure the forward lookup zone. To do this, in the Forward Lookup Zones branch select the zone with the name of the created domain, right-click to open the menu and select Properties.


On the General tab, as was done when creating the reverse lookup zone, it is also recommended to set the Dynamic updates option to Nonsecure and secure.

This completes the DNS setup on the server; now you need to create entries for network devices and active network equipment.

An entry is created as follows: right-click the zone with the domain name and select New Host from the menu. In the form for the new host, enter the host name (the fully qualified domain name is filled in automatically) and its IP address, and check Create associated pointer (PTR) record.


After clicking Add Host, the record is entered into both the forward and the reverse lookup zone at once. If the checkbox is not checked, the record will have to be created separately in the reverse lookup zone.

It is strongly recommended not to create DNS entries for domain computers and servers manually. To create a correct entry, it is better to run the command ipconfig /registerdns from Start - Run, which registers the computer with the DNS server.

All domain-joined operating systems must be configured to use the local DNS servers (usually the domain controllers) as their preferred and alternate DNS servers. If the TCP/IP configuration is correct, the operating systems create records in the domain zones automatically (except Windows 9x).
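The zone creation, dynamic-update setting and record creation above, together with the DNS client re-pointing from the post-installation section, as an added example done with dnscmd.exe and netsh instead of the snap-in (these are not the article's own commands). Assumed: DNS server dc02 at 192.168.1.12 in testcompany.local, the old controller dc01 at 192.168.1.11 as the alternate server, the 192.168.1.0/24 network and an interface named "Local Area Connection"; the printer host and its address are constructed. The example goes one step beyond the text by placing the secure-only update policy beside the nonsecure-and-secure one the text recommends.

```powershell
# Added example (not the article's own commands). Assumed: dc02/192.168.1.12 in
# testcompany.local, dc01/192.168.1.11, network 192.168.1.0/24; printer01 is constructed.
$dns     = 'dc02'
$fwdZone = 'testcompany.local'
$revZone = '1.168.192.in-addr.arpa'   # network ID 192.168.1 written in reverse order

# Reverse lookup zone, stored in Active Directory and replicated to all DNS servers
# in the domain (the replication scope the text recommends).
dnscmd $dns /ZoneAdd $revZone /DsPrimary /DP /domain

# Dynamic update policy for both zones.
#   1 = nonsecure and secure (the text's choice; any host can register or overwrite a name)
#   2 = secure only (only the authenticated domain member that owns a record may change it)
# Secure only is the tighter setting when every client is a domain member.
$updatePolicy = 2
dnscmd $dns /Config $fwdZone /AllowUpdate $updatePolicy
dnscmd $dns /Config $revZone /AllowUpdate $updatePolicy

# Manual entries only for devices that cannot register themselves: the A record
# plus the matching PTR, which is what the "Create associated PTR record" box does.
dnscmd $dns /RecordAdd $fwdZone printer01 A 192.168.1.50
dnscmd $dns /RecordAdd $revZone 50 PTR printer01.testcompany.local.

# Domain members register themselves. Point this controller's DNS client at itself,
# keep the old controller as alternate, then re-register its own records.
netsh interface ip set dns name="Local Area Connection" source=static addr=192.168.1.12 register=primary
netsh interface ip add dns name="Local Area Connection" addr=192.168.1.11 index=2
ipconfig /registerdns

# Checks: both zones exist, the reverse zone holds the PTR, and the address resolves.
dnscmd $dns /EnumZones
dnscmd $dns /EnumRecords $revZone '@'
nslookup 192.168.1.50 $dns
```

On dc01 the same two netsh lines, with the addresses swapped, repoint the old controller at dc02 as the text requires before it is demoted.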

Installation and setup of DHCP

Using the DHCP service simplifies network administration and ensures the uniqueness of the IP addresses used in the domain. To install the DHCP service, go to Control Panel, run Add or Remove Programs, select Add/Remove Windows Components, select the Networking Services line and click Details.


Install the DHCP component.


(The DNS component was added automatically during the AD installation and cannot be unchecked.)

After the DHCP component is installed, open the DHCP snap-in, go to the entry with the name of the installed server, open the context menu with the right mouse button and select New Scope. The New Scope Wizard starts.


In the Scope Name window, enter the name of the created range of distributed addresses and a description for it. This information is entered for convenience; the data entered is of no fundamental importance.


In the IP Address Range window, enter the start and end addresses of the range that will be available for automatic distribution among computers in the domain, and set the subnet mask chosen at the network planning stage.


The dialog box specifies a range that includes all possible network address values. To prevent addresses already in use (the IP addresses of servers, active network equipment and other devices with static addresses) from being issued, specify the addresses to exclude from distribution in the Add Exclusions form. Addresses to be excluded can be listed one at a time in the Start IP address field.


After specifying each excluded address or range, confirm the entry by clicking Add, after which the entry is added to the list of exclusions.

The Lease Duration window specifies the period after which an IP address issued by the server can be issued to another dynamic-address recipient. For a network whose architecture and composition change rarely, it is recommended to set a sufficiently long lease period.

To reduce the total setup time, it is recommended to accept the wizard's offer to configure the DHCP options now.


The Router (Default Gateway) window is filled in if there is a router in the network.

If there is no such device, leave the window blank. Adding a default gateway also requires clicking Add, after which the entered router address is added to the list.

The Domain Name and DNS Servers window requires special attention. In the Parent domain field, enter the full name of the created domain without any abbreviations (for example: domain1.local). A mistake or incomplete entry of the domain name will cause network problems, such as difficulties joining a computer to the domain.


The addresses of the network's DNS servers are entered here. It is recommended to enter not the address of the DNS server but its name; when you click Resolve, the server address is entered automatically, after which you also need to click Add. If the DNS server name cannot be resolved or an invalid IP address is returned, this may indicate a problem either in the DNS service or in the network connection settings.

Several DNS server addresses can be entered if several DNS servers are used in the network at the same time.

If there are no WINS servers on the network, leave the WINS Servers window blank.

The "Activate area" window allows you to postpone the activation of the created area for an arbitrary time (for example, when the server is configured in a different local network, or addresses are issued by another zone, and the zone being created is not yet used). If the server is configured first, you must select the item "Yes, I want to activate this area now."

This completes the scope creation wizard. If necessary, you can go back and make the required changes to the parameters of the scope being created.

After the scope creation wizard finishes, the DHCP server must be authorized in AD. If this is not done, no addresses will be issued to clients.

To do this, in the DHCP snap-in select the name of the server being configured, open the context menu with the right mouse button, and choose "Authorize".


So that the addresses issued by the server are automatically registered in DNS, the DHCP server needs additional configuration. In the DHCP snap-in, select the name of the server being configured, open the context menu with the right mouse button, and choose "Properties".

On the "DNS" tab it is recommended to set the same parameters that were used earlier. This setting ensures that information about all issued addresses is passed to DNS regardless of the client type, and that stale records are deleted automatically when the address lease expires.

Windows 9x clients in a Windows Server 2003 domain

In a Windows Server 2003 domain the default security level has been raised, which causes certain difficulties for legacy client systems such as Windows 95, 98 and NT 4.0.

To allow these operating systems to work in the domain, it is recommended to install the Active Directory client on the client machines (DSCLIENT.EXE, located in the CLIENTS\WIN9X folder of the Windows 2000 Server distribution) and make some changes to the security policies.

To make these changes, open the "Domain Controller Security Policy" snap-in, then "Domain Security Policy", and disable the security options shown.

According to Microsoft, it is sufficient to disable the "Microsoft network server: Digitally sign communications (always)" setting in the Windows 2003 domain security policy.

After finishing editing these security policies, it is recommended to reboot the server.

This article focuses on the Active Directory directory service, the new features and mechanisms that it has gained with the advent of Windows Server 2003, as well as the use of all these improvements in practice.

All the material presented is divided into six topics. We'll talk about Active Directory implementation and integration with existing directories, service administration, replication, cross-forest trust, group policy management, and software restrictions.

Implementation and integration

In this chapter we look at the new features of Active Directory from several perspectives: implementing the service, integrating it with other directories, and migrating from a previous version (either upgrading from Windows NT 4.0, or simply installing Active Directory from scratch). First of all, it should be noted that the new features of Windows 2003-based Active Directory are largely unavailable in Windows 2000-based Active Directory. For example, the ability to rename a domain or to restore a previously deactivated schema object can only be used when the directory is at the highest possible functional level: the domain level is Windows Server 2003 and the forest level is Windows Server 2003. To gain access to these and other features, you must raise the forest to the maximum functional level. Let us consider what these functional levels are.

Functional levels


The administrator manually raises the functional level

I note that this classification was introduced specifically to ensure compatibility in the presence of backward-incompatible features. Even if you install Active Directory from scratch, without performing any upgrade and without worrying about integration, that is, simply installing a new server and on it the first controller in the forest, you get a system that starts at the lowest level. In other words, the domain level is Windows 2000 Mixed and the forest level is Windows 2000. In this mode the installed system corresponds exactly to the features available in Windows 2000 Active Directory. To move to a higher level, certain conditions must be met; for example, a domain can only be raised to the Windows Server 2003 level after all of its domain controllers have been upgraded to that operating system. When migrating from Windows 2000, the natural process is to upgrade the existing controllers in stages. It is not possible to move all controllers from Windows 2000 to Windows 2003 at once; this can only be done one at a time. Until the controller upgrade is complete, the domain functional level remains at Windows 2000 Mixed. As soon as all controllers are upgraded, you can go to the next level. The administrator switches the functional level using the Active Directory Domains and Trusts console. The administrator cannot lower the level; it can only be raised to a higher level, where the system then remains. Once an administrator has raised a domain to a new functional level, certain new features become available in Active Directory.

For simplicity of presentation, let us consider these features in pure Windows 2003 mode: the forest at the Windows 2003 level and all domains at the Windows 2003 level. In other words, the maximum possible levels and, accordingly, the maximum range of new features. The first thing to stop at is a feature called Application Partitions.


Application partitions


Active Directory was originally designed as a directory service not just to provide, for example, network client services or to store the accounts of those clients, but also as a store for network applications. Therefore a lot of the information in Active Directory comes from applications. On Windows 2000, no matter how many Active Directory-integrated applications we install, all the information about them ends up in a single directory and, accordingly, is replicated equally between all controllers.

Windows 2003 allows you to distinguish and separate the information that belongs to network applications from the rest of the directory by creating application partitions. For example, the information that the DNS server stores need not be distributed to all controllers in the domain, but only to those that have been explicitly specified. That, in fact, is what partitioning means. First you create a directory partition, as if separating it from the general structure, and then you specify that a replica of this partition should be stored on the named controllers. The same goes for any other application. Through this mechanism the administrator managing the system can separate and store directory and application information in the most optimal way. For example, if it is known that some application will use the directory only on one particular controller (and will not access other controllers), then by creating a dedicated partition for this application its storage can be reduced to that controller alone.

The next feature is support for the InetOrgPerson object class (RFC 2798). It appeared only in Windows 2003; Windows 2000 does not support this object class. InetOrgPerson is needed for integration with other LDAP directories (Novell, Netscape). Active Directory can work with this class and create objects of this class, and transparent, smooth migration of InetOrgPerson objects from other directories is also possible. Accordingly, it becomes possible to migrate applications written for other LDAP directories. If applications use this class, they can be ported to Active Directory painlessly and transparently, retaining all their functionality.

Next, it became possible to rename domains. It should be clearly understood that renaming a domain means more than just changing its name (the domain used to be called "abcd", now it is called "xyz"). The directory structure is a tree: there are many domains in it, and the domains themselves are combined into a hierarchy. Renaming a domain is actually a restructuring of the forest. You can rename a domain so that it appears in a different tree.



Domain rename. rendom.exe utility


Consider the Contoso domain, which is subordinate to the Sales domain in the WorldWideImporters.com tree. You can rename it and call it Contoso.Fabrikam.com. This is not just a rename, it is a transfer of a domain from one tree to another, that is, a rather non-trivial procedure. It is logical to assume that renaming a domain can lead to the creation of a new tree. You can rename the Contoso domain that was under the Sales domain to Contoso.com. Then the domain will become the ancestor of another tree in the same forest. That is why the process of renaming a domain can be considered a very complex and non-trivial procedure.

In Windows 2000, there was no such possibility as to rename the domain in the above context. Once a domain is created, it will remain with its name for the rest of its life. The only way to change the situation is to delete the domain and then recreate it with a new name.

Windows 2003 comes with a utility called Rendom, literally from the words Rename Domain. The Rendom.exe utility is a command line utility that can be used to rename a domain. True, this process consists of six stages. Detailed information about it can be found in Windows 2003 Help, specific white papers for Microsoft .NET, on the MSDN site. It details how to model, design, and run the domain rename process using the rendom utility. In any case, this is a complex, multi-stage process that requires careful preparation: there are too many links and pointers, names and other interdependencies that are formed when domains are created. It is impossible to simply take it all in one fell swoop.

In terms of Active Directory deployment, a mode for installing a domain controller from removable media has appeared. What is meant? Very often an enterprise deploys Active Directory in remote offices where communication is weak: poor lines between the head office and the branches. Nevertheless, a new domain controller must be installed in the branch office. When a new controller is created in an existing domain, the DCPromo utility contacts the existing, working controllers and downloads the entire database and the replicas that can be collected from the domain controller. If this database occupies several tens or hundreds of kilobytes, that is, it is empty (it occupies several hundred kilobytes by default), there are no problems. But for a working system whose database can take tens or hundreds of megabytes, transferring it may simply be an impossible task. In this situation the problem can be solved in a very simple way. Using Windows NT Backup, make an archive in "system state" mode, that is, select the Backup->SystemState option in the Windows NT Backup console. Then write the created backup to media, for example a CD or DVD, take this disk to the remote office, and restore all the information from the archive using the same Windows NT Backup. You must restore not to the default location but to another directory, so that the files are simply laid out on disk: naturally, you must not replace the system information on the existing computer. Next, run the DCPromo utility with the "/adv" switch and specify the path to the directory where the unpacked files are located. The installation of the new controller will then create its own replica from the information on the removable media.
This still requires a connection to the head office, because in addition to transferring the replica it is also necessary to establish certain relationships with the existing domain. So a connection must exist, but the requirements for it are greatly reduced: even a very weak line will do. In the above scenario, 95% of the information that had to be transferred to the new controller travelled on the media, and the line between the head office and the branch did not have to be overloaded.

It's important to note that customers continue to use Windows NT 4.0 very frequently. Windows 2003 makes moving from existing directories (whether from NT 4 or from Windows 2000) faster, more painless, and more efficient. The Active Directory Migration Tool (ADMT) serves this purpose. ADMT will help with migration from Windows NT to Windows 2003, as well as from Windows 2000 to Windows 2003 in case some kind of domain restructuring, account transfer, etc. is required.



Active Directory Migration Tool (ADMT) v.2 wizards


The Active Directory Migration Tool is a set of wizards. Each wizard performs a specific task (see picture above). It is important that most of the wizards have a mode called "Test migration settings and migrate later" - simulation of the process without actually performing operations. In other words, the migration process is emulated, and the administrator can see what the result will be and how everything will work out. Real actions are not performed in this mode. In the case when the results of the test mode are satisfactory, you can ask the Active Directory Migration Tool to perform a full migration.

Administration

This chapter is about instrumental administration. In principle, it cannot be said that many new very useful features have appeared here. However, there is still something. For example, Drag&Drop support: Before Windows 2003, there was no Drag&Drop support. Now you can click on the "user" object and drag it with the mouse to the new container. It is very convenient. It is a pity that there was no such mechanism in previous versions.

An additional console for storing directory queries has been added. It is known that Active Directory is an LDAP directory. This means that it can be queried using the standard LDAP query language. If these queries are composed and not remembered, this is an additional burden on the administrator: each time he has to rewrite the query or copy it from some document. To simplify this, a section called Saved Queries is provided. It saves the queries that the administrator or user entered in the console.



Saved Queries console


Now, when the query is needed again, it is enough to select it from the list. Moreover, the query results are displayed on the right side of the console: on the left you select the query of interest and click on it, and on the right the result of processing appears.

Windows Server 2003 contains a lot of command line programs. This seems strange and perhaps even contradictory. It would seem that Microsoft has been promoting the graphical interface all these years, the convenience of managing with the help of the graphical interface, but at the same time, it turns out that it is releasing new command line utilities. Here are just six of them for Active Directory.



Command line utilities


There is, in fact, no contradiction in this. Many operations an administrator has to perform are more convenient as batch files. For example, when the same attribute must be modified on many similar objects, it is often more convenient to do it from the command line with an appropriate script. Suppose some parameter has to be changed, for example the telephone number recorded in the accounts of all users in a department (everyone in the department gets a new number). You could open each account and change the number; done through the graphical interface, that means at least a hundred operations on "Account" objects. Alternatively, take one simple command called DSMod (object modification), form a line with the new information, write a script with the search conditions, and execute everything as a single command. For such operations (and there are many of them in an administrator's daily work) command-line utilities and scripts should be used.

Replication

Replication issues are very relevant when implementing Active Directory, designing and planning infrastructure.

Windows 2000 has a limit on the number of sites for which a topology can be generated automatically. There is a service called the Inter-Site Topology Generator (ISTG). When two or three, or even five or ten, sites are created, the ISTG service automatically generates the replication topology between sites, selects bridgehead servers, and determines how this replication schedule will be executed. All is well, but if there are about two hundred sites, the ISTG service cannot cope with the amount of information and gets stuck in a loop. Therefore, for Windows 2000 there is a very clear recommendation: if the inter-site replication topology is to be generated automatically, the number of sites should not exceed two hundred. If there are more sites, automatic generation must be disabled and everything configured manually.

The problem may not seem obvious, but it's a real problem people face when it comes to deploying Active Directory on multi-site systems. Windows Server 2003 removes this issue. This system implements a completely new Inter-Site Topology Generator, which works in a fundamentally different way and generates a topology using a new algorithm. The number of sites that can now be automatically generated (whose topology can be automatically generated using the ISTG service) was several thousand in tests alone. It is not known who may need so many sites, but, nevertheless, one can forget about any limitation just by modifying the ISTG mechanism.

Additionally, you can disable traffic compression between sites, if, of course, this makes sense. Enabling compression increases the load on host server processors. If the network allows, then it might make sense to disable compression in order to transfer more data over the network, but then the controllers will be less loaded. You can do the opposite: if you need to save on network traffic, it makes sense to enable compression.

There is another limitation in how Windows 2000 Active Directory replicates groups. It concerns security groups. When assigning rights to access objects, it is good administrative practice to assign rights to groups; users are then included in or excluded from the group. A group is an object in Active Directory just like any other object, and an object has attributes. The peculiarity of the group is that the list of its members is not several attributes but one attribute with a large number of values, the so-called "Multi Value Attribute" (one attribute that has many values). The Active Directory replication mechanism is granular down to the attribute level: if an object is modified, the system replicates exactly the attributes that changed, not the entire object. Now let us return to the group, whose member attribute has, for example, one hundred values. If there are 100 people in the group, the attribute has 100 values. And if there are 5 thousand? The limitation is this: once group membership reaches 5 thousand objects, replication of the object becomes impossible. As soon as the 5001st member appears, replication of this group on Windows 2000 breaks, so a group of more than 5,000 members causes problems with directory replication. Windows Server 2003 Active Directory introduces an additional mechanism called "Linked Value Replication".

This mechanism exists solely for replicating attributes that have many values. With it, group membership is replicated at the level of individual members: if you add a new person to the group, the entire list is no longer replicated as one attribute; thanks to Linked Value Replication only the changed values are.
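To make the difference concrete, here is an added simulation (not Microsoft's code) of the two replication styles described above: whole-attribute replication with the 5,000-member limit the text mentions, versus linked-value replication, applied to a constructed group.

```python
from dataclasses import dataclass

# Practical Windows 2000 limit on members of one group, as stated in the text above
WIN2000_MEMBER_LIMIT = 5000


@dataclass
class ReplicationStats:
    """Counters for what one replication partner had to receive."""
    updates: int = 0       # replication operations processed
    values_sent: int = 0   # member DNs transmitted over the wire


def apply_change(members, change):
    """Apply ('add', dn) or ('remove', dn) to a copy of the member set."""
    op, dn = change
    updated = set(members)
    if op == "add":
        updated.add(dn)
    elif op == "remove":
        updated.discard(dn)
    else:
        raise ValueError(f"unknown operation {op!r}")
    return updated


def replicate_whole_attribute(members, change, stats):
    """Windows 2000 behaviour: the whole 'member' attribute is one replication
    unit, so every member DN is sent again on any change, and a group past the
    limit cannot be replicated at all."""
    updated = apply_change(members, change)
    if len(updated) > WIN2000_MEMBER_LIMIT:
        raise RuntimeError(
            f"group has {len(updated)} members; Windows 2000 cannot replicate "
            f"more than {WIN2000_MEMBER_LIMIT} values of one attribute")
    stats.updates += 1
    stats.values_sent += len(updated)
    return updated


def replicate_linked_values(members, change, stats):
    """Windows Server 2003 Linked Value Replication: each member value is its
    own replication unit, so only the added or removed DN is transmitted."""
    updated = apply_change(members, change)
    stats.updates += 1
    stats.values_sent += 1
    return updated


def simulate(replicate, initial_size, changes):
    """Start from a group with initial_size constructed members, apply the
    changes through the given replication strategy and return the stats."""
    members = {f"CN=user{i},OU=Staff,DC=example,DC=com" for i in range(initial_size)}
    stats = ReplicationStats()
    for change in changes:
        members = replicate(members, change, stats)
    return stats


def main():
    # Constructed scenario: a 100-member group, ten new hires added one by one
    adds = [("add", f"CN=hire{i},OU=Staff,DC=example,DC=com") for i in range(10)]
    old = simulate(replicate_whole_attribute, 100, adds)
    new = simulate(replicate_linked_values, 100, adds)
    print(f"Windows 2000 style : {old.values_sent} member values in {old.updates} updates")
    print(f"Windows 2003 LVR   : {new.values_sent} member values in {new.updates} updates")

    # The 5,001st member: fatal under whole-attribute replication, routine under LVR
    big_add = [("add", "CN=member5001,OU=Staff,DC=example,DC=com")]
    try:
        simulate(replicate_whole_attribute, 5000, big_add)
    except RuntimeError as err:
        print("Windows 2000 style :", err)
    sent = simulate(replicate_linked_values, 5000, big_add).values_sent
    print(f"Windows 2003 LVR   : {sent} member value sent")


if __name__ == "__main__":
    main()
```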

Another issue related to replication was related to the global catalog. The difficulty was how the global catalog behaves when the administrator modifies the so-called Partial Attribute Set (PAS) - the list of attributes that should be placed in the global catalog.

Perhaps this needs explaining. Each attribute has a flag that says whether it is placed in the global catalog or not. The global catalog is an additional catalog that contains information about every object in the directory, but not all of it: only the attributes marked for inclusion in the global catalog. Thus, for example, for each user the global catalog holds his name, his email address and perhaps some other additional parameter. Literally a few parameters, so that the user can be found quickly in the directory.

The problem arises when the administrator modifies the schema and changes the status for some other attribute by switching it to this mode. There was an attribute that did not get into the global catalog, the administrator went and changed the schema, included this attribute in PAS, after that, in addition to replicating the entire schema, on Windows 2000 there will be a complete resynchronization of all servers that store the global catalog. This will cause quite a lot of network traffic and some even internal directory service downtime.

Windows Server 2003 removes this problem. Replication and synchronization of the global catalog will be carried out solely to the extent of the added attribute. That is, when the operation of adding an attribute to PAS is performed, information is simply collected from those objects that have this attribute. And then it [the attribute] is added to the global catalog. Full synchronization does not occur.

Another feature related to the global catalog is the universal group caching mechanism. Let me remind you that there are three types of groups in Active Directory: local, global and universal. Local and global groups are stored in the replica on the controller; universal groups are stored in the global catalog. When a remote-office employee logs on to the network, the system registers the user and creates his security context. To do this, it needs to find out which groups the user belongs to. Windows 2000 can learn about local and global groups from the nearest controller, but the global catalog is located at the head office. A user's membership in universal groups can only be checked by querying the global catalog, so at logon time a request must be sent to the head office. If the connection is down and the global catalog is not available, the user is denied logon (the default in this situation). Setting the registry value to "ignore universal group membership errors" opens a security hole.

Windows Server 2003 introduces a universal group caching mechanism. Now, a connection to the global catalog is required only at the very first user login. These groups get to the controller and are saved there. Each subsequent user registration will not require a call because universal group membership is already known. At the same time, the caching of information is updated in a certain way: at specified intervals, global catalog information is requested to update information about user membership in universal groups.

Trust between forests

Trust between forests allows completely independent organizations to be integrated. Active Directory is a structure that can be a tree of domains with a root domain, or a forest consisting of several trees. What characterizes the forest is that all the domains in it, across all its trees, share three identical entities: a single schema, a single configuration container and a common global catalog. Naturally, the trees have different namespaces, although the whole forest can be given a contiguous naming hierarchy. If this is not done, each tree has its own naming hierarchy. You can also arrange for all the trees in the forest to be lined up in the same naming system.



Trust between forests


When it comes to integration and interaction between two different forests, there are usually two different systems built independently of each other. However, users in one forest (defined in only one forest) must be able to access objects defined in another forest. To do this, you need to establish a trusting relationship.

Windows 2000 allows you to make direct and transitive relationships between specific domains from different forests, but this will only work for these domains. Windows Server 2003 introduces a new type of trust called Cross-Forest Domain Relationship. These relationships are transitive for the domains that are part of each of the forests. That is, when two forests are connected by a trust relationship, users from any domain in one forest can see and access objects in another forest with absolute transparency from any domain.

You can make a chain, for example, of three forests A, B, C. A trusts B, and B trusts C. It does not follow from this that a trust relationship has also been established between forest A and C. It's like in Windows NT 4: non-transitive relationships in the sense that they are not transitive between forests. But between the domains that link two forests, the relationship is transitive.

Group Policy Management

Group Policy is the main tool that is used to control almost all subsystems and components within Windows. Whether it's a workstation and its settings, whether it's a server and its network services, Active Directory, security settings - all this is configured through group policies.

The Group Policy engine allows you to assign policies to containers, that is, organizational units, sites, and domains. Group Policy cannot be assigned to a specific user. At the same time, since the structure of containers in Active Directory is hierarchical, it is possible to assign different group policies at different levels. Therefore, inheritance mechanisms work. The administrator has certain functions to block inheritance or, conversely, to enforce the inheritance policy. The administrator has the ability to filter the application of group policies through access rights. In any case, a large number of tasks are solved with the help of no fewer tools. There is a specific tool for every task. Thus, in order to manage group policies in Windows 2000, you need to know about six tools and use them for various tasks.

Windows Server 2003 allows you to significantly simplify the life of the administrator due to the appearance of a special tool called the Group Policy Management Console. This is an integrated or consolidated console that includes an interface for performing absolutely all tasks related to group policies. You no longer have to puzzle over where this operation is done - everything is in the Group Policy Management Console, while the console groups information in a very logical, intuitive way.

In addition to being a consolidated graphical toolkit, the Group Policy Management Console adds a number of new features to group policy management. For example, group policy backup and restore functions, group policy copy functions between domains in the same forest, and group policy import/export.

There is no Group Policy Management Console as part of Windows Server 2003. It must be downloaded from the Microsoft web server ( http://www.microsoft.com/downloads). You can install the console on either Windows Server 2003 or Windows XP if you have Service Pack 1 and the .NET Framework. Thus, using the Group Policy Management Console, you can manage group policies without even being directly on the domain controller. You can install the console directly on a Windows XP workstation and centrally manage all group policies in the forest from that workstation. In addition, the Group Policy Management Console includes two wizards that allow you to analyze and model the process of applying Group Policy. The first one is called the "Group Policy Results Wizard" and it shows which policies were applied to this particular computer, which values ​​have changed, and from which policies these values ​​have been retrieved. If something didn't apply, the wizard shows why it didn't apply.

It is clear that this mechanism requires connection to the computer that is being analyzed. That is, in remote connection mode, the administrator, of course, can connect to any workstation and ask to analyze how group policies were applied to this machine. You can do it the other way: before deploying and implementing a group policy system, you can simulate what will happen to the user, or to the computer, when group policy is applied to it.

Such modeling is performed with a tool located in the Group Policy Management Console and called Process Modeling. Modeling does not require a connection to the computer under study; it works only with information stored in Active Directory, so access to a Windows Server 2003 Active Directory controller is sufficient. You can, for example, see what would happen if a user were placed in some security group, or notionally put the user in some container and see what happens.

There are some other new features of the Group Policy Management Console - archiving and restoring group policies. The objects themselves can be saved as a file in a specific directory. Then they can be restored back in case of some kind of problem or when experimenting with the domain, Active Directory, or group policies. It is important that you can only restore a Group Policy to the same domain where it was backed up. Only the GPO itself is restored: what was additionally attached to it cannot be archived, and therefore cannot be restored either.

Let's move on to Windows Management Instrumentations (WMI). This is the technology that is now the mainstay in systems management. WMI is used almost everywhere: any service uses WMI in one way or another.

Using WMI, you can get information about all the objects that exist in the system, whether they are hardware devices or some software components. Absolutely any information can be obtained by querying the WMI database. Since such a mechanism exists, Microsoft has developed additional functionality to apply group policies. Now you can filter the application of group policies based on access to the WMI database. That is, you can literally assign a filter in Group Policy. For example, if the response to a query that is sent to WMI is positive, then the group policy is applied, and if it is negative, then the group policy is not applied.

Software Restriction Policy

This is a centralized policy that can be implemented at the level of the entire enterprise. With its help, the administrator has the ability to limit the list of programs that users can run on their workstations. The administrator can, on the contrary, specify a list of programs that users cannot run on their machines under any circumstances.

To implement this mechanism, the principle is used: a base level, plus an exception. Accordingly, the base levels can be of two types for different scenarios. The first basic level is called "Disallowed": all programs are disabled by default, except for those allowed in exceptions, in additional rules. The second is called Unrestricted: all programs are allowed, but the list of additional rules contains exceptions, that is, a black list of programs that cannot be run.

Rules can be of four types (ranked by priority): Certificate (highest priority), Hash, Path and Zone. Priority is relevant when there are several policies defining the same application with different rules. For example, one policy allows you to run all programs that are located in the "ABCD" directory, and another policy prohibits the launch of programs that have such and such a hash. If it turns out that this program, which is forbidden to run, is located in the allowed directory ABCD, then the prohibition rule will be stronger, because the hash rule "beats" the rule on the path. That's what priority is for.
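The precedence argument above (a hash rule overriding a path rule, on top of a Disallowed or Unrestricted base level) as an added model written for this page, not Microsoft's implementation. It assumes SHA-256 for hash rules and plain publisher-name matching for certificate rules, and applies one modelling choice of its own: when several rules of the same type match, the longer match wins and, on a tie, the restrictive one.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Rule types in order of precedence, highest first, as described in the text
PRECEDENCE = ("certificate", "hash", "path", "zone")


@dataclass(frozen=True)
class Rule:
    kind: str     # one of PRECEDENCE
    match: str    # publisher name, SHA-256 hex digest, path prefix, or zone name
    level: str    # "Unrestricted" or "Disallowed"


@dataclass(frozen=True)
class Program:
    """Facts about a program the policy is evaluated against (constructed)."""
    path: str
    content: bytes
    publisher: Optional[str] = None   # subject of the signing certificate, if signed
    zone: str = "Local computer"


def hash_rule(content: bytes, level: str) -> Rule:
    """Build a hash rule from the program bytes (this model uses SHA-256)."""
    return Rule("hash", hashlib.sha256(content).hexdigest(), level)


def rule_matches(rule: Rule, program: Program) -> bool:
    """Decide whether one rule applies to the program."""
    if rule.kind == "certificate":
        return program.publisher is not None and program.publisher == rule.match
    if rule.kind == "hash":
        return hashlib.sha256(program.content).hexdigest() == rule.match.lower()
    if rule.kind == "path":
        # A path rule covers the path itself and everything beneath it
        target = PureWindowsPath(program.path.lower())
        prefix = PureWindowsPath(rule.match.lower())
        return target == prefix or prefix in target.parents
    if rule.kind == "zone":
        return program.zone.lower() == rule.match.lower()
    raise ValueError(f"unknown rule type {rule.kind!r}")


def evaluate(default_level: str, rules, program: Program):
    """Return (level, winning_rule). The highest-precedence matching rule type
    decides; if nothing matches, the base level applies and the rule is None."""
    for kind in PRECEDENCE:
        matching = [r for r in rules if r.kind == kind and rule_matches(r, program)]
        if matching:
            # Model assumption: longer (more specific) match wins, then Disallowed
            winner = sorted(matching,
                            key=lambda r: (len(r.match), r.level == "Disallowed"))[-1]
            return winner.level, winner
    return default_level, None


def main():
    # Constructed scenario from the text: C:\ABCD is allowed by a path rule,
    # but one program found there is banned by a hash rule.
    banned = Program(path=r"C:\ABCD\tool.exe", content=b"constructed binary 1")
    harmless = Program(path=r"C:\ABCD\report.exe", content=b"constructed binary 2")
    elsewhere = Program(path=r"C:\Temp\report.exe", content=b"constructed binary 2")
    rules = [
        Rule("path", r"C:\ABCD", "Unrestricted"),
        hash_rule(banned.content, "Disallowed"),
    ]
    for base in ("Disallowed", "Unrestricted"):
        print(f"Base level {base}:")
        for prog in (banned, harmless, elsewhere):
            level, rule = evaluate(base, rules, prog)
            why = f"{rule.kind} rule" if rule else "base level"
            print(f"  {prog.path:<22} -> {level:<12} ({why})")


if __name__ == "__main__":
    main()
```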

Conclusion

It can be summarized that with the advent of Windows Server 2003, not so many useful features for working with Active Directory have been added. However, some of them are very useful and can save a system administrator time and nerves. These are, first of all, the Group Policy Management Console and command line utilities. The remaining changes often eliminate the shortcomings of previous versions of the system (updated mechanisms and algorithms), but you still need to know exactly where the Active Directory features are extended and how to use them...
