
.

.
, .
I. Active Directory Windows Server 2003.
1. Active Director.
2. Active Directory.
3. Active Directory .
4. Active Directory .
II. Active Directory Windows Server 2003.
5. Active Directory.
6. Active Directory.
7. Active Directory.
III. Active Directory Windows Server 2003.
8. Active Directory.
9. Active Directory.
10. Active Directory. 11.
.
12.
. 13.
.
IV. Active Directory Windows Server 2003.
14. Active Directory.
15. .


Active Directory Microsoft Windows Server
2003, ,
Active Directory Windows Server 2003.
Active Directory Microsoft Windows 2000.
Active Directory, Windows 2000,
Windows Server 2003, , . ,
Active Directory,
, , Active
Directory . ,
, , Active Directory .


Active Directory Microsoft Windows Server 2003 ,
Active Directory.
Active Directory Windows 2000,
Active Directory .
, Active Directory.
, Active Directory,
.
, . I
Active Directory . II
, Active Directory .
Active Directory , III
, Active Directory,
Active Directory . IV, ,
Active Directory.
I, Active Directory Windows 2003,
Active Directory Windows Server 2003. Active
Directory , Microsoft.
Active Directory ,
, , . ,
Active Directory .
I, .
1, Active Directory, ,
Microsoft Windows 2000
Windows NT. Active Directory
.
, Windows Server 2003 ,
Windows 2000.
2, Active Directory,
, Active Directory.
Active Directory, Active
Directory, Active Directory, , .
3, Active Directory ,
Active Directory. Active Directory
(DNS - Domain Name System),

DNS,
Active Directory.
DNS, Active Directory DNS,
, DNS,
, Active Directory.
4, Active Directory ,
Active Directory. , Active Directory, ,
Active Directory .
Active Directory ,
,
.
Active Directory,
Active Directory
. II, Active Directory Windows Server 2003,
. Active Directory
. , , ,
(OU - Organizational Unit),
,
. Active Directory Windows Server
2003 , Active Directory. ,
Active Directory Windows Server 2003,
, Microsoft Windows NT 4. Active
Directory Windows Server 2003 Windows NT,
. II
.
5, Active Directory,
, Active Directory.
:
Active Directory.
, , , ,
OU.
6, Active Directory, ,
Active Directory. Active
Directory ,
.
7, Active Directory, ,
Microsoft Active Directory Windows
Server 2003. ,
Windows NT, Active Directory Windows 2000.
, , Windows NT
Active Directory Windows Server 2003, Active Directory Windows
2000.
Active Directory ,
. III,
Active Directory Windows Server 2003, ,
. III :
. ,
Active Directory,
Active
Directory. .
Active Directory ,

.

. - ,
. III
.

8, Active Directory, ,
Active Directory Windows Server 2003.
Kerberos,
Active Directory.
9, Active Directory,
Active Directory,
. Active Directory
,

. , Active Directory.
10, Active Directory,
Active Directory: ,
. Active Directory Windows Server 2003
, inetOrgPerson, , .
11, , .
,
Active Directory, ,
, ,
.
12,
, .

.
, .
,
, .
13, ,

. ,
, ,
,
. ,
.
,
Active Directory .
Active Directory.
, - ,
. , ,
Active Directory . IV,
Active Directory Windows Server 2003,
.
14, Active Directory,
, Active Directory,
Active Directory .
, Active
Directory.
15, , ,
Active Directory. Active
Directory ,
, .
, ,
Active Directory. Active Directory Microsoft
Windows Server 2003 - , , .
,
.

. , 5 , ,
, , 2. ,
(.
12), , 11.

,
, .
, ,
, .
. ,
.
. ,
, - ,
.
. ,
. ,
.
.
.
.
. ,
.
.
. ,
.
. , ,
. , .

I.
Active Directory Windows
Server 2003
Active Directory Microsoft Windows Server 2003 ,
Microsoft. Active Directory
, ,
. ,
Active Directory , .
. 1, Active Directory, ,
Active Directory Windows Server 2003. 1 2
, Active Directory. Active Directory
(DNS - Domain Name System), 3
, DNS
Active Directory. , , Active
Directory, , Active Directory
. 4 , .

1. Active Directory
Microsoft Windows Server 2003
, Microsoft - Active Directory.
Microsoft Windows 2000, Active Directory, Windows Server 2003,
, .
. Windows Server 2003
Microsoft Windows Server 2003,
Active Directory: Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise
Edition; Windows Server 2003, Datacenter Edition.
,
Active Directory Windows Server 2003, .
Active Directory , -
, Windows Server 2003.
Active Directory Active Directory,
.
, ,
Active Directory. .

Microsoft
Active Directory
Microsoft Windows. Active Directory Windows Server 2000,
Windows Server 2003.

Microsoft
. ,
, ,

. , , ( ) ,
.

LAN OS/2 MS-DOS


1987 ,
Microsoft ( OS/2 MS-DOS),
Microsoft LAN Manager. LAN Manager

, ,
. .
,
.

Windows NT SAM
Microsoft Windows NT 3.1 Advanced Server. Windows NT Server
32-
Microsoft Windows for Workgroups,
. Windows NT NOS (Network Operating System
) SAM (Security Accounts Management -
). ,
.
,
Windows NT.
SAM
Microsoft Windows NT NOS, Windows NT 3.5 Windows NT Server 4.
SAM ,
- .
Windows NT Windows NT.
SAM ,
. SAM 40
. ,
, 40000.

, .
,
,
. Windows NT 4 , ,
,
.
,
. ,
,
.
,
,
.
,
: (single domain), (master domain),
(multiple master domain, multimaster)
(complete trust). 1-1.

. 1 -1. , Windows NT 4

.
, Windows NT 4
, ..
. , ,
,
. , Windows NT
. -
, Windows NT,
.
SAM .
, SAM, NOS.

. , SAM

, (UI - User Interface) Windows NT 4, User
Manager For Domains ( ) Server Manager (
). SAM
Windows NT
Windows-NOS.
Microsoft Exchange Server.

Windows 2000 Active Directory


SAM NOS,
Exchange Server.
Exchange Server, - Exchange
Directory. Exchange Directory
,
. , Exchange Directory
(LDAP) TCP/IP
( ) .
NOS- Windows, Microsoft
Exchange Server .
-
Exchange Server , Exchange Server
, ,

Exchange Server. Windows 2000.


Active Directory,
Exchange Server 4, Windows 2000. Active Directory
SAM Microsoft.
Windows NT 4
SAM . Active
Directory Windows 2000 , .
70 ,
SAM 40 . , Active
Directory, .
Active Directory
, .
Compaq Computer Corporation, Hewlett-Packard,

. ,
, , ,
. Active Directory ,
,
.
,
, .
,
,
Active Directory. ,
Windows NT 4,
(OU - organizational unit),
Windows NT 4. 1-2
Windows 2000.
Active Directory . Active Directory
, LDAP .500. Active Directory
.
Active Directory, LDAP-
, Active Directory Service Interface (ADSI) Edit Ldp.exe (LDAP--
Active Directory). Active Directory
LDAP, .
,
, (GUI).
. 1 -2. Windows 2000


Windows Server 2003 Active Directory


, , Active Directory,
Windows 2000, Windows Server 2003
Web Edition, Active Directory .
Active Directory Windows Server 2003
, ,
.
, ,
MS-DOS, LAN Manager, Active
Directory , .
, Active Directory
Windows Server 2003, .

Active Directory

, Microsoft
NOS .
, , ,
NOS,
. Windows
Novell Netware, Intel, UNIX-,
RISC ( ),
Linux, ,
. NOS
.
. ,
, ()
,
.
,
Active Directory: .500 LDAP.

.500
.500 (namespace) , Active
Directory. .500 ,
.
.
.500 (OID -Object Identifier),
. Active Directory
.500, Microsoft ( )
.
(dotted), .. ,
(string). , .500 OID, 2.5.4.10,
Organization-Name ( ) ( LDAP- - ).

.500, .
Active Directory
.500, (OSI - Open Systems
Interconnection). :
cn=Karen Friske, cn=Users, dc=Contoso, dc=com

.500, Users
() Contoso.com Karen Friske.
Contoso.
.500 , ( OU),

.
.500 Request for Comments (RFC)
1779, http://www.faqs.org/rfcs/rfc1779.html.
.500 OID, (snap-in) Active
Directory Schema ( Active Directory), ADSI Edit ( ADSI).
.500 OID Organization-Name,
ADSI Edit : CN=Organization-Name.
1-3 attributelD ( .500) http://Organization-Name.

. 1 -3. Organization-Name, ADSI Edit




. , ,
, ,
.
, ().

, , ,
Active Directory Windows Server 2003.
,
. :
Windows,
,
, , ,
;
Windows Novell,
Intel NOS
- .
-,
(IT),
NOS. ,
, .
Windows 2000 Active Directory, Windows Server 2003 Active Directory, Novell Directory
Services Novel Netware 5
;
(DNS) UNIX, DHCP (Dynamic Host Configuration
Protocol - ), /

(firewall/proxy) NAT (Network Address Translation -


), RISC. ( )
- UNIX. ,
, , ,
; Linux ,
Intel RISC. Linux, ,
, ,
. Linux-
, Windows- SMB (Server Message Block -
). ,
Windows-.

(LDAP)
LDAP , Active
Directory Windows Server 2003. LDAP
X.500/OSI. (API) LDAP
Active Directory Windows Server 2003 Wldap32.dll. Active Directory
, LDAP
ADSI (Component Object Model ).
LDAP TCP/IP , LDAP-
. LDAP
,
Active Directory .
LDAP ,
, :
LDAP://cn=Karen Friske,cn=Users,dc=Contoso,dc=com

,
LDAP- . LDAP-
( ) RFC 1777,
http://www.faqs.org/rfcs/rfc1777.html.
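The X.500 distinguished name and the LDAP URL quoted above can be taken apart mechanically. The following Python is an added example, not code from the book or from Microsoft: it splits a distinguished name into its RDNs (honouring backslash escapes such as "Friske\, Karen", but not hex-pair escapes), maps attribute-type OIDs such as the 2.5.4.10 Organization-Name mentioned above onto their LDAP display names, derives the domain's DNS name from the dc= components, and separates the optional host part of an LDAP URL from the DN. The OIDs listed for cn and dc are the standard X.500 / RFC 4519 assignments; the sample names are the book's Karen Friske and Contoso.

```python
# Added example (not from the book): parsing X.500-style names and LDAP URLs.
from typing import List, Tuple

RDN = Tuple[str, str]

# Attribute-type OIDs: 2.5.4.10 (Organization-Name, "o") is the one the text
# quotes; cn and dc are the standard X.500 / RFC 4519 assignments.
ATTRIBUTE_OIDS = {
    "2.5.4.3": "cn",
    "2.5.4.10": "o",
    "0.9.2342.19200300.100.1.25": "dc",
}

# Characters that must be backslash-escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def split_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) pairs, most specific first.

    Honours backslash escapes, drops the optional space after each comma,
    lower-cases attribute types and resolves dotted OIDs via ATTRIBUTE_OIDS.
    """
    rdns: List[RDN] = []
    buf: List[str] = []
    attr = ""
    in_attr = True     # reading the attribute type (before '=') or the value
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif in_attr and ch == "=":
            attr = "".join(buf).strip().lower()
            buf, in_attr = [], False
        elif not in_attr and ch == ",":
            rdns.append((ATTRIBUTE_OIDS.get(attr, attr), "".join(buf).strip()))
            buf, in_attr = [], True
        else:
            buf.append(ch)
    if escaped or in_attr or not attr:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((ATTRIBUTE_OIDS.get(attr, attr), "".join(buf).strip()))
    return rdns


def escape_value(value: str) -> str:
    """Re-escape a value so that to_dn(split_dn(x)) round-trips."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out


def to_dn(rdns: List[RDN]) -> str:
    """Serialise RDNs back into a DN without the cosmetic spaces."""
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def parent_dn(dn: str) -> str:
    """The container that holds the object named by dn."""
    return to_dn(split_dn(dn)[1:])


def dns_name_from_dn(dn: str) -> str:
    """Join the dc= components into the DNS name of the domain."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "dc")


def parse_ldap_url(url: str) -> Tuple[str, str]:
    """Split 'LDAP://[host[:port]/]dn' into (host, dn).

    The host is empty in the serverless form quoted in the text; a client
    then locates a domain controller through DNS instead.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "ldap":
        raise ValueError(f"not an LDAP URL: {url!r}")
    rest = rest.strip()
    head, _slash, tail = rest.partition("/")
    if "=" in head:   # a DN starts with 'attr='; a host name never contains '='
        return "", rest
    return head, tail
```

split_dn("cn=Karen Friske, cn=Users, dc=Contoso, dc=com") yields four RDNs, dns_name_from_dn() turns the trailing dc= components into Contoso.com, and parse_ldap_url() returns an empty host for the serverless URL shown above.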
Active Directory, LDAP, LDAP Ldp.exe,
Suptools.msi, Support\Tools - Windows Server 2003.
Ldp.exe, Active Directory
UDP (User Datagram Protocol )
LD- , . Active
Directory, Ldp.exe, ,
Active Directory, UDP 389, ,
. 1-4
Karen Friske,
Ldp.exe.

. 1-4. Karen Friske, Ldp.exe


Active Directory
: Active Directory?.
Windows Server 2003,
Active Directory . ,
Active Directory, Microsoft Exchange Server 2000.
Exchange Server 2000 Active Directory ,
Active Directory, Exchange Server 2000.
Active Directory
Windows Server 2003.


Active Directory ,
. ,
,
. ,
, Exchange Server 2000.
,
.


(forest - Active Directory) Windows
Server 2003
(UPN -User Principal Name), , mike@contoso.com.
,
,
. UPN
Active Directory, Active Directory,
.


Windows NT 4 SAM ,
.
, Domain
Admins. , ,
, Domain
Admins. .
, Active Directory

. Delegation Of Control Wizard (


) Active Directory,
. ,

, , -
.


, Active
Directory .
Microsoft ( Microsoft Management Console).
Active Directory

. Active Directory Active Directory Users
And Computers (Active Directory: ), Active Directory Domains And
Trusts (Active Directory: ) Active Directory Sites And Services
(Active Directory: ). ,
Windows Server 2003, , DHCP DNS.


Active Directory Windows Server 2003

. Windows Server 2003
. Windows Server 2003
Windows Server 2003: Kerberos v5
NT LAN Manager (NTLM). Kerberos
, ,
Windows 2000 Professional Microsoft
Windows XP Professional. ,
(Windows NT 4, Microsoft Windows 98 )
NTLM. NTLM
Windows XP Professional Windows 2000, ,
Windows NT 4,
Windows 2000 Windows Server 2003.
Active Directory
Windows Server 2003. Windows Server
2003, Active Directory ,
(SID - Security Identifier) ,
SID , .
SID Active Directory.
, , ,
.

, ,
, Active Directory
, .
,
.
Active Directory
Active Directory, . ,
Active Directory,
,
, .

Active Directory
Windows Server 2003
Active Directory, ,
, Active Directory Windows Server 2003.
Windows Server
2003. .

Active Directory Users And


Computers
Active Directory Users And Computers (Active
Directory: ). Windows Server 2003
.
, ,
. ,
,
(Account Options: Password Never Expires - :
), ,
, .
Active Directory Users And Computers
. , , ,
,
,
.


Active Directory Windows Server 2003 ,
,
.
, ,
Active Directory Windows Server 2003.
,
Windows Server 2003.
.
Windows Server 2003, NOS, , Windows NT 4
Windows 2000.
, , Windows 2000 (
Windows 2000 mixed). , Active Directory
, ,
Windows Server 2003 Windows Server 2000.
Active Directory,
Windows
Server 2003 , .. ,
Windows 2000 Windows NT 4.
. Active Directory Windows Server 2003
mixed-mode ( ) native-mode ( ) Windows
2000. Windows Server 2003
Microsoft Active Directory,
Active Directory.
.
. . 2-1 2-2.


Active Directory
(GUID Globally Unique Identifier)

(SID - Security Identifier) . ,


, ,
Active Directory, ,
. IT.
,
.


( )
Active Directory .

, ,
. Active Directory.
Active Directory,
DNS.
Active Directory, DNS. ,
DNS , DNS, DNS-- .
, ,
.

,

Active Directory.
Windows 2000
( )
,
, . Active Directory
Windows Server 2003
System State ( ) Windows Server
2003. , ,
.


Windows Server 2003 ,
, , .

- . , ,
, integer
( ). , , (string)
, , .

.

. , , ,
, .

Active Directory Windows Server 2003 , Windows 2000,


. ,
,

, .
( ),
.
,
.


, Windows 2000 (native-mode),
(GC - Global Catalog)
. ,
. ,
- GC,
Active Directory ,
.
Windows Server 2003 ,
,
GC. ,
GC-. , GC-
, , .


Windows 2000 , ,
,
.

, ,
. Windows Server 2003
.

UI-
(object picker) (UI),
Active
Directory. ,
UI- , ,
.
, .
,

.
, , . , UI ,
Active Directory.


, (tombstone) ,
. - ,
, . ,
, -,
Active Directory .
, -
,
. ,
-, -
,

. ,
.

inetOrgPerson
Active Directory Windows Server 2003 inetOrgPerson ,

RFC
2798,

http://www.faqs.org/rfcs/rfc2798.html.
Active Directory inetOrgPerson LDAP--,
inetOrgPerson Active Directory Windows Server 2003.

, Microsoft
, . Windows
2000, NOS Windows Active Directory.
,
.
, Active Directory,
.

2. Active
Directory
Active Directory Microsoft Windows Server 2003 :
. Active Directory
, ,
. Active Directory
, ( ,
) . ,
.
Active Directory.
Active Directory.
,
.
.

Active Directory
Active Directory ,
. Active
Directory , .
Active Directory ,
.
, .
(operations master roles). ,
, (GC Global Catalog).
Active Directory ,
.


Active Directory Ntds.dit
. %SystemRoot%\NTDS,
. ,
, ,
.
Ntds.dit %SystemRoot%\ System32. (, ) ,
Active Directory. Microsoft
Windows Server 2003,
.
Active Directory (Dcpromo.exe) Ntds.dit System32 NTDS.
, NTDS, .
,
.


, Windows Server 2003,
Active Directory, .
,
.
(multimaster), . 4,
.
, Active Directory,
, Active

Directory .
(GC) (operations masters).


(GC). ,
(NC - Naming
Context) . GC ,
NC. GC
,
Active Directory.
. GC, .
, GC,
Active Directory Schema ( Active Directory),
. GC, Replicate This Attribute
To The Global Catalog ( ) .
isMemberOfPartialAttributeSet true
(). , ,
.
GC.
, ,
. GC,
Global Catalog Server ( )
Active Directory Sites And Services ( Active Directory).
. GC ,
. 5 GC-,
, , .
, GC-. -, Active
Directory. GC , ,
, ,
. GC- (
), GC- , ,
GC-,
. , GC-, LDAP- (Lightweight Directory
Access Protocol ), 3268 (
GC-).
-, GC- .
, , GC-.
, , ,
. (
, Microsoft Windows 2000 Windows Server
2003. Windows Server 2003, -
Active Directory , .)

. ,
,
, .. (GC).
, ,
GC-
.
. Windows Server 2003
, Windows Server 2003
GC-. -
, GC, ,
. GC-,

( 8 ).
,

GC-.
, Active Directory: Sites And Services (
Active Directory) .
NTDS Site Settings ( NTDS),
Properties (). Properties Enable Universal Group Membership
Caching ( ), ,
.
, GC.


Windows Server 2003
. ,
, .
, .
, mixed ()
Windows 2000; Windows 2000. 2-1
,
.
Table 2-1. Domain functional levels and the domain controllers each supports

Domain functional level        Domain controllers supported
Windows 2000 mixed             Windows NT 4, Windows 2000, Windows Server 2003
Windows 2000 native            Windows 2000, Windows Server 2003
Windows Server 2003 interim    Windows NT 4, Windows Server 2003
Windows Server 2003            Windows Server 2003
Windows Server 2003
2-2 ,
.
Table 2-2. Forest functional levels and the domain controllers each supports

Forest functional level        Domain controllers supported
Windows 2000                   Windows NT 4, Windows 2000, Windows Server 2003
Windows Server 2003 interim    Windows NT 4, Windows Server 2003
Windows Server 2003            Windows Server 2003
Windows Server 2003
Windows Server 2003, ,
Windows 2000 native Windows
Server 2003. , Windows 2000 native,
Windows Server 2003, -
Windows Server 2003. , ()
,
. .
, (GC) ,
,

(,
username@contoso.com). GC

(UPN - User Principal Names),


. , GC,
, ,
.


Active Directory .
,
. ,
(authoritative) .
, , ;
FSMO (Flexible Single Master Operations ).
Active Directory:
;
;
RID;
PDC (Primary Domain Controller );
. .
,
. , ..
. Active Directory
, .
,
.
. ,
.


,
. , (
Schema Admins )
. ,
, . ,
.
, (
) .
Active Directory Schema ( Active Directory)
Ntdsutil.
fSMORoleOwner .


,
.
, .
, .
,
(RPC) , .
Dcpromo.exe
, Active Directory.
. Dcpromo.exe
, .
, .
Ntdsutil.
,

.
Dcpromo.exe .


(RID) - .
RID-,
, , .
(RID),
(SID),
. RID RID-.
RID- RID-
, RID- RID-.
RID-
, RID- .
.
RID- - ,
.
RID- ,
, , RID-
. RID- ,
, , RID-,
.
, RID-
,
.

PDC
PDC , Windows Server 2003
, , Windows 2000.
, Windows 2000 mixed (),
Windows Server 2003 (PDC)
(Microsoft Windows NT 4 3.51) (BDC
Backup Domain Controller). PDC
, BDC-
(Domain Master Browser Service). PDC , ,
, , .
, Windows 2000 native () Windows Server
2003, PDC . ,
, PDC.
, PDC,
, PDC. PDC
, .



. , ,
,
, .

. ,
.



, .
.

:
- Active Directory Schema;
Active Directory Domains
And Trusts ( Active Directory);
RID, PDC Active
Directory Users And Computers ( Active Directory).

: .
.
. ,
, , ,
. . . 15.

, Active Directory.
Active Directory, .
, . ,
, ,
.


. ,
.
. User ().
, Active Directory, User.
, .
.
, ,
. ,
User,
organizationalPerson, User.
,
, ,
.
, Active Directory ,
. , display Name,
, -
. .
Active Directory .
.
. , Computer
() User (),
Computer , User. Computer
, . Active Directory Schema
. 2-1
Computer (). , User,
organizationalPerson, ..
,
, ,
.

. 2-1. Computer (), Active Directory Schema


Active Directory ,
.
Category 1 ( 1), .
, , Active Directory
. ,
, , , . ,
, Category 2 ( 2).
, ,
Active Directory. Microsoft Exchange
Server 2000, Active Directory
.
, Active Directory,
.
, LDAP Data Interchange
Format Directory Exchange (LDIFDE) Comma Separated Value Directory Exchange (CSVDE).
, Active Directory Service Interfaces (ADSI)
Microsoft Visual Basic.
.
LDIFDE CSVDE
. ADSI ADSI Edit
Microsoft Windows Platform (SDK),
- http://www.microsoft.com/msdownload/platformsdk/sdkupdate.ac ADSI Platform SDK
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/directory_services.asp.
Windows Server 2003 Active Directory Schema.
, Regsvr32 Schmmgmt.dll .
Schema Admins (
). , , ,
, , ..
- Active Directory.
,
. Active Directory Schema
User.
.
1. Active Directory Schema ( Active Directory).
2. Attributes () .
3. Action () Create Attribute ( ).

4. Schema Object Creation ( )


Continue ().
5. Create New Attribute ( )
Identification ():
Common Name ( );
LDAP Display Name ( LDAP-);
Unique X500 Object ID ( 500);
Description ().
6. Syntax And Range ( ) :
Syntax ();
Minimum ();
Maximum ().
7. , (Multi-Valued) .
, ,
F1.
500 Object ID
.
, Active Directory
(OID Object Identifier) ,
OID. , OID,
(ISO International
Standards Organization) (ANSI - American
National Standards Institute).
OID, .
, 1.2.840..
:
1 - ISO;
2-ANSI;
840 - ;
, .
, . ,
Employee Start Date ( ),
1.2.840..12.
OID Active Directory 1.2.840.113556.1.5.15.
ISO, ANSI . 113556 ANSI
Microsoft, 1 - Active Directory, 5 Active Directory, 15 Contact ().
Microsoft Windows Server 2000 Resource Kit
OIDGen, OID
OID.
, .
Microsoft OID.
. http://msdn.microsoft.com/certification/ad-registration.asp. 2-2
Active Directory Schema ( Active
Directory).

. 2-2.

. ,
.
, Active Directory Users And Computers (
Active Directory),
, . ,
,
. ,
, . Directory Services ( ) Platform SDK

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/extending_the_user_interface_for_directory_objects.asp.


,
, .
. ,
() . Windows Server 2003
,
, .
,
. ,
, .. Category 2. Category 1
. , , .
,
.
Category 2,
isDefunct true (). ,
ADSI Edit ( ADSI) Active Directory Schema ( Active Directory).
2-3 ,
EmployeeStartDate, , .
, .

, , .
,
, .
isDefunt false ().
.
/ .

. 2-3. Active Directory Schema ( Active Directory)


Active Directory
Active Directory
, ,
Active Directory. ,
, .
Active Directory :
;
;
;
;
;
.
,
, . 5 ,
(,
) .
(, ) .

Active Directory
, Active Directory
. ,
. Active Directory (NC naming contexts). Ldp.exe ADSI Edit (. 2-4).

. 2-4. Active Directory ADSI Edit


.
, , : ,
Active Directory Users And Computers (
Active Directory).
. ,
,
.


, ,
, .
. Exchange Server 2000, Microsoft Internet Security And Acceleration (ISA)
Server Active
Directory, . ISA-
, ,
ISA Active Directory.
ISA-, ,
Active Directory.
.
,
. ,
.
,
.


. ,
, Active Directory,
. .
, ,
. - ,
.


GC .
,
. GC GC-,
.
isMemberOfPartialAttributeSet true (),
GC.


Active Directory Windows Server 2003 -
. Active Directory
, (DNS Domain Name System). (integrated) Active Directory
ForestDnsZones DomainDnsZones.
Active Directory, .
,
,
GC.
,
. ,
.
, .
, .
, ,
.
Active
Directory. , DNS- Contoso.com cn=Configuration, dc=Contoso, dc=com.
AppPartition1 Contoso.com, DNS- dc=AppPartition1, dc=Contoso, dc=com.
, ,
, . ,
AppPartition1. ,
dc=AppPartition2, dc=AppPartition1, dc=Contoso, dc=com.
DNS-, .
Contoso.com, DNS- dc=AppPartition, ,
.
. DNS-
.
LDAP-, .
LDAP, ,
.

. Active Directory
. Domain
Admins ( )
.
, .

,
. Domain Admins ,
, .
, .
,
.
, ,
, .
, ,

.
. ,
.
.
Ntdsutil,
.
Windows Server 2003 Help And Support Center ( Windows Server
2003). , ,
, Using application directory partitions
msdn.microsoft.com.
,
, .
Active Directory . . 4.

Active Directory.
Active Directory , Windows Server 2003,
. , -
. , ,
( ).
Active Directory .
, .
Active Directory. ,
Contoso Contoso.com.
(dedicated) (non-dedicated) . ,
, -,
Active Directory.
() .
,
, , Administrator
() Domain Admins ( ).
- ,
. -
. 5.
(peers)
, .
, . 2-5
, .

Contoso.com

Fabrikam.com

. 2-5. Active Directory,


, , ,
. Active Directory
. , Contoso
Contoso.com, NAmerica.Contoso.com
Contoso,
. ,
, , Sales.NAmerica.Contoso.com.
2-6 -- Contoso.

Sales.NAmerica.Contoso.com .

2-6.

-
Contoso


, Active Directory
,
Active Directory
.
,
. ,

,

.

,
. ,
, . .
DNS,
. 3. ,
(forest root domain),
. Contoso,
Contoso.com, ,
, , Fabrikam.com.
, Fabrikam,
Fabrikam. 2-7 Contoso

.
Sales.NAmerica.Contoso.com
Sales.Europe.Fabrikam.com.

2-7. Contoso



.
Active Directory. .
:
. .

, .
.
,
. ,
Active Directory (Echange Server 2000 ISA).
GC. .

, UPN.
.
(security groups). ,
. Schema Admins
, , Enterprise Admins
( ) ,
, .
Enterprise Admins
Administrators () .
.
, .
.
2-8 Contoso.


.
, (,
)
. , ,
Active Directory.
,
,
. , :
;
;
;



. , ,
NAmerica.Contoso.com Contoso.com,

NAmerica.Contoso.com Contoso.com.
NAmerica.Contoso.com Contoso.com,
. , Contoso.com -
( ),
NAmerica.Contoso.com.
-
, (tree root).
--
NAmerica.Contoso.com Contoso.com. -
, , Contoso.com Fabrikam.com.
. ,
. Contoso.com NAmerica.Contoso.com
Europe.Contoso.com Contoso.com, ,
Europe.Contoso.com NAmerica.Contoso.com.
NAmerica. Contoso.com ,
Europe.Contoso.com, .
. NAmerica.Contoso.com
Contoso.com, Contoso.com Fabrikam.com. NAmerica.
Contoso.com Fabrikam.com
.


,
,
. ,
, .
,
.
(shortcut trusts).
,
, .
Contoso, 2-9.

Sales.Europe.Contoso.com

Research.NAmerica.Contoso.com

. 2-9. Contoso

Sales.Europe.Contoso.com
Research.NAmerica.Contoso.com,
Sales.Europe.Contoso.com
, ,
. ,
.
,
Sales.Europe.Contoso.com
Research.NAmerica.Contoso.com ,
. 2-10 .
,
, .
( ,
).


Windows Server 2003.

. ,
,
. , ,
UPN.


. , Forest1 Forest2, Forest2
Forest3, Forest1
Forest3.
,
. ,
GC, .
,
.

.
,
.
2-11 Contoso.



[Figure 2-11 artwork: the Contoso.com and NWTraders.com forests joined by a forest trust; the Contoso forest also contains Europe.Contoso.com and NAmerica.Contoso.com]

Contoso
.

2-11.
Contoso.com

NWTraders.com,

Contoso

(Realm
Trusts). Windows Server 2003 Windows Kerberos v5. Kerberos ,
, Kerberos.
Kerberos--, Kerberos v5.
,
.
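The trust rules described in this section can be checked mechanically. The following Python is an added example, not code from the book or from Microsoft: it models a forest as a graph whose edges run from the trusting domain to the trusted domain, treats parent-child, tree-root and shortcut trusts as transitive, lets a forest trust be crossed once per path (transitive within the two forests it joins, but never chained to a third forest, as the Forest1/Forest2/Forest3 case above states), and allows an external trust only as a direct hop. The domain names are the book's Contoso, Fabrikam and NWTraders examples; the third forest litwareinc.com and the one-way external trust to a Windows NT 4 domain called NT4DOMAIN are constructed for the example.

```python
# Added example (not from the book): trust paths under the transitivity rules.
from collections import deque
from typing import Dict, List, Optional, Tuple

PARENT_CHILD = "parent-child"
TREE_ROOT = "tree-root"
SHORTCUT = "shortcut"
FOREST = "forest"
EXTERNAL = "external"
TRANSITIVE = {PARENT_CHILD, TREE_ROOT, SHORTCUT}

State = Tuple[str, bool]   # (domain, a forest trust has already been crossed)


class TrustGraph:
    """Edges run from the trusting domain to the trusted domain."""

    def __init__(self) -> None:
        self.edges: Dict[str, List[Tuple[str, str]]] = {}

    def add(self, trusting: str, trusted: str, kind: str, two_way: bool = True) -> None:
        self.edges.setdefault(trusting, []).append((trusted, kind))
        if two_way:
            self.edges.setdefault(trusted, []).append((trusting, kind))

    def trust_path(self, trusting: str, trusted: str) -> Optional[List[str]]:
        """Shortest chain of trusts along which `trusting` accepts principals
        from `trusted`, or None when the rules allow no such chain."""
        start: State = (trusting, False)
        parents: Dict[State, Optional[State]] = {start: None}
        queue = deque([start])
        while queue:
            state = queue.popleft()
            domain, crossed_forest = state
            if domain == trusted:
                path: List[str] = []
                cur: Optional[State] = state
                while cur is not None:
                    path.append(cur[0])
                    cur = parents[cur]
                return path[::-1]
            for next_domain, kind in self.edges.get(domain, []):
                if kind in TRANSITIVE:
                    nxt: State = (next_domain, crossed_forest)
                elif kind == FOREST and not crossed_forest:
                    nxt = (next_domain, True)          # at most one forest trust per path
                elif kind == EXTERNAL and domain == trusting and next_domain == trusted:
                    nxt = (next_domain, crossed_forest) # external trusts: direct hop only
                else:
                    continue
                if nxt not in parents:
                    parents[nxt] = state
                    queue.append(nxt)
        return None


def contoso_trusts() -> TrustGraph:
    """The Contoso forest from the figures plus constructed neighbours."""
    g = TrustGraph()
    # Contoso forest: two trees, Contoso.com and Fabrikam.com
    g.add("namerica.contoso.com", "contoso.com", PARENT_CHILD)
    g.add("europe.contoso.com", "contoso.com", PARENT_CHILD)
    g.add("sales.europe.contoso.com", "europe.contoso.com", PARENT_CHILD)
    g.add("research.namerica.contoso.com", "namerica.contoso.com", PARENT_CHILD)
    g.add("fabrikam.com", "contoso.com", TREE_ROOT)
    # Forest trusts: Contoso <-> NWTraders, and NWTraders <-> Litware (constructed)
    g.add("contoso.com", "nwtraders.com", FOREST)
    g.add("nwtraders.com", "litwareinc.com", FOREST)
    # Constructed one-way external trust to a Windows NT 4 domain
    g.add("contoso.com", "NT4DOMAIN", EXTERNAL, two_way=False)
    return g
```

Without a shortcut trust, authentication from Sales.Europe.Contoso.com to Research.NAmerica.Contoso.com walks up to Contoso.com and down again; adding a SHORTCUT edge between the two collapses the path to a single hop. Contoso.com reaches NWTraders.com over the forest trust but never litwareinc.com, and only Contoso.com itself, not its child domains, can use the external trust.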

Active Directory, ,
. ,
, , .
,
.
Active Directory.
Active Directory
. ,
, .
(IP), (LAN)
(WAN),
WAN-.
,
, .
Windows Server 2003
.
. ,
,
GC-. , ,
.
, .

, . ( 4

.)

. Windows Server 2003 ,


Windows 2000 Microsoft Windows XP Professional,
,
, . 3 ,
(SRV), .
, DNS. , .
Windows 2000 native ()
Windows Server 2003, GC
. GC-, . (
. 3.)
. , Windows NT 4 SP6a,
Active Directory,
Directory Services Client ( ),
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp.
, Windows 95 Windows 98,
Directory Services Client - Windows Server 2000.
, . ,
,
,
. , (DFS Distributed File System),
. DFS ,
, DFS-
, WAN-,
.
Windows Server 2003 . Active
Directory Windows Server 2003, ,
Default First Site Name ( ),
, .
, IP. ,
Windows Server 2003, ,
, IP- .
Active Directory
Sites And Services (Active Directory: ).
,
. , ,
.
, , -
.
. IP-,
, Default First Site
Name. , Windows Server 2003,
.
,
Active Directory. ,
. 2-12 , Seattle
: Contoso.com NAmerica.Contoso.com. NWTraders.com
.

. . 3 DNS
. 4 ,
. 5
Active Directory.



Active Directory Windows Server 2003 ,
. Active Directory,
, ,
,
, .
(OU - Organizational Unit) ,
Active Directory. OU ,
,
Active Directory. OU
. .

. .
2-13 OU Contoso.

[Figure 2-13 artwork: OU tree of Contoso.com with SeattleOU, CalgaryOU, DenverOU, ProductOU, R&DOU, DesignOU, MarketingOU, ManufacturingOU and SalesOU]

. 2-13.

OU , :
;
;

;
inetOrgPerson;
;
;
;
.
.
.

.
,
OU. ,
, (,
). ,
,
OU.

OU. Windows Properties ()
. OU
(ACL Access Control List), OU.
OU ACL-. ,
, - .
, Help Desk ()
OU, . Human
Resources ( ) ,
OU, .

OU ,
.
(, ,
), OU
Logon Locally ( ) OU.
OU.
,

. OU,
(group policy)
.
OU . Group Policy
Object Editor ( ) ,
.
,
, ,
. 2-3 ,
Group Policy Object Editor.

Table 2-3. Extensions of the Group Policy Object Editor

Extension                 What it configures
Administrative templates  Registry-based settings for computers and users.
Security                  Security settings for computers and users.
Software installation     Deployment of software to computers and users.
Scripts                   Startup/shutdown scripts for computers and logon/logoff scripts for users.
Folder redirection        Redirects user folders such as My Documents to a network location.
OU.
, (GPO Group Policy
Object), , ,
OU. .
.
, OU
. OU .
.

Active
Directory Windows Server 2003. ,
, . -
Active Directory .
Active Directory.

3. Active Directory

Active Directory Microsoft Windows Server 2003


(DNS). DNS
, Microsoft Windows
2000 Microsoft Windows XP Professional , ,
Microsoft Exchange Server 2000, .
, DNS , Windows Server 2003
. , Active Directory
DNS Windows Server 2003.
DNS . ,
Active Directory DNS, .
DNS Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise
Edition; Windows Server 2003, Datacenter Edition. Windows Server 2003
,
Active Directory.
. Windows Server 2003, Web Edition
Active Directory.

DNS
DNS . ,
, , , www.microsoft.com, IP-,
207.46.230.219. Web- Microsoft
IP-. DNS .
, , a DNS
IP-.
. Active Directory,
DNS , .
DNS, , - Microsoft
http://msdn.microsoft.com/library/en-us/dns/dns_concepts.asp.

DNS . 3-1
. (.).
DNS, .
,
(generic) (com, edu, mil, net, org),
(, uk, fr, br), (biz, info, pro ..), 2001 .

. 3-1. DNS

,
.
.
. DNS, .

(FQDN Fully Qualified Domain Name), ,
www.NAmerica.Contoso.com. FQDN ,
DNS. , FQDN
DNS, . (.),
, .
com , Contoso NAmerica.
FQDN www - .


DNS ,
.
, , ,
.
, . DNS,
.
, DNS (
) ( ). DNS-
DNS.
. . ,
, .
DNS server,
. ,
, .
DNS-, ,
, . ,
, ..
, ,
. ,
, ,
DNS. , com,
Contoso, .
Contoso ,
Contoso.com.
,
DNS.
,
, , , DNS-
. DNS- ,
(forwarders) , DNS-
. .


DNS ,
IP- .
(. . 3-1), , DNS ( ),
- , -,
www.NAmerica.Contoso.com. IP- .
1. - IP-
DNS- ( DNS-

2.

3.

4.
5.
6.
7.
8.

). : IP-,
, , ,
.
DNS- ,
IP- . ,
, .
, ,
DNS-, . DNS-
IP-,
www.NAmerica.Contoso.com.
, ,
.
DNS-
(referral). DNS- -
IP-.
,
Contoso.com. DNS- DNS- Contoso.com,
DNS-, NAmerica.Contoso.com.
DNS- NAmerica.Contoso.com ,
DNS- IP- .
DNS- , , IP- Web-.
www.NAmerica.Contoso.com.
. DNS ,
. - DNS-
, .

9.


, DNS, (RR
Resource Records). .
DNS- Windows Server 2003.
3-1.
Table 3-1. Resource records used by the Windows Server 2003 DNS server

Record type                Purpose
Start of Authority (SOA)   Opens the zone: names the primary server and the responsible person, and carries the zone serial number, refresh timers and the default TTL (Time to Live) (see Figure 3-2).
Host (A)                   Maps a host name to an IP address; every host, the DNS server included, has one.
Mail Exchanger (MX)        Names the mail server that accepts mail for the domain.
Name Server (NS)           Names a server authoritative for the zone.
Pointer (PTR)              Maps an IP address back to a host name; used in reverse lookup zones.
Canonical Name (CNAME)     Declares an alias for another host name.
Service Locator (SRV)      Names a host, and the port, that offers a service; Active Directory relies on SRV records to publish its domain controllers.

. 3-2. SOA Contoso.com

. 3-2 SOA DNS. DNS


. ,
Web1.Contoso.com: Web1.Contoso.com IN A 192.168.1.100.

DNS-,
DNS ,
DNS.


, ,
. , ,
DNS, . ,
Contoso.com. ,
DNS, .. .
DNS- , DNS
DNS-.
DNS. DNS.
DNS:
. IP. ().
SOA NS, MX, CNAME SRV.
, - DNS-,
IP- .
. ,
IP- , .
SOA NS, - PTR. PTR

, .
. . 3-1.
.
, IP- , ,
. , , IP . , 192.168.1.0,
1.168.192.in-addr.arpa. in-addr.arpa DNS
. ,
.
(150.38.0.0), 38.150.in-addr.arpa.


(Primary Name Server) ,
(
- primary zone). , DNS-
, - .
,
, .


(Secondary Name Server) ,
.
.
DNS , ..
DNS . Request for
Comment 1995 ( )
, (incremental zone transfers),
,
. Request for Comment
1996. ,
, .

, SOA .
. DNS- Windows Server 2003 ,
. (integrated) Active Directory,
Active Directory.


- , (caching-only).
, ,
. ,
.
, DNS
. ,
DNS- , .
DNS-,
( -1 ). , DNS-
.
. DNS- Windows Server 2003,
, , (caching-only) .
,
.


DNS, (zones of
authority) (authoritative) .

. , DNS-
Contoso.com,
.
DNS-.
DNS- , 3-3.
DNS-, Contoso.com. DNS1
Web1.Contoso.com, and the DNS2 server
. DNS1, IP- Web1.
DNS2 IP- Web1, ,
. DNS2 Contoso.com,
DNS1. ,
,
.

Web1.Contoso.com

www.Contoso.com

. 3-3. DNS-

.



,

DNS-,

, - DNS

DNS (
. 3-3).
DNS1

DNS2 -
.

DNS2

DNS- ,
DNS1 SRV- Active Directory.
(Contoso.com),
.

DNS-. DNS-, ,
, - -,
. DNS-
, ,
, ,
.
DNS. ,
www.Contoso.com, ,
-, .
DNS1. ,
-.


DNS ,
. , ,
,
Contoso.com, com- ,
Contoso.com. (delegation records).
,
. , 3-4 ,
DNSl.Contoso.com Contoso.com. DNS2 DNS3
NAmerica.Contoso.com. DNS1
NAmerica.Contoso.com,
. DNS1 ,
DNS2 DNS3 .
DNS1, NAmerica.Contoso.com,
.


DNS
.
DNS ,
DNS-.
DNS- ,
. , DNS- Contoso.com.
, Fabrikam.com
(. . 3-1), DNS- Contoso.com - .


. (forwarder) -

DNS-,

DNS-,
. ,
Contoso.com

Fabrikam.com. DNS- Contoso
,
,
.

.

DNS-,
.

IP-
. 3-4.
. , DNS- ,
.
DNS- , DNS-,
.

3-5. DNS-
DNS-, -. DNS-
, ,


IP-.

'
DNS

3 .

3-5.

, DNS- ,
, .
DNS- Windows Server 2003, ,
. - ,
. DNS-
DNS, ,
.
, ,
.
. , DNS-
, Cache.dns,
DNS-.
DNS- ,
DNS-, .
DNS- Windows Server 2003 ,
. ,
.
, DNS server
, . DNS, .
, Do Not Use Recursion For This Domain (He
) Forwarders () Properties
() DNS-. DNS-
- ,
.

, DNS- ,
. , .
. DNS Windows Server 2003
.
.

DNS
DNS ,
. RFC 2136
DNS-. RFC 2136 , DNS-
, .
DNS (DDNS). DNS- Windows Server 2003
DNS. Windows 2000 Windows XP Professional,
Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003,
Standard Edition; Windows Server 2003, Enterprise Edition Windows Server 2003, Datacenter Edition
DNS. Windows 2000 Windows
Server 2003 SRV- DNS-,
. DNS- Windows Server 2003

(DHCP). DHCP- Windows Server 2003
DNS- , Microsoft Windows 95, Microsoft Windows 98, Microsoft
Windows Me Microsoft Windows NT.
DNS . - ,
DNS, , ,
DNS,
. DNS Windows Server 2003
.
Active Directory. ,
DNS-. Authenticated Users
( ) DNS.
, ACL (ACL - Access Control List) DNS-.
DNS , DNS. ,
Active Directory Windows Server 2003 SRV-
, DNS-
Windows Server 2003.

DNS Active Directory Windows Server 2003


Active Directory DNS.
, Windows 2000
Windows XP Professional .
DNS , Active Directory, . ,
Exchange Server 2000 Active Directory,
, Exchange Server 2000, ,
Exchange Server 2000.
. , Windows 95, Windows 98, Windows Me Windows NT
DNS Windows Server 2003.
NetBIOS, Windows (WINS - Windows Internet Naming Service) -
NetBIOS IP-. Windows Server 2003
, NetBIOS WINS.

DNS Locator
DNS Locator ( DNS) Active Directory, DNS
, .
, .
. Windows NT NetBIOS.
NetBIOS Domainname <1>
WINS. , ,
. ,
. SRV Windows Server 2003
,

Windows 2000 Windows XP Professional. SRV


Windows Server 2003.

DNS, Active
Directory
, Active Directory
(service locator) SRV. SRV - DNS-,
RFC 2782, TCP/IP-. ,
Active Directory, , SRV
(see Table 3-2).

_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.

Table 3-2. Fields of the SRV record

Field      Value              Meaning
Service    _ldap              Service offered; Active Directory also registers _kerberos, _kpasswd and _gc.
Protocol   _tcp               Transport protocol, TCP or UDP (_udp).
Name       contoso.com        DNS domain the record belongs to.
TTL        600                Time to Live: seconds a resolver may cache the record.
Class      IN                 Internet class.
Type       SRV                Record type.
Priority   0                  Clients try the lowest priority first and use higher values only if it fails.
Weight     100                Shares load among records of equal priority in proportion to the weight.
Port       389                Port the service listens on (389 is LDAP).
Target     dc2.contoso.com    Host that offers the service.

, ,
(LDAP) Contoso.com, dc2.contoso.com.
Windows Server 2003 SRV-
DNS. , .
contoso.com. 600 IN A 192.168.1.201
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.pdc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.gc._msdcs.contoso.com. 600 IN SRV 0 100 3268 dc2.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.contoso.com. 600 IN SRV 0 100 3268 dc2.contoso.com.
_ldap._tcp.64c228cd-5f07-4606-b843-d4fd114264b7.domains._msdcs.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
gc._msdcs.contoso.com. 600 IN A 192.168.1.201
175170ad-0263-439f-bb4c-89eacc410ab1._msdcs.contoso.com. 600 IN CNAME dc2.contoso.com.
_kerberos._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 88 dc2.contoso.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.contoso.com. 600 IN SRV 0 100 88 dc2.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 dc2.contoso.com.
_kerberos._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 88 dc2.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 dc2.contoso.com.
_gc._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 3268 dc2.contoso.com.
_kerberos._udp.contoso.com. 600 IN SRV 0 100 88 dc2.contoso.com.
_kpasswd._tcp.contoso.com. 600 IN SRV 0 100 464 dc2.contoso.com.
_kpasswd._udp.contoso.com. 600 IN SRV 0 100 464 dc2.contoso.com.
DomainDnsZones.contoso.com. 600 IN A 192.168.1.201
_ldap._tcp.DomainDnsZones.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
ForestDnsZones.contoso.com. 600 IN A 192.168.1.201
_ldap._tcp.ForestDnsZones.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.

. Windows Server 2003,


Netlogon.dns, %systemroot%\
system32\config. DNS-,
DNS.
SRV- , SRV.
:
_ldap Active Directory , LDAP-,
, LDAP-. _ldap SRV
LDAP , .
Windows Server 2003 LDAP-;
_kerberos - Windows 2000
Windows XP Professional. SRV- _kerberos
(KDC - Key Distribution Centers) .
Windows Server 2003 KDC-;
_kpasswd Kerberos (
Windows Server 2003
kerberos);
_gc - , Active
Directory. Active
Directory.
SRV- ,
3-2. Active Directory
IP-, .
,
, , .
,
, . ,
, , .
SRV- _msdcs,
. , SRV, ,
Microsoft. , LDAP kerberos-cep-
, Microsoft. SRV
DNS. Windows Server 2003 (generic)

(, _ldap._tcp.contoso.com), , _msdcs.
, Microsoft, .. Windows Server 2003
Windows 2000.
: gc ( ), dc ( ) pdc (
).
(GUID globally unique identifier) . GUID
.
. , - ForestDnsZones
DomainDnsZones.
.

Active Directory
, Windows Server 2003,
( ) , . , ,
Windows 2000 Windows XP Professional, .
, .
1.
(RPC) ,
. RPC-, ,
, , Net Logon ( ).
2. (domain locator),
API- DsGetDcName (), ,
3-3.
. 3-3. DsGetDcName

DsGetDcName                 DNS
DS_PDC_REQUIRED             _ldap._tcp.pdc._msdcs.domainname
DS_GC_SERVER_REQUIRED       _ldap._tcp.sitename._sites.gc._msdcs.Forestrootdomainname
DS_KDC_REQUIRED             _kdc._tcp.sitename._sites.dc._msdcs.domainname
DS_ONLY_LDAP_NEEDED         _ldap._tcp.sitename._sites._msdcs.domainname

. DsGetDcName sitename.
, DS_PDC_REQUIRED, ,
. DNS- ,
. , DS_KDC_REQUIRED ,
_kdc._tcp.dc._msdcs.forestrootdomain. ,
, DNS.
DomainGUID DsGetDcName ().
_ldap._tcp.domainGUID.domains._msdcs.forestname.
, .
3. DNS ,
. LDAP , UDP- 389
, .
0,1 , ,
.
, .
4. , , ,
. ,
.
, ,
Active Directory, .

,
Active Directory,
. ,
,
, . ,
?
-, Active Directory,
. IP-,
, .
Active Directory, IP-
IP- . ,
.
.
(,
),
. DNS- ,
. IP- ,
, .

.
, Active Directory,
.

Active Directory
DNS Windows Server
2003 (integrated zones) Active Directory.
Active Directory .
DNS-,
Active Directory. .
Active Directory.
Active Directory,
Active Directory. ,
, .
, .
Active Directory
DNS.
DNS-
. Active Directory DNS
. ,
,
. Active Directory DNS-
,
.
DNS.
.
Active Directory, ,
. , ,
Active Directory.
Active Directory
DNS Windows Server 2003,
.
. Active Directory .
,
, . DNS-
, DNS ,
Windows Server 2003, DNS.

Active
Directory.
Active Directory,
DNS Active Directory
(. . 3-6). Microsoft (MMC -Microsoft Management
Console) , Active Directory Users And Computers (
Active Directory) . Active Directory Users
And Computers ( Active Directory) View (),
Advanced Features ( ). ,
System (), - MicrosoftDNS.
Active Directory .

. 3-6. Active Directory
Windows 2000 Advanced Server.
; ,
(dedicated)
(. . 3-7).
.

Contoso.com  Fabrikam.com  TailspinToys.com  WingtipToys.com

. 3-7. Active Directory


,
.

, . ,
- Contoso.com Fabrikam.com,
DNS- Contoso.

Fabrikam, ,
. DNS- Contoso
DNS- Fabrikam,
.
TailspinToys.com .
DNS Windows 2000
(. ),
.
DNS
.

DNS DNS--
, DNS ,
DNS .
, DNS
,
.
. Windows Server 2003
. ,
(stub zones) .

DNS
DNS, , Windows 2000.
Windows Server 2003 , ,
DNS. (. )
DNS ,
Windows Server 2003.


(conditional forwarding)
. Windows Server 2003
, . - ,
,
.
, .
: DNS-cep-
DNS, .
, , , .
.
.
, .
,
. , DNS
.
Windows Server 2003 DNS
, DNS
. DNS ,
, . ,
Contoso.com Fabrikam.com, DNS-
Contoso.com. DNS- , ,
, .
, .
Fabrikam.com, DNS- Contoso.com
DNS.
Fabrikam.com, DNS Contoso.com,
, -

, .
. , DNS-
, . DNS-
, .
Properties ()
DNS (. . 3-8).
.
DNS , DNS-
DNS- .
-, Forwarders (),
DNS- ,
DNS-. ,
, , DNS,
All Other DNS Domains ( DNS).
DNS
. , ,
Fabrikam.com
Europe.Fabrikam.com,
Web1.Europe.Fabrikam.com, DNS-
DNS- Europe.Fabrikam.com.


(stub zones) -
DNS Windows Server 2003.


. .

IP- .
. 3-8.

, ,
. ,
SOA, NS () , .

. DNS- ,
. .
DNS-
. ,
, ..
(. . 3-9). NAmerica.Contoso.com IP SAmerica.Contoso.com DNS NAmerica.Contoso.com
, .

, . DNS
Contoso.com ,
DNS- NAmerica.Contoso.com .
IP-
SAmerica.Contoso.com NAmerica.Contoso.com. NAmerica.Contoso.com
DNS SAmerica.Contoso.com IP-
, .
, DNS- NAmerica.Contoso.com
DNS .
, SAmerica.Contoso.com. ,
,
SAmerica.Contoso.com.
.
, .
,
.
DNS . - DNS
, DNS- ,
.

NAmerica.Contoso.com  SAmerica.Contoso.com
. 3-9. DNS

. ,
. Contoso.com,
NAmerica.Contoso.com DNS
Contoso.com. Contoso.com,
. ,
. DNS Contoso.com
, ,
.
, New Zone Wizard ( )
DNS. Forward Lookup
Zones ( ) Reverse Lookup Zones ( ))
New Zone ( ). (. . 3-10).

. 3-10.


DNS, ,
.
DNS Active Directory Windows Server 2003
DNS . DNS,
, Active Directory
. DomainDnsZones ForestDnsZones. (
Active Directory,
ADSI Edit Ldp.exe; ADSI Edit 3-11.)
. DomainDnsZones
DNS, . ForestDnsZones
DNS, .
DNS , ..
.
DNS (. . 3-12)
Zone Properties ( ) DNS.
DNS.
All DNS Servers In The Active Directory Forest domainname (Ha DNS
Active Directory). ForestDnsZones,
DNS .
_msdcs Active Directory.

. 3-11. DNS ADSI Edit

All DNS Servers In The Active Directory Domain domainname (Ha DNS
Active Directory). DomainDnsZones,
DNS, .
, Active Directory,
.
All Domain Controllers In The Active Directory Domain domainname (
Active Directory).

, .
,
, DomainDnsZones
, DNS.
All Domain Controllers Specified In The Scope Of The Following Application Directory
Partition (
). ,
.
DNS ,
.
. DNS ,
DNS .
DNS ,
, .
DNS
DNSCMD. DNS
DNS Create Default Application Directory Partitions
( ).
DNSCMD dnscmd servername /CreateBuiltinDirectoryPartitions /forest.
ForestDnsZones. DomainDnsZones, /domain
.
Active Directory, Enterprise Admins
( ).
. 3-12.
DNS


.
,
DNS,

DomainDnsZones

,
DNS. _msdcs ,

Active Directory ,
ForestDnsZones.
.

DNS Windows Server 2003.



Windows Server 2003. DNS.
, DNS
, DNS Active Directory.
,
Active Directory SRV DNS,
. , DNS
Windows Server 2003.

4. Active Directory
, Active Directory Microsoft Windows Server 2003,
.
.
(WAN).
, -
.
, ,
.
, . ,

, . Active
Directory ,

. Active Directory.
, , ,
.

Active Directory
2 , Active Directory .

. ,
, .
,
.
, , .
, Active Directory.
, Microsoft
Windows NT, Active Directory .
Windows NT (PDC Primary Domain Controller)
, .
,
(BDC Backup Domain Controllers).
, .
(, ) PDC,
, . PDC
, ,
, PDC.
, PDC . ,
,
BDC- PDC. Active
Directory , ..
, PDC
. ,
.
,
, .
, . .
2 , Active Directory ,
.
,
.
, Active Directory,
, . ,

, , . ,
,
. , ..
,
,
. (store and forward).
, ,
. , ,
, WAN-.

. , ,
. , ,
,
.

Active Directory Windows


Server 2003
Active Directory Windows Server 2003, , ,
Microsoft Windows 2000, .
, . Windows 2000
.
.
.
,
,
. Active Directory Windows Server 2003 ,
, ,
.
, 5000 . Windows 2000
5000 - ,
.
5000 . ,
. Active Directory Windows Server 2003
, ,
.
. ,
(interim) Windows Server 2003.
Windows Server 2003 ,
Windows Server 2003. Windows Server 2003
, , Windows Server 2003
Windows NT. . . 7.
.
Active Directory Windows 2000, Active
Directory Windows Server 2003.
. Active
Directory Windows Server 2003 .
.
, .
Active Directory Windows Server 2003 ,
. , - (bridgehead server)
, , - ,
.
, .
.
, ADSI Edit Options () (site link object) - (connection object).

, Options () ;
, .
. Windows 2000
100 . ,
(Knowledge Consistency Checker ),
.
Active Directory Windows Server 2003 .

Active Directory ,
. ,
,

. ,
.
.
. Microsoft Exchange Server 5.5 ,
. Active Directory
Exchange Server 5.5.


,
.. ,
. .
, Active
Directory. 15 ,
,
. 3 ,
. 15
,
.
Windows 2000 Windows Server 2003 (
Resource Kits ).
Windows Server 2003
, ADSI Edit.
.
, .
.

.
,
-. -
, .

(RPC). -
, .
, .

.
;
.
.
- Active Directory Sites And
Services ( Active Directory), (,

) (
Resource Kits )
Partition (), Windows Server 2003.
.


, ,
- .
.
, , .
, ,
. ,
. , ,
.
, , ,
.
10 - 15
, 32 . ,
-
.

.
.
, ,
(IP) (SMTP). ,
,
, .
, -.
- (
) , - .
-
.
,
.
. Active Directory
, ,

.
, , , 5.


Active Directory Windows Server 2003 ,
, ,
. (replication
latency). ,
. , ,
,
15 . 15 ,
.
15- , , ,
.
,
45 .
. ,
. ,

, , - . -, ,
, .
3 .
, 3 .
- ,
.
. ,
15 ( ).

.
, ,
45 .
WAN- ,
, .


, ,
, . Active Directory
(urgent replication),
. ,
, . ,
.
.
.
.
(RID)
.
(LSA - Local Security Authority),
, .

.
.
.
,
PDC-.
- . ,
, RPC- PDC--.
PDC-
. ,
, , , PDC-,
, .


Active Directory .

Active Directory. ,
, , .

(Knowledge Consistency
Checker)
(Knowledge Consistency Checker) ,
,
. Active Directory ,

, ,
.
, ,
. ,
.
, ,
.
15 .
Active
Directory Sites And Services ( Active Directory). ,
, NTDS Settings
( NTDS) , All Tasks ( ),
Check Replication Topology ( ).


(connection object),
Active Directory.
,
. , ,
. ,
.
pull ()
, pull-,
- - .

, .
. Replication Monitor ( )
push () .
pull-. ( ,

.)
, , ,
. , , ,
. , ,
,
. ,

.
:
, , .

,
- ,
- .
,
, . ,
, 15 . (
4-1.)
, <automatically generated> (
) (GUID).
.

. 4-1.


,
. ,
.
.
, .
,
. ,
, .


Active
Directory. (spanning tree),

. , ,
, . ,
,
.
, .
spanning tree .
,
.
.
Active Directory
. ,
Active Directory .
,
,
. ,
Active Directory .
Active
Directory, KCC .
. 4-2
.

. 4-2.

(. . 4-2),
. ,
. ,
- .
.

. ,
(hop).
,

. , 4-3 .
, , , .


. ,

.
,



. 4-3. ,

. , 4-4.
(. . 4-4) ,
. 4-1.
. 4-1.


,

.
DC2.Contoso.com,

DC1.Contoso.com,
Contoso.com
DC3.Contoso.com, DC4.Contoso.com.

DC5.Fabrikam.com, DC6.Fabrikam.com.

Fabrikam.com
(GC) DC1.Contoso.com,
DC4.Contoso.com,
DC5.Fabrikam.com.
DC2.Contoso.com, DC6.Fabrikam.com.
AppPartition1
.

. 4-4. ,

. DNS (ForestDnsZones DomainDnsZones)


. , 4-4
. 3 ,
, .
4-4 GC.
GC .
Replication Monitor
( ).
, - Windows Server 2003.
, Suptools.msi Support\Tools
- Windows Server 2003. , Run
() replmon. 4-5
, .

. 4-5.

- , ,
.
,
. , ,
.
4-5 DC1.Contoso.com DC4.Fabrikam.com.
.
,
. Show Replication
Topologies ( ). View (), Connection
Objects Only ( ),
Properties (). Inbound Replication Connections (
) , ,
. 4-6,
( Fabrikam.com),
. , ,
, .

. 4-6. ,


,
. GC . ,
GC .
GC , ,
isMemberOfPartialAttributesSet true ().
, GC , GC.
GC- GC- .
4-7 ,
; . DC1.Contoso.com
. GC-
Contoso.com, GC-
Contoso.com .
Fabrikam.com ,
DC1.Contoso.com GC- Fabrikam.com DC2.Fabrikam.com.
Fabrikam.com ,
DC2.Fabrikam.com DC1.Contoso.com.
GC- DC1.Contoso.com.
4-8

GC


GC-.
DC1.Contoso.com

. 4-7.

DC2.Contoso.com, DC4.Fabrikam.com
DC6.NWTraders.com.
DC1.Contoso.com. GC-

. , GC
GC .


,
. , , ,
. ,
.
,
, .
, ,
.
, ,
. , ,
, .

,
,


(ISTG - InterSite Topology Generator)
.
ISTG-
, ,
. 4-8. GC-

. ISTG
. .
- (bridgehead server) ,
.
- - . ,
.
-
. -,
.
ISTG ,
. ISTG ,
. , ISTG
- . ISTG
, -. -

- ,
.
4-9 , .
.
, , GC- . ,
, GC,
. -,
. -
Contoso.com. -
Fabrikam.com. ,
4-9, DC1.Contoso.com DC6.Fabrikam.com GC-.
, - GC-
.
,
.
.
Active Directory.
, .
.

. 4-9.


Active Directory.


.
,

, .


Active Directory,
. - (originating update).
,
. - (replicated update).
, , ,
. ,
, , ,

. ,
Active Directory, .
Active Directory :
Active Directory ;
Active Directory ;
.
,
;
Active Directory .
,
.
Active Directory . ,
, ,
.



, .
, , 15
. ,
,
.
,
.

. Active Directory
,
. ,
, , .
Active Directory (USN update sequence number), (high-watermark value), (up-to-dateness
vectors) (change stamps). .

,
. (USN update sequence number)
. ,
USN 5555, ,
, USN 5556. USN
.
(, , ),
USN.
USN . -,
USN , .
USN . -, USN
uSNChanged .
USN . . ,
, USN, 5556.
USN, uSNChanged 5556.
, ,
, USN uSNChanged
5557. USN
5556, USN .
USN uSNChanged ,
. USN USN .
,

.
, USN USN.
, USN
,
. USN uSNChanged
, USN ,
. USN ,
.


(high-watermark values) ,
.
. -
uSNChanged,
. ,
uSNChanged .
.
.
, -
-. -
-
, uSNChanged.
.
.


(up-to-dateness vectors) ,
.
,
- . ,
DC1, USN, 5556.
DC2, USN .
, GUID DC1 . DC2
, , ,
, DC1, 5556.
. -
-, .
-
, -. ,
. ,
, , DC3,
, DC1, DC2, DC3. DC3 DC2
, , ,
, DC1, USN 5556.
15 DC2 DC3,
. DC3 DC2,
. DC2 ,
DC3 DC1 USN.
, ,
DC2 DC3 .
, ,
. ,
- . ,
, ,
. ,
,
. , ,

USN
USN (update sequence number)
, Windows Server 2003.
USN , USN
(time stamp)
Repadmin. ( Repadmin
.) repadmin
/showmeta object distinguished name ( ) .
uSNCreated uSNChanged ADSI Edit .
Ldp.exe, ,
, Advanced (), Replication Metadata (-
). USN (. . 4-10).
,
Show Attribute Meta-Data For Active Directory Object (
Active Directory). (credentials)
Active Directory, . USN-
.
USN Active Directory Users And
Computers, Advanced Features ( ) View (),
Object () Properties () .
.
,
, - .
,
, , -
, -
.

. 4-10. -
)

Replication Monitor (


, ,
(change stamp). , ,
.
, .
, ,

. .
. ,
. , 1,
. ,
1.
, .
. ,
. ,
, .
(Originating server). GUID ,
.
.
, .
,
, .
.
1. . .
3, 4, 4.
2. . ,
.
3. GUID . ,
GUID , .
, , GUID.
GUID , a GUID .

.
, ,

. . -,
. (
,
,
.) -, ,
, ,
,
.
,
. , ,
Active Directory,
. Active Directory , ,
.
, .
,
.
,
(OU) Accounting ().
OU Accounting. ,
, Active Directory LostAndFound.
(relative
distinguished name) . ,

BDiaz OU Accounting,

, OU OU.
, , ,
GUID,
. , GUID, ,
GUID BDiaz#CNF:userGUID,
(#) . ,
.


Active Directory ,
. , .
- (tombstone). - ,
isDeleted true (), .
, GUID, SID, USN ,
.
- .
, ,
, . ,
- (tombstone lifetime).
-, 60 ,

. -
(garbage collection). , ,
12 . 12 ,
-, .
1 , Active Directory Windows Server 2003
Active Directory. (lingering object)
, ,
. Repadmin. .
- ADSI Edit
Ldp.exe. CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain.
garbageCollPeriod
tombstoneLifetime .
.


Active Directory
, ,
WAN-.
, .
. ,
, - ,
. 5
.
Active Directory,
.
2, Active Directory ,
. Active
Directory , ,
.


Active Directory, Default-First-SiteName ( ). ,
.

, .
Active Directory
Sites And Services ( Active Directory). ,
Sites (), New Site ( ). Link
Name ( ) ,
. IP
Active Directory. Subnets ()
Active Directory Sites And Services . ,
, GC-.
,
Servers () Move ().
, .
, ,
IP IP- .
, .


Active Directory, , (Site
Links). Active Directory
DEFAULTIPSITELINK. ,
,
. WAN-
, .
, .
.
- ,
.
ISTG.
ISTG. , ISTG
, Active
Directory . .
(Cost) - ,
.
, .
, , ..
.
.
(Replication schedule) ,
.
24 .
, .
(Replication interval) - ,
- .
180 .
. ,
22:00 5:00 , -
3 .
(Replication transports).
RPC IP, SMTP.


.
. , .
, , ,
4-11.
Active Directory Windows Server 2003 (transitive)
. 4-11, Site1 Site2 Site4, a Site2
Site3 Site5. - , Site1
Site3 Site5.
,
. ,
. ,
4-11, Site1 Site5:
Site2, Site4. Site2 - 300 (100
+ 200), Site4 700 (500 + 200). ,
Site2, .

. 4-11.

.
,

Site1 Site3

24:00 4:00
(
) 60

Site2-Site3).
. ,
- . , Site1-Site2 2:00 6:00,
Site2-Site3 22:00 1:00, Site1 Site3
. Site1 Site2, Site2
Site3. ,
, Site2 2:00, Site3 22:00.



(site link bridges).
, , . ,
, .. (, ,
).
, ,

, ,
.
.
. 5 ,
.
, . ,
, ; ,
, . ,
, , Site1, Site2, Site4 Site5.
, , - Site1
- Site5.
Site2 Site3 , .
Site3 Site2, .
, Bridge All Site Links (
) General () IP-Properties ( IP). IP
Inter-Site Transports ( )
Active Directory Sites And Services. , ,
,
.


Active Directory Windows Server 2003
.
RPC IP .
RPC no IP. ,
..
. RPC- (dynamic port
mapping). RPC- RPC (RPC
endpoint mapper port) (IP 135). ,
- .
.
,
, . ,
DWORD :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port.
RPC no IP . RPC-
, ,
, .
. RPC IP
Active Directory Sites And Services, , -
. RPC no IP RPC, a RPC no IP
IP.
SMTP . SMTP
,
. SMTP , ..
.
SMTP . -, SMTP
,
. SMTP
, GC. , SMTP
, SMTP (IIS)
, SMTP .
, Microsoft Certificate
Authority (MCA) ( ).
SMTP,
.

-
, -.
(ISTG - Inter-Site Topology Generator)
-
. , -,
Replication Monitor
( ). ,
, Show Bridgehead Servers ( ). -: ,
, . -
Repadmin. repadmin
/bridgeheads.
,
-. -
,
. -
Active Directory Sites And Services,
, Properties () (. .
4-12). (preferred)
- SMTP IP.

- ,
-
, .
, ,

- ,
. ,
Contoso.com,
Fabrikam.com, GC
, ,
,
. , ISTG

,
. 4-12. -

- .
-, ISTG . ISTG -, ..
, .
-
, ISTG -,
,
-. - ,
ISTG
-,

-.
. - ,
, . ,
, .

,
, Replication Monitor ( ).
Suptools.msi Support\Tools - Windows
Server 2003. Replication Monitor, replmon.
.
Edit ,
. ,
Active Directory. ,
, ;
; .
,
. - Repadmin.
Suptools.msi. ,
repadmin. Repadmin
, Replication Monitor, . Repadmin
, . .
Replication Monitor
Repadmin, Help And Support Center ( ).
Support Tasks ( ) Tools (), Windows
Support Tools ( Windows).
,
, , .
Help And Support Center.

. -Event Viewer ( ).
Directory Service ( )
, . ,
, , ,
. Performance
() , ,
. ,
NTDS Performance.
, ,
Active Directory.
. Active Directory ,
, - DNS.
DNS .

Active Directory Windows Server 2003


, .
,

. :

Active Directory
, , ,
.

II. Active
Directory Windows Server 2003
I ,
Active Directory Microsoft Windows Server 2003. II
Active Directory.
Active Directory . , ,
(OU) ,
. 5
. Active Directory,
. 6 , Active
Directory. , Active Directory Windows Server 2003,
Microsoft Windows NT 4. Active Directory Windows Server 2003
Windows NT, 7.

5. Active
Directory
Active Directory Microsoft Windows Server 2003
. Active Directory
,
. Active Directory
.
, .
, ,
Active Directory Windows Server 2003. ,
, .
, , ,
.
.
.
, (OU)
, .
. Active Directory Windows Server 2003
Active Directory Microsoft
Windows 2000. Windows Server 2003 Windows
2000, Active Directory .
, Active Directory Windows 2000,
Active Directory Microsoft Windows NT 4 .


, , -
. Active Directory ,
.
, ,
. ,
, :

.
. - Active
Directory
Active Directory ,
. -
,
(IT), ,
.

. , ,
.
, , .
,
. ,

.

Active Directory
Active Directory , .

.
.
Active Directory, , .
, .
. (GC). GC
,
.
.
.
, Active
Directory, ,
.
.
. , .
.
Microsoft Exchange Server 2000.
Exchange Server 2000. Exchange Server 2000
,
. (GAL - Global Address List)
GC. Exchange Server 2000
.
, .
,
.
Active Directory ,
, ,
. .
. .
,
. ,
, . , ,
,
, ,
, .
, .
.

. ,
. ,
, , Schema Admins
( ). ,
, - Enterprise Admins ( ).
Enterprise Admins Administrators
() .
. ,
Windows NT 4,
.
.
,
.
.
. ,
, ,
. ,
.
, ,
.


, ,
, - .
, .
-
, .
. , .
.
GC,
,
. Active Directory
. , , ,
, .
,
.
.
,
, . ,
.
.
,
-
. .
.
, ,
,
.

, .
.
.
,
, .
,

,
.
.

. ,
.
.
,
, , ,
, ,
. ,
,

.
. ,
,
, . ,
-
.
,
,
, .
,
, ,
.
.
. .
, .
, ,
.
. . GC-
, , GC.
, ,
.
.
- ,
.
.
-

,
. Active Directory
,
(, , )
( ,
..)
,
, OU.
. ,
, Enterprise Admins
( )
.
, , ,
.
, ,
.

Active Directory
. , .
OU
OU. Active Directory
.
,
.
, Active Directory. Enterprise Admins
Administrators . Domain Admins
( )
Administrators
.
,
,
. ,
.
,
,
.

.
,
.
(SID) , , Enterprise Admins,
, , .
,
Directory Services Restore ( ),
Active Directory , .
, ,
,
.
, .

,
.
,
.
.
,
.
, ,
,
.
.
,
.
Domain Admins ( ),
Administrators (), Server Operators
( ) Backup Operators (
). ,
, .

, .
, .
,
, .
.

, ,
. ,
. Schema Admins ( ), Enterprise Admins
( ) Domain Admins ( )
, ,
. ,
, .
, Schema Admins , Schema Admins
,
.
.
,
.
, , ,
,
, .

. , ..
,
.
, ,
.



. ,
. :
(,
, ).
,
. ,
,
.
,
.
,
.
, .
,
Active Directory.
,
Active Directory .
,
.


,
. ,
,
,
. .

Active Directory

.
Active Directory.
.
, Sysvol
. ( ,
GC) ,
.
.
. ,
,
.
.
. , ,
Kerberos,
.


,
.
, .
.


Active Directory Windows Server 2003
, Windows NT.
Windows NT Active Directory.
, Windows
NT, Windows Server 2003.
,
Windows NT.
.
Active Directory
Active Directory
, .
, Active Directory,
Active
Directory. Windows NT 4,

Active Directory Windows Server 2003.
Active Directory.
,
Active Directory,
. , Active
Directory, .
, ,

. , ,
.

.
Active Directory,
Active Directory, ,

. ,
- .

Active Directory:
. ,
, , ,
, .
, , Active Directory .
,
, .
,
.
, . OU
.
Active Directory,
. , ,
Active Directory
.
Windows NT ,
. Active Directory OU
,
.
,
, OU .
.
,
. ,
.
.
Sysvol
. ,
.

. ,
.


,
.
.
. ,
,
.
(
).
,
.
,
.
,
(SMTP), .
,
SMTP.
,
Kerberos .

, .

.
,
.
.
.

. ,
.
, ,
. -
, .


, Active Directory
,
( ). (dedicated root domain) -
, .
, , .
5-1.
, ,
. - Active
Directory. ( Enterprise Admins
Schema Admins) ( ).
, ,
, ,
, . , ,
, .

,
,

.

,


.
. 5-1.

.
, (generic) .
, ,
. , ,
, .
, .
,
.
, .
, . ,
, Restricted Group ( )
Domain Security Policy ( ) .
DNS ,
. -
,
DNS ,
.


,
, DNS . ,
. - Windows NT,
Windows Server 2003
.
Windows NT,
,
, .
.
,

. 5-2 ,
.
Active Directory, .
.
Active Directory ,

Active Directory. ,
,
Active Directory. . ,
Exchange Server 5.5. Exchange
Server 2000 Active Directory. ,
Exchange Server 5.5, , Exchange .
5-3 , Windows NT
4.

. 5-2.
Windows NT


, .
, .
, , ,
. ,
,
, , , ,
. , ,
, .
, ,
, .


,

, ..

. 5-3. Windows NT 4 Active Directory Windows Server 2003

.
,
.
, , ,
.

.

, GC .
DNS DNS.
(conditional forwarders) (stub zones)
Windows Server 2003 .
, ,
, , ,
(shortcut trusts) .

. -
Active Directory -,
. -
, .
, , .
, , ,
. ,
, 5-4.
Asia.Fabrikam.com Canada.NAmerica.Contoso.com Contoso.com,
.
NAmerica,
Contoso, Fabrikam , , Asia.
. ,
Canada Asia,
Asia . .

, .
,
, ,
.

. 5-4.


,
. Windows Server 2003
, Windows Server 2003.
,
. ,
,
. , ,
.
Active Directory (ADMT - Active Directory Migration Tool v.2)
. ADMT /I386/ADMT Windows Server 2003.


, Active Directory,
.
, .
. ,
. ,
,
.
.
.
. ,
Kerberos.

Group Policy ( ) .

OU.
OU- . OU-
OU
OU.
.
(
, ..),
OU.
. ,
,
.

, .

DNS
,
DNS . Active Directory
Windows Server 2003 DNS,
DNS. , ,
Active Directory .
DNS.
DNS, ,
, DNS- Windows Server 2003
DNS.

DNS
DNS
DNS. DNS Active Directory
DNS.
DNS,
DNS- Active Directory DNS Windows
Server 2003. Active Directory , DNS, ,
. DNS,
.
DNS- ,
. , , .
,
. .com,
.net .org.

.
DNS.
DNS-, (
DNS- Windows, BIND - Berkeley Internet Name Domain Lucent
VitalQIP). , DNS
,
.


DNS,
Active Directory.

DNS
,
, ,
DNS , .
,
.



DNS , .
DNS- . ,
5-5 , Contoso Contoso.com ,
.

. 5-5. DNS

. ,
, DNS
. DNS- ,
, , (
DNS - DDNS). ,
, .
, , SMTP, Web-
. ,
DNS- .
,
.
. SMTP
(UPN)
-. ,
, ( ).
,
DNS-.

.
DNS .
DNS,
DNS ,
.
. , - ,
,
, -.


.
, Contoso.com
Contoso.net ADContoso.com (. . 5-6). .
, ,
. , Contoso.com
, Contoso.net, ADContoso.com AD.Contoso.com
. AD.Contoso.com DNS, ,
.

. 5-6. , ,

,
. ,
DNS .
,
DNS .
, . ,
, ,
.


, DNS,
DNS.
DNS ( Windows NT),
, Active Directory,
. DNS
, DNS .
DNS ,
, , DNS
.
,

(. . 5-7).

. 5-7. DNS DNS


.
, ,
.
,
-,
. ;
, ,
, SMTP
.

, .

, .
,
, . , Contoso
Contoso.net Contoso.com
.
, . SMTP
alias@contoso.com, -
- Contoso.com. , UPN
alias@contoso.com,
.

5-7 , DNS . DNS-


Contoso.com (authoritative)
NAmerica.Contoso.com Europe.Contoso.com,
Fabrikam.com. DNS- Fabrikam.com
Contoso.com.
,
, , .
DNS , DNS.
.
DNS Active Directory, .
, Contoso Contoso.net ,
DNS- BIND DNS. Contoso.net
Active Directory DNS ( ,
SRV- ).
, DNS DNS-,
Windows Server 2003.
DNS-. DNS
.
. DNS
.
, DNS-
DNS-. .
,
. , DNS .
DNS DNS-
Active Directory. , Contoso Contoso.net
DNS Active Directory,
AD.Contoso.net (. . 5-8).
DNS- AD.Contoso.net
NAmerica.AD.Contoso.net Europe.AD.Contoso.net. DNS-
DNS-,
Contoso.net, DNS-.
DNS- Active Directory,
.
DNS Active Directory
. , Contoso
AD.Contoso.net Active Directory (. . 5-9). DNS- Contoso.net
AD.Contoso.net. DNS-
AD.Contoso.net , DNS Contoso.net.
DNS, - , ,
DNS
. , 5-10 , , , Contoso.net
Fabrikam.net . Active Directory,
,
NWTraders.net. DNS DNS .

. 5-8. DNS

. 5-9. DNS

DNS Active Directory.


5-10 AD.Contoso.net Active Directory
NAmerica.AD.Contoso.net Europe.AD.Contoso.net AD.Fabrikam.net
NWTraders.net,
Active Directory.

. 5-10. DNS

DNS
DNS.
DNS UNIX
DNS . DNS DNS BIND, UNIX-.
Windows NT NetBIOS
Windows (WINS), DNS,
Windows- DNS. Active
Directory Windows 2000 Windows Server 2003. 3 , Windows
Server 2003 DNS , .
Active Directory
DNS.
DNS ,
Windows Server 2003.
DNS Active Directory
DNS.
, BIND
DNS. , DNS-
Microsoft Active Directory DNS.
, , . DNS -
SRV. , , , DNS
(, IP

DNS) (incremental) .
BIND DNS, BIND 8.1.2 SRV .
BIND 8.2.1 .
BIND, DNS- BIND. (
DNS- Lucent VitalQIP, 5.2 BIND
8.2.2.)
. DNS
, DNS- Windows Server 2003
DNS- Microsoft,
.
DNS- BIND, DNS- ,
DNS Microsoft.
, DNS
Microsoft.
:
, DNS-. DNS-
SRV, Active Directory Windows Server 2003
DNS. , DNS
. ,
Active Directory.
: DNS- , Active
Directory?.
, ,
.
, : DNS
?.
Windows Server 2003
,
Active Directory. DNS-
DNS.
Active Directory .
DNS- BIND,
- .
DNS DNS- Microsoft
DNS- BIND .
, DNS- ,
, .
DNS Windows Server 2003 BIND
DNS. DNS- BIND
. , Contoso BIND
Contoso.com. Active Directory
DNS- Windows Server 2003, .
Contoso Contoso.com DNS- Active Directory,
DNS- Windows Server 2003 DNS BIND
. DNS- Windows Server 2003
DNS- BIND.
. DNS- BIND DNS- Windows
Server 2003 . DNS-
, .
Active Directory, DNS-
BIND . Active
Directory .
Contoso Active Directory, ,
, DNS- BIND. , Contoso.net
DNS- Active Directory. DNS- Windows Server
2003 Contoso.net, BIND -

Contoso.com. DNS- Windows Server 2003


DNS- BIND Contoso.com.
Active Directory AD.Contoso.com
. DNS- BIND Contoso.com
, AD.Contoso.com DNS Windows Server
2003. DNS Windows Server 2003
, DNS- BIND.
. , DNS,
DNS. DNS-,
, : BIND Windows
Server 2003. DNS Windows Server 2003
DNS, DNS BIND Active Directory.

,
OU . 2 , OU
.

.

Active Directory
Windows NT , ..
.
,
. OU Active Directory . OU,

.
OU,
. ,
. OU,
(Group Policy),
. ,
. ,
, OU,
, OU
. .
OU DNS. OU
DNS. ,
OU=ManagersOU,OU=AdministrationOU,DC=Contoso,DC=Com.
Contoso.com DNS--, LDAP-
DNS OU.
.
Group Policy ( ),
OU, OU.
.
OU .
Active Directory,
GC-. OU,
Active Directory.
Active Directory, ,
OU . OU

Move ()
.

OU
OU .
.
. OU

. ,
.
, .
, .
OU
. OU.
, OU, , .

, OU .

(IT).

, -- .
OU, 1, .
OU,
OU
. , Windows NT
Active Directory, , ,
.
, , ,
.
. ,
,
.
OU Active Directory
.
OU. OU ,
.
OU,
OU . OU ,
, ,
. ,
OU, , ,
. 9
. OU.

, . ,
OU
. OU .

OU,
OU .
.

, .
, ,
. Active Directory
OU,
OU. OU ,
. ,
, ,
.
(mapped drives). ,
. ,
. , OU
, .
OU ,
, .
OU. ,
OU,
. ,
, OU
OU. OU ,
. 11,
12, 13 , .

OU
OU .
- OU, . OU
- :
.
OU, , ,
. ,
. OU, , ,
,
. (
) , OU
.
OU, , ,
. ,
,
OU, .
OU .
OU .
,
.
, , , OU
.
,
. - OU
, , OU
, . OU
, ,
OU, .
5-11 OU . OU Domain
Controllers OU (OU ) ( OU) OU
. OU OU
(Service Account), .
OU ,
, . OU OU
, .

OU OU ,
. , ,
.

. 5-11. OU

OU
. OU -
, . OU
OU,
. OU
, . OU
OU.
OU - .
OU OU, ,
.
OU -
OU Windows NT, Windows 2000, Microsoft Windows XP
Professional OU .
OU - , OU.
, , .
OU .
(), ,
OU , ,
, , OU.
. , ,
OU. ,
. OU,
, , - . OU,
.

OU, OU OU.
OU , ,
OU. , OU,
.


Active Directory
. Active
Directory, ,
.

Active Directory
Active Directory
. .
,
, .
,
.
, , ,
.
, Active Directory,
(DFS - Distributed File System),
, .


,
.
:
(WAN) (LAN),
,
;
,
.
, ,
. , ,
.

512 /.
10 /;
, ,
IP.


, .
,
. ?
, ?
?
, - GC-.
,
, ,
. ,
. :

?
.
,
, .
Windows Server 2003 ,
?
. Active Directory ,
, , .
, OU
. ,
WAN-,
. ,
Active Directory, .
Active Directory .
Active Directory IP, ,
.
- , , ,
IP . ,
, .
.
. ,
. - (bridgehead servers)
, Active Directory,
, - .
,
.
, Active Directory .
,
.
5-1.
. 5-1.


10 /

10 / 1,544 /
1,544 / 512 /
512 / 128 /
128 / 56 /
56 /

10
100
200
400
800
2000

, 5-1,
. , ,
, . ,
, ,
.
Active Directory (site link
bridging) . ,
, ..
, ,
. . ,
. ,
(hub sites)
,
(. . 5-12). ,
. ,


, , ,
.
5-12 -
.

, -
- - ,
. ,
. ,
, .
,
Active Directory Sites And Services ( Active Directory)
IP- Inter-Site Transports ( ).
General () IP-Properties ( IP) Bridge All Site Links
( ). ,
. ,
,
, .
.

Bridge All Site Links,


, ..


.



,

.
!

. 5-12.

, Windows Server
2003, . ,
, .

DNS-
, DNS - Active Directory Windows Server
2003. DNS Active Directory,

. DNS
,
.
DNS Windows Server 2003 .
DNS- , . ,

- , .
DNS- , ,
.
DNS- , ,
, . DNS-
Active Directory.
,
.
.
,
.
Active
Directory . ,
()
. 100
.
, ISTG ( )
, , ,
. ,
6 ,
, -
.
.
, ,
,
.
Windows Server 2003 ,
Active Directory , Windows 2000.
,
ISTG, ,
. Active
Directory
.
, Active Directory
.
, Active Directory Branch Office
Planning Guide ( Active Directory ),
Microsoft http://www.microsoft.com/windows2000/techinf/planning/activedirectory/branchoffic/default.asp.

Windows 2000, Windows Server


2003.

, ,
. , , .
-, . -,
WAN-
.
. ,
, .
,

. , , ,
, ,
.
, , .
,
. -,
, . -,
IP .
,
. ,
, , ,
, . -

,
.
, .
. -

. ,
,
.
, .


GC- , (native)
Windows 2000,
Active Directory. Windows
2000, GC- .
, GC- .
, GC--
. , - GC-
GC- . Active Directory
Windows Server 2003 ,
GC- .
,
. ,
GC-.

. 8
GC .
, Active Directory Sites And Services (
Active Directory) ,
. NTDS Site Settings (NTDS
) Properties () (. . 5-13). Site Settings (
) Enable Universal Group Membership Caching (
) Refresh Cache
From ( ) , GC-.

. 5-13.

. Exchange Server 2000 GC-. Exchange


Server 2000 , GC.
GAL, , GC. Exchange
Server 2000 , ,
GC. Exchange Server 2000, GC
, Exchange Server 2000, GC .



(PDC). ,
Windows 2000 Windows
Server 2003, (BDC) Windows NT4
PDC . ,
Directory Services Client
( ), PDC,
. PDC
. , . PDC
,
.
. ,
, .
,
(RID) ,
.
. , , ,
.
,
.
,
.
RID
(RPC).
RID, RPC ,
RID.
GC-,

.
. , ,
,
. GC-,
, GC
.
, , .
, ,
.

Active Directory - . ,
Active Directory ,
. ,
, , DNS , , OU. ,
,
Active Directory.

6. Active Directory
Active Directory , Microsoft
Windows Server 2003, .
Active Directory. Active Directory Windows
Server 2003, .
, ,
.
,
. ,
Microsoft Windows NT4,
Active Directory ,
Windows Server 2003.
, Active Directory
Installation Wizard ( Active Directory),
Active Directory:
. Active Directory
.

Active
Directory
, Windows Server 2003 ,
, Active Directory .
,
Active Directory.
: Active Directory,

LDAP.
2 ,
Ntds.dit. Windows Server 2003 Ntds.dit
%systemroot%\system32 . Active Directory- Ntds.dit
, ,
%systemroot%\NTDS, . Ntds.dit,
Windows Server 2003, Active Directory
.
. Active Directory
, (DNS)
. ,
- Windows Server 2003 .
, , Active Directory Windows
Server 2003.


, Active Directory,
,
(GC). Active Directory ,
Windows Server 2003,
:
15 - ;
250 - Active Directory Ntds.dit;
50 -
(ESENT). ESENT

,
(rollback),
.
Sysvol
NTFS v.5 (
NTFS, Microsoft Windows 2000 Windows Server 2003).
.
Active Directory
. Active
Directory, Planning Domain Controller Capacity (

www.microsoft.com/technet/prodtechnol/windowsserver2003/evaluate/cpp/reskit/adsec/part1/rkpdscap.asp.


Windows Server 2003 Active Directory ,
.
, UNC IP-
Windows Explorer Ping (,
ping 192.168.1.1).
, .
Network Monitor ( )
,
, .
. Network Monitor Windows Server
2003. Windows Components Wizard (
Windows) Add/Remove Programs (/ ) Control
Panel ( ).

"Network Monitor" ( ) Windows Server 2003 Help and Support Center
( Windows Server 2003).
Active Directory
Local Area Connection Properties ( ).
, Local
Area Connection ( ) Network Connections ( )
Control Panel Properties (). Local Area Connection Properties
Internet Protocol (TCP/IP) ( ), Properties.
Internet Protocol (TCP/IP) Properties ( ), .
General () IP- .
, , DNS,
General DNS, IP-
DNS, (authoritative) .
DNS
Active Directory.
Advanced TCP/IP Settings ( TCP/IP)
Advanced () General, WINS
, IP- Windows
(WINS), .

DNS
, Active Directory DNS
. DNS ,
- , ,
. , DNS
(SRV) .
DNS , Active Directory

DNS Active Directory.


DNS , ,
Active Directory. Dcdiag (
, \Support\Tools\ Support.msi
- Windows Server 2003). :
dcdiag /test:dcpromo /dnsdomain:domainname /newforest

, DNS-
domainname .
dcdiag
dcdiag /? .
DNS , DNS
Active Directory. , ,
DNS, DNS,
(. . 5
DNS).
DNS Active Directory,
DNS ,
Active Directory. Internet Protocol (TCP/IP) Properties ( ) Preferred DNS Server ( DNS) IP (. . 6-1).

. 6-1. DNS


Active Directory,
.
. Active Directory
. ,
,
.
,
, .
,
. ,
Enterprise Admins (
). ,
,
NTDS Setting ( NTDS) .
Domain Admins ( ) .

Active Directory
Active Directory,
.
,
. Active Directory , DNS
,
DNS, DNS- .
Active Directory:
Configure Your Server Wizard ( );
Active Directory Installation Wizard ( Active Directory);
.


Manage Your Server ( ) ,
Windows Server 2003.
, ,
(. . 6-2).

. 6-2. Manage Your Server ( )

Manage Your Server .


, Typical Settings for a First Server (
) .
,
DNS DHCP. Active Directory
, Active Directory Installation
Wizard ( Active Directory). Active Directory
, Configure Your Server Wizard (
) .

Active Directory
Active Directory Installation Wizard ( Active Directory) ,
dcpromo.exe Run . Dcpromo.exe
:
/answer[:answerfile]
Active Directory. ,

, ; /adv
Active Directory ,
.
/adv,
.
Active Directory.


Active Directory ,
, dcpromo.exe /answer:answerfile, answerfile ,
.
,
Active Directory. , ,
, ,
.
.

Active Directory, (Configure Your


Server Wizard), Manage Your Server (
) Configure Your Server Wizard Administrative Tools (
).
Active Directory, Configure Your Server Wizard,
.
1.
Manage Your Server Add Or Remove A Role (
) Configure Your Server Wizard Administrative Tools.
.

2. Preliminary Steps ( ) Next ().


, Local Area Connections
( ).
3. Active Directory, DNS
(DHCP), Configuration Options ( )
Typical Configuration For A First Server ( ).
Active Directory, Custom Configuration (
), Next (. . 6-3).
, Custom configuration.

. 6-3. Configuration Options ( )

4. Server Role ( ) Domain Controller ( ),


Next (. . 6-4).
. 6-4. Server Role ( )

5
.
6
.

Summary Of Selections ( )
Next.
Applying Selections ( ).
Welcome ()
Active Directory (. . 6-5). ,
Active Directory
Run ().
Active Directory . Active
Directory, Finish (). Active
Directory , ,
.

. 6-5. Welcome () Active Directory

Active
Directory
Active Directory .
.
, ,
Active Directory.
Active Directory, dcpromo
Run () . Active
Directory.


, Windows Server 2003, , ,
Windows,
Active Directory ,
. ,
Windows Server 2003,
: (Server Message Block SMB),
.
.
Windows
SMB, :
Microsoft Windows for Workgroups;
Microsoft Windows 95 Windows 98;
Microsoft Windows NT 4 (Service Pack 3 ).
, ,
, Windows Server 2003 (. . 6-1).
. 6-1. Active Directory

Windows for Workgroups .


Windows 95/Windows 98

() Directory
Services Client ( ).
Windows NT 4

() Service Pack 4 (
).
Directory Services Client ( ) ,
(Microsoft Windows 95,
Windows 98 Windows NT 4) Active Directory. (
(DFS) ).

Active
Directory

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp
Directory Services Client
Windows NT 4 SP6a. , Directory Services
Client Active Directory Client Extension,
- Microsoft.
6-6 Operating System Compatibility (
).


, , -
.
(. . 6-7).
.
, ,
, ,
, .
, Active Directory .

. 6-6. Operating System Compatibility ( )


. 6-7. Domain Controller Type ( )

, ,
,
(. . 6-8).
Active Directory (. . 5), .

,
.
.

. 6-8. Create New Domain ( )


DNS
NetBIOS (. . 6-9). .
DNS ,
, DNS.
, NAmerica Contoso.com,
DNS, , NAmerica.Contoso.com.
Z, 0 9
(-). DNS (, [.])
63- .

. 6-9. New Domain Name ( )

DNS , NetBIOS (. . 6-10).


NetBIOS Windows
. NetBIOS,
DNS. NetBIOS ,
. , NetBIOS .

. 6-10. NetBIOS Domain Name ( NetBIOS )


Active Directory
Active Directory (Ntds.dit), Active Directory
Sysvol. (. . 6-11).

. 6-11. Database And Log Folders ( )

%systemroot%\system32. Active
Directory , .
Sysvol - %systemdrive%\Windows.
Sysvol ,
NTFS v5. Sysvol ,
Active Directory, , (. . 6-12).

DNS-
Active Directory , DNS, -
. DNS
SRV. Microsoft .
DNS Microsoft,
DNS-, Windows NT 4 (SP4), Windows 2000 Server Windows Server 2003.

. 6-12. Shared System Volume ( )

, Active Directory, DNS-,


Active Directory , DNS-
, DNS
Active Directory. (
, , DNS ,
.) DNS , ,
DNS Registration Diagnostics ( DNS) Active
Directory .
DNS DNS.
Active Directory
DNS . 6-13 DNS,
Active Directory
. , ,
DNS- ,
, DNS .
,
DNS , DNS DNS
Active Directory. DNS Active Directory,
, .
DNS-cep- ( TCP/IP)
DNS-. ( IP-
Active Directory.)

, 6-13. DNS Registration Diagnostics ( DNS)


Active Directory

. DNS
Active Directory, DNS Active Directory.
Active Directory . .
3.



, Windows Server 2003 Windows 2000,
, , Windows NT 4.

.
, Windows 2000 (Microsoft SQL-
Remote Access Service, RAS), Active Directory ,
.
Everyone () Anonymous Logon
( ) Pre-Windows 2000 Compatible Access (,
, Windows 2000).
Active Directory
. Permissions ()
(. . 6-14):
Permissions Compatible With Pre-Windows 2000 Server Operating Systems (,
, Windows 2000);
Permissions Compatible Only With Windows 2000 Or Windows Server 2003 Operating Systems
(, Windows 2000
Windows Server 2003).
?
Windows
NT, ,
Windows NT
,

:
Permissions Compatible With Pre-Windows
2000 Server Operating Systems.
Windows
2000 Windows Server 2003,

,
,
Windows
2000,
,

Permissions Compatible Only With Windows


2000 Or Windows Server 2003 Operating
. 6-14. Permissions ()

Systems. ,
Active Directory, .
Windows 2000 Windows Server
2003, Windows Server 2003
. Pre-Windows
2000 Compatible Access (, , Windows 2000).
Windows Server 2003 SID Everyone ()

Anonymous Logon ( ).
Active Directory
Users And Computers ( Active Directory), Builtin
( ), Pre-Windows 2000 Compatible Access
( Name () ). Members ()
SID Remove ().
:
net localgroup "Pre-Windows 2000 Compatible Access" Everyone "Anonymous Logon" /delete

, ,
.
Finish Replication Later
( ). ,
.

. 6-15. Directory Services Restore Mode Administrator Password ( )

,
, Active Directory Windows Server 2003

, .
. Active Directory
Active Directory Users And Computers ,
, Administrator
Domain Admins, Enterprise Admins.
Authenticated Users ( ) Interactive
(). ,
. ,
.
Active Directory Users And Computers.
, View (), Advanced Features ( ).
. Foreign
Security Principals ( ). S-1-5-11 S-1-5-4,
Authenticated Users SID Interactive SID, .
,
.


Active Directory ,
/answer [:filename] Dcpromo. .
, .
Active Directory Windows Server 2003
. E:\I386\winnt32 /unattend[:unattend.txt],
unattend.txt - , Windows Server 2003.
(, CD-ROM , .)
Unattend.txt [Deinstall], Active Directory.
Active Directory
Windows Server 2003, , [Deinstall].
Run dcpromo /answer:answerfile (
answerfile - ). ASCII-,
, Active
Directory. , DNS
, :
[Deinstall]
UserName=admin_username
Password=admin_password
UserDomain=admin_domain
DatabasePath=
LogPath=
SYSVOLPath=
SafeModeAdminPassword=password
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=DNSdomainname
DNSOnNetwork
DomainNetbiosName=NetBIOSdomainname
AutoConfigDNS=yes
AllowAnonymousAccess=yes
CriticalReplicationOnly=yes
SiteName=
RebootOnSuccess=yes

, ,
, . , ,
, ( ,
).


http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b223757.
ReplicationSourcePath ,
, .
, ,
. ( ,
Active Directory.)
Active Directory
.
. Active
Directory, Deploy.cab Support\Tools Windows Server 2003, Explore () .
Ref.chm, Extract (),
Ref.chm . Deploy.cab Setupmgr.exe,
Setup Manager ( ), GUI,
Unattend.txt, Windows Server 2003 ( [Deinstall]).
Microsoft Windows Corporate Deployment Tools User's Guide (
Microsoft Windows),
,
[Unattended] [Deinstall] Unattend.txt.

Active Directory

Windows Server 2003 ,
Active Directory, '

. ,
.

. , ,
.

.
.
, ,
,
. ,
Active Directory. ,
- , 60 .
Windows Server 2003
, ;
Windows 2000 . ,
,
, ( UNC (mapped
drives) /adv).
Active Directory . . 15.
,
.
1. System State ( )
.
, ( ) ,
Windows Server 2003 .
2. Active Directory
Run, /adv dcpromo /adv.
3. Domain Controller Type ( ) Additional Domain
Controller For An Existing Domain (
).
4. Copying Domain Files ( )
.
5. Copy Domain Information ( )
.
6. Active Directory ,
.

.
Sysvol, ,
. , ,
, ,
.
.
, ,
Active Directory, Active Directory Branch Office Guide
(

Active
Directory

http://www.microsoft.com/windows2000/techinf/planning/activedirectory/branchoffice/default.asp.

,
Active Directory

.
.

Active Directory
Active Directory ,
-Dcpromo.exe.
, , Active Directory
, , Active Directory
. , ,
Active Directory, .
Active Directory.
, Active Directory?
, , Active Directory, ,
SAM,
. ,
.
Active Directory , dcpromo
Run. ,
.
6-16 .
Active Directory

,
.
- ,

. ,
,

,
.
,
Active Directory,
DNS, ,
, ,
. 6-16.

. 6-17 DNS
, Active Directory.
,
. Summary
(),
Active Directory . .
-
.

. 6-17. DNS


Active Directory - ,
Active Directory .
,
, .
Active Directory.
.
Sysvol .
NTDS Settings ( NTDS) .
DNS SRV .
SAM .
, Active Directory (, Net
Logon - ), .
- ,
Domain Controllers (
) Computers (). Active Directory
, Domain
Admins Enterprise Admins.
. Active Directory
, GC. GC
, ,
.


. . ,
, . ,
, .
Active Directory ,
. Active Directory , .
, , ,
, .
, , .
.
Active Directory ,
.
Workgroup ( ).
,

,
Enterprise Admins ( )
Active Directory.
Active Directory ,
Administrator (), Domain Admins
( ).

Active Directory
Active Directory ,
. .
.
Active Directory,
Run, dcpromo /answer:answerfile ( answerfile
, ). ,
. IsLastDCInDomain . Yes ()
No (). Yes, ,
Active Directory
. ,
, :
[Deinstall]
RebootOnSuccess=Yes
IsLastDCInDomain=No
AdministratorPassword=password
Password=password
UserName=Administrator

, Active
Directory Windows Server 2003. Active Directory
, Active Directory.
Active Directory ,

. Active Directory

. ,
, .

7. Active Directory
6 ,
Active Directory .
, , ..
. Active
Directory DNS.
. , , Active Directory Microsoft Windows Server
2003, . Active Directory
Windows Server 2003 Microsoft, ,
(SAM) Microsoft Windows NT 4 Active Directory
Microsoft Windows 2000. ,
Microsoft, Novell Directory Services (NDS) NetWare 3 Bindery,
UNIX, .
. - Microsoft ,
Windows Server .
UNIX Linux - Windows Migrating to
Windows from UNIX and Linux ( Windows UNIX Linux) http://www.microsoft.com/windows2000/migrate/unix/default.asp.

Novell Netware NetWare to Windows 2000


Server Migration Planning Guide ( NetWare Windows
2000
Server)

http://www.microsoft.com/windows2000/techinfo/planning/incremental/netmigrate.asp. Windows Server 2000,
Windows, Windows
http://www.microsoft.com/windows2000/migrate/.
Active Directory Windows
Server 2003. ,
.
. Windows NT 4.
, ,
. Active Directory Windows Server 2003 Active
Directory Windows 2000, .
Windows 2000 . ,
, , , Windows
NT 4 Windows Server 2003.
, , Windows 2000 Server
Windows 2000 Server, Windows 2000 Advanced Server Windows 2000 Datacenter Server.


,
, -
Active Directory Windows Server 2003. ,
, - , .
, .
. ,
.
,
. :
;
;
.
Windows Server 2003
. Windows NT 4

SAM Active Directory Windows Server 2003. ,


Windows NT 4 Windows 2000 Windows Server 2003 .
.
, .
.
( ) Active Directory Windows
Server 2003 ( ). .
.
, ,
, . ,
,
.
.
-
, . ,
Windows NT 4,
Windows Server 2003.
, .
.


, (in-place),
. .
Active Directory
Windows Server 2003.
, . NAmerica Contoso.com, Windows NT 4,
NAmerica Windows Server 2003.
.
. (source domain)
, , .. . ,
, (target domain) - .
Active
Directory, .

Windows NT 4
Windows NT 4
Active Directory Windows Server 2003. , Windows NT 4 Server
(NOS) .
Microsoft Windows NT 4 Server

. Windows Server 2003 ,
Windows 2000, Active Directory Windows Server 2003.

Windows Server 2000


Windows Server 2000,
Windows Server 2003.
, Windows 2000,
Windows NT Server 4. , Active Directory
Windows Server 2003 Windows 2000,
, Active Directory Windows Server 2003.
.
, Active Directory Windows Server 2003, . . 1.
Windows NT 4 Active Directory
. ,
Active Directory Windows Server 2003. Windows 2000 Server

? , ,
Windows NT 4 Server , -
. Windows 2000 Server, ,
NOS, a , .
Windows 2000 Server Windows Server 2003 :
Active Directory Windows Server 2003. \I386 - Windows Server 2003
: ForestPrep DomainPrep.
. .
Windows NT 4 Windows 2000 Windows Server 2003 Active
Directory . Active Directory
Domain Rename ( ).
, Windows Server 2003,

. :
-
;

;

.

,
, .
Windows Server 2003 Domain Rename
( ). Rendom.exe Gpfixup.exe Windows Server 2003 \VALUEADD\MSFT\MGMT\DOMREN.
Domain Rename - Microsoft http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx.
Domain
Rename Windows Server 2003 Windows 2000.
Domain Rename
Understanding How Domain Rename Works (

http://www.microsoft.com/windowsserver2003/docs/Domain-Rename-Intro.doc.
Domain Rename Step-by-Step Guide to
Implementing Domain Rename (
Domain
Rename)
http://www.microsoft.com/windowsserver2003/docs/Domain-Rename-Procedure.doc.


Windows Server
2003, .
, Windows NT 4 ,
(pristine forest). , ,
, : , . , ,
. ( , ..
Windows NT 4 Windows Server 2003 Active Directory.)
- , ,
, .
,
.


, , ,
(security principals), SAM Windows NT 4 Server

Active Directory. :
, .
. - ,
, , .
,
, .
Windows Server 2003 .
, , Windows
Server 2003 Windows 2000 Windows Server 2003.
, ,
. .
SID-History

,
?
.
Windows NT 4 Windows Server
2003. ,
. , X
,
, Windows NT 4 Server,
. X
?
, SID-History.
SID-History Active Directory,
(SID) .
X Windows NT 4 SID, S-1-5-21-2127521184-1604012920-1887927527-324294,
SID-History Windows Server 2003.
Windows NT 4 Active Directory SID
Windows NT 4 SID-History .

, Windows Server 2003.
, , Windows NT 4,
. SID,
, SID .
? X
, Windows NT 4,
,
.
SID X SID , ,
SID-History .
(DACL discretionary access control list) SID
( SID-History),
.
? .
, ? .

. , ,
,
. , ,
, SID-History .
Active Directory Migration Tool (
Active Directory, ADMT).
SID-History ? :
. SID

. X . SID-History ? :
, , ..
SID SID-History. , Active Directory ,
SID , : SID
SID-History.
, .


. Windows NT 4 Windows Server 2003
Active Directory.
Windows Server 2003.
(, , )
( ,
, ).
Windows NT 4 Windows Server 2003
.
- , , .
,
- .
, :
NOS, , - ,
.


, ,

. ,
Windows NT 4 ,
Windows NT 4 Windows Server 2003.
Windows NT 4 ,
, ,
(OU).
. ,
.



.
1. ?
Windows NT 4 ?
2. ?
3. ?
4. ?
5. ?
6. ?
7. , Windows
Server 2003, ?
, ,
, -

. ,
, ,
(. . 7-1).
. 7-1.

,
,


.

,
Windows Server 2003,
. ,
. - ,
Windows Server 2003.


,
.
Windows NT 4 Server, .
.
. ,
(PDC), (BDC),
, PDC, .


,
, .
, , ,
, . ,

, .
, , ,
. , -
, , .


, ,
, .
Windows Server
2003. .
,
NOS. Windows
NT 4 (
). , ,

, ,
.

, ,
. ,

, .


, ,
. ,
; , NOS
,
( , - ..).
Windows Server 2003,
.
,
. ,
, (
),
(
).

, Windows Server
2003
- , ,
, ,
Windows NT Server 4 .
, ,
. ,
Windows Server 2003 ,
. ,
Windows Server 2003, :
,
; - ( );
,
Windows NT Server 4, . ,
, Windows NT 4,
- , Windows Server 2003.
. BDC Windows NT 4 Windows Server 2003 ,

Windows 2000 mixed () , Windows Server 2000,
Windows Server 2003 interim ().


,
.


Windows NT 4
: - , ,
.,
,
. Active Directory,

. ,
Active Directory ,
, ,
.


,
. , ,
. , ,
.
, , .
? , ,
.

,
.
, , .


, ,
, ,
,
. ,
, , , ,
.

,
.


, ,
. , ,
,
. ,
- , .
,
- , ,
,
.
, ,
. ,
.


,
. , ,
,
. Windows NT 4,
, , .

, Windows NT 4 Server
,
Windows NT 4 Server, , ,
, .
,

,
- , ,
Windows Server 2003.


, ,
,
, , ,
. ,
Active Directory (
, , ),
(
,
).
, , :
Windows Server
2003? ( ,
,
, , .) - , ,
.
.
.
,
. , ? - SAM (
80 , ,
, 40 - ).
Windows NT 4,
.
- .
,
(, ..) ,
.
.
, .
,

Active Directory. Active Directory Windows Server 2003
,
, .
OU ,
Windows NT 4,
Domain Admins
( ). Windows NT 4
Active Directory .
, .
,
Windows NT 4 Windows Server 2003.

Active Directory
Windows NT 4 Windows Server 2003 Active Directory
.
1. .
2. .
3. .

, ,
.
.
.
Windows NT 4 Windows Server 2003 Upgrading
Windows NT 4.0 Domains to Windows Server 2003 ( Windows NT 4.0
Windows
Server
2003)

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/evaluate/cpp/reskit/ad.
Domain Migration Cookbook ( )
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.
Windows Server 2000,
Windows NT 4
. Windows
Server 2003.

Windows Server 2003 Active Directory,


,
.
, .
,
.


Active Directory
. , ,
, ,
. , ,
.
,
.
, ,
Active Directory.
, .
Windows NT 4.
. ,
.
,
, :
o ( );
o (
); o ,
,
; o
,
; o
,
.
Windows NT 4. ,
, , .
, .
:
o DNS;
o (DHCP), a
(scope); o
Windows (WINS);

o (RAS) (. );
o .

. RAS- Windows NT 4 NULL-


,
(call-back) . Active
Directory NULL-.

,
. RAS-
, RAS- Windows NT 4.
,
Active Directory, Permissions Compatible
With Pre-Windows 2000 Server Operating Systems (,
, Windows 2000 Server)
Active Directory.
Windows NT 4 Server
. ,

. , ,
, ,
Windows Server 2003.
,
. - ,
:
o ;
o ; o
;
o NOS, . ( ,
NOS,
.); o , . (
,
.); o ,
, Windows NT 4. (
, Windows Server 2003
.) - .
, .
, , , .. ,
.


- .
,
. ,
.
, :
PDC BDC, , ,
,
, .
, , ,
, .
, ,
, .
.
.
,
.

.
,
.
1. Windows NT 4 Server
Contoso.
2. Contoso.
3. BDC DC7 .
, .
DC7,
.
4. DC7 .
.
5. Server Manager ( )
, PDC DC1
NOS.
6. NOS DC1,
. ( Active Directory
.)
7.
DC1
.
,
, ( ,
DNS, WINS, RAS).
Active Directory Users And Computers (
Active Directory). ,
.

Upgrade1, = P@ssw0rd.
.
, .
\\ ITStaff\Policies\
PersonalSoftware.doc. .
? ? -
?
. ,
, . ,
.
. , ,
Upgrade1.
,

.

,
, ,
. ,
(LAN), -
, - . ,
, ,
, , , ..


, , ,
, , ,

.
, ,
, ,
.
, .

Active Directory.

,
.
1. BDC Windows NT 4 .

.
2. BDC PDC. ,
SAM .
3. PDC.
, , .
4. BDC
. SAM,

.
5. BDC
. SAM.
, Windows 2000
(interim) Windows Server 2003 (
Windows 2000 Server).
, Windows Server 2003
BDC .
PDC ,
.
1. . PDC
Windows NT 4 .
2. BDC PDC .
SAM
BDC Windows NT 4.
, , Windows NT 4,
. ,
,
.

Windows NT 4 Active Directory Windows Server
2003, .
- - , Windows NT 4
. ,
,
Windows NT 4.

, .
1. BDC Windows NT 4,
. ,
.
2. BDC PDC.
SAM.
3. PDC.
, , .
, ,
Windows NT 4, ,

. SAM Windows NT 4
,
. ,
User Manager ( ), .


.
, .
,
.

, Active Directory.
.
, .
, Windows NT 4
. ,
, , .
. ,
. ,
.


,
.

.
.
.
.
.

.
.
. .
. ,
, .
.
, .
,
, Active Directory Windows Server 2003.


- Windows Server 2003. (
- NOS.) ,
Windows NT 4 Server Windows 2000 Server, NOS
Active Directory .
Active Directory Windows Server 2003.
.
Active Directory . . 5.
Active Directory . . 6.
Windows .
Windows NT 4 Server,
Windows 2000 Server.

. , Windows NT 4,
Windows Server 2003. Windows NT 4
Service Pack 5 ( )
.

Windows NT 4 Server
Windows NT 4 Server Active Directory Windows Server 2003
,
. ,
Windows NT 4 Server Active Directory.
.
Active Directory Windows Server 2003.
Windows NT 4 Server Windows Server 2003,
NOS.
(
) Installing and Upgrading the Operating System (
) - Microsoft http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/ins.
Microsoft Windows Server 2003
Deployment Kit ( Windows Server 2003) http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx.


PDC
Windows NT 4, .
SAM. ,
Active Directory. ,
, Active Directory,
Windows Server 2003.
,
Active Directory 10 . SAM
Windows NT 4 User Manager For Domains (
) Net User ( )
:
o ;
o ;
o , ;
o ,
;
o Service Pack 5 Windows NT 4 .
Windows NT 4
-
Microsoft

http://www.microsoft.com/ntserver/nts/downloads/default.asp.

PDC
, Windows NT 4 -
PDC. BDC , PDC, ,
, Windows NT 4, PDC.
Windows Server 2003 PDC
Windows NT 4, PDC,
.
. PDC
, BDC Windows NT 4,
PDC, a Windows
Server 2003. ,
, Windows

Server 2003, ,
.
,
BDC.
Windows 2000 (interim)
Windows Server 2003, Windows Server 2003
Windows NT 4.
BDC, .
Windows Server 2003,
.
.
PDC, .
- Windows Server 2003 CD-ROM. CD-ROM
Autorun ( ), Setup
(). Setup.exe -
.
Setup Install Windows Server 2003 (
Windows Server 2003). Setup
, Upgrading To Windows Server 2003 (
Windows Server 2003). , Setup.
Windows Server 2003 ,
, Active Directory.
Active Directory Active
Directory. , ,
Active Directory .

Active Directory
Active Directory
.
, -.
.
, ,
Active Directory. Active Directory Users And Computers
( Active Directory)
. , ,
Windows NT 4 ,
.
Active Directory Domains
And Trusts ( Active Directory).
Event Viewer ( )
- , Active Directory.
, Windows
Server 2003. Active
Directory Users And Computers
.
, . ,
,
.
.
BDC .
User Manager For Domains BDC Windows NT 4 Server
, .
Windows Server 2003 , BDC

Windows NT 4 . Active
Directory Support Tools ( ) -
Windows Server 2003.
Windows Server 2003, Suptools.msi \SUPPORT\TOOLS,
- Windows Server 2003.
.
Active Directory,
Domain Controller Diagnostic ( ) (
dcdiag). passed
(). . Dcdiag Support Tool
Windows Server 2003
, .
,
. Dcdiag
dcdiag /? . Active Directory ,
repadmin /showreps ,
Active Directory.

.
BDC, nltest /bdc_query:domainname, domainname -
. status = success ( =
) BDC . PDC
BDC.

BDC

, BDC- Windows NT 4
. PDC Active Directory
Windows Server 2003.
Windows Server 2003
, Windows Server
2003 BDC.
Windows Server 2003, ,
BDC (, , ) .
Windows Server 2003 ,
.
BDC? , , ,
BDC,
.
, BDC, ,
PDC. NOS,
Active Directory Active Directory
. Active Directory .
- Windows Server 2003,
SAM . Active Directory
, ,
BDC ,
- .


,
Windows 2000 Professional / Windows XP Professional
, Windows NT 4, PDC Windows Server 2003.
,
Windows Server 2003. , Windows 2000
Professional Windows XP Professional, Active Directory,

, ,
, Windows
2000 Server Windows Server 2003.
, ,
,
( PDC).
,
Windows Server 2003.
BDC Windows NT 4 Server Windows
Server 2003, PDC ,
Windows Server 2003
Windows NT 4 , Windows 2000 Professional Windows
Professional. Windows NT 4,
PDC Windows NT 4.
1. Windows NT 4 Windows Server 2003,
Active Directory (
regedit Run).
2.

NT4Emulator

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.


3. Edit (), New (), DWORD Value ( DWORD).
New Value #1 NT4Emulator Enter.
4. Edit Modify(). Edit DWORD Value
( DWORD) 1 Value Data (),
.
5. .
6. Active Directory, dcpromo Run.
Windows
Server 2003 Windows NT 4,
Windows Server 2003,
.
, .
Windows NT 4 Windows
Server 2003, NT4Emulator 0x0,
.
. NT 4
,
NT4Emulator. Windows Server
2003 Windows 2000, ,
Windows 2000 Professional Windows XP Professional,
Active Directory.
Windows Server
2003 .
NT4Emulator, .
( regedit
Run).

NeutralizeNT4Emulator

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Edit (), New (),
DWORD Value (
DWORD). New Value #1 NeutralizeNT4Emulator
Enter. Edit () Modify ().
Edit
DWORD Value ( DWORD) 1 Value
Data (), . BDC Windows NT 4
Windows Server 2003,
.
mixed Windows 2000 (

) Windows Server 2003.


Windows Server 2003,
,
.
.
,
.
1. Active Directory Domains And Trusts (
Active Directory).
2. ,
, Raise Domain Functional Level (
).
3. Select An Available Domain Functional Level (
) :
Windows 2000 native
(), Windows 2000 Native, Raise
();
Windows Server 2003,
Windows Server 2003, Raise.
( ,
(native) Windows 2000), Windows
Server 2003. Active Directory .
, .
Active Directory Domains And Trusts.
Active Directory Domains And
Trusts, Raise Forest Functional Level (
). Select An Available Domain Functional Level (
) 2003 Windows Server, Raise
(). .
.
Active Directory (
),
.


Windows Server 2003,
Active Directory ,
. , ,
Windows, .
, .
Windows Server 2003, Active Directory
.

, Windows Server 2000.
Windows Server 2003, Active Directory.
,
.
: Windows 2000 mixed () (
), Windows 2000 native (), Windows Server 2003 interim ()
Windows Server 2003. ,
, Windows Server 2003,
Windows Server 2003.
Windows 2000 Windows 2000 Windows Server 2003
, SID-History, Universal Groups ( ) .
: Windows 2000, Windows Server 2003 interim

Windows Server 2003. Active Directory ,


native Windows 2000 ,
Windows Server 2003.
. Windows Server 2003,
, Windows NT 4 Server
Windows 2000 Server. Windows
Server 2003, mixed native Windows 2000,
.

Windows 2000 Server


Active Directory Windows 2000 Server Active Directory Windows
Server 2003 Windows NT 4. ,
Windows 2000, Active Directory ,
, .
Windows 2000 ,
.
Active Directory Windows 2000 Active
Directory Windows Server 2003. ,
Active Directory.
( , )
Windows 2000 Server Service Pack 2 (SP2), ,
, Windows 2000 Server.
Windows 2000 Server - Microsoft
http://www.microsoft.com/windows2000/downloads/servicepacks/default.asp.


Active Directory ,
Adprep.exe, Active Directory.
, , Windows
Server 2003.
Windows 2000 Server
Windows Server 2003, .
, . Active
Directory Schema Microsoft Management Console ( ),
Active Directory Schema ( Active Directory),
Operations Master ( ). Change Schema
Master ( ) .
. ,
, .
. 8
.
- Windows Server 2003 CD-ROM.
, CD-ROM \I386.
adprep /forestprep. Enterprise Admins
( ) Schema Admins ( ) Active
Directory, .
, Event Viewer ( )
.
, ,
, .
, Active Directory ( dcdiag
Run), .
,
, ,
.
adprep /forestprep ,

. Windows 2000
Server Windows Server 2003. .
. , ,
, . ,
, , .
, , ,
.


.
.
Windows 2000
Server Windows Server 2003, .
, .
Active Directory Users And Computers,
, Operations Masters ( ).
Infrastructure () Operations Masters
. , ,
- Windows
Server 2003 CD-ROM. , CD-ROM \I386. adprep /domainprep.
Domain Admins ( ) Enterprise Admins (
) Active Directory,
. Event Viewer (
) .
adprep /domainprep , ,
Windows 2000 Server Windows Server 2003.
, , ,
,
.
, , ,
.
, Active Directory Windows Server 2003,
.


Windows NT 4 ,
Windows 2000, PDC .
Active Directory,
. . , ,
.
Windows 2000 , Windows NT 4 Windows
Server 2003. : NOS Windows Server 2003
Active Directory.


,
Active Directory. ,
,
Active Directory .
.

.
( Active Directory ).
Windows NT 4 Windows Server 2003,
. Active Directory Windows 2000 Active
Directory Windows Server 2003
.
Active Directory (
, , )
.
Microsoft, .
, ( )
. , ,
Active Directory Windows Server 2003.

.
Active Directory Migration Tool ( Active Directory) (ADMT).
- Windows Server 2003 \I386\ADMT.
Admigration.msi . bvAdmin Windows 2000 Windows Server
2003 BindView (http://www.bindview.com/products/Admin/winmig.cfm)
- . Domain
Migration Administrator (
) (DMA) NetlQ (http://www.netiq.com/products/dma/)
- .
Domain Migration Wizard ( )
(DMW) Aelita Software (http:// www.aelita.com/products/DMW.htm)
.
,
.
Active Directory ADMT Microsoft.
, .
: .
,
Windows NT 4, (
) (
, ,
). 7-2
.
,
Windows NT 4? ,
, .
.


Windows Server 2003,
Windows NT 4, .. .
. ,
Active Directory,
Active Directory ,
. . . 5.

. 7-2.
Windows NT 4

. Active Directory Permissions ()


Active Directory Permissions Compatible With Pre-Windows 2000
Server Operating Systems (, ,
Windows 2000).

. , Custom
configuration ( ) Custom Options ( )
.
,
.


, Windows Server 2003
native Windows 2000 Windows Server 2003.
Windows Server 2003 mixed
Windows 2000. Windows 2000
Server Windows Server 2003, native
Windows 2000. Windows
Server 2003, Windows Server 2003. ,
,
.


, ,
, .
, , ,
, . ,

Administrator (). ,
( Migrator) (Migrator1, Migrator2 ..),
, .

, ,
, .
, ,
, Domain Admins ( ) ,
SID-History .
Administrators () Windows NT 4.



, ,
.
Windows Server 2003 Windows NT 4
(, )
(, ).
, Active Directory Domains
And Trusts ( Active Directory) Windows Server 2003
Server Manager ( ) Windows NT 4
Server.



Windows NT 4 .
ADMT,
. ADMT ,
PDC.
(RPC) TCP,
Windows NT 4. PDC
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
TcpipClientSupport, DWORD, 1.
.
( ,
Windows NT 4
Windows Server 2003),
. ,
PDC ( , )
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
AllowPasswordExport DWORD, 1.
ADMT.

Active Directory Migration Tool


Active Directory Migration Tool ( Active
Directory) Microsoft . ADMT
. Windows
NT 4 Windows Server 2003 . ADMT
(GUI) ,
Windows 2000 Windows Server
2003.
ADMT 2.0, - Windows Server 2003,
, :
;
;
;
;
;

Exchange;
;
;


.
ADMT ,
Windows Server 2003.
- Windows Server 2003 \I386\ADMT.
. ADMT ADMT
- Windows Server 2003 Readme.doc,
, ADMT.
ADMT .
- Windows 2000 Active Directory Migration Tool :
http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp.
ADMT. ,
, , - Windows Server 2003.
ADMT ,
.
1. \I386\ADMT - Windows Server 2003.
ADMT
2. Admigration.msi,
.

3.
. ADMT ,
Administrative Tools ( )
Start (). ADMT ,
Action () (. . 7-3).

. 7-3. , ADMT

,
, .
Windows Server 2003, .
1. Active Directory Users And Computers
( Active Directory),
Domain Controllers ( ) Properties ().
2. Domain Controllers Properties ( )
Group Policy ( ).
3. Default Domain Controllers Policy (
) Edit ().
4. Default DomainControllers Policy\Computer Conf iguration\ Windows

Settings\Security Settings\Local Policies\ Audit Policy (


\- \ Windows\
\ \ ),
Audit Account Management ( ),
: Success () Failure ().
5.
, - .
Windows NT 4, .
User Manager For Domains (
), Policies (), Audit
().
, Audit These Events ( )
User And Group Management ( )
Success () Failure (). ,
ADMT.
sourcedomainname$$$ (, Contoso$$$). ADMT
, .


Permissions Compatible With Pre-Windows 2000 Server Operating
Systems (, , Windows
2000 Server ), Active Directory Everyone () PreWindows 2000 Compatible Access (, ,
Windows 2000), net localgroup "Pre-Windows 2000 Compatible Access" everyone /add Enter.
, ,
Everyone () . Active Directory
Users And Computers ( Active Directory),
Domain Controllers ( ) Properties ().
Group Policy ( ) Default Domain Controllers
Policy ( ). Group Policy Object Editor (
) Default Domain Controllers Policy\Computer
Configuration\Windows Settings\Security Settings\Local Policies\Security Options (
\ -\
Windows\ \- \ )
Network Access: Let Everyone Permissions Apply To Anonymous Users ( :
). Define This
Policy Setting ( ), Enabled (),
.


Windows NT 4 ,
.

. ,
. ,
.
Windows Server 2003
Windows NT 4.
.
( ).
.


,
Windows NT 4, ,
, Windows Server 2003.
.
Windows Server 2003.
Windows NT 4 Domains That Trust This Domain
(, ) Properties () ,
Active Directory Domains And Trusts.
, ,
.
PDC Windows NT 4. User
Manager For Domains ( ) Windows
Server 2003 Trusted Domains ( ). ,
, . ,
.


: ,
. ,
, .
Windows NT 4 Windows Server 2003,
SID . SID
SID-History . SID SID-History,
, Windows NT,
.
( ADMT),
Active Directory.
,
, .
Windows NT 4 Windows Server 2003
Group Account Migration Wizard ( )
ADMT .
Windows NT 4 Windows Server 2003 Group
Account Migration Wizard, .
1. .
, .
2. Windows NT 4, Windows
Server 2003.
3. OU, .
. ADMT OU
. ,
.
, OU.
,
OU.
4. . , -
.
.
,
- .
( ) ,
.
Windows Server 2003,
.

.
.
, Windows NT 4, ,
. .
-?
?

?
.
, , .

.
Windows NT 4 Windows Server 2003 Active
Directory User Account Migration Wizard ADMT, .
1. .
2. Windows NT 4, .
3. OU- .
4. , .
ADMT, .
, . ( ,
, [.csv]),
, .
, .
username ( ).
, User
Must Change Password At Next Logon (
).
.
,
.
.
, Password Export Server (
) (PES) DLL . ADMT,
( BDC) - Windows Server 2003.
DLL Windows NT 4,
\I386\ADMT\PWDMIG Pwdmig.msi. PES

.
Readme.doc \I386\ADMT
- Windows Server 2003 : http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp.
5.
. ADMT
Account Transition Options (
).
(,
) (
).

. ,
, ,
.
.
,
. ,
Windows Server 2003 ,

ADMT,
.
Windows NT 4 , ADMT,
ADMT.

Windows Server 2003
, ,
Windows Server 2003,
. ,
. (
)
Windows Server 2003,
Windows Server 2003,
- .
.
Windows NT 4 ,

.
account
unknown ( ).
, account unknown,
, SID-History.
,
Windows NT 4. ,
, .
Windows Server 2003
Windows NT 4. SID-History
, , ,
, .
,
Windows Server 2003.


, .
.
, - .
(- ).
.
. .


Windows NT 4 Windows Server 2003,
, .
1. , Domain Admins ( )

Windows NT 4. ,
.
2. .
, .
,
.
Active Directory Domains And Trusts ( Active
Directory) , .


- ,
, Windows NT 4
Windows Server 2003. Local System Authority
(LSA) ( ).
, ,
LSA.
.
. ,
Windows NT 4, Windows Server 2003
.
, Windows
NT 4, ADMT, :
1. Service Account Migration Wizard ( ).
2. .
3. ,
. , ,
, . 4. Service
Account Migration Wizard.
ADMT,
.
.


, Windows NT 4,
- Windows NT 4 Server, Windows NT
Workstation 4, Windows 2000 Professional Windows XP Professional.
OU
.
. ,
, Windows NT 4
.
Windows Server 2003.
Windows Server 2003
.
Active Directory, . ,
ADMT,
.
Computer Migration Wizard ( ).
.
, .
OU,
. ,
.
(DACL) , ,
SID
. :
;
;
;
;
;
;
. .
Computer Migration Wizard,
, Security Translation

Wizard ( ) ADMT.
Translate Objects ( ),
. ,
.
, Previously Migrated Objects (
).
.
, ADMT ,
.
. ADMT
.
Computer Migration Wizard ( ).
View Dispatch Log ( ),
(dispatch agent).
, .

.


(shared local groups)
Windows NT 4. .
,
.
,
.
. , -
, .
, ,
SAM - . SAM
, .
, SID
. Computer Migration Wizard,
,
. , ADMT,
.
1. Group Account Migration Wizard ( ).
2. .
3. , .
4. OU,
.
5. Migrate Group SIDs To Target Domain ( SID
).
6.
.



.
,
- .
Windows NT 4 Windows Server 2003. ,
, LSA, ,
- .
, ADMT, . 1.
User Account Migration Wizard (
).

2. .
3. , .
1. .
, (Dctlog.txt),
%userprofile%\Temp. Windows
2. Server 2003 Migrator1, C:\Documents and
Settings\Migratorl\Temp.
3. OU ,
.
4.
. ,
Password Options ( ), ADMT
. ADMT , ,
, ,
.
. , , ,
, , log on as a service (
), .
Security Translation Wizard ( ).
Translate Objects ( ) Local Groups
( ) User Rights ( ) - ,
, .
, .


, Windows
Server 2003 Active Directory, Windows NT
4. , - .

Windows Server 2003, .
, , ,
, ,
. , ,
, Windows Server 2003.
, ,
. Active Directory Domains
And Trusts,
Windows NT 4 Remove ().


, , ,
. ,
Windows Server
2003 ( ),
,
( ).
, Active Directory
. , Windows
Server 2003, , ,
.
Windows Server 2003
. ,
Active Directory, Active Directory
.

, . ,
,
.
.
,
SID-History, , .
,
,
.
, ,
.

, ,
. (closed set).
Windows NT 4 Windows,
,
. ADMT ,
,
. ,
, ,
- , ,
,
. ( )
, .



, ,
,
Windows Server 2003 , , Windows Server 2003,
, .
Active Directory Windows Server 2003
Windows 2000 Active Directory.
Active Directory Windows 2000
. Active Directory
Windows Server 2003
. .
,
.
.
. ,
, . ,
, (GC)
.
Active Directory,
(name suffix routing) .
,
(UPN) . ,
NWTraders.com Contoso.com,
Contoso.com NWTraders.com,
UPN alias@contoso.com.
, .
UPN- , .
, UPN-
. UPN- Contoso.com

NWTraders.com, Contoso.com NWTraders.com,


UPN.
,
UPN .
.
UPN- , ,
. ,

Name Suffix Routing ( ) .
,
Windows Server 2003. Enterprise Admins ( )
.
, .
1. Active Directory Domains And Trusts.
Properties ().
Trusts ( ).
2. New Trust ( ). New Trust
Wizard ( ).
.
3. ,
(. . 7-4).
.
,
. Forest Trust ( ).
4. (. . 7-5).

. 7-4.

. 7-5.

5. ,
. ( - .)

(. . 7-6).
, Enterprise Admins
( ), .
, ,
.

.

. 7-6.

6. ,
(. . 7-7).
.
,
. ,
.
,
.
.
. ,
Allowed To Authenticate ( ) Active

Directory.
7.
.

. 7-7.

Windows NT 4
Active Directory Windows 2000 Active Directory Windows Server 2003.
: ,
. ,
. ,
,
.
, .
, ,
.
, Windows NT
Server 4 Windows 2000 Server.
Windows NT 4 ADMT.
,
, .
, Windows Server 2003.

III.
Active Directory
Windows Server 2003
I II Active Directory
Microsoft Windows Server 2003, , ,
, Active Directory. Active Directory
. III
, .
, ,
8 , Active Directory
Windows Server 2003. 9 ,
. 10
Active Directory. Active
Directory - Group Policy ( ),
, Active Directory. 11, 12 13
, , ,
.

8. Active Directory
Active Directory
.
.
,
. Microsoft Exchange 2000
Server, .
Active Directory Microsoft Windows Server 2003 .
Active Directory. Active
Directory Windows
Server 2003. ,
, Active Directory
, ,
(), ,
(). Windows Server 2003, Microsoft
Windows 2000, Kerberos ,
Kerberos .

Active Directory
,
Active Directory Windows Server 2003. Active Directory
. - ,
, , ,
. - , ,
. ,
Active Directory ,
.


Active Directory Active Directory
. - Active
Directory, , , .
(SID).
SID . - ,
.
SID - (RID),
Active Directory.
SID ,
Windows Server 2003.
, Windows Server 2003
SID .
, ,
SID , . ,
, , , .
, ,
, SID .


, Active Directory, - ,
. Active Directory, ,
(OU), .
Windows Server 2003 Microsoft Exchange
2000 Server.
, ,
(ACL - Access Control List), (security
descriptor). Active Directory NTFS
. SID ,
, SID . ,
ACL: (DACL - Discretionary Access Control List) (SACL - System Access
Control List). DACL ,
, ,
. DACL ( Access
Control Entries). SID
, SID.
. , Read
() , - Full Control ( ).
DACL , , , -
Read, - Full Control. SACL
, .
SACL , ,
.
. DACL ,
, , . , ,
ACL, .
, , ..
, , ,
SID.


SID ACL .
Active Directory,
. SID ,
SID , , .
,
.
, , ,
. ,
, Exchange 2000 Server,
. Exchange 2000 Server SID
, ACL.
, ,
SID.

, SID ACL,
, - ,
. , ,
, ,
. .
.
Windows 2000 Microsoft Windows XP Professional
Ctrl+Alt+Del, Winlogon
Graphical Identification and Authentication (GINA) (
) (DLL).
Msgina.dll. GINA
(, NetWare Nwgina.dll).
, , GINA
Winlogon. Winlogon LSA
(Local Security Authority). LSA
,
. (SSP - Security Support Provider) (SSPI - Security Support Provider Interface).
Windows Server 2003 SSP-
Kerberos SSP NT LAN Manager (NTLM) SSP. Windows 2000,
, Windows 2000 Windows Server 2003, SSP
Kerberos, SSP. SSP
.
Kerberos .
, , ,
. ,
, ,
. , ,
, .

(authorization) ,
. ,
. .
.
. SID
SID ACL,
, .

Kerberos
Active Directory
, .
Active Directory Kerberos. Kerberos
(MIT) 80- . Kerberos
- 5 (Kerberos v5), RFC 1510. Kerberos
Windows Server 2003 RFC-1510
(public) .
Kerberos Active
Directory Windows 2000 Windows Server 2003. ,
Windows 2000, , Active Directory,
Kerberos. ,
Active Directory, - NTLM,
, .
Kerberos NTLM.
. NTLM
, .. .
Kerberos
, , , ,
.
.
, NTLM (, Microsoft Windows NT 4),
, ,
. , Kerberos,
,
. ,
.
.
NTLM , , .
Kerberos ,
. ,
Kerberos
Kerberos Windows Server 2003 Kerberos.
. ,
NTLM,
, . Kerberos
,
.
. Windows Server 2003 SSL/TLS
(Secure Sockets Layer/Transport Layer Security /
), Digest Passport.
- Microsoft
(IIS - Internet Information Services) 6.0,
.

Kerberos
, Kerberos, . -, ,
. -, ,
,
.
(KDC - Key Distribution Center),
, . Kerberos
, .
. , Kerberos ,
,

. ,
, ,
, .
, Kerberos .
, . .
, Kerberos,
. Kerberos ,
, , .
, , ,
.
. , .
. Kerberos
, , .
, ,
, - .
,
, .
, ()
.
.
. Kerberos ,
(KDC - Key Distribution Center). KDC
. KDC

( ).
, KDC ,
, .
. Kerberos ,
, KDC. Kerberos Windows Server 2003
. Active Directory
KDC. Kerberos , ,
KDC, (realm). Windows Server 2003
.
KDC : (AS - Authentication Service) (TGS - Ticket-Granting Service).
AS TGT (TGT - Ticket-Granting
Ticket) . TGS ,
Windows Server 2003.
KDC ,
Kerberos. Kerberos Windows Server 2003
(DSA - Directory System Agent),
LSA .
- DSA,
Active Directory.
(, ) ACL. DSA
,
.
. Active Directory ,
, krbtgt.
, (enable).
, .
, TGT,
.

Kerberos
Microsoft Windows 2000 Professional Windows XP Professional,
Windows 2000 Server Windows Server 2003 Kerberos
, LSA Kerberos.
, ,
,
. ,
- (hash).

.
1. Kerberos SSP
KDC (. . 8-1). : ;
(realm) ( );
TGT-;
, .
,
.

. 8-1. Kerberos TGT

2. , ,
,
.
.
,
5 , .
, , ,
. 5
, .
,

.
, 5 ,
.
3. ,
TGT (. . 8-1). - ,
KDC .
TGT ,

. TGT TGT
, .
. , TGT
.
4. ,
.
, , KDC
, .
,
.
KDC, ..
, .
TGT .
. Kerberos Authentication Service (AS) Exchange
( ), ,
.
AS Exchange. ,
KDC, KRB_AS_REQ.
KRB_AS_REP.
5. , .
TGT - , KDC,
- ,
KDC (. . 8-2.)
KDC. , TGT,
, ,
, ,
, AS Exchange.

6.

KDC

TGT,


TGT

,
,

,

.

. 8-2. Kerberos

, KDC .

7. ,
. ,

, .

. ,
, , KDC
, , ,
KDC.
8. .
. , 5- 8-, Ticket-Granting
Service Exchange ( ). ,
, KRB_TGS_REQ; -
KRB_TGS_REP.
9. (. .
8-3.)

10.

,
,
,

KDC.

,
,
KDC.


,
,

.
. 8-3.
,
. . , 9 10, -
Client/Server (CS) Exchange. KRB_AP_REQ.
, ,
.
, ,
, . ,
KDC .
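The ten steps above, as an added worked example that is not part of the book: a client, a KDC with its Authentication Service and Ticket-Granting Service, and a service, exchanging KRB_AS_REQ/REP, KRB_TGS_REQ/REP and KRB_AP_REQ messages. The realm, account names, passwords and clock values are constructed, a toy HMAC-based cipher stands in for the real encryption types, and the KDC applies the default Windows Kerberos policy values (10-hour TGT, 600-minute service ticket, 5-minute clock skew).

```python
"""Kerberos AS, TGS and AP exchanges in miniature: one client, a KDC and a service.

Added example for this chapter; not code from the book or from Windows. A toy
authenticated cipher (HMAC-SHA256 keystream plus tag) stands in for the real
encryption types; realm, accounts and passwords are constructed. The KDC enforces
the default Windows policy values: 10-hour TGT, 600-minute service ticket,
5-minute clock skew. Wrong passwords, skewed clocks and expired tickets are rejected.
"""
import hashlib, hmac, json, os, secrets

SKEW = 5 * 60            # Maximum Tolerance For Computer Clock Synchronization
TGT_LIFE = 10 * 3600     # Maximum Lifetime For User Ticket
SVC_LIFE = 600 * 60      # Maximum Lifetime For Service Ticket
REALM = "CONTOSO.COM"    # constructed realm; in Windows the realm is the domain name

def long_term_key(password):
    """Account key derived from the password (the real KDC uses string-to-key)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC: without `key` the blob can be neither read nor altered."""
    data, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()}

def unseal(key, blob):
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    if not hmac.compare_digest(blob["tag"], hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def fresh(auth, cname, now):
    """Authenticator check: name must match the ticket and the timestamp must be within the skew."""
    return auth["cname"] == cname and abs(auth["timestamp"] - now) <= SKEW

class KDC:
    """Authentication Service and Ticket-Granting Service sharing the account database."""
    def __init__(self, accounts):
        self.keys = {name: long_term_key(pw) for name, pw in accounts.items()}

    def as_exchange(self, req, now):
        """KRB_AS_REQ -> KRB_AS_REP. Pre-authentication data is a timestamp sealed with the
        user's key, so a wrong password surfaces here as an integrity failure."""
        ukey = self.keys[req["cname"]]
        if abs(unseal(ukey, req["padata"])["timestamp"] - now) > SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        session, end = secrets.token_hex(32), now + TGT_LIFE
        tgt = seal(self.keys["krbtgt"], {"cname": req["cname"], "key": session, "end": end})
        return {"tgt": tgt, "enc": seal(ukey, {"key": session, "end": end})}

    def tgs_exchange(self, req, now):
        """KRB_TGS_REQ -> KRB_TGS_REP. Only the KDC can open the TGT (krbtgt key); the
        authenticator proves the client holds the TGT session key."""
        tgt = unseal(self.keys["krbtgt"], req["tgt"])
        if now > tgt["end"]:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
        if not fresh(unseal(bytes.fromhex(tgt["key"]), req["authenticator"]), tgt["cname"], now):
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        svc_key, end = secrets.token_hex(32), min(now + SVC_LIFE, tgt["end"])   # never outlives the TGT
        ticket = seal(self.keys[req["sname"]], {"cname": tgt["cname"], "key": svc_key, "end": end})
        return {"ticket": ticket, "enc": seal(bytes.fromhex(tgt["key"]), {"key": svc_key, "end": end})}

def service_accept(service_key, ap_req, now):
    """KRB_AP_REQ at the server: open the ticket with its own long-term key, then verify the
    authenticator with the session key found inside. The KDC is not contacted."""
    ticket = unseal(service_key, ap_req["ticket"])
    if now > ticket["end"]:
        raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
    if not fresh(unseal(bytes.fromhex(ticket["key"]), ap_req["authenticator"]), ticket["cname"], now):
        raise PermissionError("KRB_AP_ERR_BADMATCH")
    return ticket["cname"]

def logon_and_access(cname, password, sname, kdc, client_clock, now):
    """The chapter's steps 1-10 end to end; returns the identity the service accepted."""
    ukey = long_term_key(password)
    as_rep = kdc.as_exchange({"cname": cname, "padata": seal(ukey, {"timestamp": client_clock})}, now)
    tgt_key = bytes.fromhex(unseal(ukey, as_rep["enc"])["key"])      # the client can read only this part
    tgs_rep = kdc.tgs_exchange({"tgt": as_rep["tgt"], "sname": sname,
                                "authenticator": seal(tgt_key, {"cname": cname, "timestamp": client_clock})}, now)
    svc_key = bytes.fromhex(unseal(tgt_key, tgs_rep["enc"])["key"])
    ap_req = {"ticket": tgs_rep["ticket"],
              "authenticator": seal(svc_key, {"cname": cname, "timestamp": client_clock})}
    return service_accept(kdc.keys[sname], ap_req, now)

ACCOUNTS = {"krbtgt": "krbtgt-secret", "alice": "P@ssw0rd!", "host/fs1.contoso.com": "machine-secret"}  # constructed
```

A client clock 299 seconds ahead of the KDC still logs on; 600 seconds ahead fails with KRB_AP_ERR_SKEW before any ticket is issued, and a wrong password fails at pre-authentication because the timestamp was sealed with a different key. Note that the service validates the ticket with nothing but its own long-term key, which is why the KDC is not involved in step 9.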
. ,
, - Microsoft.
KList.exe
Kerberos. Kerberos Tray (Kerbtray.exe)
(GUI). 8-4 ,
Kerberos Tray. Kerberos Tray
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/kerbtray-o.asp,
KList
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/klist-o.asp.

. 8-4. Kerberos Kerberos Tray

, KDC
,
, .
, TGT, KDC
. ,
KDC .
. ,
, ,
.

,
,
. ,
, 8-5.

NAmericaContoso.com . 8-5. ,

, Fabrikam.com,
NAmerica.Contoso.com ,

Fabrikam.com.
NAmerica.Contoso.com.
, Fabrikam.com,
.
(shortcut trusts),

Fabrikam.com. ,
NAmerica.Contoso.com Fabrikam.com.
NAmerica
Contoso.com. ,
Contoso.com. , NAmerica
Contoso.com .
, .
Contoso.com.
Fabrikam.com.
, .
TGT Fabrikam.com.
, ,
.
, ,
, .
, ,
, .
, , ,
. ,
.
, .


,
. ,
,
, .
,

( ). Windows 2000
Kerberos : - (proxy tickets)
(forwarded tickets). - ,
KDC, . KDC
PROXIABLE.
, ,
. -- ,
.
. , -
AS Exchange KDC, TGT,
. KDC TGT
, TGT
, .
,
Windows 2000. ,
,
Kerberos. Windows NT, Microsoft Windows 95 Windows 98
. Windows Server 2003
. Windows 2000
. Windows 2000

KDC
. Windows Server 2003 ,
, .. ,
( ).
,
Windows Server 2003.
,
, ( ) ,
. Properties ()
Active Directory Users And Computers (
Active Directory), Account ( ), Account
Options ( ). , o Account Is Sensitive And Cannot Be
Delegated ( ) . (
.) ,
, , ,
, LocalSystem.
, Account
, Account Is Sensitive And Cannot Be Delegated
. ( .)
LocalSystem, Properties
(. . 8-6). Windows 2000,
Trust This Computer For Delegation To Any Service (Kerberos Only) (
( Kerberos)).
Windows Server 2003, Trust This Computer For Delegation
To Specified Services Only (
). ,
Kerberos, ,
( , Active Directory),
.

. 8-6.

Kerberos Windows Server


2003
, Kerberos
Windows 2000, , Active
Directory. Kerberos
. Kerberos, Domain
Security Policy ( )
Account Policies ( ) (. . 8-7).
.

. 8-7. Kerberos Domain


Security Policy ( )

Enforce User Logon Restrictions (


). KDC,

. , , ,
Allow Log On Locally ( ),
, Access This Computer From The Network
( ) .
Local Policies\User Rights Assignment ( \
) Domain Security Policy ( ).
.
Maximum Lifetime For Service Ticket ( ).
( ),
.
, .
, , 10 ,
, Maximum Lifetime For User Ticket
( ).
600 (10 ).
Maximum Lifetime For User Ticket (
). ( ),
TGT- .
TGT--, ,
KDC. 10 .
Maximum Lifetime For User Ticket Renewal ( ,
). (
), TGT- (
TGT--). 7 .
Maximum Tolerance For Computer Clock Synchronization (
).

( )
,
Kerberos, Kerberos .
, ,
Kerberos . 5 .
,
.
Kerberos, ,
.
.
KDC, .


Kerberos .
,
Windows Server 2003. , ,
, KDC.
, .
, , , ,
.
, ,
, .
,
. ,
, . ,
, ,
.
(PKI - Public Key Infrastructure)
,
. PKI
, . PKI
, .
PKI : (public) (private) ,
( - certificate authorities). PKI
, ,
, : .
. ,
(roaming) , -.
, . ,
. .
.
.
, , ,
. , ,
, .
, . - ,
, .
,
.
. ,
. ,
(digest),
. .
, ,
. .
,
.

PKI . ,
.
() , -
, .
, ,
.
, -.
X.509 v3. ,
, , (
) -, . ,
PKI, ,
, . - PKI
-,
Verisign Thawte. -, Microsoft
Internet Explorer, ,
. --,
Windows Server 2003. , Windows Server 2003,
- ,
, ,
.
. PKI
. Windows Server 2003 PKI
- , Active Directory.
- ,
,
. - Microsoft Help And Support Center (
) Windows Server 2003 ,
PKI.
,
, Active Directory,
Windows Server 2003. , -,
,
. Windows Server 2003
. ,
, .
,
Active
Directory,
.
Windows Server 2003
.
.
Windows Server 2003.
.
,
-.
, ,
.
.
Active Directory. ,
, , .
, . ,
, ,

. , ,
.

.
Active Directory Users And Computers (IIS)
Microsoft. Active Directory Users And Computers Name Mappings
( ^,
.

-
- PKI
Kerberos. Kerberos PKI,
KDC
. ,
. -
PKI, ,
, .
X.509 v3.
- Active
Directory. , - (PIN - personal identification number). LSA
Ctrl+Alt+Del, .
PIN
-. TGT- KDC.
( ),
, , KDC
. TGT
, .
KDC, ,
, -, , .
KDC ,
.
, KDC
(UPN), , Active
Directory. , KDC
TGT, .
,
.
KDC.
. -
. , -
. -,
-, -
.
, . -
,
.


Kerberos
Kerberos ,
, Kerberos.
, Kerberos Windows Server
2003, , Windows.
:
Kerberos;
Kerberos;

, Kerberos .
.
Windows 2000 Windows XP Professional
Windows Server 2003 , Windows Server 2003
, Kerberos.
Windows 2000 Windows XP Professional KDC-,
Windows-, ,
Windows Server 2003 ,
Kerberos.
Kerberos, Windows-, KDC-
Windows Server 2003 , Windows Server 2003
, Kerberos.
Kerberos, Windows-,
Kerberos, Windows-,
, Windows Server 2003 ,
Kerberos.
Windows Server 2003 .
, Kerberos
Windows Server 2003, Kerberos, Windows-.
Kerberos Windows Server 2003
Kerberos.
Windows Server 2003 Kerberos, Windows-.

, .
, Active Directory Domains And
Trusts ( Active Directory) Properties () ,
. Trusts ( ) New Trust,
New Trust Wizard.
Windows Server 2003 Kerberos. 8-8 Properties
.

.
Microsoft

Kerberos . ,
Step-by-Step Guide to Kerberos 5
(krb5 1.0) Interoperability -
Microsoft

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.asp.

. 8-8.

NTLM
Windows Server 2003 NTLM. ,
Windows NT 4, Windows 95 Windows 98.
.
, Windows 95, Windows 98 Windows NT,
Windows Server 2003.
Windows 95 Windows 98 Directory Services Client,

LAN Manager.
, Windows XP Professional Windows Server
2003, Windows NT 4 Server.
Windows Server 2003.
, Windows XP Professional Windows 2000,
Windows Server 2003,
, Kerberos. NTLM
.
NTLM , Kerberos. Windows NT 4 Service Pack 4
Microsoft NTLM NTLMv2.
,
,
.

Active Directory Windows


Server 2003, , ,
.
Active Directory Kerberos. Kerberos
Active Directory
. Kerberos PKI,
- Kerberos.

9.
Active Directory
, Active Directory Microsoft Windows
Server 2003 ,
Microsoft Windows NT.
, (DNS) ,
(OU) .
: .
Windows NT . , ,
. . Active Directory Windows Server 2003
.
Active Directory, 8.
Active Directory (ACL)
Active Directory. .
ACL .
Active Directory Windows Server 2003 . Delegation Of Control Wizard (
).

Active Directory
8, Windows Server 2003,
. (SID) ,
SID , . ,
, Active Directory.
Active Directory ACL, NT Security Descriptor,
(), ,
SID. ,
(DACL) (SACL).
DACL , . SACL
. . Active Directory
ACL, .. . ,
Active Directory Users And Computers (
Active Directory), Active Directory Sites And Services ( Active Directory), ADSI Edit
Ldp.exe. , Active Directory
Users And Computers,
. , ,
Active Directory. ,
, ACL,
Active Directory Sites And Services. Delegation Of Control Wizard,
.
,
Active Directory. Active Directory Users And
Computers. ACL. ,
Active Directory : (standard)
(special). Active Directory Users And Computers
,
.


Active Directory ,
Security () Properties ()
Active Directory Users And Computers. ( Security

, Advanced Features ( ) View (),


Properties). Security()
, (. . 9-1).

. 9-1.

Active Directory . ,
(OU) - ,
, , ,
. , , ,
Full Control ( ), Read (), Write (), Create All Child Objects (
) Delete All Child Objects ( ),
.
Active Directory ,
. ,
Public Information ( ), Personal Information (
) Web Information (-).
,
. , Personal Information homePhone,
homePostalAddress, streetAddress .
.
. , ,
"property sets" ( ) Help
And Support Center ( ). Active Directory ,
, rightsGuid
( ) attributesSecurityGUID
. , rightsGuid cn=Personal-Information, cn=Extended-Rights,
cn=Configuration, dc=forestname attributesSecurityGUID cn=Telephone-Number,
cn=Schema, cn=Configuration, dc=forestname. ,
Personal Information.
Security
, Receive As, Send As, Send To ( , Microsoft
Exchange 2000 Server), Change Password Reset Password.
Validated Write ( ). ,
Group Validated Write , / .
Validated Write Write , Validated Write
, . ,
/ ,
.


Security () - Special
Permissions ( ). Active Directory
, . ,
. , Advanced ()
Security (. 9-2). 9-1 .
. Default ( ) Advanced ,
, .

. 9-2. Advanced Security


Settings
. 9-1.

()


Allow () Deny ().
,
Deny
().
.

Deny ().
Name ()
,
.
Permission ()
,
.

Full
Control,
, , Create/Delete User
Objects (/
), Special ().

.
Inherited
From ,
( )
.

Apply To ( )


.
, This Object
Only ( ), This Object And All
Child ( )
Only Child Objects (
).

- .
. , Authenticated
Users ( ) Read Permissions ( ),
Read General Information ( ), Read Personal Information
( ), Read Web Information ( -) Read Public
Information ( ) .
,
, Advanced Security Settings
( ).
, ,
. 9-3 .
Object ()
, ,

. , OU
, (OU),
,
(
, ).

, .

(.
. 9-4).

. 9-3. Active Directory

. 9-4. ,

Properties ()
, Name () Advanced Security Settings
( ). ,
, Read Write
, .
. , , ,
. , , -,
, . - ,
.
. ,
, ,
.

Ldp.exe
(GUI) ,
-. -
GUI, Ldp.exe.
ACL Ldp.exe, Run ()
ldp. ( Ldp.exe ,
\SUPPORT\TOOLS - Windows Server 2003
Suptools.msi, Active Directory.)
Connection (), Connect ().
, .
. , Connection
() Bind (). ,
, . ,
, .
View (), Tree ().
, . OU
(. . 9-5).
ACL ,
. Advanced (),
- Security Descriptor ( ). ACL NT Security
Descriptor Active Directory. Ldp.exe
:

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)

- .
, , .
, DA, ..
Domain Admins. ,
SID, SID .
( ,
, DsAcls,
Active Directory. DsAcls
Active Directory).
. 9-5. Ldp.exe

Ldp.exe
. , , , :
[]
Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Size: 36 bytes
Flags: 0x0
Mask: 0x000f01ff
    DELETE
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    ACTRL_DS_CREATE_CHILD
    ACTRL_DS_DELETE_CHILD
    ACTRL_DS_LIST
    ACTRL_DS_SELF
    ACTRL_DS_READ_PROP
    ACTRL_DS_WRITE_PROP
    ACTRL_DS_DELETE_TREE
    ACTRL_DS_LIST_OBJECT
    ACTRL_DS_CONTROL_ACCESS
Ace Sid: Contoso\Domain Admins S-1-5-21-602162358-688789844-1957994488-512
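An added example (not code from the book, from Ldp.exe or from DsAcls) that decodes the SDDL string shown above into exactly the fields of the Ldp.exe listing: ACE type, flags, access mask, the right names and the trustee SID. The domain SID is the one in the listing; the alias tables are the published SDDL abbreviations, and the sample object ACE at the end uses a placeholder GUID.

```python
"""Decode an Active Directory ACE written in SDDL into the fields Ldp.exe displays.

Added example for this chapter; it is not code from the book, from Ldp.exe or from
DsAcls. It relies only on the published SDDL grammar: two-letter right, flag and
SID abbreviations and the ACE type codes. Domain SIDs passed in are constructed.
"""
import re

# SDDL right abbreviation -> (access-mask bit, name printed by Ldp.exe)
RIGHTS = {
    "CC": (0x00000001, "ACTRL_DS_CREATE_CHILD"), "DC": (0x00000002, "ACTRL_DS_DELETE_CHILD"),
    "LC": (0x00000004, "ACTRL_DS_LIST"),         "SW": (0x00000008, "ACTRL_DS_SELF"),
    "RP": (0x00000010, "ACTRL_DS_READ_PROP"),    "WP": (0x00000020, "ACTRL_DS_WRITE_PROP"),
    "DT": (0x00000040, "ACTRL_DS_DELETE_TREE"),  "LO": (0x00000080, "ACTRL_DS_LIST_OBJECT"),
    "CR": (0x00000100, "ACTRL_DS_CONTROL_ACCESS"),
    "SD": (0x00010000, "DELETE"),                "RC": (0x00020000, "READ_CONTROL"),
    "WD": (0x00040000, "WRITE_DAC"),             "WO": (0x00080000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"),           "GX": (0x20000000, "GENERIC_EXECUTE"),
    "GW": (0x40000000, "GENERIC_WRITE"),         "GR": (0x80000000, "GENERIC_READ"),
}
ACE_TYPES = {"A": (0x0, "ACCESS_ALLOWED_ACE_TYPE"), "D": (0x1, "ACCESS_DENIED_ACE_TYPE"),
             "AU": (0x2, "SYSTEM_AUDIT_ACE_TYPE"), "OA": (0x5, "ACCESS_ALLOWED_OBJECT_ACE_TYPE"),
             "OD": (0x6, "ACCESS_DENIED_OBJECT_ACE_TYPE"), "OU": (0x7, "SYSTEM_AUDIT_OBJECT_ACE_TYPE")}
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10, "SA": 0x40, "FA": 0x80}
# Trustee aliases: domain-relative RIDs are appended to the domain SID, the rest are absolute.
DOMAIN_RELATIVE = {"DA": 512, "DU": 513, "DC": 515, "DD": 516, "SA": 518, "EA": 519, "PA": 520}
ABSOLUTE = {"WD": "S-1-1-0", "NU": "S-1-5-2", "AN": "S-1-5-7", "AU": "S-1-5-11",
            "SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545"}

def pairs(s):
    """Split 'CCDCLC' into ['CC', 'DC', 'LC']; SDDL right and flag tokens are two letters each."""
    if len(s) % 2:
        raise ValueError("odd-length token string %r" % s)
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def resolve_trustee(alias, domain_sid):
    if alias.startswith("S-"):
        return alias
    if alias in DOMAIN_RELATIVE:
        return "%s-%d" % (domain_sid, DOMAIN_RELATIVE[alias])
    if alias in ABSOLUTE:
        return ABSOLUTE[alias]
    raise ValueError("unknown trustee alias %r" % alias)

def decode_ace(ace, domain_sid):
    """Parse '(type;flags;rights;object_guid;inherited_object_guid;trustee)'.

    Returns the pieces Ldp.exe prints for an ACE: type, flags, access mask, right
    names, trustee SID and, for plain (non-object) ACEs, the size in bytes.
    """
    m = re.fullmatch(r"\((\w+);(\w*);(\w*);([\w-]*);([\w-]*);([\w-]+)\)", ace.replace(" ", ""))
    if not m:
        raise ValueError("not an SDDL ACE: %r" % ace)
    typ, flags, rights, obj_guid, inh_guid, trustee = m.groups()
    if typ not in ACE_TYPES:
        raise ValueError("unsupported ACE type %r" % typ)
    if rights.lower().startswith("0x"):              # SDDL also allows a raw hexadecimal mask
        mask = int(rights, 16)
        names = [name for bit, name in RIGHTS.values() if mask & bit]
    else:
        mask, names = 0, []
        for tok in pairs(rights):
            if tok not in RIGHTS:
                raise ValueError("unknown right %r" % tok)
            mask |= RIGHTS[tok][0]
            names.append(RIGHTS[tok][1])
    flag_list = pairs(flags)
    sid = resolve_trustee(trustee, domain_sid)
    subauths = sid.count("-") - 2                     # 'S-R-IA-sub1-...-subN' has N+2 hyphens
    # A plain ACE is header(4) + mask(4) + SID(8 + 4*N); object ACEs add flags and GUIDs.
    size = 8 + 8 + 4 * subauths if typ in ("A", "D", "AU") else None
    return {"type_code": ACE_TYPES[typ][0], "type": ACE_TYPES[typ][1], "flags": flag_list,
            "flag_bits": sum(ACE_FLAGS[f] for f in flag_list), "mask": mask, "rights": names,
            "object_guid": obj_guid, "inherited_object_guid": inh_guid, "sid": sid, "size": size}

def format_like_ldp(d):
    """Render a decoded ACE in the layout of Ldp.exe's security-descriptor view."""
    head = ["Type: 0x%x - %s" % (d["type_code"], d["type"]), "Size: %s bytes" % d["size"],
            "Flags: 0x%x" % d["flag_bits"], "Mask: 0x%08x" % d["mask"]]
    return "\n".join(head + ["    " + r for r in d["rights"]] + ["Ace Sid: " + d["sid"]])
```

Feeding the string from the Ldp.exe window together with the domain SID reproduces the listing: thirteen rights that OR together to 0x000f01ff, a 36-byte ACE (the Domain Admins SID has five subauthorities), and RID 512 appended to the domain SID. Inherited ACEs carry the ID flag, which is how the ACL editor tells "inherited from" apart from explicit entries.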


Active Directory Windows Server 2003
. Active Directory,
,
.
, ACL
. ,
, .
Active Directory . ,
,

, . ,
OU,
OU OU. , ,
. OU
, OU--,
,
Active Directory.
,
.

OU. , OU

OU. , ,
, OU.
OU Executives () OU-,
Executives OU.
Active Directory,
Advanced Security Settings
(. . 9-2). Allow Inheritable Permissions From The Parent To
Propagate To This Object And All Child Objects (
).
,
(. . 9-6).

. 9-6. ,

.
.
.
,
.
,
, .
, .
, .
, .
, ,
.
.
, , .
, OU
.
Domain Admins ACL OU, Domain Admins
, OU . Domain
Admins .


,
Active Directory .
.
, ,
.
, ,
,
.
, ..
. ,
Read () ,
Modify () Full Control ( )
, Full Control.
, , .
, .
, , Active Directory
. .
, ,
.
, ,
,
.
(Deny) (Allow). ,
, Modify Active
Directory, Modify ,
. , ,
, , .
,
.
, , ,
Deny , Allow . ,

. Modify ,
Modify .

:
,
Active Directory . ,
. ,
Deny () .
, Modify ,
Read-Only ( ) .
Write .
, Deny, ,
. , ,
,
. Read ,
Domain Users ( ).
, . - ,
Deny, .
,
. ,
, .
Active Directory.

, Deny, ,
,
. , Account
Admins, .
,
,
. Account Admins

, OU
Account Admins.
- OU .
, Active Directory
.
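As an added example, not from the book, the rules in the preceding paragraphs (rights from several groups add up, Deny beats Allow at the same level, explicit ACEs beat inherited ones, and a Deny on the executives' OU shuts Account Admins out) expressed as the access check Windows performs over a canonically ordered DACL. The SIDs and group names are constructed; the mask bits are the real directory-service access rights.

```python
"""Evaluate an Active Directory DACL the way the Windows access check does.

Added example for this chapter; not code from the book or from Windows. The right
bits are the real directory-service access-mask values; the SIDs and group names are
constructed. It shows that rights from several groups add up, that Deny beats Allow
at the same level, that an explicit ACE beats an inherited one (so an explicit Allow
on an object overrides a Deny inherited from its OU), and that a principal matched
by no ACE gets nothing.
"""
from collections import namedtuple

Ace = namedtuple("Ace", "kind inherited sid mask")     # kind is "allow" or "deny"

# Directory-service access-mask bits (same values as the SDDL rights CC, DC, LC, ...).
CREATE_CHILD, DELETE_CHILD, LIST, SELF_WRITE = 0x1, 0x2, 0x4, 0x8
READ_PROP, WRITE_PROP, DELETE_TREE, LIST_OBJECT, CONTROL_ACCESS = 0x10, 0x20, 0x40, 0x80, 0x100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
READ = READ_PROP | LIST | LIST_OBJECT | READ_CONTROL        # the "Read" standard permission
WRITE = WRITE_PROP | SELF_WRITE                             # the "Write" standard permission
FULL_CONTROL = 0x000F01FF                                   # every DS right plus the standard rights

def canonical(dacl):
    """Canonical ACE order: explicit deny, explicit allow, inherited deny, inherited allow.
    The ACL editor always writes a DACL this way; a tool that appends ACEs unsorted gets
    different results, so sort before evaluating."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])

def access_check(dacl, token_sids, desired):
    """Return (granted, reason) for a token holding token_sids that asks for `desired` bits.
    ACEs for SIDs not in the token are skipped. A matching Deny that covers a bit still
    wanted ends the check; Allows accumulate until nothing is left to grant."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            where = "inherited" if ace.inherited else "explicit"
            return False, "denied by %s Deny ACE for %s" % (where, ace.sid)
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "granted"
    return False, "no ACE grants mask 0x%x (implicit deny)" % remaining

# Constructed domain SID and principals.
DOMAIN = "S-1-5-21-1000-2000-3000"
DOMAIN_ADMINS, ACCOUNT_ADMINS, HELPDESK, ALICE = (DOMAIN + rid for rid in ("-512", "-1101", "-1102", "-1201"))

def rights_add_up():
    """Read through Helpdesk plus Write through her own account: Alice ends up with both."""
    dacl = [Ace("allow", True, HELPDESK, READ), Ace("allow", True, ALICE, WRITE)]
    return access_check(dacl, {ALICE, HELPDESK}, READ | WRITE)

def explicit_allow_beats_inherited_deny():
    """Write is denied to Helpdesk at the OU (inherited) but allowed explicitly on this object."""
    dacl = [Ace("deny", True, HELPDESK, WRITE), Ace("allow", False, HELPDESK, WRITE)]
    return access_check(dacl, {ALICE, HELPDESK}, WRITE)

def inherited_deny_beats_inherited_allow():
    """Both ACEs inherited from the same parent: the Deny is evaluated first and wins."""
    dacl = [Ace("allow", True, HELPDESK, WRITE), Ace("deny", True, HELPDESK, WRITE)]
    return access_check(dacl, {HELPDESK}, WRITE)

def account_admins_locked_out_of_executives_ou():
    """The chapter's example: Account Admins have Full Control over user objects through the
    domain (inherited), but an explicit Deny on the executives' OU shuts them out, even for Read.
    Domain Admins, not named in the Deny, keep Full Control."""
    dacl = [Ace("allow", True, ACCOUNT_ADMINS, FULL_CONTROL), Ace("deny", False, ACCOUNT_ADMINS, FULL_CONTROL),
            Ace("allow", True, DOMAIN_ADMINS, FULL_CONTROL)]
    return access_check(dacl, {ACCOUNT_ADMINS}, READ), access_check(dacl, {DOMAIN_ADMINS}, FULL_CONTROL)
```

The Effective Permissions tab performs the same walk for the groups it can see; it cannot know whether the user will log on interactively or over the network, which is why its result can differ from what a particular session actually gets.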
,
Active Directory. Active Directory
. .

. ,
, . ,
Active Directory, .
Active Directory ,
, .
, , . , Windows
Server 2003 ,
, Active Directory.
Active
Directory. Security (), Advanced (),
Effective Permissions ( ). 9-7
Active Directory Users And Computers.
, Select (
. , . Effective
Permissions ( ) ,
Active Directory.
. ,
. ,

.
, . , Windows Server 2003
Interactive ( ,
c ) Network Login (,
). Active Directory ,
. ,
, ,
. , , ,
, ,
.

. 9-7. Active Directory

Active Directory
Active Directory .
, , .
, ,
,
.
, .
- Domain Admins.

Domain Admins.
Administrators, a Domain Admins,
Administrators.
Active Directory, ,
Active Directory. Security (),
Advanced (), Owner ().
9-8 Active Directory Users And Computers.

. 9-8. Active Directory

Modify Owner ( ) ,
.
, .
Active Directory Windows Server 2003. Active Directory
Microsoft Windows 2000
.


Active Directory
, . ,
, ACL,
Active Directory. ,
. ,
, , Active Directory.
, ( )
. , ( ) Create
Computer Objects ( ) OU Computers
().
.
,
. Default Domain Controllers Policy (
). , ,
.
Domain Users ( ).

Active Directory
.
, .
.
. -, ,
. ,
, . ,
.
, .
, ,
, .
, Active Directory, .
OU Domain Controllers (
). Domain Controller Security
Policy ( ). Microsoft Management Console
() File>Add/ Remove (>/),
Add (), Group Policy Object Editor (
). Group Policy Wizard ( ), Browse
(), Domain Controllers.domainname.com ( domainname
, ). 9-9
Active Directory Windows Server 2003.

. 9-9. Default Domain Controllers

Active Directory,
, Audit Account Management (
). , Active Directory,
. Active Directory,
Active Directory.
Active Directory Windows Server 2003
.
OU
. ,
. Active Directory,
Properties () Active Directory.
Security (), Advanced ()
Auditing (). 9-10 Active Directory Users And
Computers OU Active Directory.

. 9-10. Active Directory

, Add ()
, .
Everyone, , ,
. , .
, ,
.
, .
, ,
. ,
.
, Security,
Event Viewer ( ).
. .
OU ,
Security . ,
, .
, .
,
.
.
,
. Microsoft Operations
Manager ( ) ( )
.
. Microsoft
Operations Manager (MOM), - http://www.microsoft.com/mom. MOM
,
.


Active Directory.
,
. Active Directory
ACL-,
. , Active
Directory ,
.
,

.
Active Directory .
OU. ,
,
.
, Windows NT OU
Active Directory.
, OU.
,
, .
OU.
. ,
OU
. ,
, . ,
- (OU), , , ,
OU

OU, .
.

,
.
,
.

.

.
.

. , ,
.
,
, .
Active Directory Windows Server 2003.

ACL .
- .
, Active Directory Windows Server 2003 Delegation
Of Control Wizard ( ).
Delegation Of Control Wizard, .
1. Active Directory Users And Computers
, .
OU, , ,
Computers () Users ().
Delegate Control (
). Next ().
2. Users Or Groups ( )
, . Add
(), Active Directory
.
3. , . (. 9-11)

.

. 9-11. Delegation Of Control Wizard ( )


4. , ,
(. 9-12).
. 9-12. ,

5. ,
:

(.
9-13).

. 9-13.

Delegation Of Control Wizard


ACL-.
, .. ACL-
.

Active Directory Windows Server 2003


,
.
Active Directory ,
. ,
OU, ,
. Windows Server 2003
.
(taskpad),

Microsoft

Microsoft ( - Microsoft Management Console)
.
. --
.

. ,
, -,
OU,
OU.
Active Directory Users And Computers
-, .
- Run ()
. -. File ()
Active Directory. ,
Active Directory Users And Computers,
, .
New Window From Here (
).
,
. , ,
. ,
, --.
. ,

.
, -,
-, Options File. , User Mode ( ),
, -.
9-14 . Help And Support Center ( ).

. 9-14. -


- ,
OU.

, .
. , ,
. ,
-, ,
. , ,
New Taskpad View ( ).
New Taskpad View Wizard.
, , , .
. ,
.
, . ,
OU, , ,
.
, ,
.
9-15 ,
OU. ,
, Reset Password (
).


. 9-15.

Active Directory Windows Server 2003 ,


.
.
,
Active Directory , .
, , .
, ,
, . ,
.

. ,
, .
Windows NT,
Domain Admins. ,
, ,

.
, ,
, .
, ,
, .
- ,
.
.
,
, , .
Effective Permissions ( ) Advanced Security
Settings ( )
, . Effective Permissions
Active Directory Windows Server 2003,
.
,
, ,
, .
, . ,
, , ,
, .
.
,
,
, .

Active Directory Windows Server


2003 .
Active Directory, ACL,
.

, . ,
Active Directory.
, Active Directory
, .
, Active Directory
, .

10. Active
Directory
, Microsoft Active
Directory Windows Server 2003, Active
Directory . Active
Directory . Active Directory
. user () group ()
.
, .
Active Directory , printer (), computer ()
shared folder ( ), .
, Active
Directory. , Active Directory
, . ,
, Active Directory Users And Computers
( Active Directory) ,
Windows Server 2003.


Active Directory Windows Server 2003 ,
. , user
() inetOrgPerson, ,
. contact ()
.

User
Active Directory user.
user,
Active Directory, . ,
250- . Active Directory Windows Server 2003
Microsoft Windows NT, user .
Active Directory ,
, .
Active Directory
. :
, .
Active Directory,
.
user , .
10-1, ,
sAMAccountName ,
. , (SID),
.

. 10-1.
Adsiedit.msc


user. (UI),
, Assistant (). ,
Adsiedit.msc, .
Csvde
Ldifde. Help And Support
Center ( ). UI ,
.
Find (). , Active Directory Users And
Computers ( Active Directory) ,
Assistant, Advanced ()
Find, , Assistant (. . 10-2).
Field (), User (),
, . .

. 10-2. ,

.
user, Adsiedit.msc Ldp.exe.
. ,
Active Directory ,

.
Active Directory TechNet Script Center

http://www.microsoft.com/technet/scriptcenter/default.asp. TechNet Script Center


,
,
Active Directory. - Microsoft Press Online http://www.microsoft.com/mspress/, - Introduction
to ADSI Scripting Using VBScript ( ADSI VBScript),
(Mike Mulcare).
, ,
Active Directory Users And Computers.
user, , ,
New>User (>). Full
Name ( ) User Logon Name ( ). Full
Name , User Logon Name
sAMAccountName.
,
. ,
Account ( ) (. . 10-3).
, Account, 10-1.
. 10-1. User

UserLogonName
(UPN) (
.

, )
, Microsoft User
Logon
Windows 2000, , (
domain\username.

,
)
.
(
( Windows
NetBIOS ), 2000)
. Logon Hours (

)
Log On To ( )
. 10-3. Account user

Name

Account Is Locked Out ,


( ) -

.
Account Options (

)
,
.
Account Expires (
)
.

user Active Directory

Active Directory , user


, user
. 10-2 ,
username, , .
. 10-2.

Username ( )

First name, initials, last name (, .


, )
Display name ( )
.
Full name ( ) -

. (OU).
First Name, Initials Last Name New Object-User
( -). ,
Adsiedit.msc
Username ( )

User principal name (
). UPN .
DNS-
UPN,

UPN-.
User Logon Name (Pre-Windows 2000)

( , .
Windows 2000)
UPN .
, UPN-,
. UPN- DNS- .
UPN-, , DNS-
. SMTP-
DNS. , ,
, SMTP. ,
UPN- .
UPN-, Active Directory Domains And Trusts
( Active Directory),
Active Directory Domains And Trusts, ,
Properties () (. . 10-4). UPN-,
.

. 10-4. UPN-

inetOrgPerson
Active Directory Windows Server 2003 inetOrgPerson.
,
(Lightweight Directory Access Protocol
LDAP) X.500, Request for Comments (RFC) 2798.
inetOrgPerson, Microsoft Active Directory
Active Directory.
. Windows 2000 Windows Server 2003
inetOrgPerson, Adprep.exe /forestprep. Adprep.exe
\I386 - Windows Server 2003.
inetOrgPerson Active Directory Users And
Computers. , ,
New>InetOrgPerson. inetOrgPerson
. inetOrgPerson
user, .. ,
, . inetOrgPerson
, user.

Contact
, Active
Directory, contact (). contact user
inetOrgPerson , (security principal).
contact . contact
Active Directory Users And Computers, ,
, New>Contact.
contact ,
, .
. , ,
,
. ,
, ,
. .
, , Active
Directory. ,
, (GC)
. ,
.
Microsoft Metadirectory Services (MMS), contact


.
. MMS Microsoft Consulting
Services ( ) MMS.

-
http://www.microsoft.com/windows2000/technologies/directory/mms/default.asp.
contact Microsoft Exchange 2000
Server, , , .
Exchange 2000 Server Active Directory,
Active Directory. Exchange Server 5.5
. ,
, Exchange-.
Exchange 2000 Server, contact
. contact,
, .
contact, .


Active Directory .
,
. .
. ,
, (ACL)
.
,
group .


Windows Server 2003 ,
(distribution group) (security group).
group, (. . 10-5).

[Dialog: Group name: SalesManagers; Group name (pre-Windows 2000): SalesManagers; OK / Cancel]

. 10-5. Active Directory Users And Computers

Active Directory .

. ,
. , Exchange 2000 Server
, .
, ,

, , ,
.
. Exchange Server 5.5,
Exchange 2000 Server. Exchange Server 5.5
, ,
Exchange-. Exchange 2000 Server
,
.
,
Windows 2000 native (). (
. . 2-1, 2-2 . 2.)
, user contact ,
.
. Active
Directory, .


Active Directory Windows Server 2003
: , . 10-3
.
. ,
Windows 2000 native. (nested groups) ,
. , ,
. ,
,
,
Windows 2000 native, .
,
Windows 2000 native. (mixed)
Windows 2000, ,
Windows NT 4.
, , .
Windows 2000,
,
Windows 2000 Windows Server 2003.
. 10-3. Active Directory



Domain
Local

(

)

.

Windows 2000

Windows Server 2003.

Global


() ,
,


,
.

- ,

Windows.
Universal


()

,

,
.

Windows 2000

Windows Server 2003.

. -, ,
. Windows 2000 Windows
Server 2003, ,
.
- . ,
Windows NT.
. Windows 2000
Windows Server 2003,
.
Active Directory Windows Server 2003 Active
Directory Windows 2000 .
Windows 2000 native,
.
Windows 2000 mixed native, ,
. ,
.
. ,
, .
Managers ,
.
Active Directory,
.
, .
(GC)
. Windows 2000 native,

.
.
Windows Server 2003, ,
Windows Server 2003, .
.
, , GC-
,

, . Active
Directory Windows Server 2003. Windows
Server 2003, ,
, . GC ,
.
,
, .
. ,
, ,
,
GC-.
Active Directory Windows Server 2003
Users () Builtin ().
.
- Administrators
() Domain Admins ( ).
Administrator, , ,
Domain Admins Administrators. ,
Administrator Enterprise Admins
( ) Schema Admins ( ).

Active Directory
. ,
.
.
.
, .
Active Directory . ,
,
, .
, .

.
.
.
, .
, ,
, .
, ,
, - .
. ,
, .
.
.
, . ,
, .

. .
,
, - .
.
, Read

Only ( ),
. ,
, :
.
.
, Human Resource (),
. ,
, .
.
Read Only ( ), - Full Control ( ) Modify
(). Human Resources
, Full Control,
, Read Only, - Read
Only.
,
.
,
.
(owner) , authorizer ().
.
. ,
, . .
*.
, ,
,
, .
,
.
,
.
10-6, ,
,
.
. Windows NT ,
. - Windows NT,
.
Windows 2000 Windows Server 2003,
Windows 2000 native,
, .
,
.

. 10-6.

,
, - .
. , Exchange 2000 Server , ,
, Exchange Server 5.5
. ,
Exchange 2000 Server, . Exchange Server 5.5 Exchange 2000 Server
Exchange Server 5.5 ,
. ,
, .

Active Directory Windows 2000 ,
, .
GC-. ,
Windows 2000. Windows Server 2003
Windows Server 2003 Windows Server 2003 interim (),
, , . , ,
GC-, GC- .
, ,
Active Directory Windows Server 2003.
.


Active Directory - computer (). Active Directory
. - domain controller ( ),
. domain
controller OU Domain Controllers.
OU, .
OU Domain Controllers,
.
computer - , ,
. Active Directory
Computers. computer
OU, . ,
,
(OU).
. ,
, . OU
OU,
.
, .
. , Windows NT, Windows 2000,
Microsoft Windows XP Professional Windows Server 2003,
. , Microsoft Windows 95
Microsoft Windows 98, .
Active Directory .
Active Directory, ,
. -
. ,
, .
Active Directory
Computer Management ( ).
Active Directory Users And Computers,
Manage (). -
Computer Management, .
. ,
Active Directory, , Active
Directory . 11, 12 13 ,
.

printer
Active Directory printer.
printer Active Directory,
, , ( ,
). printer Active Directory
.

Active Directory
, Windows 2000 Windows Server
2003, , Active Directory.
, List In The Directory ( )
Properties () .
Windows NT ,
Active Directory. , container,
printer, New>Printer. UNC- . .


Windows NT Windows
2000 Windows Server 2003,
Windows NT Active Directory. Microsoft Pubprn.vbs,
.
%systemroot %\system32.
Active Directory printer
Active Directory.
Properties () , Active Directory Users And
Computers. , ,
, , , , .
Active Directory, A Printer On The
Network ( ) Search (), Start (),
, . 10-7
Windows Professional. ,
Connect
(), .
printer Active Directory,
Group Policy Object Editor (. . 10-8).
, , ,
. printer Active
Directory, printer . , ,
,
printer. Active Directory
8 , .
, printer Active Directory.
Windows 2000, ,
Active Directory.
, Group Policy Object Editor.

. 10-7. Active Directory

. 10-8. Group
Policy Object Editor

Active Directory,
printer ,
, . ,
, , .
, . ,
,
. , ,
, .
, Active Directory,
, .
.
, .
1. Active Directory Sites And Services subnet (),
.
subnet Properties (). Location
() location ( ) .
: location/sublocation (
/ ) (, / ).
2. Group Policy Object Editor Pre-Populate
Printer Search Location Text ( ,
) .
.
3. Properties .
General () .
, Browse (),
.
, (,
/ / 5).
4. ,
. Add Printer
Wizard ( ) , Location (
) .
10-9 Windows Professional.
Browse .

. 10-9. printer Active Directory Location


, Active Directory - shared folder (
). Active Directory, .
New>Shared Folder (
). Active Directory, UNC- .
Active Directory shared folder,
Active Directory. shared folder,
.
Active Directory ,
, .
shared folder, (. . 10-10).
Properties () ,
. ,
Active Directory, , ,
.

. 10-10. Active Directory

, Active Directory, , ,
, , ,
, , . ,
Active Directory UNC-
. , SalesInfo,
\\Server1\SalesInfo. Active Directory
, \\Server1\SalesInfo.
, ,
Active Directory , .


Active Directory Windows Server 2003
Windows 2000 Active Directory,
, Windows 2000,
. Windows Server 2003
.
Drag and drop. Active
Directory Windows Server 2003
Active Directory.
OU .

.
.
. Active Directory
Windows 2000 .
Active Directory Users And Computers Windows Server 2003
. ,
Marketing () ,
. ,
, Department
Marketing. ,
Properties ().
.
Windows Server 2003,
.
.
Active Directory ,
. ,
, . ,
, ,
30 .
Saved Query ( ) New>Query, ,
, .
Active Directory Windows Server 2003
, Active Directory:
Dsadd Dsmod ( Active Directory
), Dsrm ( Active Directory), Dsmove (
), Dsquery ( ) Dsget
( ). Help And Support Center (
) ,
.

Active Directory Windows Server 2003


, .
. ,

. ,
, - ,
: user, inetOrgPerson contact. ,
, .
computer, printer shared folder.

11.
,
(IT-Inf ormation Technology), -
. ,
.
, .
,
.
.

. ,
.
.
Microsoft Active Directory Windows Server 2003
. ,
Active Directory,
( )
, Active Directory Windows Server 2003. 12
13 ,
.
.
Microsoft Windows 2000 : Windows 2000 Server, Windows Server 2003, Windows 2000
Windows XP Professional. -,
Microsoft Windows NT, Windows 95 Windows 98.
Active Directory Windows 2000, ,

Active Directory , Active Directory Windows Server 2003
. Windows XP
Professional Windows 2000.


Active Directory Windows Server 2003
,
. 11-1 ,
.
. 11-1.


.

.

, .


,
.
MS-DOS .bat
Windows Script Host.


,
My Documents ( ), Start
() Desktop ( ),
,
.
.

.
,

,
- .


, ,

.
.
Windows 2000, Windows XP Windows Server 2003.
, ,
, . ,
. ,
, - , ,
Active Directory .
. (GPO -Group Policy Object)
%systemroot%\System32\GroupPolicy.
- Active Directory.
Active Directory, .
Active Directory Windows Server 2003,
Active Directory: Default Domain Policy ( ) Default
Domain Controllers Policy ( ). Default
Domain Policy
. Default Domain Controllers
Policy (OU)
.
, ,
Active Directory.
, OU .
Active Directory .
, - .
. Active Directory
,
.
GPO, Active Directory, .
(GPC),
Active Directory Users And Computers System
()\Policies (). , Advanced
Features ( ) View () (. . 11-1). GPC
.
. GPC,
(GPT - Group Policy Template)
.
. ,
(, )
GPO.

. , GPO
, . , GPC,
ADSI Edit,
Group Policy Editor.

. 11-1. GPC Active Directory

. 11-1 , (GUID),
GPC Active Directory, .
GPC-
ADSIedit.msc. GPC Active Directory, ADSI Edit,
display Name.
, , GPT,

Sysvol . (. . 11-2).
. 11-2.


Adm

.adm,
.

,
.

,
.
Registry.pol.

.
,
.
Registry.pol. Machine\Applications
, .

Scripts
User

User\Applications
Machine

{GUID}

Gpt.ini,
GPO.

GPO- . (GPC)
Active Directory. Sysvol (GPT)
(File Replication service - FRS).
. GPO ,
. Replication
Monitor . (Replication Monitor Active Directory,
, Suptools.msi,
\Support\Tools - Windows Server 2003.) Replication Monitor
Monitored Servers (- ).
Show Group Policy Object Status (
). 11-2 ,
.

. 11-2.
Replication Monitor


GPO ,
(PDC).
,
.
PDC , ,
, (. . 11-3). (
, ,
View ()> Options ( DC) .)
, Operations Master (
) PDC, PDC.
, ,
.

. 11-3. , GPO

GPO
GPO.
Active Directory ,
GPO.
Properties (). Group Policy ( ) (. . 11-4). GPO, , New
().

(Microsoft Management Console)
Group Policy Object Editor (
).
GPO,
.
Local Computer Policy (
).
Browse (),
GPO .
GPO
,
(. . 11-5).

. 11-4. GPO, OU

. 11-5. GPO- Group


Policy Object Editor -

GPO Welcome To The Group Policy Wizard (


), Create New
Group Policy Object ( ).
, GPO,
, GPO. 11-6

GPO. GPO
.


GPO , .
Group Policy Properties ()
, GPO (. . 11-4). 11-3
, .

. 11-6. GPO-

. 11-3. GPO


Add ()


GPO
. Add,
,
11-5. GPO

.

Edit ()
GPO,
GPO. Edit,
(. . 11-6).
Options () No Override
(He ) GPO.


Delete ()

Properties ()

GP

GPO Active Directory, .

.
]
GPO
. :
, :
GPO.


.


GPO , OU Active
Directory.
Users Computers.

. , ,
,
. .
1. Local group policy ( ).
.
2. Site-level group policies ( ).
Active Directory.
3. Domain-level group policies ( ).
Active Directory.
4. OU-level group policies ( OU).
OU,
OU, OU .
Active Directory
. , GPO
. 11-7
, OU. Scripts Policy ( ),
- Desktop Policy ( ), - Office Installation Policy (
).

. 11-7. , ,
,

,
. , GPO Run ,
GPO Run,
Run OU. ,
. GPO
Run, GPO
.
, .
GPO : Enabled
(), Disabled () Not Configured (He ).
Enabled, , ,
. Disabled, ,
, . GPO,
, Disabled. ,
Run GPO, OU .
Run OU ,
Run OU . Not
Configured, , ,
.

///

(Local/Site/Domain/Organizational Unit -LSDOU).


.
,
.

OU
. 5, OU
, OU .

.

,
.
,
. , OU,
,

. ,
.
,
.
, Active Directory Windows Server 2003
.


.
.
, ,
Properties (). Group Policy ( )
Block Policy Inheritance ( ) (. . 11-8).
, ,
, . ,

OU, .
, ,
( Run )
,
.
, ,
OU
.

. 11-8. OU

.
, .
.

No Override (He ).
, -

. ,
, ,
, Properties () . Group
Policy, , Options No Override
(. . 11-9).

. 11-9. No Override

No Override ,
, . ,

- .
, , .
No Override,
.
No Override , GPO ,
GPO. GPO
No Override,
. No Override
GPO, .. GPO, OU,
No Override GPO, OU.
. No Override
, .

. .



Active
Directory.
. Security ()
. 11-10, Security
GPO , Authenticated Users (
) Read () Apply Group Policy (
). , , ,
.
,
Apply Group Policy .
Authenticated Users Security Apply Group Policy.
(ACL)
Read Apply Group Policy. , -
, ,
Active Directory .

. 11-10. Security() Properties ()


GPO GPO

. ,
. ,
, ,
, ,
.
, .
, ,
. ,
, OU
. , , GPO
, ,
GPO- , .
, GPO,
OU, , OU.
, -, , ,
, Apply Group
Policy . -, ,
, ,
Deny () Apply Group Policy ( )
, . .
Apply Group Policy , Read
Access ( ). ,
,
, .
. Active Directory Windows Server 2003
, Windows Management Instrumentation (
Windows) (WMI). WMI, WMI-,
, .
, ,
, 200
, , 64 .
(Help And Support Center) WMI Software
Development Kit - Microsoft http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmidsk/wmi/wmi_start_page.asp.


,
, . ,
Properties () GPO (. . 11-11),

, .


. 11-11. GPO

. ,
, ,
, . ,
,
. ,
, .


,
, . ,
Properties () GPO Options () (. . 11-9).

. , ,
, , .
, ,
. .


, , GPO
Active Directory Windows Server 2003, ,
.
, .
1. ,
. DNS-,
IP- , .
2. DNS-,
. , ,
GPO-, .
3. GPO- ,
. GPO
. ,

, LSDOU-.
4. ,

GPO, .
. .
Windows XP ,
Windows 2000 - , .. ,
,
- , . ,
Windows XP .
.

User Configuration\Administrative Templates\System\Group Policy Computer Configuration\Administrative Templates\System\Group
Policy. 11-12 , Computer Configuration
.
,

(Figure 11-12 screenshot: Group Policy Object Editor, Computer Configuration\Administrative Templates\System\Group Policy. Listed policies, all in state Not configured: Turn off background refresh of Group Policy; Group Policy refresh interval for computers; Group Policy refresh interval for domain controllers; User Group Policy loopback processing mode; Allow Cross-Forest User Policy and Roaming User Profiles; Group Policy slow link detection; Turn off Resultant Set of Policy logging; Remove users ability to invoke machine policy refresh; Disallow Interactive Users from generating Resultant Set of Policy; Registry, Internet Explorer Maintenance, Software Installation, Folder Redirection, Scripts, Security, IP Security, Wireless, EFS recovery and Disk Quota policy processing; Always use local ADM files for Group Policy Object Editor.)

. 11-12.

.
, 90 , 30-
,
.
5 .

.
,
, .
,
(
).
, ,
ping .
, , .
, -
ping - .
. Ecjfti
500 /,
. ,
500 /,

.
.
Computer Configuration\Administrative
Templates\System\Group Policy. Group Policy Slow Link
Detection ( ) Properties
() (. . 11-13).
Enabled (), , .

. 11-13.
,
,
.
, .
Computer Configuration\Administrative Templates\System\Group Policy .
, Internet Explorer
.
Group Policy ( ) Properties. Enabled
() , (. . 11-14).

. 11-14. Internet
Explorer

, Allow
Processing Across A Slow Network Connection (
). ,
, ,
, .
GPO
loopback. ,
, ,
, .
loopback,
,
. loopback User Group Policy
Loopback Processing Mode ( Loopback )
Computer Configuration\Administrative Templates\System\Group Policy (. . 11-15).
loopback,

. Merge ()
,
,
,
.

.

. Replace ()
,
.
loopback .
, ,
,
.
, ,
. 11-15. loopback

, , .
, OU
OU. loopback
OU. , ,
, loopback
.

GPO
9, Active Directory
.
-
. ,
.

,
GPO. Domain Admins (
) Group Policy Creator Owners (- ). Group
Policy Creator Owners , ,
,
.
, ,
.
, GPO
, .
Active Directory GPO
%systemroot%\Sysvol\domainname\Policies, GPT.
GPO,
Read () Write () GPO.
.
- GPO,
GPO .
Delegation Of Control Wizard ( ). Active Directory
Users And Computers ( Active Directory)
, ,
Delegate Control ( ), .
OU
(. . 11-16).

Resultant Set of Policy (RSoP) ( ). Delegation Of Control Wizard
RSoP (. . 11-16).
, ACL ,
Write gPLink.

.


Windows Server 2003
,

.
,


. GPO
. 11-16.

Active Directory Windows Server 2003

, OU. , GPO
, GPO.
GPO , ,
. ,
OU , GPO,
. ,
-, .
, GPO , ,
WAN-,
.
, , ,
, , , , Read GPC Active Directory GPT
Sysvol. GPO
GPO .
,
. Active Directory Windows Server 2003 ,
. ,
,
. , ,
. ,
, .
, ,
.

.

.

, GPO .




.
- Group Policy Object Editor.
.

RSoP
. ,
, .
GPO ,
, ,
GPO .
RSoP, ,
, .
RSoP : .
,
.

.
( ) .

RSoP, -
Resultant Set of Policy ( ).
Resultant Set Of Policy Generate RSoP Data ( RsoP). Resultant
Set Of Policy Wizard .
.
, .
, GPO
.
, , ;
, (. . 11-17).

. , ,
, ,
loopback. ,
Active Directory
.
.

. 11-17.
RSoP

GPResult
GPResult - ,
RSoP. Gpresult -
, ,
, , .
, , ,
. , ..
, ,
.
.
GPResult , Windows XP
Professional Windows Server 2003. GPResult
(Help And Support Center).

GPUpdate
GPUpdate Secedit /refreshpolicy,
Active Directory Windows 2000.
. gpupdate , ,

.
.
Gpupdate ,
,
,
. ,

. /logoff /,
.



, OU,
.
, ,
, .
Microsoft
(GPMC - Group Policy Management Console) (. . 11-18).
.

Microsoft
,
GPMC

Windows Server 2003.


2
GPMC.

. 11-18. GPMC ,

, . GPMC
,
. 11-4
GPMC.
. 11 -4. GPMC

GPO
Settings
(
GPO.
GPO)
GPO Links (
GPO)
, GPO
.

GPO
Delegation
( GPO)
,

GPO
RSoP.

Security
Filtering
( ) ,
.
RSoP Planning (RSoP
Group Policy Modeling
)
( ),

RSoP.
RSoP Logging (RSoP Group Policy Results (
)
) ,
RSoP.
Modify
Inheritance
(
No Override (He ) Block
)
Inheritance ( ).
Search ()
,
. ,
GPO,

Folder
Redirection
( ).
Backup And Restore
GPOs
( GPO

GPO .


GPO)
GPO

.
Scripting
Interface GPMC
( -,
)

.
- Microsoft

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx.
, GPMC
.


,
.
, ,
.
, .
. 12 13
.
,
, , .
GPO,
GPO
GPO , .
GPO ,
.
, GPO .
.

, ,
.
,
OU. GPO
. , GPO
, - , .
, .
OU
, rpytm
,
. ,
.
.
, , .
.

Active Directory Windows Server


2003, .
,
Windows Server 2003,
.
, OU, GPO
.
, . 12 13
, . 12 ,

-, 13
.

12.

11
Active Directory Microsoft Windows Server 2003.

, 13 .
- ,
. ,
, .
,
Microsoft Office, , .
.

,
. ,
, .
,
, .

, .
, Active Directory
, .
,
.
, ( )
, , , ,
. Active Directory .

Windows

Windows Microsoft. Windows
, Windows.
.
(.msi-). .msi
, ,
.
Windows (Msiexec.exe).
.
(DLL) Msi.dll .msi.

, , ,
msi.
Windows .
, . .
, ,
, . , -
, ,
. Windows, .msi,
,
. .msi
.
. Windows Windows Server 2003,
Microsoft Windows XP Professional Microsoft Windows 2000, Windows
. Windows,
.
Windows

Microsoft Windows NT, Windows 95 Windows 98.



Windows Server 2003, Windows XP Professional Windows 2000.
.msi
.
(native) Windows.

.msi
Windows -, ,
. Windows
, .msi
. .msi, .
,
.
.
, ,
. Windows 2000
Windows XP, .msi.
,
, .
(, Wise).
.
.
, . ,
,
. ,
.
,
.
.msi.
.msi , Group Policy Software Installation
( )
.



Windows ,
Active Directory Windows Server 2003.
,
.

, .
,
, .msi-, .
, .
,
Read (). ,
Read. (
.)



GPO,
. GPO .
GPO ,
. Computer Configuration\Software
Settings Group Policy Object Editor ( ),
, .
, User Configuration\Software
Settings ,
.
. 11 Microsoft
Group Policy Management Console (GPMC),
.
, ,
,
Active Directory. GPMC-
, , 11, 12 13,
,
- Windows Server 2003.
,
. ,
, .
, , .
,
, ,
, .
, ,
. , ,
Start ().
Add Or Remove Programs (
).
, Start Add Or Remove Programs.
, ,
, .
, Microsoft Word .
.doc, Word .
(extension activation).
Active Directory Windows Server 2003, Active Directory
Windows 2000,
.
, ,
, .
, .
, Add Or
Remove Programs . ,
,
.
,
. Add Or
Remove Programs. , .

.
,
. ,
Microsoft Visio, .

Visio.
,
, , .

.
1. .
, ,
Read () .
2. : , (OU),
, .
Group Policy ( ). GPO
Edit () GPO.
3. ,
User Configuration\Software Settings (
) ,
Software Installation ( ), New (),
Package ().
, Computer Configuration\Software Settings
( ) GPO,
Software Installation ( ),
New (), Package ().
4.
. ,
, .
.msi.
.
, . ,
.
5. .msi ,
. 12-1
. , ,
.
(Figure 12-1 screenshot: Select deployment method dialog.)
. 12-1.

6. , .
Advanced (),
Properties,
.
GPO ,
.
(
) (
). GPUpdate,
Windows XP Professional Windows Server 2003,
,
. ,
gpupdate /logoff gpupdate /reboot.



.
,
, -
. ,
.
.
, GPUpdate.
,
.
. ,
. ,
, , ,
.
, ,
.
,
(Distributed File System - DFS). DFS
, ,
. , DFS \\serverl\softinst,
.
DFS
. DFS,

. DFS , , ..
, DFS
, ,
WAN , .
, .
,
, . ,
GPO, ,
OU, OU,
GPO- OU.
,
. ,
GPO OU,
, GPO-.
, ,

,
.


,
Windows
.msi ,
. ,
,
.
(.zap) .
.zap , ,
. .zap-
:

[Application]
FriendlyName = "applicationname"
SetupCommand = "\\servername\sharename\installapplication.exe"

FriendlyName , Add Or Remove


Programs . SetupCommand ~
. UNC-
SetupCommand.
,
SetupCommand, , ,
. :
SetupCommand = "\\servername\sharename\setup.exe" /parameter

, ,
,
.
.zap
.
Add Or Remove Programs,
. , .zap,
, ,
.
.zap
Windows. -, .zap
, ..
, . ,
.zap ,
, ..
. , .zap,
. -
,
. , ,
.zap, . -

, ,
.


.
Properties. 12-2 Deployment
(). 12-1 Properties.
. 12-1.

Deployment
Type
(

Auto-Install This Application By .


File Extension Activation
( ,
,
)
.
, .

Uninstall This Application When ,


It Falls Out Of The Scope Of
Manage
ment . ,
(

, - OU,
)
,
,
. Do Not Display This Package
In The Add/ Remove Programs
Add/ Remove Control Panel (He
Programs (/ ).
Add/Remove Programs )
Install This Application At Logon
(
)
,
.
, .
Installation
User
Interface ,
Options
(

.
)
Basic () ,

.
Maximum ()
.
Advanced
(

)

.
32- 64 ,
, ,

, ,
Active Directory (. . 12-3).

. 12-2.

. 12-3. Advanced Deployment Options (


) ,

, ,
, ,
GPO. ,
Software Installation ( ) Properties () (. .
12-4).

. 12-4. ,

,
GPO.

.


,
Windows. ,
, ,
.
Microsoft Office, Microsoft Word
Microsoft Excel, .
,
.
, (.mst).
.msi .
.mst ,
. , Microsoft Custom
Installation Wizard ( ) Microsoft Office 2000
Resource Kit Microsoft Office XP Resource Kit. .msi,
.mst. ,
.
, Microsoft Office,
.
,
,
.
(, ),
, Microsoft Office
.

. Advanced
() ,
. Properties () Modifications

(), . 12-5
Modifications.
. 12-5.


, ,
GPO,
.
.
,
, .. ,
,
.

. :
() (service pack)
. Microsoft Office 2000,
Service Release I for Office 2000
, Office XP .
.
(patch file) ,
.msi patch- (.msp) . (
,
.) .msi
, .msi,
. . ,
, All Tasks
( ), Redeploy Application ( ).
,
.
.
.
Upgrades ().
, ,
. Add ()
Upgrades, , .
, ,
. 12-6
Office 2000.

. 12-6.

, Upgrades (. . 12-7). Upgrades .


, GPO,
.
,
, Start () Add Or
Remove Programs ( ).
GPO,
, . .
, , , ,
, .
,
. ,
. ,
. , ,
, ,
, , , .
,
.

. 12-7. Upgrades Properties ()


,
.
, GPO ,
, Add Or
Remove Programs, . ,
,
, .

. , 12-8 ,
. Administration
(), Administration
.
Active Directory Windows Server 2003 -
, . ,
GPO, Software Installation
( ) Computer Configuration User
Configuration, Properties, Categories () (. . 12-9).
GPO-, GPO- .

.

. 12-8. Add Or Remove Programs

. 12-9. GPO-


, ,
.
.
. , Word 2000 Word XP
.
, ,
.
Group Policy Object Editor Software Installation Properties (
) Computer Configuration User Configuration.
File Extensions ( ) (. . 12-10).
, .
(Figure 12-10 screenshot: File Extensions tab. Select file extension; Application precedence: Microsoft Office 2000 SR-1 Premium, followed by a second, unreadable entry.)
. 12-10.

,
.
.
1.
.
2. ,
.
3.

.
.
. GPO,
,
GPO. , Software
Installation ( ), All Tasks ( ), Remove
(). 12-11 ,
. Immediately Uninstall The Software From
Users And Computers (
),
.
Allow Users To Continue To Use The Software, But Prevent New Installations (
,
), ,
, GPO-.

. 12-11.


Windows
,
, Windows, , ,
, Windows Installer. Active Directory Windows
Server 2003 , .
, GPO
Computer Configuration ( ).
Administrative Templates ( ), Windows Components
( Windows), - Windows Installer ( Windows) (. . 12-12).
: User Configuration\Administrative
Templates\Windows Components\Windows Installer. 12-2
.

. 12-12.

Windows

. 12-2. Windows

Disable Windows Installer (

Windows)
(
)

Windows. ,

Windows,
,
,
.
Always Install With Elevated Privileges

( ) ,
(
)
,
.
,
Windows

.
Prohibit Rollback ( ) ,
(

)

Windows

.
Remove Browse Dialog Box For New
Source ( Browse (),
) ( ,
)
Windows.
Browse, ..

,

Prohibit
Patching

)
)

(
( ,

Windows.

,

,
.
Disable IE Security Prompt For Windows

Installer Scripts ( IE , ,

Windows)
(
Microsoft
)
Internet Explorer.
,

-.
Enable User Control Over Installs
( .
) ( ,
)
,

.
Enable User To Browse For Source While
Elevated (
,

)
( .
)
Enable User To Use Media Source While
Elevated (

)
(
.
)
Enable-User To Patch Elevated Products
( ,
,

)
( .
)
Allow Admin To Install From Terminal

Services
Session
(

)
( ,
)
.
Cache Transforms In Secure Location On
Workstation
(-
,


) ( .
)

Logging
()
)

Windows

.
Prohibit
User
Installs
( ,
) ( ,
)
. ,

,

, .
,

.
,
Windows v2.0 (
).

Turn Off Creation Of System Restore


Checkpoints (
Windows XP Professional,
) (
)
System Restore
( ).
Search Order ( ) (
)
,

Windows

.
Windows
,

, - URL .
Prevent Removable Media Source For Any
Install (
)
( ) .

^-
Windows




,
.

.
.
, .
, , -
.
,
.

.

.
, ,
( ),
.
- ,

. ,
OU.
Active Directory
GPO .
,
, GPO . ,
GPO
, ,
GPO-.
GPO-, .
,
GPO.
. , GPO
, , .
GPO , (
), ,
.
,
.
, Active Directory,
. ,
, ,
500 /.
(LAN)
, .
, ,
.

, , ,
LAN. ,
LAN. LAN,
Active Directory. ,
-,
.
,
.
(RIS Remote Installation Services)
.
, .
,
, ,
.
, .
RIS ,
RIS- .


.
, ,
, .
OU Active Directory

.
.

.
, ,
. -

.
,
.
Windows Update ( Windows)
. , ,
.
, . Microsoft .msi
, . Microsoft
(Software Update Service SUS)
, . SUS
. SUS,
Windows 2000 Windows
Server 2003.
Windows Update. .
,
. SUS
Windows 2000 Professional Server ( Service Pack 2
), Windows XP Professional Windows Server 2003. Windows 2000
Service Pack 3 Windows XP Professional Service Pack 1 SUS-.
SUS
SUS, .
SUS .
, Computer Configuration,
Administrative Templates, Windows Components, Windows
Update
(. . 12-13). , SUS .

. 12-13.

SUS ,

-
Microsoft
,

http://www.microsoft.com/windows2000/windowsupdate/sus/susoverview.asp.


, .

Microsoft Systems Management Server (SMS) LANDesk Intel.
,

Windows 2000 Windows XP Professional.
, Windows NT
Workstation, Windows 95 Windows 98 .


, .

.
,
. ,
, SMS, . ,
SMS LANDesk ,
wake-on-LAN,
.
, ,
, .
, , ,
- .
, ,
.
, .
,
.
. , ,
, ,
.
,
.
,
. Active Directory ,
,
.

, ,
GPO , .
(,
SMS LANDesk) .
, ,
, , . ,
. ,
Office ,

.
, ,
. ,
VPN.
.
-,
. ,
. ,
, ,
.

, . ,

. ,
Windows 2000 Windows XP
Professional, ,
. ,

.

Active Directory Windows Server 2003



. Windows,
,
.
,
.

13.

12 Active
Directory Microsoft Windows Server 2003
,
.
.
,
, ,
,
. ,
.
-
.
,
. , ,
.
, ,
.
, - ,
. ,
. , ,

.
,
. ,
, .

.

,
. ,
,
,
. ,
,
- ,
. , ,

.
,
.


.
Microsoft Windows NT 4 Active Directory Microsoft Windows
2000,
.
.
,

.

.
, ,
.
,
, .
, ,
.

. -
,
. ,
,
,
, , .



Active Directory Windows Server 2003 ,
.
Group Policy.

. 13-1
GPO. 13-1
.

. 13-1. Default Domain Policy (


)

. 13-1.


Computer
Software Settings (
Configuration
and
,
User Configuration )

(
.

)
Computer
Windows
Settings\
Scripts
Configuration and (

User Configuration Windows\)

(
.

)
Computer
Windows Settings\ Security ,
Configuration and Settings (

User Configuration Windows\


( )
.

)
,

.


User Configuration Windows
Settings\
Folder ,
( Redirection
(

)
Windows \- ,
)

My Documents
(
), .
User Configuration Windows Settings\ Remote
( Installation Services (
)
Windows \ (RIS).
)

User Configuration Windows


Settings\
Internet
( Explorer
Maintenance

)
(
Microsoft
Internet
Windows\
Internet Explorer

Explorer)
.
Computer
Administrative
Templates
Configuration and ( )
User Configuration
,

.
)



, ,
. ,
, ,
.
.
.
. ,
, ,

, ,
. ,
.
, ,
, .
Active Directory
.
- , -
.
, .
,
, ,
.
,
Active Directory, , ,
.
Active Directory
,
.



. HKEY_CURRENT_USER
( Ntuser.dat),
. , My
Documents ( ), Start Menu ( ), Desktop ( ) Application Data
( ). 13-2
Windows Server 2003.

. 13-2.

,
.
, %systemdrive%\Documents And Settings.
, ,
, , ,
Documents And Settings ( ).
, ,
, .
- .
, ,
. , ,
,
. ,
.
.
, , ,
, . Windows 2000
Windows XP Professional
, . ,
, , ,
. ,
Profile () Properties ()
Active Directory Users And Computers ( Active Directory).
.

. ,
,
. Account Operators (
), Domain Admins ( ) Enterprise Admins
( ),
,
. ,
.

Ntuser.dat Ntuser.man. ,
. ,
, ,
, .
Windows Server 2003.
,
.
.
Computer Configuration\Administrative Templates\System\User Profiles.

User Configuration. 13-2 .

. 13-2.

Do Not Check For User


Ownership Of Roaming ,
Profile Folders (He

Microsoft Windows 2000 Service

Pack 4 Microsoft Windows XP Professional Service


Pack. )
. ,
. Delete Cached Copies Of
Roaming Profiles (
- , .
- ) ,

Windows 2000 Windows XP Professional,

.
Do Not Detect Slow
Network Connections (He

)
.
,
,
.
Slow Network Connection
Timeout For User Profiles . ,
(

- 500 /, (

, IP-)

120 .
)
Wait For Remote User ,
Profile ( .

,
)
,
.
Prompt User When Slow
Link
Is
Detected ,
(

,
,
. ,
)
.
Timeout For Dialog Boxes
( ,
)

. ,

, .

Log Users Off When


Roaming Profile Fails , .
(
, ,
,
, .
(
)
.)
Maximum Retries To
Unload And Update User Ntuser.dat,
Profile (
.

60 .
Add The Administrators

Security Group To Roaming


User Profiles ( . Windows 2000

Windows
XP Professional

,

)
Prevent Roaming Profile
Changes From Propagating .
To
The
Server ,
(
,
.
)
Only Allow Local User ,
Profiles (
. ,
)

Connect Home Directory To
Root Of The Share ,
( Windows NT. ,
) ' ,
(

User
Configuration)
. (
), ^
,
.
Limit Profile Size
(

,

) ( User ,
Configuration)
,
.
Exclude Directories In
Roaming
Profile

( .
)
(

User
Configuration)
13-2, Active Directory Windows Server 2003
.

. ,
, ,
, ,
. ,
, , ,
. ,
,
. (OU),
,
.
,
. ,
, , .
.
, . ,
My Documents ( ) .
- , .
. ,
, , ,
, , , , .
, .
.


Active Directory Windows Server 2003
.
, ,
, . ,
, , My Documents.
, ,
.
, ,
.
, ,
, - My Documents.
,

. , Start Menu Desktop ,
, .
Read () , Write (),
.
Active Directory Windows Server 2003: Application Data,
Desktop, My Documents Start Menu
User Configuration ( ), - Windows Settings
( Windows), - Folder Redirection ( ).
, .
My Documents , My Documents
Folder Redirection ( ), ,
Properties (). Properties - Target () (. . 13-3).
. Setting ( )
Not Configured (He ), .. .
, , .
Basic - Redirect Everyone's Folder To The Same Location ( -
). , ,
. , ,

, \\servername\sharename .
Advanced - Specify Locations For Various User Groups ( -
).
, Active
Directory . ,
.

. 13-3.

. Advanced
. ,
,
, .
Advanced, ,
,
. ,
.
,
. ,
.
Redirect To The User's Home Directory (
). My Documents
() ,
. , .
, .
My Documents.
Create a Folder For Each User Under The Root Path (
). ,
. ,
.
%username%.
Redirect To The Following Location ( ).

. UNC- .
%username% .
.
, Start Menu
, .

Redirect To The Local Userprofile Location (


).
, .
.
.
, Settings Properties (. . 13-4).

(Figure 13-4 screenshot: Settings tab, select the redirection settings for My Documents: Grant the user exclusive rights to My Documents; Move the contents of My Documents to the new location; Policy Removal, with Redirect the folder back to the local userprofile location when policy is removed; My Pictures Preferences.)
. 13-4.

Settings ( ) .
Grant The User Exclusive Rights To foldername (
).
. Administrator ()
. ,
.
Move The Contents Of foldername To The New Location (
).
. ,
.
Policy Removal ( ).
. Leave The Folder In
The New Location When Policy Is Removed ( ,
),
, . Redirect The Folder Back
To The Local Userprof ile Location When Policy Is Removed (
, )
, .
My Pictures Preferences (, My Pictures).
, My Pictures
My Documents.
, My Documents,
,
. ,
. , ,
. Desktop ( ).
,
, . ,
,
, ,
.


My Documents ,
, ..
, ,
My Documents, .
, , , .
, .
Windows 2000,
,
.
, Windows XP
Professional. Windows 2000,
My Documents, , Make Available Offline
( ). ,
, ,
, , .




.
.
.
, ,
, - .


Account Policies ( ), Computer Configuration\Windows Settings\Security Settings, ,
. Account Policies
: Password Policy ( ), Account Lockout Policy (
) Kerberos Policy ( Kerberos) (. . 13-5). ,
Kerberos Policy, , ,
. Kerberos Policy
, - Windows 2000, Windows XP
Professional Windows Server 2003.

. 13-5.

,
. 13-3 .

. 13-3.

Enforce Password History 24


( ,
)
,
-

;
0

.
. :
0 24 Maximum Password Age
, 42 . (

)
,

0.
: 0 999
Minimum Password Age , 1
( )
,
; 0 -
.
.
,
0.
: 0
998
Minimum Password Length
7

(

,
)
. -
, ;
0 -
0. .
: 0
14
Passwords Must Meet

Complexity Requirements :
(
, -

- .

.
)
,

6
, ,

,
0 10,
( !, $,#)

Store Password Using .


Reversible
Encryption ,
(
,

)

,



, .
13-4 .
. 13-4.

Account
Lockout
Duration
(

Account
Threshold

Lockout
(

Reset Account Lockout


Counter After (


.


.

,
0. ,

, ,
Reset
Account Lockout Counter After.
: 0
99999


,
,

0
,
.
: 0 999

,


,

0.
, ,
,
,
Account
Lockout
Duration.
: 1
99999

1,

30
,

.

0
.

.

30 ,

1
.

Kerberos
Kerberos Kerberos Ticket-Granting Ticket (TGT), .
13-5 .
. 13-5. Kerberos

Enforce User Logon , .


Restrictions ( (Key Distribu tion Center - KDC)


User

Rights ( )
)

Maximum Lifetime For , 600 (10 ).


Service
Ticket
( .
: 10, ,
)

Maximum Lifetime For User Ticket,
99999. 0
,
, Maximum
Lifetime
For
User
Ticket

^ 1, a Maximum
Lifetime For User Ticket Renewal
23
Maximum Lifetime For , 10 .
User
Ticket
(
TGT. ,

TGT. : 0
)
99999. 0 ,
,
Maximum Lifetime For User Ticket Renewal
Not Defined
Maximum Lifetime For , 7 .
User Ticket Renewal TGT
( ,

. 0 ,

)
Maximum Tolerance For 5 .
Computer
Clock
Synchronization
,
( Kerberos. ,

Domain Security Policy (


) .
.
OU, , .
OU, ,
OU. OU,
, .
, .



.
Account Policies,
Computer Configuration\Windows Settings\Security Settings.
User Configuration\Windows
Settings\Security Settings. 13-6 ,
Security Settings ( ), 13-6
.

. 13-6. , Security Settings


.
, ,
. , , -
, GPO Active
Directory. , GPO,
.
.
, , .
,
.
,
, .

. 13-6.


Local
Policies\Audit
Policy
( .
\
,
)
, ,
,
.
Local
Policies\User

Rights
Assignment ,
( - .
\ ,
)
,
, ,
..
Local
Policies\Security

Options
(

\
.
)

, , ,
, Microsoft .NET
.. Event Log (
)

,
.
,
, .
Restricted
Groups
( ) ,

.


Windows 2000 .

, ,
,
,
,
.
System
Services

( )
:

.
Registry (
)
.
,
.
File System(
)
.
,
.

Wireless Network (IEEE


802.11)
Policies ,
(

)
,
.
Public Key Policies ,
(
). .
,
Computer Configuration, ,
User
Configuration. (Encrypting File System - EFS).
User
Configuration

Enterprise
Trust
(

).
IP Security Policies On IPActive
Directory (IP Security - IPSec).
(domainname) ( , ,
IP Active
Directory)
IPSec,
.
. Software Restriction ( )
Security Settings User Configuration, Computer
Configuration. .


Active Directory Windows Server 2003 ,
Active Directory Windows 2000 -
. ,
% .
.
,
, .

.

, , , -.
, ,
. ,
, .
, , ,
, .
,
.
, .

, , .
Hash rules (-). - ,

. Security Levels ( )
Unrestricted (He ),
, -,

. ,
- .
, -
.
Certificate rules ( ). ,
.
, , ,
,
, .
Path rules ( ). , ,
, .
, ,
. ( %systemroot%),
( *.vbs).
Registry path rules ( ). ,
,
.
,
, ,
, .
, ,
, New Path Rule ( )
.

.
,
.
Internet zone rules ( ).
-, . ,
, ,
Trusted Sites ( ), ,
, Restricted Sites (
).
, ,
, ,
. , ,
, .

Computer Configuration\Windows Settings\Security Settings, -
User Configuration\Windows Settings\Security Settings. Active Directory
. ,
Software Restrictions Policies (
) New Software Restrictions Policy ( ).
(. . 13-7).

. 13-7.

Security Levels ( )
. : Disallowed ()
Unrestricted (). ,
,
Unrestricted Set As Default ( ).
, Disallowed
.
Additional Rules ( )
. ,
Additional Rules , .
, - New Hash Rule. -,
Browse () , . - . -
, (.
. 13-8).
Enforcement ()
,
.
,
, , DLL.

, ,
. Designated File
Types ( )
,

.
.

. 13-8. -

Trusted Publishers ( ) ,
, . ,
.
,
.


, ,

Windows Server 2003. ,
. ,
. , Microsoft ,
.
,
. ,
, , ,
, . ,
, ,
. , ,
. .
, ,
, .
, ,
. ( IPSec
.)
. , ,
GPO.
.inf .


, Microsoft
.
, default ( ), secure () high
security ( ). %systemroot%\security\templates.
Windows Server 2003 Windows XP Professional,
Setup Security.inf.
, ,
.
. ,
,
.
. ,
- . , .
,
, .
Windows Server 2003 Windows XP Professional
,
. ,
.
,
, .
,
. Microsoft Windows Server 2003.
Compatws.inf. .
Windows Server 2003 , ,

Windows. , ,
, Windows Server
2003 Windows XP Professional. -
, .
,
Power Users ( ),
, . ,
,
Users () . Compatws.inf
.
,
Users .
Securews.inf Securedc.inf.
, .
NTLM-,
(Server Message Block - SMB). Securews.inf
, Securedc.inf -
.
Hisecws.inf Hisecdc.inf. ,
. ,
. ,
Windows Server 2003, Windows 2000 Windows XP,
, ,
. Hisecws.inf
, Hisecdc.inf - .
DC security.inf. , -
Windows Server 2003 .
,
.
Notssid.inf. SID
Terminal Users ( )
DACL .
, ,
,
Terminal Users. Windows Server 2003,
.
Rootsec.inf.

, .
, .
, ,
. ,
Security Settings Import Policy (
). %systemroot%\Security\Templates,
. ,
.
.
, .
, .

Windows Server 2003 ,


. - Security
Configuration And Analysis (- ),

. Security Configuration And Analysis


. ,
, ,
. 13-9 .
.
Security Configuration And Analysis Configure
Computer Now ( ).
.

. 13-9. Security
Configuration And Analysis

Security Configuration And Analysis


. ,
,
.
.
Secedit .
, ,
.
Secedit , .
, .


,
,
.
Windows 2000 Server, Windows 2000
Professional, Windows XP Professional Windows Server 2003.

, 700. , , ,
. 13-7
, .
Active Directory Windows 2000, Windows Server 2003 150
. 13-7 ,
Active Directory Windows Server 2003 Windows XP Professional.


Computer Configuration\Administrative Templates\System\Net Logon
, DNS .
Computer Configuration\Administrative Templates\System\Remote Assistance
Remote Assistance ( ), Windows Professional.
Computer Configuration\Administrative Templates\Windows Components\Terminal Services
, Terminal Services .
User Configuration\Administrative Templates\Network\Network Connections
, ,
User Configuration\Administrative Templates\Control Panel
User Configuration\Administrative Templates\Windows Components\Internet Explorer
. , Internet Explorer. Internet Explorer 5.01 .
. 13-7.

.
http://www.microsoft.com/windowsxp/pro/techinfo/administration/policy/winxpgpset.xls. Active Directory Windows Server 2003
. Active Directory
,
. ,
Administrative Templates
Help ().
. 13-10 , System
(). Windows NT ,
Active Directory Windows Server
2003.
.
.
, ,
. , ,
, ,
. ,
, , .
Active Directory , ,
. ,
User Configuration, HKEY_CURRENT_USER
\Software\Policies \Software\Microsoft\Windows\CurrentVersion\Policies. ,

Computer Configuration,

Y_LOCAL_MACHINE.
,
.
, ,
, . ,
() , ,
Policies . ,
, .

. 13-10.

.adm.
%systemroot%\Inf . 13-8
, Windows
Server 2003.
. 13-8. , Windows Server 2003

.
System.adm


Internet
Explorer.
Wmplayer.adm
Microsoft
Windows Media Player.
Conf.adm
Microsoft
NetMeeting.
Wuau.adm
Windows Update.
Inetres.adm

, ,
. .adm 13-11.
13-9 , .

. 13-11. System.adm

Sysvol,
,
. Registry.pol, %systemroot%\SYSVOL\sysvol\domainname\Policies\GroupPolicyGUID\Machine
%systemroot%\SYSVOL\sysvol\domainname\Policies\GroupPolicyGUID\User
.
. 13-9.


Policy
() .
Keyname ()
,
.

Supported
()


,
.
Windows XP Professional, Windows
2000 Windows 2000 ,
Microsoft Windows Media Player, 9.
Explain () ,
.
.adm.
Part ()
,
.
Valuename (^) ,

.
.
, ,
.
.
, , ,

. ,
, ,
, . ,
. ,
,
,
. ,
, ,
.



,
- .
.
. .
Windows NT.
Active Directory Windows Server 2003
Windows NT 4, .
.
Active Directory
. Windows NT .
LocalSystem.

. Windows NT . Active
Directory .
.
Active Directory
. Windows NT
.
Active Directory,
, .
Windows Script Host. Windows
NT MS-DOS
. Windows Server 2003, Windows XP Windows 2000
Windows Script Host (WSH).
WSH
. WSH
, . Active Directory
Windows Server 2003 ,
.
Windows NT Workstation, .
Windows 2000 Windows XP Professional
.
, ,

, .
Active Directory, ,
. , .
- %systemroot%\SYSVOL\sysvol\domainname\scripts.
NETLOGON,
, .
%systemroot%\SYSVOL\sysvol\domainname\GlobalPolicyGUID\Machine\Scripts

%systemroot%\SYSVOL\sysvol\domainname\GlobalPolicyGUID\User\Scripts.
GPO Scripts (Startup/Shutdown) (
(/ ), Computer Configuration\Windows Settings,
Scripts (Logon/Logoff) ( ( / )),
User Configuration\Windows Settings. , ,
Scripts (Startup/Shutdown) Startup.
GPO. Active Directory Windows Server 2003
,
.
Computer Configuration\Administrative Templates\System\Scripts, - User
Configuration\Administrative Templates\System\Scripts. ,

, ..
. , ..
, .
.
, , , ,
, .

Active Directory Windows Server 2003 ,


.
,
, .
, ,
,
.
,
. ,
.

IV. Active
Directory Windows Server 2003
I, II III ,
Active Directory Microsoft Windows
Server 2003, .
Active Directory
. 14 , Active
Directory, Active Directory
. Active Directory. 15
Active Directory. Active Directory
,
, .

14. Active
Directory
, Active Directory
.
Active Directory ,
(
, ).
, Active
Directory, .
Active Directory:
Active Directory.

Active Directory
Active Directory
.
,
, , .

Active Directory.
, Active
Directory, . Active Directory
, -
( , ,
..) (
). . ( ,

, , ,
.) ,
, ,
Microsoft Windows Server 2003. ,
Active Directory .
Active Directory, ,
, .

, ,
. ,
,
, . ,
, , Active
Directory, , .

Active Directory?
Active Directory ,
,
.
(service-level agreement - SLA) ( ).
Active Directory,
, , .
. SLA - ()
,
,
. Active Directory SLA
(IT )
, ,
.

,
, , 10000 Active Directory.
Active Directory ,
. Active
Directory ? (GC)
? , ,
, ?
, ,
, .

Active Directory
, Active Directory,
.
SLA- , .
Active Directory
, .

.

Active Directory,
.
IT-
.

Active Directory
Active Directory .
, .
,
-.
, ,
, .

Active Directory .

- ,
, . ,
,
Microsoft Operations Manager (MOM).
MOM ,
Windows Server 2003,
, .
.
, ,
.
.

, Windows Server 2003.
. MOM ,
, .
, , (,
), , ,
.

, .
MOM ,
, . Base
Management Pack Windows Server 2003,
Active Directory, (DNS) - Microsoft
Internet Information Services (IIS). Application Management Pack
Microsoft .NET Enterprise Servers, Microsoft Exchange
2000 Server Microsoft SQL Server 2000. MOM
http://www.microsoft.com/mom.

Active Directory
Active Directory,
,
.
, , (
) .
,
..
Active Directory .
1. , .
( SLA- .)
2. ,
.
3. . ( ,
, ,
.)
4. ,
. :
;
, ;
, .
5. ,
Active Directory.
6. ,
,
Active Directory.
.

, ,
.
, .
, ,
. ,
,
. ,
, ,
,
.

. ,
, -
. ,
, ,
.
. Active Directory (,
),
.
Active Directory, .
- .
, ,
. , Microsoft,
. ,
, ,
.
. ( , Microsoft,
.) .
,
. , ,
, Active Directory.


,
Active Directory,
Microsoft. ,
, .
,
.
Active Directory
(. . 14-1)
Active Directory. ,
. , Start () > Administrative Tools
( ) > Performance (), Add
() . , , .



. ,

. 14-1. Active Directory

NTDS

DS Search sub-

15

operations/sec

(DS
/ )

NTDS

% Processor
Time (Instance=lsass) (%
)
LDAP Searches/
sec (LDAP
/ )


,
Active Directory.

15



.

.
,

,

.

NTDS

LDAP Client
5
Sessions (LDAP

Private Bytes
15
(Instance=lsass)
( )

,
.
,
,
.
,

,
.

,
.

(
)

, ,
,
.

Handle Count
(Instance=lsass)

Virtual Bytes
(Instance=lsass)
(
)

15

.
15 ,

Active Directory

,
. ,

(service pack),

,
.
,
2-
.

,
-
NTDS DRA
.
(. . 14-2) .

, , .
Table 14-2. Counters for monitoring replication traffic

Object    Counter                              Interval (min)
NTDS      DRA Inbound Bytes Compressed         15
NTDS      DRA Outbound Bytes Compressed        15
NTDS      DRA Outbound Bytes Not Compressed    15
NTDS      DRA Outbound Bytes Total/sec         15


(. . 14-3) , .
, .

Table 14-3. Counters for monitoring authentication on a domain controller

Object    Counter                     Interval (min)   What it shows
NTDS      NTLM Authentications        15               NTLM authentications per second; NTLM is used by clients that cannot use Kerberos (for example, clients older than Windows 2000)
NTDS      KDC AS Requests             15               Authentication Service requests (requests for a TGT) handled by the KDC per second
NTDS      Kerberos Authentications    15               Kerberos authentications per second handled by this KDC
NTDS      KDC TGS Requests            15               Ticket-granting service requests (service tickets issued against a TGT) handled by the KDC per second


(. . 14-4) ,
, Active Directory.

Table 14-4. Counters for monitoring the server that hosts Active Directory

Object         Counter                               Interval (min)   Threshold / notes
Memory         Page Faults/sec                       5                700/sec
PhysicalDisk   Current Disk Queue Length                              the disk holding Ntds.dit and the .log files
Processor      % DPC Time (Instance=_Total)          15               10 %
System         Processor Queue Length
Memory         Available MBytes                      15
Processor      % Processor Time (Instance=_Total)                     85 %
System         Context Switches/sec                  15               70000
System         System Up Time                        15

.
,

Active Directory,
Process, % Processor Time,
lsass instance.


. ,

,

.

.

,
.

. ,
Microsoft ,
.
Directory Services Guide Microsoft Windows Server 2003 Resource Kit.
http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx.


, ,
.
Performance, Windows Server 2003,
. .
Active Directory Installation Wizard Active Directory,
NTDS Performance,
. ,
GC.
Active Directory ESENT (Ntds.dit)
Active Directory. .
,
Active Directory, Install Active Directory Database Performance Counters
( Active Directory)
Microsoft http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/monitor/ScrMon08.asp. ,
.vbs,
ESENT.
-
Kerberos ( 20- ) , .

1. Performance () Administrative Tools (


).
2. Performance Logs And Alerts ( ),
Alerts ().
3. Action () New Alert Settings (
).
4. Name () ,
. Performance Logs And Alerts,
, .
5. General () ,
ADD (), Performance
(. . 14-1).

. 14-1.

6. , .
(. . 14-2).

. 14-2.

7. Action () , ,
. ,
, Schedule
(). Action ,
, (. . 14-3):
;
.
IP- ;

;
.
. 14-3.
,

,
Actions,

.
, ,

, ,
.

(,

) .

, ,

.
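The tables above give the counters to watch and, for the system counters, the thresholds at which to raise an alert; the procedure just described builds one such alert by hand in Performance Logs And Alerts. The script below is an added example, not code from the book: it samples those same counters on a domain controller and flags the ones that exceed the tables' thresholds, which is the check you would script before trusting a hand-built alert. It assumes Windows PowerShell 2.0 or later for Get-Counter (a newer management host than the Windows Server 2003 DC the chapter describes) and that $Dc resolves to the DC; counters the tables give no threshold for are listed with their average only.

```powershell
# Added example (not from the book): sample the counters from Tables 14-1 to 14-4
# on a domain controller and flag any that exceed the thresholds the tables give.
# Assumes Windows PowerShell 2.0 or later for Get-Counter and that $Dc resolves to
# the DC being monitored.
param([string]$Dc = $env:COMPUTERNAME, [int]$Samples = 3, [int]$IntervalSec = 15)

# Counter path -> threshold ($null = no threshold in the tables, just report)
$checks = @{
    '\NTDS\DS Search sub-operations/sec'              = $null
    '\NTDS\LDAP Searches/sec'                         = $null
    '\NTDS\LDAP Client Sessions'                      = $null
    '\Process(lsass)\% Processor Time'                = $null
    '\Process(lsass)\Private Bytes'                   = $null
    '\Process(lsass)\Handle Count'                    = $null
    '\Process(lsass)\Virtual Bytes'                   = $null
    '\NTDS\DRA Inbound Bytes Total/sec'               = $null
    '\NTDS\DRA Outbound Bytes Total/sec'              = $null
    '\NTDS\NTLM Authentications'                      = $null
    '\NTDS\Kerberos Authentications'                  = $null
    '\NTDS\KDC AS Requests'                           = $null
    '\NTDS\KDC TGS Requests'                          = $null
    '\Memory\Page Faults/sec'                         = 700
    '\PhysicalDisk(_Total)\Current Disk Queue Length' = $null
    '\Processor(_Total)\% DPC Time'                   = 10
    '\System\Processor Queue Length'                  = $null
    '\Memory\Available MBytes'                        = $null
    '\Processor(_Total)\% Processor Time'             = 85
    '\System\Context Switches/sec'                    = 70000
    '\System\System Up Time'                          = $null
}

$paths = @($checks.Keys)
$sets  = Get-Counter -ComputerName $Dc -Counter $paths -SampleInterval $IntervalSec `
                     -MaxSamples $Samples -ErrorAction SilentlyContinue

# Collect every sample per counter; remote paths come back as \\dc\NTDS\..., so
# match on the trailing part of the path rather than on equality
$values = @{}
foreach ($set in $sets) {
    foreach ($s in $set.CounterSamples) {
        $key = $paths | Where-Object { $s.Path.ToLower().EndsWith($_.ToLower()) } | Select-Object -First 1
        if ($key) {
            if (-not $values.ContainsKey($key)) { $values[$key] = @() }
            $values[$key] += $s.CookedValue
        }
    }
}

$report = foreach ($key in $paths) {
    if (-not $values.ContainsKey($key)) { Write-Warning "$key not returned by $Dc"; continue }
    $avg   = ($values[$key] | Measure-Object -Average).Average
    $limit = $checks[$key]
    $state = 'ok'
    if ($limit -ne $null -and $avg -gt $limit) { $state = 'ALERT' }
    New-Object PSObject -Property @{
        Counter   = $key
        Average   = [math]::Round($avg, 2)
        Threshold = $limit
        State     = $state
    }
}
# 'ALERT' sorts before 'ok', so breaches come first
$report | Sort-Object State, Counter | Format-Table State, Average, Threshold, Counter -AutoSize
```

Run it a few times at different hours before fixing the thresholds: the tables' numbers are starting points, and a busy GC in a large site will sit above some of them all day without anything being wrong.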

Active Directory, - Active
Directory. -
Active Directory.

System Monitor ( )
Performance. ,

. ,
Performance Logs And Alerts.
.
,
.
Memory\Pages/sec.
PhysicalDisk(_Total)\Avg. Disk Queue Length.
Processor(_Total)\% Processor Time.
. ,
( ).
.
/ .
(
). 14-4 .
.
, ,

, Highlight ()
. , ,
, .
, ,
, .
HTML-.
,
Save As ( ). HTML,
.
HTML- , . ,
Freeze Display, Performance .


,
HTML

System Monitor.


.
Windows Server
2003
,
,

. 14-4. ,
:
Performance Log Users (, ) Performance Monitor Users (,
).
, .
1. , Add
Counters ( ).
2. Add Counters Use Local Computer Counters (
), ,
.
, , Select Counters From Computer
( ) IP-.
3. Performance, ,
. ,
, .
4. 5.

Active Directory Event Viewer

Performance Active Directory


,
Event Viewer ( ).
.
Add (), Close ().

Application log ( ). ,
.
System log ( ).
, , , ,
.
Security log ( ). ,
Windows.
, ,
Windows Server 2003, .
Directory Service log ( ). ,
Active Directory.
File Replication Service log ( )
, .
Windows Server 2003 DNS,
.
DNS Server log ( DNS). ,
DNS.
Event Viewer
Administrative Tools. , , .
14-5
Windows Server 2003, DNS.

. 14-5. Event Viewer

Errors () Warnings
(). ,
. 14-6 Warnings (ID- 13562)
File Replication Service ( ).


Active Directory ,
, , , .
, Active Directory ,
, .

. 14-6. Event Properties ( )

Active Directory.
.
Active Directory.
NTDS Performance.
Active Directory. ,
Active Directory Ntds.dit .log,
, .
DNS . Active Directory
DNS , DNS
, Active Directory
.
(File Replication Service - FRS). FRS
, , (Sysvol)
.
.
, , ,
.
. ,
.
. FSMO,
. , GC,
.


Active Directory, , . ,
Performance Monitor,
Windows Server 2003 Support Tools (
Windows Server 2003): Repadmin.exe, Dcdiag.exe
(. ). Repadmin ,
.

DC1, Contoso.com:

repadmin /showreps dc1.contoso.com

Dcdiag - , DNS-
. (SID)
(naming context) ,
.
Dcdiag dcdiag /?.
: dcdiag /test:replications
, , ,
.
, Error () Warning
(). ,
.
ID 1311. ,
Active Directory Sites And Services ( Active Directory),
. ,
- (bridgehead) ,
- (NC).
ID 1265 (Access denied ).
,

, ,
,
,
.
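Checking the Directory Service and File Replication Service logs for the warnings and errors named above, and then running Repadmin and Dcdiag, is a routine that is worth scripting. The following is an added example, not code from the book: it collects the Error and Warning entries from both logs on a DC, annotates the event IDs the chapter discusses (1311 and 1265 in the Directory Service log, 13562 in the File Replication Service log), and then runs the two Support Tools checks. It assumes Windows PowerShell 2.0 or later for Get-EventLog, a DC reachable as $Dc, and the Windows Server 2003 Support Tools on the path; the 24-hour window is this example's choice.

```powershell
# Added example (not from the book): pull Error and Warning entries from the
# Directory Service and File Replication Service logs on a DC, annotate the
# event IDs the chapter discusses, then run repadmin and dcdiag.
# Assumes Windows PowerShell 2.0+ (Get-EventLog) and the Support Tools on the path.
param([string]$Dc = 'dc1.contoso.com', [int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)
$known = @{
    1311  = 'KCC could not build a complete replication topology: check site links and bridgehead servers in Active Directory Sites And Services'
    1265  = 'Replication attempt failed (typically Access denied)'
    13562 = 'FRS found problems with the replica set configuration it polled from the DC'
}

$entries = foreach ($log in 'Directory Service', 'File Replication Service') {
    $events = Get-EventLog -ComputerName $Dc -LogName $log -EntryType Error, Warning `
                           -After $since -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $note = ''
        if ($known.ContainsKey([int]$e.EventID)) { $note = $known[[int]$e.EventID] }
        New-Object PSObject -Property @{
            Time    = $e.TimeGenerated
            Log     = $log
            Type    = $e.EntryType
            Id      = $e.EventID
            Source  = $e.Source
            Note    = $note
            Message = ($e.Message -split "`r?`n")[0]   # first line is usually enough to triage
        }
    }
}
$entries | Sort-Object Time -Descending | Format-Table Time, Log, Type, Id, Source, Note -AutoSize

# Replication partners and the standard DC health tests from the Support Tools
if (Get-Command repadmin -ErrorAction SilentlyContinue) { & repadmin /showreps $Dc }
if (Get-Command dcdiag  -ErrorAction SilentlyContinue) { & dcdiag /s:$Dc /test:replications }
```

A 1265 that persists after the network is confirmed healthy is the case to treat as a security event rather than a replication nuisance: the usual causes are a DC machine account password that no longer matches, or a clock skew large enough to break Kerberos, and either one is worth tracing before it is "fixed" by resetting the account.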

Active Directory
Active Directory
Active Directory.
Active Directory ,
.
Active Directory,
, . ,
Active Directory, Windows Server 2003
Ntdsutil.


,
Active Directory, . - ,
12 .
Active Directory.
- (tombstone) .
- , Active Directory.
.
isDeleted true, -,
. ,
: - (GUID),
SID, (USN) . -
.
- , .
- 60 . ,
-,
.
-
. , - Active Directory,
,

. ,
- .

. , garbageCollPeriod
DS (NTDS).
, Adsiedit.msc. ADSI Edit (
ADSI) Run () CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration,DC=forestname.
garbageCollPeriod , .
1 . 14-7
ADSI Edit.

. 14-7. garbageCollPeriod ADSI Edit



Active Directory.
Active Directory ,
. Active Directory
, .
Active Directory , ,
, . Active
Directory
.
.
, , . Active Directory,
,
, .

. - , ,
, .
, ,
.
, Active Directory.
Active Directory,
, .
.
12
. ,

, , . 14-8
.
Figure 14-8. Event Viewer entry from source NTDS ISAM reporting that online defragmentation has completed a full pass on the directory database (Ntds.dit)

Active Directory
,
Active Directory. ,
, ,
Active Directory. ,
, -
. , GC- ,
, , -
GC.
, , GC
. , .
1. Active Directory (. .
15).
2.
. F8,
Windows. Directory
Services Restore ( ) (
Windows).

, Administrator ().
3.
,
, .
ntdsutil. Ntdsutil files.
File Maintenance ( ) info.
Active
Directory .
7. compact to drive:\directory. ,
.
, .
8. Ntds.dit
.
.
9. , quit,
. 10. Ntds.dit
Ntds.dit

Active Directory. 11. .


. ,
Active Directory, .
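The offline defragmentation procedure above has two places where people get hurt: compacting onto a volume that runs out of space, and copying the compacted file over the original before anything has been backed up. The script below is an added example, not code from the book. It reads where this DC keeps Ntds.dit and its transaction logs from the NTDS Parameters registry key, checks that the target volume can hold a full compacted copy, runs the Ntdsutil integrity check and then the compaction, and prints the remaining manual steps rather than performing them. It must be run in Directory Services Restore Mode on the DC; it assumes Windows PowerShell on that DC and that $Target is a directory on a local volume (an assumption for the example).

```powershell
# Added example (not from the book): preflight and launch for the offline
# defragmentation procedure. Run in Directory Services Restore Mode on the DC.
# Assumes Windows PowerShell on the DC; $Target is an assumed local directory.
param([string]$Target = 'D:\NtdsCompact')

$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dit    = $params.'DSA Database file'          # path to Ntds.dit
$logDir = $params.'Database log files path'    # directory holding Edb.log, Res1.log, Res2.log, ...

$ditSize = (Get-Item $dit).Length
$logs    = @(Get-ChildItem -Path $logDir -Filter '*.log')
"Database  : {0} ({1:N0} MB)" -f $dit, ($ditSize / 1MB)
"Log files : {0} file(s) in {1}" -f $logs.Count, $logDir
foreach ($l in $logs) { "   {0,-14} {1,6:N0} KB" -f $l.Name, ($l.Length / 1KB) }

# The compacted copy is a full rewrite, so the target volume needs at least
# the size of the current database free
$driveRoot = [System.IO.Path]::GetPathRoot($Target)
$drive     = New-Object System.IO.DriveInfo -ArgumentList $driveRoot
if ($drive.AvailableFreeSpace -lt $ditSize) {
    throw ("Not enough free space on {0} for a {1:N0} MB copy of the database" -f $driveRoot, ($ditSize / 1MB))
}
if (-not (Test-Path $Target)) { New-Item -ItemType Directory -Path $Target | Out-Null }

# Ntdsutil accepts its menu commands as arguments, one argument per command,
# so the interactive sequence files -> integrity -> quit -> quit becomes:
& ntdsutil files integrity quit quit
& ntdsutil files "compact to $Target" quit quit

@"
Compaction finished. Before going further:
  1. Back up the current database: copy "$dit" somewhere safe.
  2. Copy "$Target\ntds.dit" over "$dit".
  3. Delete the log files in "$logDir" ($($logs.Count) file(s) listed above).
  4. Reboot normally, then check the Directory Service log for database errors.
"@
```

Keep the backup from step 1 until the DC has rebooted cleanly and replicated; if the compacted file turns out to be damaged, it is the only copy of the database that still matches the log files.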

Active Directory
Ntdsutil
Ntdsutil
Active Directory , Active Directory.
Ntdsutil ,
Active Directory.
, .. ,
Active Directory, .



. ,
.
, Ntdsutil.
. 15 , Active
Directory.
, .
1. .
Ntdsutil.
2. ntdsutil.
3. Ntdsutil files.
4. File Maintenance recover.

, , .
, , .


, ()
.
. -,
.
, integrity File Maintenance Ntdsutil.


,
.
Active Directory.
, GUID, SID
. ,
.
1. ntdsutil.
2. Ntdsutil semantic database analysis.
3. Semantic Checker ( ) verbose on.
Ntdsutil
.
4. Semantic Checker go.
. Active Directory Windows 2000, , ,
, Windows 2000 Repair (). ,
Active Directory,
Windows Server 2003.


Ntdsutil Active Directory
. ,
, .
, , , .
,
, .
1. ntdsutil.
2. Ntdsutil files.
3. , , Ntdsutil
info.
.
4. , File Maintenance
move db to directory, directory .
,
.
5. , File Maintenance
move logs to directory.

,
Active Directory , .
,

, . Active Directory
,
.
,
, Active Directory
.
,
.
, , Active
Directory -.

15.

Active Directory ,
. Active Directory ,
, .
Microsoft Windows Server 2003
Active Directory, - .
,
.
Active Directory Windows Server 2003 Active Directory
.
Active Directory.
Active Directory
.

Active Directory.
. Active Directory.
, Windows Server 2003.
Active Directory, .


,
. ,

, .
,
, Active Directory .
.

.

.
.
Active Directory.
Active Directory ,
. .

, -
. ,
Active Directory , .
, Active
Directory .
Active Directory .

. ,
,
.

, , - .
,

Ethernet
, , , ,
. Active Directory (circular)
,
. ,
Active Directory
, .
. ,
,
DNS, .

.

Active Directory
. 2, Active Directory Ntds.dit,
%systemroot%\NTDS.
.
Edb.chk - , ,
Active Directory.
Edb.log - . - 10 .
Edbxxxxx.log. Active Directory ,
, ,
, .
; ,
, ,
Edb.log. ,
, , Active Directory.
10 .
Edbtemp.log - , ,
(Edb.log). Edbtemp.log,
, Edb.log
. Edbtemp.log Edb.log.
Res1.log Res2.log , ,
. ,
,
, Active Directory,
, ,
Active Directory. 10 .
. - Microsoft Exchange Server,
Active Directory
. Active Directory - ,
Exchange Server 4 .
Active Directory .
. ,
(OU) , OU- ,
OU- . ,
, , ,
. ,
. , Windows Server 2003 ,
.
, Active Directory - (,
), .
,
, ,
. .

,
, , (
). Active Directory
. ,
Active Directory.
,
, . ,
, ,
.
,
,
. , , Active Directory,
, ,
. ,
. ,
, .
.
. ,
, .
, ,
, ,
.
.
.
,
.
Active Directory Windows Server 2003 (circular)
, .
, ,
.
.
,
. , Active Directory
, 17:00,
.
,
Active Directory. ,
, , ,
.
,
, , .
,
, , ,
.

Active Directory
Active Directory
Active Directory. , Active Directory
.
:
Active Directory ;
, Windows;
;
DNS, Active Directory;
Sysvol;

COM+ class registration database;
(
);
;
- Microsoft (IIS) ( IIS
).
-
. , ,
Active Directory, (
) Active Directory ( ,
) .
, .
(backup) ,
, , ..
, ,
System State ( ) .
. Administrators ()
Backup Operators ( )
.
? ,
.
, ,
.
,
, .
, ,
, .
.
,
- . Active Directory ,
-,
. -
60 . , Active Directory
-. , ,
-. , . -
. - , ,
.
, -,
, . ,
,
- 60 .
, 60 ,
-,
, - ,
. ,
.
,
, -.
-
, , ,
, 60 . ,
, , .
Active Directory ,
.
, , ,

, .
- , ,
.
,
. .

Active Directory
, Active Directory.
, ,
,
, . ,
- OU,
. ,
.
Active Directory,
, .
, Active Directory ,
, , Windows
Server 2003, .
, Active Directory
.
Active Directory .
(nonauthoritative).
Active Directory , ,
Active Directory ,
.
Active Directory, -
, . Active
Directory , ,
.
(authoritative), ,
, .

Active Directory

Active Directory
, .
, , Windows Server
2003 Active Directory 2003,
. Active Directory
Active Directory .
.

- . ,
,
Active Directory .

,
.
Active Directory,
, .
Active Directory ( 100 ),
,
,
.


(WAN),
.
.
Windows Server 2003 Active Directory ,
, ,
. ,
,
.
. , , ,

. Windows Server 2003
, Last Known Good Configuration
( ) Safe Mode ( ).
,
, .
, ,
Windows Server 2003 ( )
.
.
(GC)
, , .
GC- .
, Windows Server 2003
Active Directory
.
,
, , ,
WAN.
,
.
Active Directory
,
DNS.
,
. ,
.
,
Windows 2000, Windows XP Professional Windows
Server 2003 / .
ntdsutil.
Ntdsutil metadata cleanup.
Metadata Cleanup ( -) connections.

.
Server Connections ( ) connect to server servername
( servername), servername -
.
Active Directory, .
, set creds domain username password,
, .
help Server Connections, ,
connect to server %s ( %s). %s
, .
DNS- , IP- .
Server Connections quit, Metadata Cleanup.
select operation target ( ).

, , .
Select Operation Target list domains ( ).
.
select domain number ( ), number ,
. help ,
select domain number, , -select domain %d
( %d). %d .
list sites ( ). .
select site number ( ), ,
, .
list servers in site ( ). ,
, . select server
number, , . Ntdsutil
* , (. . 15-1.)
select operation target: list servers in site
Found 2 server(s)
0 - CN=DC1,CN=Servers,CN=Contoso-Site1,CN=Sites,CN=Configuration,DC=Contoso,DC=com
1 - CN=DC3,CN=Servers,CN=Contoso-Site1,CN=Sites,CN=Configuration,DC=Contoso,DC=com
select operation target: select server 1
Site - CN=Contoso-Site1,CN=Sites,CN=Configuration,DC=Contoso,DC=com
Domain - DC=Contoso,DC=com
Server - CN=DC3,CN=Servers,CN=Contoso-Site1,CN=Sites,CN=Configuration,DC=Contoso,DC=com
    DSA object - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Contoso-Site1,CN=Sites,CN=Configuration,DC=Contoso,DC=com
    DNS host name - dc3.Contoso.com
    Computer object - CN=DC3,OU=Domain Controllers,DC=Contoso,DC=com
No current Naming Context
select operation target:

Figure 15-1. Selecting the server to remove in Ntdsutil

quit. Metadata Cleanup.


remove selected server ( ). ,
. Yes ().
Ntdsutil, quit ,
.

Ntdsutil
14 Ntdsutil
Active Directory. Ntdsutil - ,
Active Directory . Ntdsutil
, .
Ntdsutil, ntdsutil.
Ntdsutil.
,
. help , ,
. 15-2 ,
Ntdsutil.
 Authoritative restore         - Authoritatively restore the DIT database
 Configurable Settings         - Manage configurable settings
 Domain management             - Prepare for new domain creation
 Files                         - Manage NTDS database files
 Help                          - Show this help information
 LDAP policies                 - Manage LDAP protocol policies
 Metadata cleanup              - Clean up objects of decommissioned servers
 Popups %s                     - (en/dis)able popups with "on" or "off"
 Quit                          - Quit the utility
 Roles                         - Manage NTDS role owner tokens
 Security account management   - Manage Security Account Database - Duplicate SID Cleanup
 Semantic database analysis    - Semantic Checker
 Set DSRM Password             - Reset directory service restore mode administrator account password

Figure 15-2. The commands available in Ntdsutil

Ntdsutil
Active Directory. Ntdsutil
Help And Support Center.
Ntdsutil DNS . DNS- DNS, ,
, GC-
(PDC). ( ,
.) DNS,
DNS .
.
Active Directory Users And Computers ( Active Directory)
, , OU Domain Controllers ( ).
Active Directory Sites And Services ( Active Directory)
, , Servers () ,
.
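Metadata cleanup removes the NTDS Settings object, but the chapter is explicit that the server object under Sites, the computer object in the Domain Controllers OU and the DNS records are your job. The script below is an added example, not code from the book: it checks each of those places for a decommissioned DC and reports what is still present, which is the verification to run before declaring the DC gone. It assumes Windows PowerShell 2.0 or later on a domain-joined host and that nslookup is available; $OldDc and $Site are constructed inputs for the example.

```powershell
# Added example (not from the book): after metadata cleanup, verify that the
# decommissioned DC has left the configuration and domain partitions and DNS.
# Assumes Windows PowerShell 2.0+ on a domain-joined host; $OldDc/$Site are constructed.
param([string]$OldDc = 'DC3', [string]$Site = 'Contoso-Site1')

$root      = [ADSI]'LDAP://RootDSE'
$domainNc  = $root.defaultNamingContext.Value                  # DC=contoso,DC=com
$configNc  = $root.configurationNamingContext.Value
$dnsDomain = ($domainNc -replace 'DC=', '') -replace ',', '.'  # contoso.com

function Test-AdObject([string]$dn) {
    # Cheapest "does this DN exist" check available through ADSI
    [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")
}

$objects = @(
    @{ What = 'NTDS Settings object';     Dn = "CN=NTDS Settings,CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,$configNc" }
    @{ What = 'Server object (Sites)';    Dn = "CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,$configNc" }
    @{ What = 'Computer object (DC OU)';  Dn = "CN=$OldDc,OU=Domain Controllers,$domainNc" }
)
$results = foreach ($o in $objects) {
    New-Object PSObject -Property @{ Item = $o.What; StillPresent = (Test-AdObject $o.Dn); Where = $o.Dn }
}

# DNS: the host (A) record, and any SRV record under _msdcs that still names the old DC
$hostPresent = $true
try   { [void][System.Net.Dns]::GetHostAddresses("$OldDc.$dnsDomain") }
catch { $hostPresent = $false }
$results += New-Object PSObject -Property @{ Item = 'DNS host record'; StillPresent = $hostPresent; Where = "$OldDc.$dnsDomain" }

$srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$dnsDomain" 2>$null | Select-String -Pattern $OldDc -SimpleMatch
$results += New-Object PSObject -Property @{ Item = 'DNS SRV record (_ldap._tcp.dc._msdcs)'; StillPresent = [bool]$srv; Where = "_ldap._tcp.dc._msdcs.$dnsDomain" }

$results | Format-Table Item, StillPresent, Where -AutoSize
```

Anything still marked present after cleanup is more than untidy: a stale SRV record sends clients to a host that no longer answers, and a lingering computer object in the Domain Controllers OU is an account with DC-level group membership that nobody is watching.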


Active Directory
.
.

.
. ,
, Active Directory.
.

.
,
.
,
.
, -
.
.
, :
Active Directory
. ,
, Windows Server 2003,
, ,
Active Directory , 100 . ,

, ,
.
. ,
,
, .
Active Directory,
. , Active
Directory, Active Directory
. ,
, .
,
, ,
. Windows Server 2003 ,
, ,
. Windows Server 2003
, ,
. , (hardware

abstraction layer - HAL), . ,


, .
, Windows Server 2003
, .
.
Windows Server 2003,
, .


Windows Server 2003 -
(Automated System Recovery - ASR).
.
ASR, ASR-, .. Backup
ASR.
, ,
. , ASR-
.
- Active Directory ,
.
.
,
, . .
, .

Windows Server 2003. 1. F8, Windows Advanced Options
Menu ( Windows).
2.
Directory Services Restore Mode (Windows Domain Controllers Only) (
Windows)).
, Active Directory.
3. , .
4. , Administrator Directory Services
Restore ( ),
Active Directory.
5. ,
System State ( ) .
6. .
7.
,
, .
. Active Directory
. Active Directory
. .
Ntdsutil.


,
. , - OU,
, ,
, .
, OU
, , Active Directory Users And Computers,
OU .
,
OU .

, Active Directory,
, ,
.
(USN)
. , , USN
100000,
.


.
.
,
. ,
, (, OU),
. OU
. ,
-,
. -
, , , ,
, .
- ,
.
, . ,
.
,
,
. ,
, .

. ,
.
, , ,

.
, ,
. USN
, USN,
.
, , ,
,
.
.
.
.
, Microsoft Windows NT, Windows 2000,
Windows XP Professional Windows Server 2003, ,
- .
.
. ,
, .
- ,
- .
NTLM Active Directory Windows NT ,
, .
,
. ,
NetDom ,

.
. ,
, .
.
, , .
,
. ,
.


, ,
. , - OU,
OU, .
, .
1. ;
, .
2. ntdsutil.
3. Ntdsutil authoritative restore ( ).
4. Authoritative Restore restore subtree objectname (
objectname). , OU Managers
NWTraders.com, restore subtree ou=managers,dc=nwtraders,dc=com.
,
(, restore subtree cn=manager1,ou=managers,dc=nwtraders,dc=com)
.
5. , restore database
( ) Authoritative Restore.
6.

Ntdsutil

.
.
Active Directory, .
- , ,
- .
USN
100000.
.

Sysvol
Active Directory,
. Sysvol
, ,
,
. Sysvol
, Active Directory.
Sysvol ,
, .. , Sysvol
.
, ,
, ,
Sysvol .
(File Replication Service - FRS),
Active Directory.
,
Sysvol. , -
, Sysvol, ,
. , ,
, ,
.

, .
, (primary)
Sysvol. Windows Server
2003 ,
,
. Advanced Restore Options
( ) When Restoring
Replicated Data Sets, Mark The Restored Data As The Primary Data For All Replicas (
-
) (. . 15-3). Sysvol
, Sysvol.

,


.
. 15-3. Sysvol

, .
, , ,
. ,
.
, ,
.
,
. ,
,
.
.
,
, , .
, ,
. ,
,
, , .
,
, .
. - , - ,
.
.
, , , ,

, .
, , ,
PDC. PDC
, , 15 .
,
.
,
. , ,
. ,
, ,
, .
,
, repadmin /showvector namingcontext, ,
.
, Ntdsutil
Active Directory Users And Computers ( PDC
). RID,
Ntdsutil.
Ntdsutil,
.
1. ntdsutil.
2. Ntdsutil roles ().
3. Fsmo Maintenance ( Fsmo) connections
().
4. Server Connections ( ) connect to server
servername.domainname ( servername.domainname), servername , .
quit ().
5. Fsmo Maintenance seize operations_master_role (
). operations_master_role , :
schema master ( ), domain naming master ( ),
infrastructure master ( ), RID-master ( RID) PDC.
6. .
. ,
, . 15-4
RID.
fsmo maintenance: seize rid master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210710, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "dc1.nwtraders.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=com
Domain - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=com
PDC - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=com
RID - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=com
Infrastructure - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=com

Figure 15-4. Ntdsutil seizing the RID master role

7. quit () , Ntdsutil.
PDC
Active Directory Users And Computers. Active Directory
Users And Computers Connect To Domain Controller (
), , ,

.
Operations Masters ( ). ,
(. . 15-5). ,
. PDC
, ..
, Ntdsutil, .

. 15-5. ,
Active Directory Users And Computers
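Before seizing a role, and again afterwards, you want an answer to "who holds it now" that does not depend on the console you happen to have open. The script below is an added example, not code from the book: it reads the fSMORoleOwner attribute of the object that anchors each of the five roles and prints the holder, and shows the non-interactive form of the Ntdsutil seizure from the procedure above. It assumes Windows PowerShell on a domain-joined host and uses ADSI only, with no Active Directory module.

```powershell
# Added example (not from the book): list the holder of each operations master
# role by reading fSMORoleOwner from the role's anchor object.
# Assumes Windows PowerShell on a domain-joined host; ADSI only.
$root     = [ADSI]'LDAP://RootDSE'
$domainNc = $root.defaultNamingContext.Value          # DC=nwtraders,DC=com
$configNc = $root.configurationNamingContext.Value
$schemaNc = $root.schemaNamingContext.Value

# Role -> DN of the object whose fSMORoleOwner names the current holder
$anchors = @{
    'Schema master'         = $schemaNc
    'Domain naming master'  = "CN=Partitions,$configNc"
    'PDC emulator'          = $domainNc
    'RID master'            = "CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure master' = "CN=Infrastructure,$domainNc"
}

function Get-FsmoOwners {
    foreach ($role in $anchors.Keys) {
        $dn    = $anchors[$role]
        $owner = ([ADSI]"LDAP://$dn").fSMORoleOwner.Value
        # fSMORoleOwner is the DN of the holder's NTDS Settings object:
        # CN=NTDS Settings,CN=DC1,CN=Servers,CN=<site>,CN=Sites,... so the
        # second RDN is the server name
        $holder = (($owner -split ',')[1] -replace '^CN=', '')
        New-Object PSObject -Property @{ Role = $role; Holder = $holder; NtdsSettingsDn = $owner }
    }
}

Get-FsmoOwners | Format-Table Role, Holder -AutoSize

# Non-interactive form of the seizure from the procedure above. Run it only when
# the old holder is gone for good; "popups off" suppresses the confirmation dialog,
# then call Get-FsmoOwners again to confirm the new holder:
#   ntdsutil "popups off" roles connections "connect to server dc3.nwtraders.com" quit "seize rid master" quit quit
```

If the holder column shows a DN beginning with a deleted-object marker rather than a server name, the old holder's NTDS Settings object has already been removed and seizure, not transfer, is the only option left.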

PDC
PDC ,
. ,
Windows 2000 mixed () Windows Server 2003 interim (), PDC
(primary)
Windows NT (BDC). PDC BDC-
. , Windows
NT, Windows 95 Windows 98 ( )
PDC, . ,
Windows 2000 native ()
, PDC .
PDC -
. PDC ,
, . PDC
, PDC
.
PDC ,
, PDC , .
, PDC Windows NT. PDC Windows NT,
, PDC-KOH-.
Windows Server 2003. PDC ,
.
, .
PDC ,
PDC .


Windows Server 2003,
. ,
. ,
,
.
,
. ,
. ,
,
, , .
,
, Ntdsutil.
, .

. , PDC ,
. ,
, ,
. ,
, ,
. , .
,
, .


, .
.
,
. ,
, .
, ,
,
,
, .
.
, ,
, .
,
. ,
, , . ,
, , , ,
, , (
, ).
,
, , ,
.



. -
, .
, ,
.
- , .

, , ,
- GC-.
.

RID
RID - , RID-
. RID
,
RID,
. ,
RID, RID RID.
RID , 512 RID.
RID ,
, RID RID. RID
. ,

RID , .
, RID , ,
, .
,
RID, . ,
RID, .
RID, RID -
(SID).

GC-
(GC)
, ,
. , ,
, GC-
, .
GC-, ,
GC-.
Active Directory, ,
GC-.
GC-
, Windows 2000 native ( )
(UPN). GC- ,
Microsoft Exchange Server 2000.
GC- , .
, GC-, ,
Exchange Server 2000,
, , GC-,
.

Active Directory Windows


Server 2003 .
, . ,
, -
.
Active Directory,
Active Directory.
Active Directory .

, .
