Implementing Active Directory

Lesson 2

Key Terms

A record, forward lookup zone, restartable Active Directory, Active Directory Lightweight Directory Services (AD LDS), fully qualified domain name (FQDN), reverse lookup zone, scavenging, Admin Role Separation, global catalog, Server Core, aging, incremental zone transfers, Server Manager, binaries, instance, staged installation, dcpromo, latency, SYSVOL, Directory Services Restore Mode (DSRM), netdom, time-to-live, nslookup, unattended installation, domain netBIOS name, Object Identifier (OID), User Principal Name, dynamic updates, Password Replication Policy, Flexible Single Master Operations (FSMO), pointer (PTR), priority

After completing this lesson, you will understand the necessary prerequisites for installing the Active Directory Domain Services (AD DS) role on a Windows Server 2008 computer. You will also learn the procedures involved in creating a new Active Directory forest, domain tree, and domain. You will be able to discuss an exciting new feature of AD DS in Windows Server 2008, the Read-Only Domain Controller (RODC). Finally, you will be able to discuss the requirements for modifying the Active Directory schema as well as installing and configuring Active Directory Lightweight Directory Services (AD LDS), formerly known as ADAM in previous versions of the Windows operating system.

Introducing the Server Manager

[Figure: the Server Manager console]

Windows Server 2008 provides a new unified tool for administering all aspects of a particular server. When a Windows Server 2008 server boots for the first time, you will see the Initial Configuration Tasks window, which allows you to perform initial configuration tasks such as setting the computer name and configuring the Windows Firewall.
You can add roles to a Windows Server 2008 server from the Initial Configuration Tasks (ICT) interface or from the Server Manager console in the Administrative Tools folder. From here, you can add and remove different server roles (such as the DNS Server role or the Active Directory Domain Services role), as well as perform system diagnostics; configure system services, such as the Windows Firewall; and drill down into specific administrative tools, such as the DNS Management Console or Active Directory Users and Computers.

This lesson focuses on the process used to install and configure Active Directory, including the important points you must understand to prepare for installation and key post-installation tasks. In particular, this lesson describes the key concepts involved in deploying the Microsoft Windows Server 2008 Active Directory forest.

Understanding the Requirements for Active Directory

You will install Active Directory by configuring one or more domain controllers within your Windows Server 2008 network and then configuring your clients to authenticate against these domain controllers. Before you begin, you need to understand the hardware requirements for installing Active Directory. In addition, you need to be able to size your domain controller hardware appropriately to support the size and scope of your organization's Active Directory requirements. Generally speaking, you can configure Active Directory on any server that has been configured with a Windows 2000, Windows Server 2003, or Windows Server 2008-based operating system that has been secured with the most up-to-date service packs and hot fixes.

Keep in mind that the figures that follow are minimum requirements; be sure that your hardware is sufficient to meet your current requirements as well as any future expansion.
The Active Directory Installation Wizard, dcpromo, will guide you through any of the following installation scenarios:
• Adding a domain controller to an existing environment
• Creating an entirely new forest structure
• Adding a child domain to an existing domain
• Adding a new domain tree to an existing forest
• Demoting domain controllers and eventually removing a domain or forest

Before installing a Windows Server 2008 Active Directory, consider the following hardware, software, and administrative requirements:
• A server running Windows Server 2008 Standard Edition, Windows Server 2008 Enterprise Edition, or Windows Server 2008 Datacenter Edition. You can install Active Directory on the full version of Windows Server 2008 as well as Server Core, a new installation option in Windows Server 2008.
• An administrator account and password on the local machine.
• An NT file system (NTFS) partition for the SYSVOL folder structure. The SYSVOL shared folder exists on all domain controllers and is used to store Group Policy Objects, login scripts, and other files that are replicated domain-wide.
• 200 MB minimum free space on the previously mentioned NTFS partition for Active Directory database files.
• 50 MB minimum free space for the transaction log files. These files can be located on the same partition as the database files or elsewhere. However, to achieve optimal performance, these files should be located on a physical drive other than the one holding the operating system. Placing the database and log files on separate hard drives results in better performance because they do not need to compete for the input/output (I/O) processes of a single drive.
• Transmission Control Protocol/Internet Protocol (TCP/IP) must be installed and configured to use DNS.
• An authoritative DNS server for the DNS domain that supports service resource (SRV) records.
Microsoft also recommends that the server providing DNS for Active Directory be able to support incremental zone transfers and dynamic updates. A zone transfer is the process of replicating DNS information from one DNS server to another. With an incremental zone transfer, bandwidth is conserved because the entire zone does not have to be transferred; only the changes are transferred. When the Internet Protocol (IP) address of a host changes, dynamic updates allow the DNS database to be updated with the changed information. This allows more efficiency in the maintenance of the database, resulting in fewer resolution problems for clients.

Before you can install Active Directory, you will also need to know the potential size of the Active Directory database. Active Directory space requirements per object are much smaller than you might think. The approximate sizes of objects and attributes in Active Directory are as follows:
• Security principal (User, Group, Computer) = 3,600 bytes
• Organizational unit (OU) = 1,100 bytes
• Security certificates mapped to a user = 1,500 bytes
• Object attributes = ~100 bytes each
• Access Control Entry (ACE) = 70 bytes per ACE

Taking these sizing requirements into consideration, a user account having 20 attributes and a certificate will take up approximately 7,100 bytes of space (3,600 + 20 × 100 + 1,500). When planning space requirements, you need to know the approximate number and types of objects you need to accommodate. After doing some simple math, you will find that the Active Directory database takes up relatively little space considering the amount of information it contains. Always be prepared to pad your final number to ensure that you are not caught short in case you need to expand beyond your original projections.
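The following script is an added example, not part of the textbook, that checks the prerequisites listed above (static IP address, DNS configured, NTFS volumes with 200 MB free for the database and 50 MB for the logs) and applies the per-object sizes to a planned object count. It uses only the WMI cmdlets available on Windows Server 2008; the paths, object counts and the 25 % padding are assumptions you should adjust.

```powershell
# Added example (not from the textbook): checks the prerequisites listed above
# before running dcpromo, using the WMI cmdlets available on Windows Server 2008.
# Paths and object counts below are assumptions; adjust them for your server.
param(
    [string]$DatabasePath = 'C:\Windows\NTDS',   # default location named in the lesson
    [string]$LogPath      = 'C:\Windows\NTDS',   # ideally a separate physical drive
    [int]$Users = 1000, [int]$Groups = 100, [int]$Computers = 500, [int]$OUs = 20,
    [int]$AttributesPerObject = 20, [int]$CertsPerUser = 1, [int]$AcesPerObject = 10
)

function Test-AdDsPrerequisites {
    $problems = @()

    # A domain controller needs a static IP address and a reachable DNS server.
    foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True') {
        if ($nic.DHCPEnabled) { $problems += "$($nic.Description): uses DHCP; assign a static IP address." }
        if (-not $nic.DNSServerSearchOrder) { $problems += "$($nic.Description): no DNS server configured." }
    }

    # Database and log volumes must be NTFS with the minimum free space from the list
    # (200 MB for ntds.dit, 50 MB for the transaction logs). Paths are assumed to
    # start with a drive letter, e.g. C:\...
    $volumes = @(@($DatabasePath, 200MB, 'database'), @($LogPath, 50MB, 'log'))
    foreach ($v in $volumes) {
        $letter = $v[0].Substring(0, 2)
        $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$letter'"
        if ($disk.FileSystem -ne 'NTFS') { $problems += "$($v[2]) path $($v[0]) is not on NTFS." }
        if ([int64]$disk.FreeSpace -lt $v[1]) { $problems += "$($v[2]) path $($v[0]) has under $($v[1] / 1MB) MB free." }
    }
    if ($DatabasePath.Substring(0, 2) -eq $LogPath.Substring(0, 2)) {
        Write-Warning 'Database and logs share a drive; separate physical drives avoid I/O contention.'
    }
    return $problems
}

function Get-AdDsDatabaseEstimateMB {
    # Per-object sizes from the table above: 3,600 bytes per security principal,
    # 1,100 per OU, 1,500 per certificate, ~100 per attribute, 70 per ACE.
    $principals = $Users + $Groups + $Computers
    $bytes  = $principals * 3600 + $OUs * 1100 + $Users * $CertsPerUser * 1500
    $bytes += ($principals + $OUs) * ($AttributesPerObject * 100 + $AcesPerObject * 70)
    # The 25 % padding is an assumption; the lesson only says to pad your final number.
    return [math]::Ceiling($bytes * 1.25 / 1MB)
}

$issues = Test-AdDsPrerequisites
if ($issues) { $issues | ForEach-Object { Write-Host "FAIL: $_" } } else { Write-Host 'Prerequisites look OK.' }
Write-Host ("Estimated ntds.dit size with padding: {0} MB" -f (Get-AdDsDatabaseEstimateMB))
```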
Prior to running the Active Directory Installation Wizard, you should gather all of the information you will need during the installation process, which includes the following:
• Local administrator password
• Domain controller type
• Domain name
• Location for the Active Directory database and log files. This defaults to C:\WINDOWS\NTDS, but for larger Active Directory installations you can improve performance by moving these files to a separate disk controller.
• Desired location for the SYSVOL folder structure, which is used to store administrative items such as Group Policy Objects and login scripts. This defaults to C:\WINDOWS\SYSVOL, but can also be moved to improve performance on larger installations.
• DNS information, such as whether DNS will be installed on the same server as Active Directory. If not, then you need to have the IP addresses of one or more DNS servers.
• Directory Services Restore Mode (DSRM) password. This is a separate password that is used to access Active Directory during data restore or disaster-recovery scenarios.
• The installation CD-ROM or the location of the installation files if you are installing from a network folder.
• Ensure that you have installed the most up-to-date service packs and hot fixes on the server.

After you have gathered this prerequisite information, you can start the installation process as described in the following section.

Installing a New Active Directory Forest

The first Active Directory domain on the network is the forest root domain. The forest root domain is critical to the functioning of Active Directory because it needs to remain online and in place for the lifetime of an Active Directory installation. You can add and remove child domains and additional domain trees as the needs of your organization grow and change, but the forest root domain must remain in place.
You can launch the Active Directory Installation Wizard using the dcpromo.exe command-line tool or from the Server Manager utility that is installed in the Administrative Tools folder of each Windows Server 2008 server. The Server Manager utility launches automatically at startup after you close the Initial Configuration Tasks utility, or you can access it manually through the shortcut provided in the Administrative Tools folder or directly from the Start menu. The advantage of the Server Manager interface is that it will allow you to view any other roles the server might be performing. However, using dcpromo will allow you to script or automate the installation process.

The first domain controller installed in a new Active Directory forest will hold all of the Flexible Single Master Operations (FSMO) roles, which are specific server roles that work together to enable the multimaster functionality of Active Directory. The dcpromo process assigns per-forest and per-domain FSMO roles in each new domain that you add to Active Directory. By default, all forest-wide FSMOs will be configured on the first domain controller installed in the entire forest, and all domain-wide FSMOs will be configured on the first domain controller installed in a new domain. For example, modifying the schema is a per-forest role because the Active Directory schema is shared among all domains in a forest. The server holding the Schema Master operations role must be accessible to all domains in the forest. After the initial domain controller creation, additional domain controllers can be installed and the roles can be transferred to the new domain controllers.

INSTALL A NEW ACTIVE DIRECTORY FOREST

GET READY. You must be logged on as a member of the local Administrators group to perform this process; the server computer should be configured with a static IP address.

1. Click the Start menu and select Server Manager.
2. Click Roles and then click Add Roles under the Roles Summary section.
3. Read the Before You Begin window and click Next.
4. On the Select Server Roles window, select Active Directory Domain Services, as shown in Figure 2-2.

Figure 2-2: Select server role

5. Click Next to continue. You are presented with an introduction to Active Directory Domain Services that provides a number of helpful hints for installing and administering Active Directory. The tips include the following points:
• Be sure to install more than one domain controller in each Active Directory domain so that clients can log on even if a single domain controller fails.
• Active Directory requires an available DNS server on the network.
• Installing Active Directory will also add the following prerequisite services to the server: DFS Namespace, DFS Replication, and the File Replication Service.
6. Click Next after you read the Introduction to Active Directory Domain Services window.
7. Click Install to begin the installation process. The Server Manager will appear to pause for a few minutes because the actual executable files, or binaries, that are needed to install Active Directory are being copied to the system drive. A significant security improvement in Windows Server 2008 is that these binaries (installation files) are not actually installed until you choose to install Active Directory; this prevents any viruses or worms from targeting these files if the server is not configured as a domain controller, because the files in question are not present on the hard disk. After the AD DS binaries have installed, click Close. You are returned to Server Manager, which will now resemble the window shown in Figure 2-3. Notice that the Active Directory Domain Services role is listed, but it has a red icon next to it.

Figure 2-3: Active Directory Domain Services role installed but not configured
This indicates that the AD DS binaries have been installed on the server, but Active Directory has not been completely configured.

8. Drill down to the Active Directory Domain Services role, which will take you to a window similar to the one shown in Figure 2-4.

Figure 2-4: Active Directory Domain Services summary

10. Follow the instructions you see on the window and click Run the Active Directory Domain Services Installation Wizard. The Active Directory Domain Services Installation Wizard will launch as shown in Figure 2-5. Place a checkmark next to Use Advanced Mode Installation.

Figure 2-5: Active Directory Domain Services Installation Wizard

11. Read the information and click Next in two windows to display the window shown in Figure 2-6.

Figure 2-6: Choose a deployment configuration

12. To create the first domain controller in a new Active Directory forest, select Create a new domain in a new forest and click Next.
13. You are prompted to enter the domain name of the Active Directory forest root domain. In this case, key lucernepublishing.com and click Next.
14. You are prompted to fill in the domain netBIOS name for this domain. The domain netBIOS name is limited to 15 characters and is maintained for legacy compatibility with older applications that cannot use DNS for their name resolution. In most cases, this name will simply be the first portion of the fully qualified domain name (FQDN): LUCERNEPUBLISHING in the case of the lucernepublishing.com FQDN, or SALES in the case of sales.lucernepublishing.com. However, because LUCERNEPUBLISHING is longer than 15 characters, you must select a shorter name. Enter LP as the domain netBIOS name as shown in Figure 2-7 and click Next.

Figure 2-7: Enter the domain NetBIOS name

15. You are prompted to select the forest functional level (FFL) and domain functional level (DFL) of the new domain and the new forest. As discussed in Lesson 1, the FFL and DFL are used to control what operating systems can be installed as domain controllers within a domain or forest. Raising the DFL or FFL will enable more functionality within Active Directory because it reduces the need to coexist with legacy operating systems. Select Windows Server 2003 as the forest functional level and then click Next.
16. Select Windows Server 2003 as the domain functional level and then click Next.
17. Next, you could select one or more of the following domain controller options for this domain controller:
• DNS Server. This option is checked by default and will allow the domain controller to perform DNS name resolution. Leave this box selected.
• Global Catalog. This option is selected and grayed out for the first domain controller in a new domain because Active Directory requires that at least one global catalog be installed in each domain.
• Read-Only Domain Controller (RODC). This option is unavailable for the first domain controller in a new domain because the first domain controller cannot be an RODC.
As shown in Figure 2-8, the DNS Server option is selected by default. Click Next without making any changes.

Figure 2-8: Choose additional domain controller options
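The lesson notes that dcpromo can script the installation. The following added example (not from the textbook) performs the same promotion as the wizard steps above from an unattended answer file: forest root lucernepublishing.com, netBIOS name LP, Windows Server 2003 forest and domain functional levels, DNS Server and global catalog on the first domain controller. The answer-file path, the temporary file name and the run-time password prompt are assumptions; the database, log and SYSVOL paths are the lesson's defaults.

```powershell
# Added example (not from the textbook): unattended dcpromo run that builds the same
# forest as the wizard steps above. The [DCInstall] keys follow the Windows Server 2008
# dcpromo answer-file format; ForestLevel/DomainLevel 2 = Windows Server 2003.
# The answer-file location is an assumption; the DSRM password is read at run time.
$answerFile   = Join-Path $env:TEMP 'dcpromo-forest.txt'
$dsrmPassword = Read-Host 'Directory Services Restore Mode (DSRM) password'

@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=lucernepublishing.com
DomainNetbiosName=LP
ForestLevel=2
DomainLevel=2
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    # Same promotion the wizard performs, driven by the answer file instead of the GUI;
    # this is also the way to promote a Server Core installation, which has no wizard.
    $proc = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/unattend:`"$answerFile`"" -Wait -PassThru
    Write-Host "dcpromo finished with exit code $($proc.ExitCode); reboot to complete the promotion."
} finally {
    # The answer file holds the DSRM password in clear text: remove it as soon as dcpromo is done.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
```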
