
. , .

Active Directory Windows Server 2003. /, . .:


, 2004. 512 : .

.
.
, .

I. Active Directory Windows Server 2003.


1. Active Directory.
2. Active Directory.
3. Active Directory .
4. Active Directory .

II. Active Directory Windows Server 2003.


5. Active Directory.
6. Active Directory.
7. Active Directory.

III. Active Directory Windows Server 2003.


8. Active Directory.
9. Active Directory.
10. Active Directory.
11. .
12.
.
13. .

IV. Active Directory Windows Server 2003.


14. Active Directory.
15. .

Active Directory Microsoft Windows Server
2003, ,
Active Directory Windows Server 2003.
Active Directory Microsoft Windows 2000.
Active Directory, Windows 2000,
Windows Server 2003, , . ,
Active Directory,
, , Active
Directory . ,
, , Active Directory .


Active Directory Microsoft Windows Server 2003 ,
Active Directory.
Active Directory Windows 2000,
Active Directory .
, Active Directory.
, Active Directory,
.
, . I
Active Directory . II
, Active Directory .
Active Directory , III
, Active Directory,
Active Directory . IV, ,
Active Directory.
I, Active Directory Windows 2003,
Active Directory Windows Server 2003. Active
Directory , Microsoft.
Active Directory ,
, , -
. ,
Active Directory .
I, .
1, Active Directory, ,
Microsoft Windows 2000
Windows NT. Active Directory
.
, Windows Server 2003 ,
Windows 2000.
2, Active Directory,
, Active Directory.
Active Directory, Active
Directory, Active Directory, , .
3, Active Directory ,
Active Directory. Active Directory
(DNS - Domain Name System),
DNS,
Active Directory.
DNS, Active Directory DNS,
, DNS,
, Active Directory.
4, Active Directory ,
Active Directory. , Active Directory, ,
Active Directory .
Active Directory ,
,
.
Active Directory,
Active Directory
. II, Active Directory Windows Server 2003,
. Active Directory
. , , ,
(OU - Organizational Unit),
,
. Active Directory Windows Server
2003 , Active Directory. ,
Active Directory Windows Server 2003,
, Microsoft Windows NT 4. Active
Directory Windows Server 2003 Windows NT,
. II
.
5, Active Directory,
, Active Directory.
:
Active Directory.
, , , ,
OU.
6, Active Directory, ,
Active Directory. Active
Directory ,
.
7, Active Directory, ,
Microsoft Active Directory Windows
Server 2003. ,
Windows NT, Active Directory Windows 2000.
, , Windows NT
Active Directory Windows Server 2003, Active Directory Windows
2000.
Active Directory ,
. III,
Active Directory Windows Server 2003, ,
. III :
. ,
Active Directory,
Active
Directory. .
Active Directory ,

.

. - ,
. III
.
8, Active Directory, ,
Active Directory Windows Server 2003.
Kerberos,
Active Directory.
9, Active Directory,
Active Directory,
. Active Directory
,

. , Active
Directory.
10, Active Directory,
Active Directory: ,
. Active Directory Windows Server 2003
, inetOrgPerson, , .
11, , .
,
Active Directory, ,
, ,
.
12,
, .

.
, .
,
, .
13, ,

. ,
, ,
,
. ,
.
,
Active Directory .
Active Directory.
, - ,
. , ,
Active Directory . IV,
Active Directory Windows Server 2003,
.
14, Active Directory,
, Active Directory,
Active Directory .
, Active
Directory.
15, , ,
Active Directory. Active
Directory ,
, .
, ,
Active Directory. Active Directory Microsoft
Windows Server 2003 - , , .
,
.
. , 5 , ,
, , 2.
, (.
12), ,
11.

,
, .
, ,
, .
. ,
.
. ,
, - ,
.
. ,
. ,
.
.
.
.
. ,
.
.
. ,
.
. , ,
. , .
I.
Active Directory Windows
Server 2003
Active Directory Microsoft Windows Server 2003 ,
Microsoft. Active Directory
, ,
. ,
Active Directory , .
. 1, Active Directory, ,
Active Directory Windows Server 2003. 1 2
, Active Directory. Active Directory
(DNS - Domain Name System), 3
, DNS
Active Directory. , , Active
Directory, , Active Directory
. 4 , .

1. Active Directory
Microsoft Windows Server 2003
, Microsoft - Active Directory.
Microsoft Windows 2000, Active Directory, Windows Server 2003,
, .
. Windows Server 2003
Microsoft Windows Server 2003,
Active Directory: Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise
Edition; Windows Server 2003, Datacenter Edition.
,
Active Directory Windows Server 2003, .
Active Directory , -
, Windows Server 2003.
Active Directory Active Directory,
.
, ,
Active Directory. .

Microsoft
Active Directory
Microsoft Windows. Active Directory Windows Server 2000,
Windows Server 2003.
Microsoft
. ,
, ,

. -
, , ( ) ,
.

LAN OS/2 MS-DOS


1987 ,
Microsoft ( OS/2 MS-DOS),
Microsoft LAN Manager. LAN Manager

, ,
. .
,
.

Windows NT SAM
Microsoft Windows NT 3.1 Advanced Server. Windows NT Server
32-
Microsoft Windows for Workgroups,
. Windows NT NOS (Network Operating System
) SAM (Security Accounts Management -
). ,
.
,
Windows NT.
SAM
Microsoft Windows NT NOS, Windows NT 3.5 Windows NT Server 4.
SAM ,
- .
Windows NT Windows NT.
SAM ,
. SAM 40
. ,
, 40000.

, .
,
,
. Windows NT 4 , ,
,
.
,
. ,
,
.
,
,
.
,
: (single domain), (master domain),
(multiple master domain, multimaster)
(complete trust). 1-1.
. 1-1. , Windows NT 4


.
, Windows NT 4
, ..
. , ,
,
. , Windows NT
. -
, Windows NT,
.
SAM .
, SAM, NOS.

. , SAM

, (UI - User Interface) Windows NT 4, User
Manager For Domains ( ) Server Manager (
). SAM
Windows NT
Windows-NOS.
Microsoft Exchange Server.

Windows 2000 Active Directory


SAM NOS,
Exchange Server.
Exchange Server, - Exchange
Directory. Exchange Directory
,
. , Exchange Directory
(LDAP) TCP/IP
( ) .
NOS- Windows, Microsoft
Exchange Server .
-
Exchange Server , Exchange Server
, ,
Exchange Server. Windows 2000.
Active Directory,
Exchange Server 4, Windows 2000. Active Directory
SAM Microsoft.
Windows NT 4
SAM . Active
Directory Windows 2000 , .
70 ,
SAM 40 . , Active
Directory, .
Active Directory
, .
Compaq Computer Corporation, Hewlett-Packard,

. ,
, , ,
. Active Directory ,
,
.
,
,
. ,
,
Active Directory. ,
Windows NT 4,
(OU - organizational unit),
Windows NT 4. 1-2
Windows 2000.
Active Directory .
Active Directory , LDAP
.500. Active Directory
.
Active Directory, LDAP-
, Active Directory Service Interface (ADSI) Edit Ldp.exe (LDAP--
Active Directory). Active Directory
LDAP, .
,
, (GUI).

. 1-2. Windows 2000


Windows Server 2003 Active Directory
, , Active Directory,
Windows 2000, Windows Server 2003
Web Edition, Active Directory .
Active Directory Windows Server 2003
, ,
.
, ,
MS-DOS, LAN Manager, Active
Directory , .
, Active Directory
Windows Server 2003, .

Active Directory

, Microsoft
NOS .
, , ,
NOS,
. Windows
Novell Netware, Intel, UNIX-,
RISC ( ),
Linux, ,
. NOS
.
. ,
, ()
,
.
,
Active Directory: .500 LDAP.

.500
.500 (namespace) , Active
Directory. .500 ,
.
.
.500 (OID -Object Identifier),
. Active Directory
.500, Microsoft ( )
.
(dotted), .. ,
(string). , .500 OID, 2.5.4.10,
Organization-Name ( ) ( LDAP- - ).

.500, .
Active Directory
.500, (OSI - Open Systems
Interconnection). :
cn=Karen Friske, cn=Users, dc=Contoso, dc=com
.500, Users
() Contoso.com Karen Friske.
Contoso.
.500 , ( OU),
.
.500 Request for Comments (RFC)
1779, http://www.faqs.org/rfcs/rfc1779.html.
.500 OID, (snap-in) Active
Directory Schema ( Active Directory), ADSI Edit ( ADSI).
.500 OID Organization-Name,
ADSI Edit : CN=Organization-Name.
1-3 attributeID ( .500) http://Organization-Name.

. 1-3. Organization-Name, ADSI Edit



. , ,
, ,
.
, ().

, , ,
Active Directory Windows Server 2003.
,
. :
Windows,
,
, , ,
;
Windows Novell,
Intel NOS
- .
-,
(IT),
NOS. ,
, .
Windows 2000 Active Directory, Windows Server 2003 Active Directory, Novell Directory
Services Novel Netware 5
;
(DNS) UNIX, DHCP (Dynamic Host Configuration
Protocol - ), /
(firewall/proxy) NAT (Network Address Translation -
), RISC. ( )
- UNIX-
. ,
, , ,
;
Linux ,
Intel RISC. Linux, ,
, ,
. Linux-
, Windows- SMB (Server Message Block -
). ,
Windows-.

(LDAP)
LDAP , Active
Directory Windows Server 2003. LDAP
X.500/OSI. (API) LDAP
Active Directory Windows Server 2003 Wldap32.dll. Active Directory
, LDAP
ADSI (Component Object Model ).
LDAP TCP/IP , LDAP-
. LDAP
,
Active Directory .
LDAP ,
, :
LDAP://cn=Karen Friske, cn=Users, dc=Contoso, dc=com
,
LDAP- . LDAP-
( ) RFC 1777,
http://www.faqs.org/rfcs/rfc1777.html.
Active Directory, LDAP, LDAP-
Ldp.exe,
Suptools.msi, Support\Tools - Windows Server 2003.
Ldp.exe, Active Directory
UDP (User Datagram Protocol )
LD- , . Active
Directory, Ldp.exe, ,
Active Directory, UDP 389, ,
-
. 1-4
Karen Friske,
Ldp.exe.
. 1-4. Karen Friske, Ldp.exe


Active Directory
: Active Directory?.
Windows Server 2003,
Active Directory . ,
Active Directory, Microsoft Exchange Server 2000.
Exchange Server 2000 Active Directory ,
Active Directory, Exchange Server 2000.
Active Directory
Windows Server 2003.


Active Directory ,
. ,
,
. ,
, Exchange Server 2000.
,
.


(forest - Active Directory) Windows
Server 2003
(UPN -User Principal Name), , mike@contoso.com.
,
,
. UPN
Active Directory, Active Directory,
.


Windows NT 4 SAM ,
.
, Domain
Admins. , ,
, Domain
Admins. .
, Active Directory
. Delegation Of Control Wizard (
) Active Directory,
. ,

, , -
.


, Active
Directory .
Microsoft ( Microsoft Management Console).
Active Directory

. Active Directory Active Directory Users
And Computers (Active Directory: ), Active Directory Domains And
Trusts (Active Directory: ) Active Directory Sites And Services
(Active Directory: ). ,
Windows Server 2003, , DHCP DNS.


Active Directory Windows Server 2003

. Windows Server 2003
. Windows Server 2003
Windows Server 2003: Kerberos v5
NT LAN Manager (NTLM). Kerberos
, ,
Windows 2000 Professional Microsoft
Windows XP Professional. ,
(Windows NT 4, Microsoft Windows 98 )
NTLM. NTLM
Windows XP Professional Windows 2000, ,
Windows NT 4,
Windows 2000 Windows Server 2003.
Active Directory
Windows Server 2003. Windows Server
2003, Active Directory ,
(SID - Security Identifier) ,
SID , .
SID Active Directory.
, , ,
.

, ,
, Active Directory
, .
,
.
Active Directory
Active Directory, . ,
Active Directory,
,
, .
Active Directory
Windows Server 2003
Active Directory, ,
, Active Directory Windows Server 2003.
Windows Server
2003. .

Active Directory Users And


Computers
Active Directory Users And Computers (Active
Directory: ). Windows Server 2003
.
, ,
. ,
,
(Account Options: Password Never Expires - :
), ,
, .
Active Directory Users And Computers
. , , ,
,
,
.


Active Directory Windows Server 2003 ,
,
.
, ,
Active Directory Windows Server 2003.
,
Windows Server 2003.
.
Windows Server 2003, NOS, , Windows NT 4
Windows 2000.
, , Windows 2000 (
Windows 2000 mixed). , Active Directory
, ,
Windows Server 2003 Windows Server 2000.
Active Directory,
Windows
Server 2003 , .. ,
Windows 2000 Windows NT 4.
. Active Directory Windows Server 2003
mixed-mode ( ) native-mode ( ) Windows
2000. Windows Server 2003
Microsoft Active Directory,
Active Directory.
.
. . 2-1 2-2.


Active Directory
(GUID Globally Unique Identifier)
(SID - Security Identifier) . ,
, ,
Active Directory, ,
. IT-
.
,
.


( )
Active Directory .

, ,
. Active Directory.
Active Directory,
DNS.
Active Directory, DNS. ,
DNS , DNS-
, DNS-- .
, ,
.

,

Active Directory.
Windows 2000
( )
,
, . Active Directory
Windows Server 2003
System State ( ) Windows Server
2003. , ,
.


Windows Server 2003 ,
, , .

- . , ,
-
, integer
( ). , , (string)
, , .

.

. , , ,
, .

Active Directory Windows Server 2003 , Windows 2000,


. ,
,
, .
( ),
.
,
.


, Windows 2000 (native-mode),
(GC - Global Catalog)
. ,
. ,
- GC,
Active Directory ,
.
Windows Server 2003 ,
,
GC. ,
GC-. , GC-
, , .


Windows 2000 , ,
,
.

, ,
. Windows Server 2003
.

UI-
(object picker) (UI),
Active
Directory. ,
UI- , ,
.
, .
,

.
, , . , UI-
,
Active Directory.


, -
(tombstone) ,
. - ,
, . ,
, -,
Active Directory .
, -
,
. ,
-, -
,
. ,
.

inetOrgPerson
Active Directory Windows Server 2003 inetOrgPerson ,
RFC 2798,
http://www.faqs.org/rfcs/rfc2798.html.
Active Directory inetOrgPerson LDAP--,
inetOrgPerson Active Directory Windows Server 2003.

, Microsoft
, . Windows
2000, NOS Windows Active Directory.
,
.
, Active Directory,
.
2. Active
Directory
Active Directory Microsoft Windows Server 2003 :
. Active Directory
, ,
. Active Directory
, ( ,
) . ,
.
Active Directory.
Active Directory.
,
.
.

Active Directory
Active Directory ,
. Active
Directory , .
Active Directory ,
.
, .
(operations master roles). ,
, (GC Global Catalog).
Active Directory ,
.


Active Directory Ntds.dit
. %SystemRoot%\NTDS,
. ,
, ,
.
Ntds.dit %SystemRoot%\ System32. -
(, ) ,
Active Directory. Microsoft
Windows Server 2003,
.
Active Directory (Dcpromo.exe) Ntds.dit System32 NTDS.
, NTDS, .
,
.


, Windows Server 2003,
Active Directory, .
,
.
(multimaster), . 4,
.
, Active Directory,
, Active
Directory .
(GC) (operations masters).


(GC). ,
(NC - Naming
Context) . GC ,
NC. GC
,
Active Directory.
. GC, .
, GC,
Active Directory Schema ( Active Directory),
. GC, Replicate This Attribute
To The Global Catalog ( ) .
isMemberOfPartialAttributeSet true
(). , ,
.
GC.
, ,
. GC,
Global Catalog Server ( )
Active Directory Sites And Services ( Active Directory).
. GC ,
. 5 GC-,
, , .
, GC-. -,
Active Directory. GC ,
, , ,
. GC-
( ), GC- ,
, GC-,
. , GC-, LDAP-
(Lightweght Directory Access Protocol ),
3268 ( GC-).
-, GC- .
, , GC-.
, , ,
. (
, Microsoft Windows 2000 Windows Server
2003. Windows Server 2003, -
Active Directory , .)

. ,
,
, .. (GC).
, ,
GC-
.
. Windows Server 2003
, Windows Server 2003
GC-. -
, GC, ,
. GC-,

( 8 ).
,
GC-.
, Active Directory: Sites And Services (
Active Directory) .
NTDS Site Settings ( NTDS),
Properties (). Properties Enable Universal Group Membership
Caching ( ), ,
.
, GC.


Windows Server 2003
. ,
, .
, .
, mixed ()
Windows 2000; Windows 2000.
2-1 ,
.

. 2-1.
,


Windows 2000 mixed Windows NT 4, Windows 2000,
() ( Windows Server 2003.
)
Windows 2000 native () Windows 2000, Windows Server 2003.

Windows Server 2003 interim Windows NT 4, Windows Server 2003.


() Windows Server 2003.
Windows Server 2003

2-2 ,
.

. 2-2.
,


Windows 2000 ( Windows NT 4, Windows 2000,
) Windows Server 2003.

Windows Server 2003 interim Windows NT 4, Windows Server 2003.


() Windows Server 2003.
Windows Server 2003

Windows Server 2003, ,


Windows 2000 native Windows
Server 2003. , Windows 2000 native,
Windows Server 2003, -
Windows Server 2003. , ()
,
. .
, (GC) ,
, -
(, username@contoso.com). GC
(UPN - User Principal Names),
. , GC,
, ,
.


Active Directory .
,
. ,
(authoritative) .
, , ;
FSMO (Flexible Single Master Operations ).
Active Directory:
;
;
RID;
PDC (Primary Domain Controller );
.
. ,
.
, ..
. Active Directory ,
. ,
.

. ,
.


,
. , (
Schema Admins )
. ,
, . ,
.
, (
) .
Active Directory Schema ( Active Directory)
Ntdsutil.
fSMORoleOwner .


,
.
, .
, .
,
(RPC) , .
Dcpromo.exe
, Active Directory.
. Dcpromo.exe
, .
, .
Ntdsutil.
,
.
Dcpromo.exe .


(RID) - .
RID-,
, , .
(RID),
(SID),
. RID RID-.
RID- RID-
, RID- RID-.
RID-
, RID- .
.
RID- - ,
.
RID- ,
, , RID-
. RID- ,
, , RID-,
.
, RID-
,
.

PDC
PDC , Windows Server 2003
, , Windows 2000.
, Windows 2000 mixed (),
Windows Server 2003 (PDC)
(Microsoft Windows NT 4 3.51) (BDC
Backup Domain Controller). PDC
, BDC-
(Domain Master Browser Service). PDC , ,
, , .
, Windows 2000 native () Windows
Server 2003, PDC .
, , PDC.
, PDC,
, PDC. PDC
, .



. , ,
,
, .

. ,
.



, .
.
:
- Active Directory Schema;
Active Directory Domains
And Trusts ( Active Directory);
RID, PDC Active
Directory Users And Computers ( Active Directory).

: .
.
. ,
, , ,
. . . 15.

, Active Directory.
Active Directory, .
, . ,
, ,
.


. ,
.
. User ().
, Active Directory, User.
, .
.
, ,
. ,
User,
organizationalPerson, User.
,
, ,
.
, Active Directory ,
. , displayName,
, -
. .
Active Directory .
.
. , Computer
() User (),
Computer , User. Computer
, . Active Directory Schema
. 2-1
Computer (). , User,
organizationalPerson, ..
,
, ,
.
. 2-1. Computer (), Active Directory Schema


Active Directory ,
.
Category 1 ( 1), .
, , Active Directory
. ,
, , , . ,
, Category 2 ( 2).
, ,
Active Directory. Microsoft Exchange
Server 2000, Active Directory
.
, Active Directory,
.
, LDAP Data Interchange
Format Directory Exchange (LDIFDE) Comma Separated Value Directory Exchange (CSVDE).
, Active Directory Service Interfaces (ADSI)
Microsoft Visual Basic.
.
LDIFDE CSVDE
. ADSI ADSI
Edit Microsoft Windows
Platform (SDK), - http://
www.microsoft.com/msdownload/platformsdk/sdkupdate.ac ADSI Platform SDK
http://msdn.microsoft.com/library/default.asp?url=/library/
en-us/netdir/adsi/directory_services.asp.
Windows Server 2003
Active Directory Schema. ,
Regsvr32 Schmmgmt.dll .
Schema Admins ( ). ,
, , ,
, .. -
Active Directory.
, .
Active Directory Schema
User. .
1. Active Directory Schema ( Active Directory).
2. Attributes () .
3. Action () Create Attribute ( ).
4. Schema Object Creation ( )
Continue ().
5. Create New Attribute ( )
Identification ():
Common Name ( );
LDAP Display Name ( LDAP-);
Unique X500 Object ID ( 500);
Description ().
6. Syntax And Range ( ) :
Syntax ();
Minimum ();
Maximum ().
7. , (Multi-Valued) .
, ,
F1.

500 Object ID
.
, Active Directory
(OID Object Identifier) ,
OID. , OID,
(ISO International
Standards Organization) (ANSI - American
National Standards Institute).
OID, .
, 1.2.840..
:
1 - ISO;
2-ANSI;
840 - ;
, .
, .
, Employee Start Date (
), 1.2.840..12.
OID Active Directory 1.2.840.113556.1.5.15.
ISO, ANSI . 113556 ANSI
Microsoft, 1 - Active Directory, 5 Active Directory, 15 -
Contact ().
Microsoft Windows Server 2000 Resource Kit
OIDGen, OID
OID.
, .
Microsoft OID.
. http://msdn.microsoft.com/certification/ad-registration.asp.
2-2 Active Directory Schema
( Active Directory).
. 2-2.

. ,
.
, Active Directory Users And Computers (
Active Directory),
, . ,
,
. ,
, . Directory Services ( ) Platform SDK
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/extending_the_user_interface_for_directory_objects.asp.


,
, .
. ,
() . Windows Server 2003
,
, .
,
. ,
, .. Category 2. Category 1
. , , .
,
.
Category 2,
isDefunct true (). ,
ADSI Edit ( ADSI) Active Directory Schema ( Active Directory).
2-3 ,
EmployeeStartDate, , .
, .

, , .
,
, .
isDefunct false ().
.
/ .
. 2-3. Active Directory Schema ( Active Directory)

Active Directory
Active Directory
, ,
Active Directory. ,
, .
Active Directory :
;
;
;
;
;
.
,
,
. 5 ,
(, )
. (,
) .

Active Directory
, Active Directory
. ,
. Active Directory (NC -
naming contexts). Ldp.exe ADSI Edit (. 2-4).
. 2-4. Active Directory ADSI Edit


.
, , : ,
Active Directory Users And Computers (
Active Directory).
. ,
,
.


, ,
, .
. Exchange Server 2000, Microsoft Internet Security And Acceleration (ISA)
Server Active
Directory, . ISA-
, ,
ISA Active Directory.
ISA-, ,
Active Directory.
.
,
. ,
.
,
.


. ,
, Active Directory,
. .
, ,
. - ,
.

GC .
,
. GC GC-,
.
isMemberOfPartialAttributeSet true (),
GC.


Active Directory Windows Server 2003 -
. Active Directory
, (DNS -
Domain Name System). (integrated) Active Directory
ForestDnsZones DomainDnsZones.
Active Directory, .
,
,
GC.
,
. ,
.
, .
, .
, ,
.
Active
Directory. , DNS- Contoso.com -
dc=Configuration, dc=Contoso, dc=com.
AppPartition1 Contoso.com, DNS- dc=AppPartition1, dc=Contoso, dc=com.
, ,
, . ,
AppPartition1. ,
dc=AppPartition2, dc=AppPartition1, dc=Contoso, dc=com.
DNS-, .
Contoso.com, DNS- dc=AppPartition, ,
.
. DNS-
.
LDAP-, .
LDAP, ,
.

. Active Directory
.
Domain Admins ( )
.
,
.
,
. Domain Admins
, , .
, .
,
.
, ,
, .
, ,
.
. ,
.
.
Ntdsutil,
.
Windows Server 2003 Help And Support Center ( Windows Server
2003). , ,
, Using application directory partitions
msdn.microsoft.com.
,
, .
Active Directory . . 4.

Active Directory.
Active Directory , Windows Server 2003,
. , -
. , ,
( ).
Active Directory .
, .
Active Directory. ,
Contoso Contoso.com.
(dedicated) (non-dedicated) . ,
, -,
Active Directory.
() .
,
, , Administrator
() Domain Admins ( ).
- ,
. -
. 5.
(peers)
, .
, . 2-5
, .

. 2-5. Active Directory,


, , ,
. Active Directory
. , Contoso
Contoso.com, NAmerica.Contoso.com
Contoso,
. ,
, , Sales.NAmerica.Contoso.com.
2-6 -- Contoso.
. 2-6. - Contoso


, Active Directory ,
Active Directory
. ,
. ,
,
.
,
. , , .
.
DNS, . 3.
,
(forest root domain),
. Contoso,
Contoso.com, ,
, , Fabrikam.com. ,
Fabrikam,
Fabrikam. 2-7 Contoso
.

. 2-7. Contoso


.
Active Directory. .
:
. .

, .
.
,
. ,
Active Directory (Echange Server 2000 ISA).
GC. .

, UPN.
.
(security groups). ,
. Schema Admins
, , Enterprise Admins
( ) ,
, .
Enterprise Admins
Administrators () .
.
, .
.
2-8 Contoso.


.
, (,
)
. , ,
Active Directory.
,
,
. , :
;
;
;
.



. , ,
NAmerica.Contoso.com Contoso.com,

NAmerica.Contoso.com Contoso.com.
NAmerica.Contoso.com Contoso.com,
. , Contoso.com -
( ),
NAmerica.Contoso.com.
-
, (tree root).
--
NAmerica.Contoso.com Contoso.com. -
, , Contoso.com Fabrikam.com.
. ,
. Contoso.com
NAmerica.Contoso.com Europe.Contoso.com Contoso.com,
, Europe.Contoso.com
NAmerica.Contoso.com. NAmerica. Contoso.com
, Europe.Contoso.com, .
.
NAmerica.Contoso.com Contoso.com, Contoso.com
Fabrikam.com. NAmerica. Contoso.com Fabrikam.com
.


,
,
. ,
, .
-
,
.
(shortcut trusts).
,
, .
Contoso, 2-9.

. 2-9. Contoso
Sales.Europe.Contoso.com
Research.NAmerica.Contoso.com,
Sales.Europe.Contoso.com
, ,
. ,
.
,
Sales.Europe.Contoso.com
Research.NAmerica.Contoso.com ,
. 2-10 .
,
, .
(
,
).


Windows Server 2003.

. ,
,
. , ,
UPN.


. , Forest1 Forest2, Forest2
Forest3, Forest1
Forest3.
,
. ,
GC, .
,
.

.
,
.
2-11 Contoso.
. 2-11. Contoso Contoso.com
NWTraders.com,


(Realm
Trusts). Windows Server 2003 Windows-
Kerberos v5. Kerberos ,
-
, Kerberos.
Kerberos--, Kerberos v5.
,
.

Active Directory, ,
. ,
, , .
,
.
Active Directory.
Active Directory
. ,
, .
(IP), (LAN)
(WAN),
WAN-.
,
, .
Windows Server 2003
.
. ,
,
GC-. ,
, .
,
.
, . (
4
.)
. Windows Server 2003 ,
Windows 2000 Microsoft Windows XP Professional,
,
, . 3 ,
(SRV), .
, DNS-
. , .
Windows 2000 native ()
Windows Server 2003, GC
. GC-, . (
. 3.)
. , Windows NT 4 SP6a,
Active Directory,
Directory Services Client ( ),
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp.
, Windows 95 Windows 98,
Directory Services Client - Windows Server 2000.
, . ,
,
,
. , (DFS -
Distributed File System),
. DFS ,
, DFS-
, WAN-,
.
Windows Server 2003 . Active
Directory Windows Server 2003, ,
Default First Site Name ( ),
, .
, IP. ,
Windows Server 2003, ,
, IP- .
Active Directory
Sites And Services (Active Directory: ).
,
. , ,
.
, , -
.
. IP-,
, Default First Site
Name. , Windows Server 2003,
.
,
Active Directory. ,
. 2-12 , Seattle
: Contoso.com NAmerica.Contoso.com. NWTraders.com
.
. . 3 DNS
. 4 ,
. 5
Active Directory.



Active Directory Windows Server 2003 ,
. Active Directory,
, ,
,
, .
(OU - Organizational Unit) ,
Active Directory. OU ,
,
Active Directory. OU
. .

. .
2-13 OU Contoso.

. 2-13.

OU , :
;
;
;
inetOrgPerson;
;
;
;
.
.

.



.
,
OU. ,
, (,
). ,
,
OU.

OU. Windows Properties ()
. OU
(ACL Access Control List), OU.
OU ACL-. ,
, - .
, Help Desk ()
OU, . Human
Resources ( ) ,
OU, .

OU ,
.
(, ,
), OU
Logon Locally ( ) OU.
OU.
,

. OU,
(group policy)
.
OU . Group Policy
Object Editor ( ) ,
.
,
, ,
. 2-3 ,
Group Policy Object Editor.
. 2-3.

Administrative ,
templates ,
(
) ,

,
.
Security
() ,
,
,

.
Software installation
( .

)
Scripts () ,

,
.
Folder redirection
( .
) My Documents ( )
, ,
,
.

OU.
, (GPO Group Policy
Object), , ,
OU.
. .
, OU
. OU .
.

Active
Directory Windows Server 2003. ,
, . -
Active Directory .
Active Directory.
3. Active Directory

Active Directory Microsoft Windows Server 2003


(DNS). DNS
, Microsoft Windows
2000 Microsoft Windows XP Professional , ,
Microsoft Exchange Server 2000, .
, DNS , Windows Server 2003
. , Active Directory
DNS Windows Server 2003.
DNS . ,
Active Directory DNS, .
DNS Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise
Edition; Windows Server 2003, Datacenter Edition. Windows Server 2003
,
Active Directory.
. Windows Server 2003, Web Edition
Active Directory.

DNS
DNS . ,
, , , www.microsoft.com, IP-,
207.46.230.219. Web- Microsoft
IP-. DNS .
, , a DNS
IP-.
. Active Directory,
DNS , .
DNS, , - Microsoft
http://msdn.microsoft.com/library/en-us/dns/dns_concepts.asp.


DNS . 3-1
. (.).
DNS, .
,
(generic) (com, edu, mil, net, org),
(, uk, fr, br), (biz, info, pro ..), 2001 .

. 3-1. DNS
,
.
.
. DNS-
, .

(FQDN Fully Qualified Domain Name), ,
www.NAmerica.Contoso.com. FQDN -
,
DNS. , FQDN
DNS, . (.),
, .
com , Contoso NAmerica.
FQDN www - .


DNS ,
.
, , ,
.
, . DNS,
.
, DNS (
) ( ). DNS-
DNS.
. . ,
, .
DNS server,
. ,
, .
DNS-, ,
, . ,
, ..
, ,
. ,
, ,
DNS. , com,
Contoso, .
Contoso ,
Contoso.com.
,
DNS.
,
, , , DNS-
. DNS- ,
(forwarders) , DNS-
. .


DNS ,
IP- .
(. . 3-1), , DNS ( ),
- , -,
www.NAmerica.Contoso.com. IP- .
1. - IP-
DNS- ( DNS-
). : IP-,
, , ,
.
2. DNS- ,
IP- . ,
, .
, ,
DNS-, . DNS-
IP-,
www.NAmerica.Contoso.com.
3. , ,
.
DNS-
(referral). DNS- -
IP-.
4. ,
Contoso.com. DNS- DNS- Contoso.com,
DNS-, NAmerica.Contoso.com.
5. DNS- NAmerica.Contoso.com ,
DNS- IP- .
6. DNS- , -
, IP- Web-.
7. www.NAmerica.Contoso.com.
8. . DNS-
,
. - DNS-
, .
9.

, DNS, (RR
Resource Records). .
DNS- Windows Server 2003.
3-1.

. 3-1. Windows Server


2003

Start of Authority
(SOA) - , ,
,

(TTL Time to Live) (. . 3-2).
Host (A) - IP-
. , DNS server
.
Mail Exchanger (MX) - -
.
-
.
Name Server (NS) - .

Pointer (PTR) - ,
IP-.
.
Canonical Name
(CNAME) - . ,

Service Locator (SRV) IP-.
- ,
. Active Directory
SRV .

. 3-2. SOA Contoso.com

. 3-2 SOA DNS. DNS


. ,
Web1.Contoso.com Web1.Contoso.com IN A
192.168.1.100.

DNS-,
DNS ,
DNS.


, ,
. , ,
DNS, . ,
Contoso.com. ,
DNS, .. .
DNS- , DNS
DNS-.
DNS. DNS.
DNS:
. IP-
. ().
SOA NS, MX, CNAME SRV.
, - DNS-,
IP- .
. ,
IP- , .
SOA NS, - PTR. PTR
, .
. . 3-1.
.
, IP- , ,
. , , IP-
. , 192.168.1.0,
1.168.192.in-addr.arpa. in-addr.arpa DNS
. ,
.
(150.38.0.0), 38.150.in-addr.arpa.


(Primary Name Server) ,
(
- primary zone). , DNS-
, - .
,
, .


(Secondary Name Server) ,
.
.
DNS , ..
DNS . Request for
Comment 1995 ( )
, (incremental zone transfers),
,
. Request for Comment
1996. ,
, .

, SOA .
. DNS- Windows Server 2003 ,
. (integrated) Active Directory,
Active Directory.


- , (caching-only).
, ,
. ,
.
, DNS
. ,
DNS- , .
DNS-,
( -1 ). , DNS-
.
. DNS- Windows Server 2003,
, , (caching-only) .
,
.


DNS, (zones of
authority) (authoritative) .
. , DNS-
Contoso.com,
.
DNS-.
DNS- , 3-3.
DNS-, Contoso.com. DNS1
Web1.Contoso.com, and DNS2 server
. DNS1, IP- Web1.
DNS2 IP- Webl, ,
. DNS2 Contoso.com,
DNS1. ,
,
.

. 3-3. DNS-

.

, DNS-,
, - DNS
DNS ( . 3-3). DNS1
, DNS2 - .
DNS2 DNS- ,
DNS1 SRV- Active Directory.
(Contoso.com),
.

DNS-. DNS-, ,
, - -,
. DNS-
, ,
, ,
.
DNS. ,
www.Contoso.com, ,
-, -
.
DNS1. ,
-.

DNS ,
. , ,
,
Contoso.com, com- ,
Contoso.com. (delegation records).
,
. , 3-4 ,
DNS1.Contoso.com Contoso.com. DNS2 DNS3
NAmerica.Contoso.com. DNS1
NAmerica.Contoso.com,
. DNS1 ,
DNS2 DNS3 .
DNS1, NAmerica.Contoso.com,
.


DNS
.
DNS ,
DNS-.
DNS- ,
. , DNS- Contoso.com.
, Fabrikam.com
(. . 3-1), DNS- Contoso.com - .

. 3-4.


. (forwarder) - DNS-,
DNS-, . ,
Contoso.com Fabrikam.com.
DNS- Contoso ,
, .
. DNS-,
.
IP- . , DNS-
, .
DNS- , DNS-
, .
3-5. DNS-
DNS-, -. DNS-
, ,
IP-.

. 3-5.

, DNS- ,
, .
DNS- Windows Server 2003, ,
. - ,
. DNS-
DNS, ,
.
, ,
.
. , DNS-
, Cache.dns,
DNS-.
DNS- ,
DNS-, .
DNS- Windows Server 2003 ,
. ,
.
, DNS server
, . DNS-
, .
, Do Not Use Recursion For This Domain (
) Forwarders () Properties
() DNS-. DNS-
- ,
.
, DNS- ,
. , .
. DNS Windows Server 2003
.
.
DNS
DNS ,
. RFC 2136
DNS-. RFC 2136 ,
DNS- ,
. DNS (DDNS).
DNS- Windows Server 2003 DNS.
Windows 2000 Windows XP Professional, Windows 2000 Server; Windows 2000
Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows
Server 2003, Enterprise Edition Windows Server 2003, Datacenter Edition
DNS. Windows 2000 Windows Server 2003
SRV- DNS-,
. DNS- Windows Server 2003

(DHCP). DHCP- Windows Server 2003
DNS- , Microsoft Windows 95, Microsoft Windows 98, Microsoft
Windows Me Microsoft Windows NT.
DNS . - ,
DNS, , ,
DNS,
. DNS Windows Server 2003
.
Active Directory. ,
DNS-. Authenticated Users
( ) DNS.
, ACL (ACL - Access Control List) DNS-.
DNS , DNS.
, Active Directory Windows Server 2003 SRV-
,
DNS- Windows Server 2003.

DNS Active Directory Windows Server 2003


Active Directory DNS.
, Windows 2000
Windows XP Professional .
DNS , Active Directory, . ,
Exchange Server 2000 Active Directory,
, Exchange Server 2000, ,
Exchange Server 2000.
. , Windows 95, Windows 98, Windows Me
Windows NT DNS Windows Server 2003.
NetBIOS, Windows (WINS - Windows
Internet Naming Service) - NetBIOS IP-. Windows
Server 2003 , NetBIOS
WINS.

DNS Locator
DNS Locator ( DNS) Active Directory, DNS
, .
,
.
. Windows NT NetBIOS.
NetBIOS Domainname <1>
WINS. ,
, .
, . SRV Windows Server 2003
,
Windows 2000 Windows XP Professional. SRV
Windows Server 2003.

DNS, Active
Directory
, Active Directory
(service locator) SRV. SRV - DNS-,
RFC 2782, TCP/IP-. ,
Active Directory, , SRV
(. . 3-2).
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com

. 3-2. SRV

_ldap , .

_kerberos, _kpassword _gc.
_tcp , .
TCP

(UDP).
contoso.com , .

600 (TTL - Time to Live) ( ).
IN DNS- .
SRV SRV.

0
. SRV-
,

,
.
100 .
SRV-
,
,
.

389 , .
dc2.contoso.com , , .

, ,
(LDAP) Contoso.com, dc2.contoso.com.
Windows Server 2003 SRV-
DNS. , .
contoso.com. 600 IN A 192.168.1.201
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.pdc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.gc._msdcs.contoso.com. 600 IN SRV 0 100 3268 dc2.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites._gc._msdcs.contoso.com. 600 IN SRV 0 100 3268 dc2.contoso.com.
_ldap._tcp.64c228cd-5f07-4606-b843-d4fd114264b7.domains._msdcs.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
gc._msdcs.contoso.com. 600 IN A 192.168.1.201
175170ad-0263-439f-bb4c-89eacc410ab1._msdcs.contoso.com. 600 IN CNAME dc2.contoso.com.
_kerberos._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 88 dc2.contoso.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.contoso.com. 600 IN SRV 0 100 88 dc2.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 dc2.contoso.com.
_kerberos._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 88 dc2.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 dc2.contoso.com.
_gc._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 3268 dc2.contoso.com.
_kerberos._udp.contoso.com. 600 IN SRV 0 100 88 dc2.contoso.com.
_kpasswd._tcp.contoso.com. 600 IN SRV 0 100 464 dc2.contoso.com.
_kpasswd._udp.contoso.com. 600 IN SRV 0 100 464 dc2.contoso.com.
DomainDnsZones.contoso.com. 600 IN A 192.168.1.201
_ldap._tcp.DomainDnsZones.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
ForestDnsZones.contoso.com. 600 IN A 192.168.1.201
_ldap._tcp.ForestDnsZones.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
. Windows Server 2003,
Netlogon.dns, %systemroot%\
system32\config. DNS-,
DNS.
SRV- , SRV.
:
_ldap Active Directory , LDAP-,
, LDAP-. _ldap SRV
LDAP , .
Windows Server 2003 LDAP-;
_kerberos - Windows 2000
Windows XP Professional. SRV- _kerberos
(KDC - Key Distribution Centers) .
Windows Server 2003 KDC-;
_kpassword kerberos (
Windows Server 2003
kerberos);
_gc - , Active
Directory. Active
Directory.
SRV- ,
3-2. Active Directory
IP-, .
,
, , .
,
, . ,
, , .
SRV- _msdcs,
. , SRV, ,
Microsoft. , LDAP kerberos server
, Microsoft. SRV
DNS. Windows Server 2003 (generic)
(, _ldap._tcp.contoso.com), , _msdcs.
, Microsoft, .. Windows Server 2003
Windows 2000.
: gc ( ), dc ( ) pdc (
).
(GUID -
globally unique identifier) . GUID
.
. , - ForestDnsZones
DomainDnsZones.
.

Active Directory
, Windows Server 2003,
( ) , . , ,
Windows 2000 Windows XP Professional, .
, .
1.
(RPC) ,
. RPC-, ,
, , Net Logon ( ).
2. (domain locator),
API- DsGetDcName (), ,
3-3.

. 3-3. DsGetDcName
DsGetDcName                 DNS

DS_PDC_REQUIRED             _ldap._tcp.pdc._msdcs.domainname
DS_GC_SERVER_REQUIRED       _ldap._tcp.sitename._sites.gc._msdcs.Forestrootdomainname
DS_KDC_REQUIRED             _kdc._tcp.sitename._sites.dc._msdcs.domainname
DS_ONLY_LDAP_NEEDED         _ldap._tcp.sitename._sites._msdcs.domainname
. DsGetDcName sitename.
, DS_PDC_REQUIRED, ,
. DNS- ,
. , DS_KDC_REQUIRED ,
_kdc._tcp.dc._msdcs.forestrootdomain. ,
, DNS.
DomainGUID DsGetDcName ().
_ldap._tcp.domainGUID.domains._msdcs.forestname.
, .
3. DNS ,
. LDAP , UDP- 389
, .
0,1 , ,
.
, .
4. , , ,
. ,
.
, ,
Active Directory, .
,
Active Directory,
. ,
,
, . ,
?
-, Active Directory,
. IP-,
, .
Active Directory, IP-
IP- . ,
.
.
(,
),
. DNS- ,
. IP- ,
, .

.
, Active Directory,
.

Active Directory
DNS Windows Server
2003 (integrated zones) Active Directory.
Active Directory .
DNS-,
Active Directory. .
Active Directory.
Active Directory,
Active Directory. ,
, .
, .
Active Directory
DNS.
DNS-
. Active Directory DNS
. ,
,
. Active Directory DNS-
,
.
DNS.
.
Active Directory, ,
. , ,
Active Directory.
Active Directory
DNS Windows Server 2003,
.
. Active Directory .
,
, . DNS-
, DNS ,
Windows Server 2003, DNS.
Active
Directory.
Active Directory,
DNS Active Directory
(. . 3-6). Microsoft (MMC - Microsoft Management
Console) , Active Directory Users And Computers (
Active Directory) . Active Directory Users
And Computers ( Active Directory) View (),
Advanced Features ( ). ,
System (), - MicrosoftDNS.
Active Directory .

. 3-6. Active Directory

. DNS
DNS Windows Server 2003
, ,
, Active Directory
Windows 2000 Advanced Server.
; ,
(dedicated)
(. . 3-7).
.

. 3-7. Active Directory

,
.

, . ,
- Contoso.com Fabrikam.com,
DNS- Contoso.
Fabrikam, ,
. DNS- Contoso
DNS- Fabrikam,
.
TailspinToys.com .
DNS Windows 2000
(. ),
.
DNS
.

DNS DNS--
, DNS ,
DNS .
, DNS
,
.
. Windows Server 2003
. ,
(stub zones) .

DNS
DNS, , Windows 2000.
Windows Server 2003 , ,
DNS. (. )
DNS ,
Windows Server 2003.


(conditional forwarding)
. Windows Server 2003
, . - ,
,
.
, .
: DNS-cep-
DNS, .
, , , .
.
.
, .
,
. , DNS
.
Windows Server 2003 DNS
, DNS
. DNS ,
, . ,
Contoso.com Fabrikam.com, DNS-
Contoso.com. DNS- , ,
, .
, .
Fabrikam.com, DNS- Contoso.com
DNS.
Fabrikam.com, DNS Contoso.com,
, -
, .
. , DNS-
, . DNS-
, .
Properties ()
DNS (. . 3-8).
.
DNS , DNS-
DNS- .
-, Forwarders (),
DNS- ,
DNS-. ,
, , DNS,
All Other DNS Domains ( DNS).

. 3-8.

DNS-
. -
, , Fabrikam.com
Europe.Fabrikam.com, Webl.Europe.Fabrikam.com, DNS-
DNS- Europe.Fabrikam.com.


(stub zones) - DNS Windows Server 2003.

. .
IP- .
, , .
,
SOA, NS () , .

. DNS- ,
. .
DNS-
. ,
, ..
(. . 3-9). NAmerica.Contoso.com IP-
SAmerica.Contoso.com DNS NAmerica.Contoso.com
, .
, . DNS
Contoso.com ,
DNS- NAmerica.Contoso.com .
IP-
SAmerica.Contoso.com NAmerica.Contoso.com. NAmerica.Contoso.com DNS SAmerica.Contoso.com IP-
, .
, DNS- NAmerica.Contoso.com
DNS .
, SAmerica.Contoso.com. ,
,
SAmerica.Contoso.com.
.
, .
,
.
DNS . - DNS
, DNS- ,
.

. 3-9. DNS

.
, IP-
. , ,
, .
,
. Contoso.com,
NAmerica.Contoso.com DNS Contoso.com.
Contoso.com, .
,
. DNS Contoso.com ,
,
.
, New Zone Wizard ( )
DNS. Forward Lookup
Zones ( ) Reverse Lookup Zones ( ))
New Zone ( ). (. . 3-10).
. 3-10.


DNS, ,
.
DNS Active Directory Windows Server 2003
DNS . DNS,
, Active Directory
. DomainDnsZones ForestDnsZones. (
Active Directory,
ADSI Edit Ldp.exe; ADSI Edit 3-11.)
. DomainDnsZones
DNS, . ForestDnsZones
DNS, .
DNS , ..
.
DNS (. . 3-12)
Zone Properties ( ) DNS.
DNS.
All DNS Servers In The Active Directory Forest domainname (Ha DNS
Active Directory). ForestDnsZones,
DNS .
_msdcs Active Directory.

. 3-11. DNS ADSI Edit

All DNS Servers In The Active Directory Domain domainname (Ha DNS
Active Directory). DomainDnsZones,
DNS, .
, Active Directory,
.
All Domain Controllers In The Active Directory Domain domainname (
Active Directory).
, .
,
, DomainDnsZones
, DNS.
All Domain Controllers Specified In The Scope Of The Following Application Directory
Partition (
). ,
.
DNS ,
.
. DNS ,
DNS .
DNS ,
, .
DNS
DNSCMD. DNS
DNS Create Default Application Directory Partitions
( ).
DNSCMD dnscmd DNS
servername /CreateBuiltinDirectoryPartitions /forest.
ForestDnsZones. DomainDnsZones, /domain
.
Active Directory, Enterprise Admins
( ).

. 3-12. DNS

.
, DNS,
DomainDnsZones
, DNS. _msdcs ,
Active Directory , ForestDnsZones.
.

DNS Windows Server 2003.



Windows Server 2003. DNS.
, DNS
, DNS Active Directory.
,
Active Directory SRV DNS,
. , DNS
Windows Server 2003.
4. Active Directory
, Active Directory Microsoft Windows Server 2003,
.
.
(WAN).
, -
.
, ,
.
, . ,

, .
Active Directory ,

. Active Directory.
, , ,
.

Active Directory
2 , Active Directory .

. ,
, .
,
.
, , .
, Active Directory.
,
Microsoft Windows NT, Active Directory .
Windows NT (PDC Primary Domain Controller)
, .
,
(BDC Backup Domain Controllers).
, .
(, ) PDC,
, . PDC
, ,
, PDC.
, PDC . ,
,
BDC- PDC.
Active Directory
, .. ,
PDC . ,
.
,
, .
, .
. 2 , Active Directory
, .
,
.
, Active Directory,
, . ,
, , .
, ,
.
, .. ,
,
.
(store and forward). ,
,
. , ,
, WAN-.
.
, ,
. , ,
,
.

Active Directory Windows Server 2003
Active Directory Windows Server 2003, , ,
Microsoft Windows 2000, .
, . Windows 2000
.
.
.
,
,
. Active Directory Windows Server 2003 ,
, ,
.
, 5000 . Windows 2000
5000 - ,
.
5000 . ,
. Active Directory Windows Server 2003
, ,
.
. ,
(interim) Windows Server
2003. Windows Server 2003 ,
Windows Server 2003.
Windows Server 2003 , ,
Windows Server 2003 Windows NT.
. . 7.
.
Active Directory Windows 2000, Active
Directory Windows Server 2003.
. Active
Directory Windows Server 2003 .
.
, .
Active Directory Windows Server 2003 ,
. , - (bridgehead server)
, , - ,
.
, .
.
, ADSI Edit Options
() - (site link object) - (connection object).
, Options () ;
, .
. Windows 2000
100 . ,
(Knowledge Consistency Checker ),
.
Active Directory Windows Server 2003 .

Active Directory ,
. ,
,

. ,
.
.
. Microsoft Exchange Server 5.5 ,
. Active Directory
Exchange Server 5.5.


,
.. ,
. .
, Active
Directory. 15 ,
,
. 3 ,
. 15
,
.
Windows 2000 Windows Server 2003 (
Resource Kits ).
Windows Server 2003
, ADSI Edit.
.
, .
.

.
,
-. -
, .

(RPC). -
, .
, .

.
;
.
.
- Active Directory Sites And
Services ( Active Directory), (,
) (
Resource Kits )
Partition (), Windows Server 2003.
.


, ,
- .
.
, , .
, ,
. ,
. , ,
.
, , ,
.
10 - 15
, 32 . ,
-
.

.
.
, ,
(IP) (SMTP). ,
,
, .
, -.
- (
) , - .
-
.
,
.
. Active Directory
, ,

.
, , , 5.


Active Directory Windows Server 2003 ,
, ,
. (replication
latency). ,
. , ,
,
15 . 15 ,
.
15- , , ,
.
,
45 .
. ,
. ,
, -
, - . -
-, ,
, .
3 .
, 3 .
- ,
.
. ,
15 ( ).

.
, ,
45 .
WAN- ,
, .


, ,
, . Active Directory
(urgent replication),
. ,
, . ,
.
.
.
.
(RID)
.
(LSA - Local Security Authority),
, .

.
.
.
,
PDC-.
- . ,
, RPC- PDC--.
PDC-
. ,
, , , PDC-,
, .


Active Directory .

Active Directory. ,
, , .

(Knowledge Consistency
Checker)
(Knowledge Consistency Checker) ,
,
. Active Directory ,
, ,
.
, ,
. ,
.
, ,
.
15 .
Active
Directory Sites And Services ( Active Directory). ,
, NTDS Settings
( NTDS) , All Tasks ( ),
Check Replication Topology ( ).


(connection object),
Active Directory.
,
. , ,
. ,
.
pull ()
, pull-,
- - .

, .
. Replication Monitor ( )
push () .
pull-. ( ,

.)
, , ,
. , , ,
. , ,
,
. ,

.
:
, , .

,
- ,
- .
,
, . ,
, 15 . (
4-1.)
, <automatically generated> (
) (GUID).
.
. 4-1.


,
. ,
.
.
, .
,
. ,
, .


Active
Directory. (spanning tree),

. , ,
, . ,
,
.
, .
spanning tree .
,
.
.
Active Directory
. ,
Active Directory .
,
,
. ,
Active Directory .

Active Directory, KCC .
. 4-2
.
. 4-2.

(. . 4-2),
. ,
. ,
- .
.

-
. ,
(hop).
,

. , 4-3 .
, , , .

. 4-3. ,

. ,
. ,
,
. ,
4-4. (. . 4-4) ,
. 4-1.

. 4-1.


Contoso.com       DC1.Contoso.com, DC2.Contoso.com, DC3.Contoso.com, DC4.Contoso.com
Fabrikam.com      DC5.Fabrikam.com, DC6.Fabrikam.com
(GC)              DC1.Contoso.com, DC4.Contoso.com, DC5.Fabrikam.com
AppPartition1     DC2.Contoso.com, DC6.Fabrikam.com

. 4-4. ,

. DNS (ForestDnsZones DomainDnsZones)


. , 4-4
. 3 ,
, .
4-4 GC.
GC .
Replication Monitor
( ).
, - Windows Server 2003.
, Suptools.msi Support\Tools
- Windows Server 2003. , Run
() replmon. 4-5
, .
. 4-5.

- , ,
.
,
. , ,
.
4-5 DC1.Contoso.com DC4.Fabrikam.com.

. ,
.
Show Replication Topologies ( ). View
(), Connection Objects Only ( ),
Properties (). Inbound Replication
Connections ( )
, , . 4-6,
(
Fabrikam.com), . ,
, ,
.
. 4-6. ,


,
. GC . ,
GC .
GC , ,
isMemberOfPartialAttributesSet true ().
, GC , GC.
GC- GC- .
4-7 ,
; . DC1.Contoso.com
. GC-
Contoso.com, GC-
Contoso.com .
Fabrikam.com ,
DC1.Contoso.com GC- Fabrikam.com DC2.Fabrikam.com.
Fabrikam.com ,
DC2.Fabrikam.com DC1.Contoso.com.
GC- DC1.Contoso.com.

. 4-7.

4-8 GC .
,
GC-. DC1.Contoso.com DC2.Contoso.com,
DC4.Fabrikam.com DC6.NWTraders.com.
DC1.Contoso.com. GC-
. , GC
GC .


,
. , , -
,
. ,
.
,
, .
, ,
.
, ,
. , ,
, .

. 4-8. GC-

,
,
.
(ISTG - Inter-Site Topology Generator) .
ISTG- , ,
. ISTG
. .
- (bridgehead server) ,
.
- - . ,
.
-
. -,
.
ISTG ,
. ISTG ,
. , ISTG
- . ISTG
, -. -
- ,
.
4-9 , .
.
, , GC- . ,
, GC,
. -,
. -
Contoso.com. -
Fabrikam.com. ,
4-9, DC1.Contoso.com DC6.Fabrikam.com GC-.
, - GC-
.
,
.
.
Active Directory.
, .
.

. 4-9.


Active Directory.
. ,
,
, ,
.


Active Directory,
. - (originating update).
,
. - (replicated update).
, , ,
. ,
, , ,
. ,
Active Directory, .
Active Directory :
Active Directory ;
Active Directory ;
.
,
;
Active Directory .
,
.
Active Directory . ,
, ,
.



, .
, , 15
. ,
,
.
,
.

. Active Directory
,
. ,
, , .
Active Directory (USN -
update sequence number), (high-watermark value), (up-to-dateness
vectors) (change stamps). .


,
. (USN update sequence number)
. ,
USN 5555, ,
, USN 5556. USN
.
(, , ),
USN.
USN . -,
USN , .
USN . -, USN
uSNChanged .
USN . . ,
, USN, 5556.
USN, uSNChanged 5556.
, ,
, USN uSNChanged
5557. USN
5556, USN .
USN uSNChanged ,
. USN USN .
,
.
, USN USN.
, USN
,
. USN uSNChanged
, USN ,
. USN ,
.


(high-watermark values) ,
.
. -
uSNChanged,
. ,
uSNChanged .
.
.
, -
-. -
-
, uSNChanged.
.
.


(up-to-dateness vectors) ,
.
,
- . ,
DC1, USN, 5556.
DC2, USN .
, GUID DC1 . DC2
, , ,
, DC1, 5556.
. -
-, .
-
, -. ,
. ,
, , DC3,
, DC1, DC2, DC3. DC3 DC2
, , ,
, DC1, USN 5556.
15 DC2 DC3,
. DC3 DC2,
. DC2 ,
DC3 DC1 USN.
, ,
DC2 DC3 .
, ,
. ,
- . ,
, ,
. ,
,
. , ,
.

USN
USN (update sequence number)
, Windows Server 2003.
USN , USN
(time stamp)
Repadmin. ( Repadmin
.) repadmin
/showmeta object distinguished name ( ) .
uSNCreated uSNChanged ADSI Edit .
Ldp.exe, ,
, Advanced (), Replication Metadata (-
). USN (. . 4-10).
,
Show Attribute Meta-Data For Active Directory Object (
Active Directory). (credentials)
Active Directory, . USN-
.
USN Active Directory Users And
Computers, Advanced Features ( ) View (),
Object () Properties () .
.
,
, - .
,
, , -
, -
.

. 4-10. - Replication Monitor ( )


, ,
(change stamp). , ,
.
, .
, ,
. .
. ,
. ,
1, .
, 1.
,
.
. ,
. ,
,
.
(Originating server). GUID ,
.
.
, .
,
, .
.
1. . .
3, -
4, 4.
2. . ,
.
3. GUID . ,
GUID , .
, , GUID.
GUID , a GUID .
.
, ,

. . -
, . (

, ,
.) -,
,
, ,
, .

,
. , ,
Active Directory,
.
Active Directory , ,
.
, .

,
. ,
(OU) Accounting ().
OU Accounting.
, ,
Active Directory LostAndFound.

(relative distinguished name) . ,

BDiaz OU Accounting,
,
, OU OU.
, , ,
GUID,
. , GUID, ,
GUID BDiaz#CNF:userGUID,
(#) . ,
.


Active Directory ,
. , .
- (tombstone). - ,
isDeleted true (), .
, GUID, SID, USN ,
.
- .
, ,
, . -
,
- (tombstone lifetime).
-, 60 ,

. -
(garbage collection). , ,
12 . 12 ,
-, .
1 , Active Directory Windows Server 2003
Active Directory. (lingering object)
, ,
-
. Repadmin.
. -
ADSI Edit Ldp.exe. CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain.
garbageCollPeriod tombstoneLifetime .
.


Active Directory
, ,
WAN-.
, .
. ,
, - ,
. 5
.
Active Directory,
.
2, Active Directory ,
. Active
Directory , ,
.

Active Directory, Default-First-Site-
Name ( ). ,
.

, .
Active Directory
Sites And Services ( Active Directory). ,
Sites (), New Site ( ). Link
Name ( ) ,
. IP
Active Directory. Subnets ()
Active Directory Sites And Services . ,
, GC-.
,
Servers () Move ().
, .
, ,
IP IP- .
, .


Active Directory, , (Site
Links). Active Directory
DEFAULTIPSITELINK. ,
,
. WAN-
, .
, .
.
- ,
.
ISTG.
ISTG. , ISTG
, Active
Directory .
.
(Cost) - ,
.
, .
, , ..
.
.
(Replication schedule) ,
.
24 .
, .
(Replication interval) - ,
- -
.
180 .
. ,
22:00 5:00 , -
3 .
(Replication transports).
RPC IP, SMTP.

.
. , .
, , ,
4-11.
Active Directory Windows Server 2003 (transitive)
. 4-11, Site1 Site2 Site4, and Site2
Site3 Site5. - , Site1
Site3 Site5.
,
. ,
. ,
4-11, Site1 Site5:
Site2, Site4. Site2 - 300 (100
+ 200), Site4 700 (500 + 200). ,
Site 2, .

. 4-11.

,

. , Site1 Site3
24:00 4:00 ( ) 60 (
Site2-Site3).
. ,
- . , Site1-Site2 2:00 6:00,
Site2-Site3 22:00 1:00, Site1 Site3
. Site1 Site2, Site2
Site3. ,
, Site2 2:00, Site3 22:00.



(site link bridges).
, , -
. ,
, .. (-
, ,
).
, ,
, ,
.
.
. 5 ,
.
, .
, ,
; , ,
. , , ,
Site1, Site2, Site4 Site5. ,
, - Site1
- Site5. Site2 Site3
, . Site3
Site2, .
, Bridge All Site Links (
) General () IP-Properties ( IP). IP
Inter-Site Transports ( )
Active Directory Sites And Services. , ,
,
.


Active Directory Windows Server 2003
.
RPC IP .
RPC over IP. ,
..
. RPC- (dynamic port
mapping). RPC- RPC (RPC
endpoint mapper port) (IP 135). ,
- .
.
,
, . ,
DWORD :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port.
RPC over IP . RPC-
, ,
, .
. RPC IP
Active Directory Sites And Services, , -
. RPC over IP RPC, and RPC over IP
IP.
SMTP . SMTP
,
. SMTP , ..
.
SMTP . -, SMTP
,
. SMTP
, GC. , SMTP
, SMTP (IIS)
, SMTP .
, Microsoft Certificate
Authority (MCA) ( ).
SMTP,
.
-
, -.
(ISTG - Inter-Site Topology Generator)
-
. , -,
Replication Monitor
( ). ,
, Show Bridgehead Servers ( -
). -: ,
, . -
Repadmin. repadmin
/bridgeheads.
,
-. -
,
. -
Active Directory Sites And Services,
, Properties () (. .
4-12). (preferred)
- SMTP IP.

. 4-12. -

-
, - , .
, -,
- ,
. ,
Contoso.com, Fabrikam.com, GC ,
, ,
. , ISTG
, - .
-,
ISTG - .
- ISTG
-, .. ,
.
- , ISTG
-, ,
-.
- ,
ISTG -,
-.
. - ,
, . -
,
, .

,
, Replication Monitor ( ).
Suptools.msi Support\Tools - Windows
Server 2003. Replication Monitor, replmon.
.
Edit ,
. ,
Active Directory. ,
, ;
; .
,
. - Repadmin.
Suptools.msi. ,
repadmin. Repadmin
-
, Replication Monitor, . Repadmin
, .
.
Replication Monitor Repadmin, Help And Support Center (
). Support Tasks ( ) Tools (),
Windows Support Tools ( Windows).
,
, , .
Help And Support
Center.

. -Event Viewer ( ).
Directory Service ( )
, . ,
, , ,
. Performance
() , ,
. ,
NTDS Performance.
, ,
Active Directory.
. Active Directory ,
, - DNS.
DNS .

Active Directory Windows Server 2003


, .
,

. :
Active Directory
, , ,
.
II. Active
Directory Windows Server 2003
I ,
Active Directory Microsoft Windows Server 2003. II
Active Directory.
Active Directory . , ,
(OU) ,
. 5
. Active Directory,
. 6 , Active
Directory. , Active Directory Windows Server 2003,
Microsoft Windows NT 4. Active Directory Windows Server 2003
Windows NT, 7.

5. Active
Directory
Active Directory Microsoft Windows Server 2003
. Active Directory
,
. Active Directory
.
, .
, ,
Active Directory Windows Server 2003. ,
, .
, , ,
.
.
.
, (OU)
, .
. Active Directory Windows Server 2003
Active Directory Microsoft
Windows 2000. Windows Server 2003 Windows
2000, Active Directory .
, Active Directory Windows 2000,
Active Directory Microsoft Windows NT 4 .


, , -
. -
Active Directory ,
.
, ,
. ,
, :

.
. - Active
Directory
Active Directory ,
. -
,
(IT), ,
.

. , ,
.
, , .
,
. ,

.

Active Directory
Active Directory , .

.
.
Active Directory, , .
, .
. (GC). GC
,
.
.
.
, Active
Directory, ,
.
.
. , .
.
Microsoft Exchange Server 2000.
Exchange Server 2000. Exchange Server 2000
,
. (GAL - Global Address List)
GC. Exchange Server 2000
.
, .
,
.
Active Directory ,
, ,
. .
. .
,
. ,
, . , ,
,
, ,
, .
, .
.
. ,
. ,
, , Schema Admins
( ). ,
, - Enterprise Admins ( ).
Enterprise Admins Administrators
() .
. ,
Windows NT 4,
.
.
,
.
.
. ,
, ,
. ,
.
, ,
.


, ,
, - .
, .
-
, .
. , .
.
GC,
,
. Active Directory
. , , ,
, .
,
.
.
,
, . ,
.
.
,
-
. .
.
, ,
,
.

, .
.
.
,
, .
,
,
.
.

. ,
.
.
,
, , ,
, ,
. ,
,

.
.
,
, , . ,
-
.
,
,
, .
,
, ,
.
.
. .
, .
, ,
.
. -
. GC-
, , GC.
, ,
.
.
- ,
.
.
-

,
. Active Directory
,
(, , )
( ,
..)
,
, OU.
. ,
, Enterprise Admins
( )
.
, , ,
.
, ,
.
Active Directory
. , .
OU
OU. Active Directory
.
,
.
, Active Directory. Enterprise Admins
Administrators . Domain Admins
( )
Administrators
.
,
,
. ,
.
,
,
.

.
,
.
(SID) , , Enterprise Admins,
, , .
,
Directory Services Restore ( ),
Active Directory , .
, ,
,
.
,
.
,
.
,
.
.
,
.
, ,
,
.
.
,
.
Domain Admins ( ),
Administrators (), Server Operators
( ) Backup Operators (
). ,
, .

, .
, .
,
, .
.

, ,
. ,
. Schema Admins ( ), Enterprise Admins
( ) Domain Admins ( )
, ,
. ,
, .
, Schema Admins , Schema Admins
,
.
.
,
.
, , ,
,
, .

. , ..
,
.
, ,
.



. ,
. :
(,
, ).
,
. ,
,
.
,
.
,
.
, .
,
Active Directory.
,
Active Directory .

, .


,
. ,
,
,
. .
Active Directory

.
Active Directory.
.
, Sysvol
. ( ,
GC) ,
.
.
. ,
,
.
.
. , ,
Kerberos,
.


,
.
, .
.


Active Directory Windows Server 2003
, Windows NT.
-
Windows NT Active Directory.
, Windows
NT, Windows Server 2003.
,
Windows NT.
.
Active Directory
Active Directory
, .
, Active Directory,
Active
Directory. Windows NT 4,

Active Directory Windows Server 2003.
Active Directory.
,
Active Directory,
. , Active
Directory, .
, ,

. , ,
.

.
Active Directory,
Active Directory, ,
. ,
- .

Active Directory:
. ,
, , ,
, .
, , Active Directory .
,
, .
,
.
, . OU
.
Active Directory,
. , ,
Active Directory
.
Windows NT ,
. Active Directory OU
,
.
,
, OU .
.
,
. ,
.
.
Sysvol
. ,
.

. ,
.


,
.
.
. ,
,
.
(
).
,
.
,
.
,
(SMTP), .
,
SMTP.
,
Kerberos .

, .

.
,
.
.
.

. ,
.
, ,
. -
, .


, Active Directory
,
( ). (dedicated root domain) -
, .
, , .
5-1.
, ,
. - Active
Directory. ( Enterprise
Admins Schema Admins) (
). , ,
, ,
, . , ,
, .

. 5-1.

, ,
. ,
.
,
.
.
.
, (generic) .
, ,
. , ,
, .
,
. ,
.
, .
,
. , , Restricted Group ( )
Domain Security Policy ( )
. DNS ,
. -
,
DNS ,
.


,
, DNS . ,
. - Windows NT,
Windows Server 2003
.
Windows NT,
,
, .
.
,

. 5-2 ,
.
Active Directory, .
.
Active Directory ,

Active Directory. ,
,
Active Directory. . ,
Exchange Server 5.5. Exchange
Server 2000 Active Directory. ,
Exchange Server 5.5, , Exchange .
5-3 , Windows NT
4.
. 5-2.
Windows NT


, .
, .
, , ,
. ,
,
, , , ,
. , ,
, .
, ,
, .

. 5-3. Windows NT 4 Active Directory Windows Server 2003



. ,
, .. .
,
.
,
.
, , ,
.

.

, GC .
DNS DNS.
(conditional forwarders) (stub zones)
Windows Server 2003 .
, ,
, , ,
(shortcut trusts) .

. -
Active Directory -,
. -
, .
, , .
, , ,
. ,
, 5-4.
Asia.Fabrikam.com Canada.NAmerica.Contoso.com Contoso.com,
.
NAmerica,
Contoso, Fabrikam , , Asia.
. ,
Canada Asia,
Asia .
.
, .
,
,
, .
. 5-4.


,
. Windows Server 2003
, Windows Server 2003.
,
. ,
,
. , ,
.
-
Active Directory (ADMT - Active Directory Migration Tool v.2)
. ADMT /I386/ADMT -
Windows Server 2003.


, Active Directory,
.
, .
. ,
. ,
,
.
.
.
. ,
Kerberos.
Group Policy ( ) .

OU.
OU- . OU-
OU
OU.
.
(
, ..),
OU.
. ,
,
.

, .

DNS
,
DNS . Active Directory
Windows Server 2003 DNS,
DNS. , ,
Active Directory .
DNS.
DNS, ,
, DNS- Windows Server 2003
DNS.

DNS
DNS
DNS. DNS Active Directory
DNS.
DNS,
DNS- Active Directory DNS Windows
Server 2003. Active Directory , DNS, ,
.
DNS, .
DNS- ,
. , , .
,
. .com,
.net .org.

.
DNS.
DNS-, (
DNS- Windows, BIND - Berkeley Internet Name Domain Lucent
VitalQIP). , DNS
,
.


DNS,
Active Directory.
DNS
,
, ,
DNS , .
,
.



DNS , .
DNS- . ,
5-5 , Contoso Contoso.com ,
.

. 5-5. DNS
. ,
, DNS
. DNS- ,
, , (
DNS - DDNS). ,
, .
, , SMTP, Web-
. ,
DNS- .

, .
. SMTP
(UPN)
-. ,
, ( ).
,
DNS-.

.
DNS .
DNS,
DNS ,
.
. , - ,
,
, -.
.


.
, Contoso.com
Contoso.net ADContoso.com (. . 5-6).
. ,
, . , Contoso.com
, Contoso.net, ADContoso.com AD.Contoso.com
. AD.Contoso.com DNS, ,
.

. 5-6. , ,

,
. ,
DNS .
,
DNS .
, . ,
, ,
.


, DNS,
DNS.
DNS ( Windows NT),
, Active Directory,
. DNS
, DNS .
DNS ,
, , DNS
.
,

(. . 5-7).
. 5-7. DNS DNS

.
, ,
.
,
-,
. ;
, ,
, SMTP
.

, .

, .
,
, . , Contoso
Contoso.net Contoso.com
.
, . SMTP
alias@contoso.com, -
- Contoso.com. , UPN
alias@contoso.com,
.
5-7 , DNS . DNS-
Contoso.com (authoritative)
NAmerica.Contoso.com Europe.Contoso.com,
Fabrikam.com. DNS- Fabrikam.com
Contoso.com.
,
, , .
DNS , DNS.
.
DNS Active Directory, .
, Contoso Contoso.net ,
DNS- BIND DNS. Contoso.net
Active Directory DNS ( ,
SRV- ).
, DNS DNS-,
Windows Server 2003.
DNS-. DNS
.
. DNS
.
, DNS-
DNS-. .
,
. , DNS-
.
DNS DNS-
Active Directory. , Contoso Contoso.net
DNS Active Directory,
AD.Contoso.net (. . 5-8).
DNS- AD.Contoso.net
NAmerica.AD.Contoso.net Europe.AD.Contoso.net. DNS-
DNS-,
Contoso.net, DNS-.
DNS- Active Directory,
.
DNS Active Directory
. , Contoso
AD.Contoso.net Active Directory (. . 5-9). DNS- Contoso.net
AD.Contoso.net. DNS-
AD.Contoso.net , DNS-
Contoso.net.
DNS, - , ,
DNS
. , 5-10 , , , Contoso.net
Fabrikam.net . Active Directory,
,
NWTraders.net. DNS-
DNS .
. 5-8. DNS

. 5-9. DNS

DNS Active Directory.


5-10 AD.Contoso.net Active Directory
NAmerica.AD.Contoso.net Europe.AD.Contoso.net AD.Fabrikam.net
NWTraders.net,
Active Directory.
. 5-10. DNS

DNS
DNS.
DNS UNIX
DNS . DNS DNS-
BIND, UNIX-.
Windows NT NetBIOS
Windows (WINS), DNS,
Windows- DNS. Active
Directory Windows 2000 Windows Server 2003. 3 , Windows
Server 2003 DNS , .
Active Directory
DNS.
DNS ,
Windows Server 2003.
DNS Active Directory
DNS.
, BIND
DNS. , DNS-
Microsoft Active Directory DNS.
, , . DNS -
SRV. , , , DNS
(, IP
DNS) (incremental) .
BIND DNS, BIND 8.1.2 SRV .
BIND 8.2.1 .
BIND, DNS- BIND. (
DNS- Lucent VitalQIP, 5.2 BIND
8.2.2.)
. DNS
, DNS- Windows Server 2003
DNS- Microsoft,
.
DNS- BIND, DNS- ,
DNS Microsoft.
, DNS
Microsoft.
:
, DNS-. DNS-
SRV, Active Directory Windows Server 2003
DNS. , DNS
. ,
Active Directory.
: DNS- , Active
Directory?.
, ,
.
, : DNS-

?.
Windows Server 2003
,
Active Directory. DNS-
DNS.
Active Directory .
DNS- BIND,
- .
DNS DNS- Microsoft
DNS- BIND .
, DNS- ,
, .
DNS Windows Server 2003 BIND
DNS. DNS- BIND
. , Contoso BIND
Contoso.com. Active Directory
DNS- Windows Server 2003, .
Contoso Contoso.com DNS- Active Directory,
DNS- Windows Server 2003 DNS BIND
. DNS- Windows Server 2003
DNS- BIND.
. DNS- BIND DNS- Windows
Server 2003 . DNS-
, .
Active Directory, DNS-
BIND . Active
Directory .
Contoso Active Directory, ,
, DNS- BIND. , Contoso.net
DNS- Active Directory. DNS- Windows Server
2003 Contoso.net, BIND -
Contoso.com. DNS- Windows Server 2003
DNS- BIND Contoso.com.
Active Directory AD.Contoso.com
. DNS- BIND Contoso.com
, AD.Contoso.com DNS Windows Server
2003. DNS Windows Server 2003
, DNS- BIND.
. , DNS,
DNS. DNS-,
, : BIND Windows
Server 2003. DNS Windows Server 2003
DNS, DNS BIND Active Directory.

,
OU . 2 , OU
.

.

Active Directory
Windows NT , ..
.
,
. OU Active Directory -
. OU,

.
OU,
. ,
. OU,
(Group Policy),
. ,
. ,
, OU,
, OU
.
.
OU DNS. OU
DNS. ,
OU=ManagersOU,OU=AdministrationOU,DC=Contoso,DC=Com.
Contoso.com DNS--, LDAP-
DNS OU.
.
Group Policy ( ),
OU, OU.
.
OU .
Active Directory,
GC-. OU,
Active Directory.
Active Directory, ,
OU . OU
Move ()
.

OU
OU .
.
. OU

. ,
.
, .
, .
OU
. -
OU.
, OU, , .

, OU .

(IT).

, -- .
OU, 1-
, .

OU,
OU
. , Windows NT
Active Directory, , ,
.
, , ,
.
. ,
,
.
OU Active Directory
.
OU. OU ,
.
OU,
OU -
. OU ,
, ,
. ,
OU, , ,
. 9
. OU.

, . ,
OU
. OU .

OU,
OU .
.

, .
, ,
. Active Directory
OU,
OU. OU ,
. ,
, ,
.
(mapped drives). ,
. ,
. , OU
, .
OU ,
, .
OU. ,
OU,
. ,
, OU
OU. OU ,
.
11, 12, 13 , .

OU
OU .
- OU, . OU
- :
.
OU, , ,
. ,
. OU, , ,
,
. (
) , OU
.
OU, , ,
. ,
,
OU, .
OU .
OU .
,
.
, , , OU
.
,
. - OU
, , OU
, . OU
, ,
OU, .
5-11 OU . OU Domain
Controllers OU (OU ) ( OU) OU
. OU OU
(Service Account), .
OU ,
, . OU
OU , .
OU OU ,
. , ,
.

. 5-11. OU

OU
. OU -
, . OU
OU,
. OU
, . OU
OU.
OU - .
OU OU, ,
.
OU -
OU Windows NT, Windows 2000, Microsoft Windows XP
Professional OU .
OU - , OU.
, , .
OU .
(), ,
OU , ,
, , OU.
. , ,
OU. ,
. OU,
, , - .
OU, .
OU, OU OU.
OU , ,
OU. , OU,
.


Active Directory
. Active
Directory, ,
.

Active Directory
Active Directory
. .
,
, .
,
.
, , ,
.
, Active Directory,
(DFS - Distributed File System),
, .


,
.
:
(WAN) (LAN),
,
;
,
.
, ,
. , ,
.

512 /.
10 /;
, ,
IP.


, .
,
. ?
, ?
?
, - GC-.
,
, ,
. ,
. :
?
.
,
, .
Windows Server 2003 ,
?
. Active Directory ,
, , .
, OU
. ,
WAN-,
. ,
Active Directory, .
Active Directory .
Active Directory IP,
, .
- , ,
, IP .
, , .
.
.
, . -
(bridgehead servers) ,
Active Directory, , -
.
,
.
, Active Directory .
,
.
5-1.

. 5-1.

Link speed                   Cost
Above 10 Mbit/s              10
10 Mbit/s to 1.544 Mbit/s    100
1.544 Mbit/s to 512 Kbit/s   200
512 Kbit/s to 128 Kbit/s     400
128 Kbit/s to 56 Kbit/s      800
Below 56 Kbit/s              2000

, 5-1,
. , ,
, . ,
, ,
.
Active Directory (site link
bridging) . ,
, ..
, ,
. . ,
. ,
(hub sites)
,
(. . 5-12). ,
. ,

, , ,
.
5-12 -
.

, -
- - ,
. ,
. ,
, .
,
Active Directory Sites And Services ( Active Directory)
IP- Inter-Site Transports ( ).
General () IP-Properties ( IP) Bridge All Site Links
( ). ,
. ,
,
, .

. 5-12.

. Bridge All Site Links,


, .. .
,
. !


,
Windows Server 2003, .
, ,
.

DNS-
, DNS - Active Directory Windows Server
2003. DNS Active Directory,
. DNS
,
.
DNS Windows Server 2003 .
DNS- , . ,

- , .
DNS- , ,
.
DNS- , ,
, . DNS-
Active Directory.
,
.
.
,
.
Active
Directory . ,
()
. 100
.
, ISTG ( )
, , ,
. ,
6 ,
, -
.
.
, ,
,
.
Windows Server 2003 ,
Active Directory , Windows 2000.
,
ISTG, ,
. Active
Directory
.
, Active Directory
.
, Active Directory Branch Office
Planning Guide ( Active Directory ),
Microsoft http://www.microsoft.com/windows2000/techinf/planning/activedirectory/branchoffic/default.asp.
Windows 2000, Windows Server
2003.


, ,
. , , .
-, . -,
WAN-
.
. ,
, .
,
. , , ,
, ,
.
, , .
,
. -,
, . -,
IP .
,
. ,
, , ,
, . -

,
.
, .
. -

. ,
,
.
, .


GC- , (native)
Windows 2000,
Active Directory. Windows
2000, GC- .
, GC- .
, GC--
. , -
GC- GC- .
Active Directory Windows Server 2003 ,
GC-
. ,
.
,
GC-.
.
8 GC .
,
Active Directory Sites And Services ( Active Directory)
, .
NTDS Site Settings (NTDS ) Properties
() (. . 5-13). Site Settings ( )
Enable Universal Group Membership Caching (
) Refresh Cache From ( ) ,
GC-.
. 5-13.

. Exchange Server 2000 GC-. Exchange Server 2000 , GC.
GAL, , GC. Exchange
Server 2000 , ,
GC. Exchange Server 2000, GC
, Exchange Server 2000, GC .



(PDC). ,
Windows 2000 Windows
Server 2003, (BDC) Windows NT4
PDC . ,
Directory Services Client
( ), PDC,
. PDC
. , . PDC
,
.
. ,
, .
,
(RID) ,
.
. , , ,
.
,
.
,
.
RID
(RPC).
RID, RPC ,
RID.
GC-,
.
. ,
, ,
.
GC-, , GC
.
, ,
.
,
, .

Active Directory - . ,
Active Directory ,
. ,
, , DNS , , OU. ,
,
Active Directory.
6. Active Directory
Active Directory , Microsoft
Windows Server 2003, .
Active Directory. Active Directory Windows
Server 2003, .
, ,
.
,
. ,
Microsoft Windows NT4,
Active Directory ,
Windows Server 2003.
, Active Directory
Installation Wizard ( Active Directory),
Active Directory:
. Active Directory
.

Active
Directory
, Windows Server 2003 ,
, Active Directory .
,
Active Directory.
: Active Directory,

LDAP.
2 ,
Ntds.dit. Windows Server 2003 Ntds.dit
%systemroot%\system32 . Active Directory- Ntds.dit
, ,
%systemroot%\NTDS, . Ntds.dit,
Windows Server 2003, Active Directory
.
. Active Directory
, (DNS)
. ,
- Windows Server 2003 .
, , Active Directory
Windows Server 2003.


, Active Directory,
,
(GC). Active Directory ,
Windows Server 2003,
:
15 - ;
250 - Active Directory Ntds.dit;
50 -
(ESENT). ESENT
,
(rollback),
.
Sysvol
NTFS v.5 (
NTFS, Microsoft Windows 2000 Windows Server 2003).
.
Active Directory
. Active
Directory, Planning Domain Controller Capacity (
) www.microsoft.com/technet/prodtechnol/windowsserver2003/evaluate/cpp/reskit/adsec/parti/rkpdscap.asp.


Windows Server 2003 Active Directory ,
.
, UNC IP-
Windows Explorer Ping (,
ping 192.168.1.1).
, .
Network Monitor ( )
,
, .
. Network Monitor Windows Server
2003. Windows Components Wizard (
Windows) Add/Remove Programs (/ ) Control
Panel ( ).

"Network Monitor" ( ) Windows Server 2003 Help and Support Center
( Windows Server 2003).
Active Directory
Local Area Connection Properties ( ).
, Local
Area Connection ( ) Network Connections ( )
Control Panel Properties (). Local Area Connection Properties
Internet Protocol (TCP/IP) ( ), Properties.
Internet Protocol (TCP/IP) Properties ( ), .
General () IP- .
, , DNS,
General DNS, IP-
DNS, (authoritative) .
DNS
Active Directory.
Advanced TCP/IP Settings ( TCP/IP)
Advanced () General, WINS
, IP- Windows
(WINS), .

DNS
, Active Directory DNS
. DNS ,
- , ,
. , DNS
(SRV) .
DNS , Active Directory
DNS Active Directory.
DNS , ,
Active Directory. Dcdiag (
, \Support\Tools\ Support.msi
- Windows Server 2003). :
dcdiag /test:dcpromo /dnsdomain:domainname /newforest
, DNS-
domainname .
dcdiag
dcdiag /? .
DNS , DNS
Active Directory. , ,
DNS, DNS,
(. . 5
DNS).
DNS Active Directory,
DNS ,
Active Directory. Internet Protocol (TCP/IP) Properties ( -
) Preferred DNS Server ( DNS) IP-
(. . 6-1).

. 6-1. DNS


Active Directory,
.
. Active Directory
. ,
,
.
,
, .
,
. ,
Enterprise Admins (
). ,
,
NTDS Setting ( NTDS) .
Domain Admins ( ) .
Active Directory
Active Directory,
.
,
. Active Directory , DNS
,
DNS, DNS- .
Active Directory:
Configure Your Server Wizard ( );
Active Directory Installation Wizard ( Active Directory);
.


Manage Your Server ( ) ,
Windows Server 2003.
, ,
(. . 6-2).

. 6-2. Manage Your Server ( )

Manage Your Server .


, Typical Settings for a First Server (
) .
,
DNS DHCP. Active Directory
, Active Directory Installation
Wizard ( Active Directory). Active Directory
, Configure Your Server Wizard (
) .

Active Directory
Active Directory Installation Wizard ( Active Directory) ,
dcpromo.exe Run . Dcpromo.exe
:
/answer[:answerfile]
Active Directory. ,
, ;
/adv Active Directory ,
.
/adv,
.

Active Directory.


Active Directory ,
, dcpromo.exe /answer:answerfile, answerfile ,
.
,
Active Directory. , ,
, ,
.
.

Active Directory, (Configure Your


Server Wizard), Manage Your Server (
) Configure Your Server Wizard Administrative Tools (
).
Active Directory, Configure Your Server Wizard,
.
1. Manage Your Server Add Or Remove A Role (
) Configure Your Server Wizard Administrative Tools.
.
2. Preliminary Steps ( ) Next ().
, Local Area Connections
( ).
3. Active Directory, DNS
(DHCP), Configuration Options (
) Typical Configuration For A First Server (
). Active Directory, Custom
Configuration ( ), Next (. . 6-3).
, Custom configuration.

. 6-3. Configuration Options ( )


4. Server Role ( ) Domain Controller ( ),
Next (. . 6-4).

. 6-4. Server Role ( )

5. Summary Of Selections ( )
Next.
Applying Selections ( ).
6. Welcome ()
Active Directory (. . 6-5). ,
Active Directory
Run ().
Active Directory . Active
Directory, Finish (). Active
Directory , ,
.

. 6-5. Welcome () Active Directory


Active
Directory
Active Directory .
.
, ,
Active Directory.
Active Directory, dcpromo
Run () . Active
Directory.


, Windows Server 2003, , ,
Windows,
Active Directory ,
. ,
Windows Server 2003,
: (Server Message Block SMB),
.
.
Windows
SMB, :
Microsoft Windows for Workgroups;
Microsoft Windows 95 Windows 98;
Microsoft Windows NT 4 (Service Pack 3 ).
, ,
,
Windows Server 2003 (. . 6-1).

. 6-1. Active Directory



Windows for Workgroups .
Windows 95/Windows 98
() Directory
Services Client ( ).
Windows NT 4
() Service Pack
4 ( ).

Directory Services Client ( ) ,


(Microsoft Windows 95,
Windows 98 Windows NT 4) Active Directory. (
(DFS) ).
Active Directory http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp
Directory Services Client
Windows NT 4 SP6a. , Directory Services
Client Active Directory Client Extension,
- Microsoft.
6-6 Operating System Compatibility (
).

, , -
.
(. . 6-7).
.
, ,
, ,
, .
, Active Directory
.

. 6-6. Operating System Compatibility ( )

. 6-7. Domain Controller Type ( )

, ,
,
(. . 6-8).
Active Directory (. . 5), .

,
.
.
. 6-8. Create New Domain ( )


DNS
NetBIOS (. . 6-9). .
DNS ,
, DNS.
, NAmerica Contoso.com,
DNS, , NAmerica.Contoso.com.
Z, 0 9
(-). DNS (, [.])
63- .

. 6-9. New Domain Name ( )

DNS , NetBIOS (. . 6-10).


NetBIOS Windows
. NetBIOS,
DNS. NetBIOS ,
. , NetBIOS .
. 6-10. NetBIOS Domain Name ( NetBIOS )
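The naming rules above, as a validator. This is an added example, not code from the book or from the Active Directory Installation Wizard. The DNS label rules it applies (1 to 63 characters from A-Z, 0-9 and hyphen, no leading or trailing hyphen, 255 characters in total) are the ones the text states plus the standard hostname restrictions; the NetBIOS rule set (at most 15 characters, none of the characters \ / : * ? " < > |, no whitespace) and the way the default NetBIOS name is derived (first DNS label, upper-cased, cut to 15 characters) are this example's assumptions about what the wizard accepts and proposes. Python is used for this and the other added examples in this chapter because the examples model formats and algorithms rather than commands typed at a Windows console.

```python
import re

# Assumed DNS label rules (see lead-in): 1..63 characters of A-Z, a-z, 0-9 and hyphen,
# not starting or ending with a hyphen; the whole name is at most 255 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Assumed NetBIOS restrictions: at most 15 characters, none of these, no whitespace.
NETBIOS_FORBIDDEN = set('\\/:*?"<>|')


def validate_dns_domain(name: str) -> list:
    """Return the problems with an Active Directory DNS domain name; an empty list means it is usable."""
    problems = []
    name = name.rstrip(".")            # a trailing dot only marks the root; ignore it
    if not name:
        return ["empty name"]
    if len(name) > 255:
        problems.append("name longer than 255 characters")
    labels = name.split(".")
    if len(labels) == 1:
        # A single-label domain ("contoso") is legal DNS but a poor AD name: it has no parent
        # to be registered under and clients resolve it unreliably.
        problems.append("single-label name; use a child of a registered name such as contoso.com")
    for label in labels:
        if not label:
            problems.append("empty label (two dots in a row)")
        elif len(label) > 63:
            problems.append(f"label starting '{label[:8]}' is longer than 63 characters")
        elif not LABEL_RE.match(label):
            problems.append(f"label '{label}' must use only A-Z, 0-9 and hyphen and not start or end with a hyphen")
    return problems


def default_netbios_name(dns_name: str) -> str:
    """The NetBIOS name proposed for a DNS name: leftmost label, upper-cased, cut to 15 characters (assumption)."""
    return dns_name.split(".")[0].upper()[:15]


def validate_netbios_domain(name: str) -> list:
    """Return the problems with a NetBIOS domain name; an empty list means it is usable."""
    problems = []
    if not 1 <= len(name) <= 15:
        problems.append("NetBIOS name must be 1 to 15 characters")
    bad = "".join(sorted(NETBIOS_FORBIDDEN & set(name)))
    if bad:
        problems.append(f"forbidden characters: {bad}")
    if any(c.isspace() for c in name):
        problems.append("whitespace is not allowed")
    return problems
```

Run the two validators on the DNS name and on the NetBIOS name you intend to type into the wizard; the DNS name cannot be changed later without the Domain Rename procedure described in chapter 7, so rejecting a bad choice here is much cheaper than renaming.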


Active Directory
Active Directory (Ntds.dit), Active Directory
Sysvol. (. . 6-11).

. 6-11. Database And Log Folders ( )

%systemroot%\system32. Active
Directory , .
Sysvol - %systemdrive%\Windows.
Sysvol ,
NTFS v5. Sysvol ,
Active Directory, , (. . 6-12).

DNS-
Active Directory , DNS, -
. DNS
SRV. Microsoft .
DNS Microsoft,
DNS-, Windows NT 4 (SP4), Windows 2000 Server Windows Server 2003.
. 6-12. Shared System Volume ( )

, Active Directory, DNS-,


Active Directory , DNS-
, DNS
Active Directory. (
, , DNS ,
.) DNS , ,
DNS Registration Diagnostics ( DNS) Active
Directory .
DNS DNS.
Active Directory
DNS . 6-13 DNS,
Active Directory
. , ,
DNS- ,
, DNS .
,
DNS , DNS DNS
Active Directory. DNS Active Directory,
, .
DNS-cep-
( TCP/IP) DNS-.
( IP-
Active Directory.)

, 6-13. DNS Registration Diagnostics ( DNS)


Active Directory
. DNS
Active Directory, DNS Active Directory.
Active Directory . .
3.



, Windows Server 2003 Windows 2000,
, , Windows NT 4.

.
, Windows 2000 (Microsoft SQL-
Remote Access Service, RAS), Active Directory ,
.
Everyone () Anonymous Logon
( ) Pre-Windows 2000 Compatible Access (,
, Windows 2000).
Active Directory
. Permissions ()
(. . 6-14):
Permissions Compatible With Pre-Windows 2000 Server Operating Systems (,
, Windows 2000);
Permissions Compatible Only With Windows 2000 Or Windows Server 2003 Operating Systems
(, Windows 2000
Windows Server 2003).

. 6-14. Permissions ()

? Windows NT,
, Windows NT ,
: Permissions Compatible With Pre-Windows 2000 Server
Operating Systems. Windows 2000 Windows Server
2003, , , Windows
2000, , Permissions Compatible Only With Windows 2000 Or Windows Server 2003
Operating Systems. ,
Active Directory, .
Windows 2000 Windows Server
2003, Windows Server 2003
. Pre-Windows
2000 Compatible Access (, , Windows 2000).
Windows Server 2003 SID Everyone ()
Anonymous Logon ( ).
Active Directory
Users And Computers ( Active Directory), Builtin
( ), Pre-Windows 2000 Compatible Access
( Name () ). Members ()
SID Remove ().
:
net localgroup "Pre-Windows 2000 Compatible Access" Everyone "Anonymous Logon" /delete

, ,
.
Finish Replication Later
( ). ,
.

. 6-15. Directory Services Restore Mode Administrator Password (


)

,
, Active Directory Windows Server 2003

, .
. Active Directory
Active Directory Users And Computers ,
, Administrator
Domain Admins, Enterprise Admins.
Authenticated Users ( ) Interactive
(). ,
. ,
.
Active Directory Users And Computers.
-
, View (), Advanced Features ( ).
. Foreign
Security Principals ( ). S-1-5-11 S-1-5-4,
Authenticated Users SID Interactive SID, .
,
.

Active Directory ,
/answer[:filename] Dcpromo. .
, .
Active Directory Windows Server 2003
. E:\I386\winnt32 /unattend[:unattend.txt],
unattend.txt - , Windows Server 2003.
(, CD-ROM , .)
Unattend.txt [DCInstall], Active Directory.
Active Directory
Windows Server 2003, , [DCInstall].
Run dcpromo /answer:answerfile (
answerfile - ). ASCII-,
, Active
Directory. , DNS
, :
[DCInstall]
UserName=admin_username
Password=admin_password
UserDomain=admin_domain
DatabasePath=
LogPath=
SYSVOLPath=
SafeModeAdminPassword=password
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=DNSdomainname
DNSOnNetwork
DomainNetbiosName=NetBIOSdomainname
AutoConfigDNS=yes
AllowAnonymousAccess=yes
CriticalReplicationOnly=yes
SiteName=
RebootOnSuccess=yes
, ,
, . , ,
, ( ,
).
<
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b223757.
ReplicationSourcePath ,
, .
, ,
. ( ,
Active Directory.)
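A reviewer's check over such an answer file. This is an added example, not part of the book and not part of dcpromo: it parses the [DCInstall] section with Python's configparser and flags the settings that matter for security: credentials kept in clear text (the text above notes that the file may contain passwords), an empty Directory Services Restore Mode password, and AllowAnonymousAccess=yes, which selects the pre-Windows 2000 compatible permissions discussed earlier in this chapter. The key names are dcpromo's own; the severities, the choice of which keys count as secrets, and the sample file below are this example's constructions.

```python
import configparser
from dataclasses import dataclass

# [DCInstall] keys that carry a credential in clear text (key names are dcpromo's own;
# treating exactly these as sensitive is this example's assumption).
SECRET_KEYS = {"password", "safemodeadminpassword", "administratorpassword"}

# Constructed sample answer file for a new forest; not taken from the book.
SAMPLE_ANSWER_FILE = """\
[DCInstall]
UserName=admin_username
Password=P@ssw0rd
UserDomain=admin_domain
DatabasePath=
LogPath=
SYSVOLPath=
SafeModeAdminPassword=
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
DNSOnNetwork
DomainNetbiosName=CONTOSO
AutoConfigDNS=yes
AllowAnonymousAccess=yes
CriticalReplicationOnly=yes
RebootOnSuccess=yes
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    key: str        # lower-cased answer-file key the finding refers to
    message: str


def parse_answer_file(text: str) -> dict:
    """Return the [DCInstall] section as {lower-cased key: value}; keys given without '=' map to ''."""
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.read_string(text)
    section = next((s for s in parser.sections() if s.lower() == "dcinstall"), None)
    if section is None:
        raise ValueError("no [DCInstall] section in answer file")
    return {key: (value or "").strip() for key, value in parser.items(section)}


def review_answer_file(text: str) -> list:
    """Security review of a dcpromo answer file; returns Finding objects, most serious first."""
    settings = parse_answer_file(text)
    findings = []
    for key in sorted(SECRET_KEYS & set(settings)):
        if settings[key]:
            findings.append(Finding("high", key,
                "credential stored in clear text; restrict who can read the file and delete it once promotion is done"))
        elif key == "safemodeadminpassword":
            findings.append(Finding("medium", key,
                "empty DSRM password; anyone at the console could boot into Directory Services Restore Mode"))
    if settings.get("allowanonymousaccess", "").lower() == "yes":
        findings.append(Finding("high", "allowanonymousaccess",
            "pre-Windows 2000 compatible permissions: Everyone and Anonymous Logon are placed in "
            "Pre-Windows 2000 Compatible Access, so unauthenticated users can read user and group data"))
    if settings.get("criticalreplicationonly", "").lower() == "yes":
        findings.append(Finding("info", "criticalreplicationonly",
            "only critical data is replicated before the reboot; the new DC is incomplete until replication finishes"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda finding: order[finding.severity])
```

Unattended promotion cannot avoid putting some secret in the file, so the practical outcome of a "high" finding on a password key is an operational one: keep the file on media that leaves with the administrator, and remove it from the server as soon as dcpromo has read it.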
Active Directory
.
. Active
Directory, Deploy.cab Support\Tools -
Windows Server 2003, Explore () .
Ref.chm, Extract (),
Ref.chm . Deploy.cab Setupmgr.exe,
Setup Manager ( ), GUI,
Unattend.txt, Windows Server 2003 ( [DCInstall]).
Microsoft Windows Corporate Deployment Tools User's Guide (
Microsoft Windows),
,
[Unattended] [DCInstall] Unattend.txt.
Active Directory

Windows Server 2003 ,
Active Directory, '

. ,
.

. , ,
.

.
.
, ,
,
. ,
Active Directory. ,
- , 60 .
Windows Server 2003
, ;
Windows 2000 . ,
,
, ( UNC (mapped
drives) /adv).
Active Directory . . 15.
,
.
1. System State ( )
.
, ( ) ,
Windows Server 2003 .
2. Active Directory
Run, /adv dcpromo /adv.
3. Domain Controller Type ( ) Additional Domain
Controller For An Existing Domain (
).
4. Copying Domain Files ( )
.
5. Copy Domain Information ( )
.
6. Active Directory ,
.

.
Sysvol, ,
. , ,
, ,
.
.
, ,
Active Directory, Active Directory Branch Office Guide
( Active Directory )
http://www.microsoft.com/windows2000/techinf/planning/activedirectory/branchoffice/default.asp.
,
Active Directory
.
.

Active Directory
Active Directory ,
-Dcpromo.exe.
, , Active Directory
, , Active Directory
. , ,
Active Directory, .
Active Directory.
, Active Directory?
, , Active Directory, ,
SAM,
. ,
.
Active Directory , dcpromo
Run. ,
.
6-16 .

. 6-16.

Active Directory ,
. - ,
. ,
, , .
, Active Directory, DNS,
, , ,
. 6-17 DNS ,
Active Directory.
,
. Summary
(),
Active Directory . .
-
.
. 6-17. DNS


Active Directory - ,
Active Directory .
,
, .
Active Directory.
.
Sysvol .
NTDS Settings ( NTDS) .
DNS SRV .
SAM .
, Active Directory (, Net Logon
- ), .
- ,
Domain Controllers (
) Computers (). Active Directory
, Domain
Admins Enterprise Admins.
. Active Directory
, GC. GC
, ,
.



. . ,
, . ,
, .
Active Directory ,
. Active Directory , .
, , ,
, .
, , .
.
Active Directory ,
.
Workgroup ( ).
,
,
Enterprise Admins ( )
Active Directory.
Active Directory ,
Administrator (), Domain Admins
( ).

Active Directory
Active Directory ,
. .
.
Active Directory,
Run, dcpromo /answer:answerfile ( answerfile
, ). ,
. IsLastDCInDomain . Yes ()
No (). Yes, ,
Active Directory
. ,
, :
[DCInstall]
RebootOnSuccess=Yes
IsLastDCInDomain=No
AdministratorPassword=password
Password=password
UserName=Administrator

, Active
Directory Windows Server 2003. Active Directory
, Active Directory.
Active Directory ,

. Active Directory

. ,
, .
7. Active Directory
6 ,
Active Directory .
, , ..
. Active
Directory DNS.
. , , Active Directory Microsoft Windows Server
2003, . Active Directory
Windows Server 2003 Microsoft, ,
(SAM) Microsoft Windows NT 4 Active Directory
Microsoft Windows 2000. ,
Microsoft, Novell Directory Services (NDS) NetWare 3 Bindery,
UNIX, .
. - Microsoft ,
Windows Server .
UNIX Linux - Windows Migrating to
Windows from UNIX and Linux ( Windows UNIX Linux) http://www.microsoft.com/windows2000/migrate/unix/default.asp.
Novell Netware NetWare to Windows 2000
Server Migration Planning Guide ( NetWare Windows
2000 Server) http://www.microsoft.com/windows2000/techinfo/planning/incremental/netmigrate.asp. Windows 2000 Server,
Windows, Windows
http://www.microsoft.com/windows2000/migrate/.
Active Directory Windows
Server 2003. ,
.
. Windows NT 4.
, ,
. Active Directory Windows Server 2003 Active
Directory Windows 2000, .
Windows 2000 . ,
, , , Windows
NT 4 Windows Server 2003.
, , Windows 2000 Server
Windows 2000 Server, Windows 2000 Advanced Server Windows 2000 Datacenter Server.


,
, -
Active Directory Windows Server 2003. ,
, - , .
, .
. ,
.
,
.
:
;
;
.
Windows Server 2003
. Windows NT 4
SAM Active Directory Windows Server 2003. ,
Windows NT 4 Windows 2000 Windows Server 2003 .
.
, .
.
( ) Active Directory
Windows Server 2003 ( ). .
.
, ,
, .
, ,

. .
-
, . ,
Windows NT 4,
Windows Server 2003.
, .
.


, (in-place),
. .
Active Directory
Windows Server 2003.
, . -
NAmerica Contoso.com, Windows NT 4,
NAmerica Windows Server 2003.
.
. (source domain)
, , .. . ,
, (target domain) - .
Active
Directory, .

Windows NT 4
Windows NT 4
Active Directory Windows Server 2003. , Windows NT 4 Server
(NOS) .
Microsoft Windows NT 4 Server

. Windows Server 2003 ,
Windows 2000, Active Directory Windows Server 2003.

Windows 2000 Server


Windows 2000 Server,
Windows Server 2003.
, Windows 2000,
Windows NT Server 4. , Active Directory
Windows Server 2003 Windows 2000,
, Active Directory Windows Server 2003.
.
, Active Directory Windows Server 2003, . . 1.
Windows NT 4 Active Directory
. ,
Active Directory Windows Server 2003. Windows 2000 Server
? , ,
Windows NT 4 Server , -
. Windows 2000 Server, ,
NOS, a , .
Windows 2000 Server Windows Server 2003 :
Active Directory Windows Server 2003. \I386 - Windows
Server 2003 : ForestPrep DomainPrep.
.
.
Windows NT 4 Windows 2000 Windows Server 2003 Active
Directory . Active Directory
Domain Rename ( ).
, Windows Server 2003,

. :
-
;

;
.

,
, .
Windows Server 2003 Domain Rename
( ). Rendom.exe Gpfixup.exe -
Windows Server 2003 \VALUEADD\MSFT\MGMT\DOMREN.
Domain Rename - Microsoft http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx. Domain
Rename Windows Server 2003 Windows 2000.
Domain Rename
Understanding How Domain Rename Works (
) http://www.microsoft.com/windowsserver2003/docs/Domain-Rename-Intro.doc.
Domain Rename Step-by-Step Guide to
Implementing Domain Rename (
Domain Rename) no
http://www.microsoft.com/windowsserver2003/docs/Domain-Rename-Procedure.doc.


Windows Server
2003, .
, Windows NT 4 ,
(pristine forest). , ,
, -
: , . -
, ,
. ( , ..
Windows NT 4 Windows Server 2003 Active Directory.)
- , ,
, .
,
.


, , ,
(security principals), SAM Windows NT 4 Server
Active Directory. :
, .
. - ,
, , .
,
, .
Windows Server 2003 .
, , Windows
Server 2003 Windows 2000 Windows Server 2003.
, ,
.
. SID-History

,
?
.
Windows NT 4 Windows Server
2003. ,
. , X
,
, Windows NT 4 Server,
. X
?
, SID-History.
SID-History Active Directory,
(SID) .
X Windows NT 4 SID, S-1-5-21-2127521184-1604012920-1887927527-324294,
SID-History Windows Server 2003.
Windows NT 4 Active Directory SID
Windows NT 4 SID-History .

, Windows Server 2003.
, , Windows NT 4,
. SID,
, SID .
? X
, Windows NT 4,
,
.
SID X SID , ,
SID-History .
(DACL -
discretionary access control list) SID
( SID-History),
.
? .
, ? .

. , ,
,
. , ,
, SID-History .
Active Directory Migration Tool (
Active Directory, ADMT).
SID-History ? :
. SID
. X . SID-
History ? :
, , ..
SID SID-
History. , Active Directory ,
SID , : SID
SID-History.
, .


. Windows NT 4 Windows Server 2003
Active Directory.
Windows Server 2003.
(, , )
( ,
, ).
Windows NT 4 Windows Server 2003
.
- , , .
,
- .
, :
NOS, , - ,
.


, ,

. ,
Windows NT 4 ,
Windows NT 4 Windows Server 2003.
Windows NT 4 ,
, ,
(OU).
.
, .



.
1. ?
Windows NT 4 ?
2. ?
3. ?
4. ?
5. ?
6. ?
7. , Windows
Server 2003, ?
, ,
, -
. ,
, ,
(. . 7-1).

. 7-1.


, ,
.


,
Windows Server 2003,
. ,
. - ,
Windows Server 2003.


,
.
Windows NT 4 Server, .
.
. ,
(PDC), (BDC),
, PDC, .


,
, .
, , ,
, . ,

, .
, , ,
. , -
, , .


, ,
, .
Windows Server
2003. .
,
NOS. Windows
NT 4 (
). , ,
, ,
.


, ,
. ,

, .


, ,
. ,
; , NOS
,
( , - ..).
Windows Server 2003,
.
,
. ,
, (
),
(
).

, Windows Server
2003
- , ,
, ,
Windows NT Server 4 .
, ,
. ,
Windows Server 2003 ,
. ,
Windows Server 2003, :
,
; - ( );
,
Windows NT Server 4, . ,
, Windows NT 4,
- , Windows Server 2003.
. BDC Windows NT 4 Windows Server 2003 ,

Windows 2000 mixed () , Windows 2000 Server,
Windows Server 2003 interim ().


,
.


Windows NT 4
: - , ,
.,
,
. Active Directory,
. ,
Active Directory ,
, ,
.


,
. , ,
. , ,
.
, , .
? , ,
.

,
.
-
, , .


, ,
, ,
,
. ,
, , , ,
.

,
.


, ,
. , ,
,
. ,
- , .
,
- , ,
,
.
, ,
. ,
.


,
. , ,
,
. Windows NT 4,
, , .

, Windows NT 4 Server
,
Windows NT 4 Server, , ,
, .
,
,
- , ,
Windows Server 2003.


, ,
,
, , ,
. ,
Active Directory (
, , ),
(
,
).
, , :
Windows Server
2003? ( ,
,
, , .) - , ,
.
.
.
,
. , -
? - SAM (
80 , ,
, 40 - ).
Windows NT 4,
.
- .
,
(, ..)
, .
.
, .
,

Active Directory. Active Directory Windows Server 2003
,
, .
OU ,
Windows NT 4,
Domain Admins
( ). Windows NT 4
Active Directory .
, .
,
Windows NT 4 Windows Server 2003.

Active Directory
Windows NT 4 Windows Server 2003 Active Directory
.
1. .
2. .
3. .
, ,
.
.
.
Windows NT 4 Windows Server 2003 Upgrading
Windows NT 4.0 Domains to Windows Server 2003 ( Windows NT 4.0
Windows Server 2003) http://www.microsoft.com/technet/prodtechnol/windowsserver2003/evaluate/cpp/reskit/ad.
Domain Migration Cookbook ( )
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.
Windows 2000 Server,
Windows NT 4
. Windows
Server 2003.


Windows Server 2003 Active Directory,
,
.
, .
,
.


Active Directory
. , ,
, ,
. , ,
.
,
.
, ,
Active Directory.
, .
Windows NT 4.
. ,
.
,
, :
o ( );
o (
);
o , ,
;
o ,
;
o ,
.
Windows NT 4. ,
, , .
, .
:
o DNS;
o (DHCP), a
(scope);
o Windows (WINS);
o (RAS) (. );
o .
. RAS- Windows NT 4 NULL-
,
(call-back) . Active
Directory NULL-.

,
. RAS-
, RAS- Windows NT 4.
,
Active Directory, Permissions Compatible
With Pre-Windows 2000 Server Operating Systems (,
, Windows 2000 Server)
Active Directory.
Windows NT 4 Server
. ,

. , ,
, ,
Windows Server 2003.
,
. - ,
:
o ;
o ;
o ;
o NOS, . ( ,
NOS,
.);
o , . ( ,
.);
o , ,
Windows NT 4. ( ,
Windows Server 2003 .)
- .
, . ,
, , .. ,
.


- .
,
. ,
.
, :
PDC BDC, , ,
,
, .
, , ,
, .
, ,
, .
.
.
,
.
.
,
.
1. Windows NT 4 Server
Contoso.
2. Contoso.
3. BDC DC7 .
, .
DC7,
.
4. DC7 .
.
5. Server Manager ( )
, PDC DC1
NOS.
6. NOS DC1,
. ( Active Directory
.)
7.
DC1
.
,
, ( ,
DNS, WINS, RAS).
Active Directory Users And Computers (
Active Directory). ,
.

Upgrade1, = P@ssw0rd.
.
, .
\\ ITStaff\Policies\
PersonalSoftware.doc. .
? ? -
?
. ,
, . ,
.
. , ,
Upgrade1.
,

.

,
,
, . ,

(LAN), - , -
.
, , ,
, , , ..


, , ,
, , ,
.
, ,
, ,
.
, .

Active Directory.

,
.
1. BDC Windows NT 4 .

.
2. BDC PDC. ,
SAM .
3. PDC.
, , .
4. BDC
. SAM,

.
5. BDC
. SAM.
, Windows 2000
(interim) Windows Server 2003 (
Windows 2000 Server).
, Windows Server 2003
BDC .
PDC ,
.
1. . PDC
Windows NT 4 .
2. BDC PDC .
SAM
BDC Windows NT 4.
, , Windows NT 4,
. ,
,
.

Windows NT 4 Active Directory Windows Server
2003, .
- - , Windows NT 4
. ,
,
Windows NT 4.

, .
1. BDC Windows NT 4,
. ,
.
2. BDC PDC.
SAM.
3. PDC.
, , .
, ,
Windows NT 4, ,
. SAM Windows NT 4
,
. ,
User Manager ( ), .


.
, .
,
.

, Active Directory.
.
, .
, Windows NT 4
. ,
, , .
. ,
. ,
.


,
.

.
.
.
.
.

.
.
. .
. ,
, .
.
, .
,
, Active Directory Windows Server 2003.


- Windows Server 2003. (
- NOS.) ,
Windows NT 4 Server Windows 2000 Server, NOS
Active Directory .
Active Directory Windows Server 2003.
.
Active Directory . . 5.
Active Directory . . 6.
Windows .
Windows NT 4
Server, Windows 2000 Server.
. , Windows NT 4,
Windows Server 2003. Windows NT 4
Service Pack 5 ( )
.

Windows NT 4 Server
Windows NT 4 Server Active Directory Windows Server 2003
,
. ,
Windows NT 4 Server Active Directory.
.
Active Directory Windows Server 2003.
Windows NT 4 Server Windows Server 2003,
NOS.
(
) Installing and Upgrading the Operating System (
) - Microsoft http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/ins.
Microsoft Windows Server 2003
Deployment Kit ( Windows Server 2003) http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx.


PDC
Windows NT 4, .
SAM. ,
Active Directory. ,
, Active Directory,
Windows Server 2003.
,
Active Directory 10 . SAM
Windows NT 4 User Manager For Domains (
) Net User ( )
:
o ;
o ;
o , ;
o ,
;
o Service Pack 5 Windows NT 4 .
Windows NT 4
- Microsoft
http://www.microsoft.com/ntserver/nts/downloads/default.asp.

PDC
, Windows NT 4 -
PDC. BDC , PDC, ,
, Windows NT 4, PDC.
Windows Server 2003 PDC
Windows NT 4, PDC,
.
. PDC
, BDC Windows NT 4,
PDC, a Windows
Server 2003. ,
, Windows
Server 2003, ,
.

,
BDC. Windows 2000
(interim) Windows Server 2003,
Windows Server 2003 Windows
NT 4. BDC, .
Windows Server 2003,
.

.
PDC, .
- Windows Server 2003 CD-ROM. CD-ROM
Autorun ( ), Setup
(). Setup.exe -
.
Setup Install Windows Server 2003 (
Windows Server 2003).
Setup ,
Upgrading To Windows Server 2003 ( Windows Server 2003).
, Setup.
Windows Server 2003 ,
, Active
Directory.
Active Directory Active
Directory. , ,
Active Directory .

Active Directory
Active Directory
.
, -.
.
, ,
Active Directory. Active Directory Users And Computers
( Active Directory)
. , ,
Windows NT 4 ,
.
Active Directory Domains
And Trusts ( Active Directory).
Event Viewer ( )
- , Active Directory.
, Windows
Server 2003. Active
Directory Users And Computers
.
, . ,
,
.
.
BDC .
User Manager For Domains BDC Windows NT 4 Server
, .
Windows Server 2003 , BDC
Windows NT 4 .
Active Directory Support Tools (
) - Windows Server 2003.
Windows Server 2003, Suptools.msi
\SUPPORT\TOOLS, - Windows Server 2003.
.
Active Directory,
Domain Controller Diagnostic ( ) (
dcdiag).
passed ().
. Dcdiag Support Tool Windows
Server 2003
, .
,
.
Dcdiag dcdiag /? .
Active Directory , repadmin /showreps
, Active
Directory.
.
BDC,
nltest /bdc_query:domainname, domainname - .
status = success ( =
) BDC .
PDC BDC.

BDC
, BDC- Windows NT 4
. PDC Active Directory
Windows Server 2003.
Windows Server 2003
, Windows Server
2003 BDC.
Windows Server 2003, ,
BDC (, , ) .
Windows Server 2003 ,
.
BDC? , , ,
BDC,
.
, BDC, ,
PDC. NOS,
Active Directory Active Directory
. Active Directory fie .
- Windows Server 2003,
SAM . Active Directory
, ,
BDC ,
- .


,
Windows 2000 Professional / Windows XP Professional
, Windows NT 4, PDC Windows Server 2003.
,
Windows Server 2003. , Windows 2000
Professional Windows XP Professional, Active Directory,
, ,
, Windows
2000 Server Windows Server 2003.
, ,
,
( PDC).
,
Windows Server 2003.
BDC Windows NT 4 Server Windows
Server 2003, PDC ,
Windows Server 2003
Windows NT 4 , Windows 2000 Professional Windows
Professional. Windows NT 4,
PDC Windows NT 4.
1. Windows NT 4 Windows Server 2003,
Active Directory (
regedit Run).
2. NT4EMULATOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Edit (), New (), DWORD Value ( DWORD).
New Value #1 NT4Emulator Enter.
4. Edit Modify(). Edit DWORD Value
( DWORD) 1 Value Data (),
.
5. .
6. Active Directory, dcpromo Run.
Windows
Server 2003 Windows NT 4,
Windows Server 2003,
.
, .
Windows NT 4 Windows
Server 2003, NT4Emulator 0x0,
.
. NT 4
,
NT4EMULATOR. Windows Server
2003 Windows 2000, ,
Windows 2000 Professional Windows XP Professional,
Active Directory.
Windows Server
2003 .
NT4EMULATOR, .
( regedit
Run).
NeutralizeNT4Emulator
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
Edit (), New (), DWORD Value (
DWORD). New Value #1 NeutralizeNT4Emulator
Enter.
Edit () Modify (). Edit
DWORD Value ( DWORD) 1 Value
Data (), .
BDC Windows NT 4 Windows
Server 2003, .
mixed Windows 2000 (
) Windows Server 2003.


Windows Server 2003,
,
.
.
,
.
1. Active Directory Domains And Trusts (
Active Directory).
2. ,
, Raise Domain Functional Level (
).
3. Select An Available Domain Functional Level (
) :
Windows 2000 native
(), Windows 2000 Native, Raise
();
Windows Server 2003,
Windows Server 2003, Raise.
( ,
(native) Windows 2000), Windows
Server 2003. Active Directory .
, .
Active Directory Domains And Trusts.
Active Directory Domains And
Trusts, Raise Forest Functional Level (
).
Select An Available Domain Functional Level (
) 2003 Windows Server, Raise ().
.
.
Active Directory (
), .


Windows Server 2003,
Active Directory ,
. , ,
Windows, .
, .
Windows Server 2003, Active Directory
.

, Windows 2000 Server.
Windows Server 2003, Active Directory.
,
.
: Windows 2000 mixed () (
), Windows 2000 native (), Windows Server 2003 interim ()
Windows Server 2003. ,
, Windows Server 2003,
Windows Server 2003.
Windows 2000 Windows 2000 Windows Server 2003
, SID-History, Universal Groups ( ) .
: Windows 2000, Windows Server 2003 interim
Windows Server 2003. Active Directory ,
native Windows 2000 ,
Windows Server 2003.
. Windows Server 2003,
, Windows NT 4 Server
Windows 2000 Server. Windows
Server 2003, mixed native Windows 2000,
.

Windows 2000 Server


Active Directory Windows 2000 Server Active Directory Windows
Server 2003 Windows NT 4. ,
Windows 2000, Active Directory ,
, .
Windows 2000 ,
.
Active Directory Windows 2000 Active
Directory Windows Server 2003. ,
Active Directory.
( , )
Windows 2000 Server Service Pack 2 (SP2), ,
, Windows 2000 Server.
Windows 2000 Server - Microsoft
http://www.microsoft.com/windows2000/downloads/servicepacks/default.asp.


Active Directory ,
Adprep.exe, Active Directory.
, , Windows
Server 2003.
Windows 2000 Server
Windows Server 2003, .
, . Active
Directory Schema Microsoft Management Console ( ),
Active Directory Schema ( Active Directory),
Operations Master ( ). Change Schema
Master ( ) .
. ,
, .
. 8
.
- Windows Server 2003 CD-ROM.
, CD-ROM \I386.
adprep /forestprep. Enterprise Admins
( ) Schema Admins ( ) Active
Directory, .
, Event Viewer ( )
.
, ,
, .
, Active Directory ( dcdiag
Run), .
,
, ,
.
adprep /forestprep ,
.
Windows 2000 Server Windows
Server 2003. .
. , ,
, . ,
, , .
-
, , ,
.


.
.
Windows 2000
Server Windows Server 2003, .
, .
Active Directory Users And Computers,
, Operations Masters ( ).
Infrastructure () Operations Masters
.
, , - Windows
Server 2003 CD-ROM.
, CD-ROM \I386.
adprep /domainprep. Domain Admins
( ) Enterprise Admins ( ) Active
Directory, .
Event Viewer ( )
.
adprep /domainprep , ,
Windows 2000 Server Windows Server 2003.
, , ,
,
.
, , ,
.
, Active Directory Windows Server 2003,
.


Windows NT 4 ,
Windows 2000, PDC .
Active Directory,
. -
. , ,
.
Windows 2000 , Windows NT 4 Windows
Server 2003. : NOS Windows Server 2003
Active Directory.


,
Active Directory. ,
,
Active Directory .
.
.
( Active Directory ).
Windows NT 4 Windows Server 2003,
. Active Directory Windows 2000 Active
Directory Windows Server 2003
.
Active Directory (
, , )
.
Microsoft, .
, ( )
. , ,
Active Directory Windows Server 2003.

.
Active Directory Migration Tool ( Active Directory) (ADMT).
- Windows Server 2003 \I386\ADMT.
Admigration.msi .
bv-Admin Windows 2000 Windows Server
2003 BindView (http://www.bindview.com/products/Admin/winmig.cfm)
- .
Domain Migration Administrator (
) (DMA) NetIQ (http://www.netiq.com/products/dma/)
- .
Domain Migration Wizard ( )
(DMW) Aelita Software (http://www.aelita.com/products/DMW.htm)
.

, .
Active Directory ADMT Microsoft.
,
. :
.
, Windows NT 4,
( )
( , ,
). 7-2
.
,
Windows NT 4? ,
, .
.


Windows Server 2003,
Windows NT 4, .. .
. ,
Active Directory,
Active Directory ,
. . . 5.
. 7-2.
Windows NT 4

. Active Directory Permissions ()


Active Directory Permissions Compatible With Pre-Windows 2000
Server Operating Systems (, ,
Windows 2000).

. , Custom
configuration ( ) Custom Options ( )
.
,
.


, Windows Server 2003
native Windows 2000 Windows Server 2003.
Windows Server 2003 mixed
Windows 2000. Windows 2000
Server Windows Server 2003, native
Windows 2000. Windows
Server 2003, Windows Server 2003. ,
,
.


, ,
, .
, , ,
, . ,

Administrator (). ,
( Migrator) (Migrator1, Migrator2, ...),
, .
, ,
, .
, ,
, Domain Admins ( ) ,
SID-History .
Administrators () Windows NT 4.



, ,
.
Windows Server 2003 Windows NT 4
(, )
(, ).
, Active Directory Domains
And Trusts ( Active Directory) Windows Server 2003
Server Manager ( ) Windows NT 4
Server.



Windows NT 4 .
ADMT,
. ADMT ,
PDC.
(RPC) TCP,
Windows NT 4. PDC
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
TcpipClientSupport, DWORD, 1.
.
( ,
Windows NT 4
Windows Server 2003),
. ,
PDC ( , )
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
AllowPasswordExport DWORD, 1.
ADMT.

Active Directory Migration Tool


Active Directory Migration Tool ( Active
Directory) Microsoft . ADMT
. Windows
NT 4 Windows Server 2003 . ADMT
(GUI) ,
Windows 2000 Windows Server
2003.
ADMT 2.0, - Windows Server 2003,
, :
;
;
;
;
;
Exchange;
;
;

.
ADMT ,
Windows Server 2003.
- Windows Server 2003 \I386\ADMT.
. ADMT ADMT
- Windows Server 2003 Readme.doc,
, ADMT.
ADMT .
- Windows 2000 Active Directory Migration Tool :
http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp.
ADMT. ,
, , - Windows Server 2003.
ADMT ,
.
1. \I386\ADMT - Windows Server 2003.
2. Admigration.msi, ADMT
.
3.
.
ADMT , Administrative
Tools ( )
Start (). ADMT ,
Action () (. . 7-3).

. 7-3. , ADMT

,
, .
Windows Server 2003, .
1. Active Directory Users And Computers
( Active Directory),
Domain Controllers ( ) Properties ().
2. Domain Controllers Properties ( )
Group Policy ( ).
3. Default Domain Controllers Policy (
) Edit ().
4. Default Domain Controllers Policy\Computer Configuration\Windows
Settings\Security Settings\Local Policies\Audit Policy (
\- \ Windows\
\ \ ),
Audit Account Management ( ),
: Success () Failure ().
5.
, - .
Windows NT 4, .
User Manager For Domains (
), Policies (), Audit
().
, Audit These Events ( )
User And Group Management ( )
Success () Failure (). ,
ADMT.
sourcedomainname$$$ (, Contoso$$$). ADMT
, .


Permissions Compatible With Pre-Windows 2000 Server Operating
Systems (, , Windows
2000 Server ), Active Directory Everyone () Pre-
Windows 2000 Compatible Access (, ,
Windows 2000), net localgroup "Pre-Windows 2000 Compatible Access" everyone /add Enter.
, ,
Everyone () . Active Directory
Users And Computers ( Active Directory),
Domain Controllers ( ) Properties ().
Group Policy ( ) Default Domain Controllers
Policy ( ). Group Policy Object Editor (
) Default Domain Controllers Policy\Computer
Configuration\Windows Settings\Security Settings\Local Policies\Security Options (
\ -\
Windows\ \- \ )
Network Access: Let Everyone Permissions Apply To Anonymous Users ( :
). Define This
Policy Setting ( ), Enabled (),
.


Windows NT 4 ,
.

. ,
.
, .
Windows Server 2003
Windows NT 4.
.
( ).
.

,
Windows NT 4, ,
, Windows Server 2003.
.
Windows Server 2003.
Windows NT 4 Domains That Trust This Domain
(, ) Properties () ,
Active Directory Domains And Trusts.
, ,
.
PDC Windows NT 4. User
Manager For Domains ( ) Windows
Server 2003 Trusted Domains ( ). ,
, . ,
.


: ,
. ,
, .
Windows NT 4 Windows Server 2003,
SID . SID
SID-History -
. SID SID-History,
, Windows NT,
.
( ADMT),
Active Directory.
,
, .
Windows NT 4 Windows Server 2003
Group Account Migration Wizard ( )
ADMT .
Windows NT 4 Windows Server 2003 Group
Account Migration Wizard, .
1. .
, .
2. Windows NT 4, Windows
Server 2003.
3. OU, .
. ADMT OU
. ,
.
, OU.
,
OU.
4. . , -
.
.
,
- .
( ) ,
.
Windows Server 2003,
.

.
.
, Windows NT 4, ,
. .
-?
?

?

. ,
, .

.
Windows NT 4 Windows Server 2003 Active
Directory User Account Migration Wizard ADMT, .
1. .
2. Windows NT 4, .
3. OU- .
4. , .
ADMT, .
, . ( ,
, [.csv]),
, .
, .
username ( ).
, User
Must Change Password At Next Logon (
).
.
,
.
.
, Password
Export Server ( ) (PES) DLL
. - ADMT,
( BDC) -
Windows Server 2003. DLL
Windows NT 4, \I386\ADMT\PWDMIG
Pwdmig.msi. PES

.
Readme.doc \I386\ADMT
- Windows Server 2003 : http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp.
5.
. ADMT
Account Transition Options (
).
(,
) (
).
. ,
, ,
.
.
,
. ,
Windows Server 2003 ,
ADMT,
.
Windows NT 4 , ADMT,
ADMT.


Windows Server 2003
, ,
Windows Server 2003,
. ,
. (
)
Windows Server 2003,
Windows Server 2003,
- .
.
Windows NT 4 ,

.

account unknown ( ).
, account unknown,
, SID-
History. ,
Windows NT 4.
, ,
. Windows
Server 2003
Windows NT 4. SID-History
, , , ,
.
, Windows Server 2003.


, .
.
, - .
(- ).
.
.
.


Windows NT 4 Windows Server 2003,
, .
1. , Domain Admins ( )

Windows NT 4. -
,
.
2. .
, .
,
.
Active Directory Domains And Trusts ( Active
Directory) , .

- ,
, Windows NT 4
Windows Server 2003. Local Security Authority
(LSA) ( ).
, ,
LSA.
.
. ,
Windows NT 4, Windows Server 2003
.
, Windows
NT 4, ADMT, :
1. Service Account Migration Wizard ( ).
2. .
3. ,
. , ,
, . 4. Service
Account Migration Wizard.
ADMT,
.
.


, Windows NT 4,
- Windows NT 4 Server, Windows NT
Workstation 4, Windows 2000 Professional Windows XP Professional.
OU
.
. ,
, Windows NT 4
.
Windows Server 2003.
Windows Server 2003
.
Active Directory, . ,
ADMT,
.
Computer Migration Wizard ( ).
.
, .
OU,
.
,
. (DACL)
, , SID
.
:
;
;
;
;
;
;
.
.
Computer Migration Wizard, , Security Translation
Wizard ( ) ADMT.
Translate Objects ( ),
. ,
.
, Previously Migrated Objects (
).
.
, ADMT ,
.
. ADMT

.
Computer Migration Wizard ( ).
View Dispatch Log ( ),
(dispatch agent).
, .

.


(shared local groups)
Windows NT 4. .
,
.
,
.
. , -
, .
, ,
SAM - . SAM
, .
, SID
. Computer Migration Wizard,
,
.
, ADMT, .
1. Group Account Migration Wizard ( ).
2. .
3. , .
4. OU,
.
5. Migrate Group SIDs To Target Domain ( SID
).
6.
.



.
,
- .
Windows NT 4 Windows Server 2003. ,
, LSA, ,
- .
, ADMT, .
1. User Account Migration Wizard (
).
2. .
3. , .
1. .
, (Dctlog.txt),
%userprofile%\Temp. Windows
Server 2003 Migrator1, C:\Documents and Settings\Migrator1\Temp.
3. OU ,
.
4.
. ,
Password Options ( ), ADMT
. ADMT , ,
, ,
.
. , , ,
, , log on as a service (
), .
Security Translation Wizard ( ).
Translate Objects ( ) Local Groups
( ) User Rights ( ) - ,
, .
, .


, Windows
Server 2003 Active Directory, Windows NT
4. , - .

Windows Server 2003, .
, , ,
, ,
. , ,
, Windows Server 2003.
, ,
. Active Directory Domains
And Trusts,
Windows NT 4 Remove ().


, , ,
. ,
Windows Server
2003 ( ),
,
( ).
, Active Directory
. , Windows
Server 2003, , ,
.
Windows Server 2003
. ,
Active Directory, Active Directory
.

, . ,
,
.
.
,
SID-History, , .
,
,
.
, ,
.

, ,
. (closed set).
Windows NT 4 Windows,
,
. ADMT ,
,
. ,
, ,
- , ,
,
. ( )
, .
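The closed-set idea in code. This is an added example, not the book's code and not ADMT's: given each user's group memberships (a constructed sample with made-up names), it treats membership as an undirected graph and returns the connected component containing a chosen user or group, which is exactly the set that has to move together for every membership to survive the migration. migration_batches then partitions the whole source domain into such sets, smallest first.

```python
from collections import defaultdict

# Constructed sample: user -> global groups in the Windows NT 4 source domain (made-up names).
SAMPLE_MEMBERSHIPS = {
    "alice": {"Sales", "Managers"},
    "bob": {"Sales"},
    "carol": {"Managers"},
    "dave": {"Engineering"},
    "erin": set(),   # member of no group: forms a closed set on her own
}


def _membership_graph(memberships: dict) -> dict:
    """Undirected graph over ("user", name) and ("group", name) nodes, one edge per membership."""
    adj = defaultdict(set)
    for user, groups in memberships.items():
        adj[("user", user)]            # create the node even when the user is in no group
        for group in groups:
            adj[("user", user)].add(("group", group))
            adj[("group", group)].add(("user", user))
    return adj


def closed_set(memberships: dict, start: str) -> tuple:
    """
    Smallest closed set containing `start` (a user or a group), as (users, groups):
    every group a user in the set belongs to is in the set, and every member of a
    group in the set is in the set. That is the connected component of `start`.
    """
    adj = _membership_graph(memberships)
    node = ("user", start) if start in memberships else ("group", start)
    if node not in adj:
        raise KeyError(f"unknown user or group: {start}")
    seen, stack = set(), [node]
    while stack:                        # iterative depth-first search
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(adj[current] - seen)
    users = {name for kind, name in seen if kind == "user"}
    groups = {name for kind, name in seen if kind == "group"}
    return users, groups


def migration_batches(memberships: dict) -> list:
    """Partition the source domain into closed sets, smallest first, so each batch migrates with its memberships intact."""
    remaining, batches = set(memberships), []
    while remaining:
        users, groups = closed_set(memberships, min(remaining))
        batches.append((users, groups))
        remaining -= users
    return sorted(batches, key=lambda batch: (len(batch[0]) + len(batch[1]), sorted(batch[0])))
```

Pass only the groups you actually intend to migrate: a group every account belongs to (Domain Users, for instance) collapses the whole domain into one closed set, which is precisely the situation in which ADMT's SID-History support, rather than closed-set batching, keeps access working while users are moved in stages.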



, ,
,
Windows Server 2003 , , Windows Server 2003,
, .
Active Directory Windows Server 2003
Windows 2000 Active Directory.
Active Directory Windows 2000
. Active Directory
Windows Server 2003
. .
,
.
.
. ,
, . ,
, (GC)
.
Active Directory,
(name suffix routing) .
,
(UPN) . ,
NWTraders.com Contoso.com,
Contoso.com NWTraders.com,
UPN alias@contoso.com.
, .
UPN- , .
, UPN-
. UPN- Contoso.com
NWTraders.com, Contoso.com NWTraders.com,
UPN.
,
UPN .
.
UPN- , ,
. ,

Name Suffix Routing ( ) .
,
Windows Server 2003. Enterprise Admins ( )
.
, .
1. Active Directory Domains And Trusts.
Properties ().
Trusts ( ).
2. New Trust ( ). New Trust
Wizard ( ).
.
3. ,
(. . 7-4).
.
,
. Forest Trust ( ).
4. (. . 7-5).

. 7-4.
. 7-5.

5. ,
. ( - .)

(. . 7-6).
, Enterprise Admins
( ), .
, ,
.

.

. 7-6.

6. ,
(. . 7-7).
.
,
. ,
.
,
.
.
. ,
Allowed To Authenticate ( ) Active
Directory.
7.
.

. 7-7.

Windows NT 4
Active Directory Windows 2000 Active Directory Windows Server 2003.
: ,
. ,
. ,
,
.
, .
, ,
.
,
Windows NT Server 4 Windows 2000 Server.
Windows NT 4 ADMT.
,
, .
, Windows Server 2003.
III.
Active Directory
Windows Server 2003
I II Active Directory
Microsoft Windows Server 2003, , ,
, Active Directory. Active Directory
. III
, .
, ,
8 , Active Directory
Windows Server 2003. 9 ,
. 10
Active Directory. Active
Directory - Group Policy ( ),
, Active Directory. 11, 12 13
, , ,
.

8. Active Directory
Active Directory
.
.
,
. Microsoft Exchange 2000
Server, .
Active Directory Microsoft Windows Server 2003 .
Active Directory. Active
Directory Windows
Server 2003. ,
, Active Directory
, ,
(), ,
(). Windows Server 2003, Microsoft
Windows 2000, Kerberos ,
Kerberos .

Active Directory
,
Active Directory Windows Server 2003. Active Directory
. - ,
, , ,
. - , ,
. ,
Active Directory ,
.

Active Directory Active Directory
. - Active
Directory, , , .
(SID).
SID . - ,
.
SID - (RID),
Active Directory.
SID ,
Windows Server 2003.
, Windows Server 2003
SID .
, ,
SID , . ,
, , , .
, ,
, SID .


, Active Directory, - ,
. Active Directory, ,
(OU), .
Windows Server 2003 Microsoft Exchange
2000 Server.
, ,
(ACL - Access Control List), (security
descriptor). Active Directory NTFS
. SID ,
, SID . ,
ACL: (DACL
Discretionary Access Control List) (SACL - System Access
Control List). DACL ,
, ,
. DACL (
Access Control Entries). SID
, SID.
. , Read
() , - Full Control ( ).
DACL , , , -
Read, - Full Control.
SACL ,
. SACL , ,
.
. DACL ,
, , . , ,
ACL, .
, , ..
, , ,
SID.

SID ACL .
Active Directory,
. SID ,
SID , , .
,
.
, , ,
. ,
, Exchange 2000 Server,
. Exchange 2000 Server SID
, ACL.
, ,
SID.
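The SID-History lookup from the migration discussion in chapter 7 (the user X example) and the DACL walk described above, modelled in one piece of code. This is an added example, not Windows' access check and not the book's code: it uses a two-right access mask, the old-domain SID of user X quoted in chapter 7, and constructed SIDs for the new domain, for a group, and for a deleted account. It walks the ACEs in order, treats a matching deny ACE that overlaps the requested rights as final, and accumulates allow rights; sIDHistory values are simply more SIDs in the token, which is why the migrated account still matches ACEs written for the old SID. stale_aces lists the ACEs whose SID no longer resolves to any account, the "account unknown" entries chapter 7 mentions.

```python
from dataclasses import dataclass, field

# Simplified access mask (assumption; real Windows masks are 32 bits with generic and standard rights).
READ, WRITE = 0x1, 0x2
FULL_CONTROL = READ | WRITE

# The old-domain SID of user X is the one quoted in chapter 7; every other SID is constructed.
OLD_DOMAIN = "S-1-5-21-2127521184-1604012920-1887927527"
NEW_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_USER_X = f"{OLD_DOMAIN}-324294"
OLD_GROUP = f"{OLD_DOMAIN}-1105"          # a global group X belonged to in the Windows NT 4 domain
NEW_USER_X = f"{NEW_DOMAIN}-1201"
NEW_GROUP = f"{NEW_DOMAIN}-1202"
DELETED_USER = f"{OLD_DOMAIN}-1337"       # account deleted before migration; nothing resolves it


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    """What the access check sees: the user's SID, group SIDs, and the sIDHistory values of user and groups."""
    user_sid: str
    group_sids: set = field(default_factory=set)
    sid_history: set = field(default_factory=set)

    def all_sids(self) -> set:
        return {self.user_sid} | self.group_sids | self.sid_history


def check_access(token: Token, dacl: list, requested: int) -> bool:
    """Walk the DACL in order: a matching deny ACE covering any requested right denies;
    matching allow ACEs accumulate until every requested right has been granted."""
    sids = token.all_sids()
    granted = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue                      # ACE is for some other security principal
        if ace.kind == "deny" and ace.mask & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False                          # nothing (or an empty DACL) granted all that was asked for


def stale_aces(dacl: list, resolvable_sids: set) -> list:
    """ACEs whose SID resolves to no current account or sIDHistory value: displayed as 'account unknown'."""
    return [ace for ace in dacl if ace.sid not in resolvable_sids]


# A file-server DACL written while the resource still lived in the Windows NT 4 domain.
FILE_SERVER_DACL = [
    Ace("deny", OLD_USER_X, WRITE),       # explicit denies come first in canonical order
    Ace("allow", OLD_USER_X, FULL_CONTROL),
    Ace("allow", OLD_GROUP, READ),
    Ace("allow", DELETED_USER, READ),
]

# User X after migration with ADMT: new SIDs, old SIDs carried in sIDHistory (user's and group's).
MIGRATED_X = Token(NEW_USER_X, {NEW_GROUP}, {OLD_USER_X, OLD_GROUP})
# The same user re-created by hand in the new domain, without SID-History.
RECREATED_X = Token(NEW_USER_X, {NEW_GROUP})
# SIDs the new forest can still resolve: current SIDs plus sIDHistory values.
RESOLVABLE = MIGRATED_X.all_sids()
```

Each sIDHistory value is additional access on everything the old SID was ever granted, so once the Security Translation Wizard has re-ACLed the resources, clear sIDHistory rather than leaving the old SIDs in every token indefinitely.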

, SID ACL,
, - ,
. , ,
, ,
. .
.
Windows 2000 Microsoft Windows XP Professional
Ctrl+Alt+Del, Winlogon
Graphical Identification and Authentication (GINA) (
) (DLL).
Msgina.dll. GINA
(, Netware Nwgina.dll).
, , GINA
Winlogon. Winlogon LSA
(Local Security Authority). LSA
,
. (SSP Security Support
Provider) (SSPI - Security Support Provider Interface).
Windows Server 2003 SSP-
Kerberos SSP NT LAN Manager (NTLM) SSP. Windows 2000,
, Windows 2000 Windows Server 2003, SSP
Kerberos, SSP. SSP
.
Kerberos .
, , ,
. ,
, ,
. , ,
, .

(authorization) ,
. -
,
. .
.
. SID
SID ACL,
, .
Kerberos
Active Directory
, .
Active Directory Kerberos. Kerberos
(MIT) 80- . Kerberos
- 5 (Kerberos v5), RFC 1510. Kerberos
Windows Server 2003 RFC-1510
(public) .
Kerberos Active
Directory Windows 2000 Windows Server 2003. ,
Windows 2000, , Active Directory,
Kerberos. ,
Active Directory, - NTLM,
, .
Kerberos NTLM.
. NTLM
, .. .
Kerberos
, , , ,
.
.
, NTLM (, Microsoft Windows NT 4),
, ,
. , Kerberos,
,
. ,
.
.
NTLM , , .
Kerberos ,
. ,
Kerberos
Kerberos Windows Server 2003 Kerberos.
. ,
NTLM,
, . Kerberos
,
.
. Windows Server 2003 SSL/TLS
(Secure Sockets Layer/Transport Layer Security /
), Digest Passport.
- Microsoft
(IIS - Internet Information Services) 6.0,
.

Kerberos
, Kerberos, . -, ,
. -, ,
,
.
(KDC - Key Distribution Center),
, .
Kerberos , .
. , Kerberos ,
,
. ,
, ,
, .
, Kerberos
. ,
- . .
, Kerberos,
. Kerberos ,
, , .
, ,
, .
. , .
. Kerberos
, , .
, ,
, - .
,
, .
, ()
.
.
. Kerberos ,
(KDC - Key Distribution Center). KDC
. KDC

( ).
, KDC ,
, .
. Kerberos ,
, KDC. Kerberos Windows Server 2003
. Active Directory
KDC. Kerberos , ,
KDC, (realm). Windows Server 2003
.
KDC : (AS -
Authentication Service) (TGS Ticket-Granting Service).
AS TGT (TGT - Ticket-Granting
Ticket) . TGS ,
Windows Server 2003.
KDC ,
Kerberos. Kerberos Windows Server 2003
(DSA - Directory System Agent),
LSA .
- DSA,
Active Directory.
(, ) ACL. DSA
,
.
. Active Directory ,
, krbtgt.
, (enable).
, .
, TGT,
.
Kerberos
Microsoft Windows 2000 Professional Windows XP Professional,
Windows 2000 Server Windows Server 2003 Kerberos
, LSA Kerberos.
, ,
,
. ,
- (hash).

.
1. Kerberos SSP
KDC (. . 8-1). : ;
(realm) ( );
TGT-;
, .
,
.

. 8-1. Kerberos TGT

2. , ,
,
.
.
,
5 , .
, , ,
. 5
, .
,

.
, 5 ,
.
3. ,
TGT (. . 8-1). - ,
KDC .
TGT ,
. TGT TGT
, .
. , TGT
.
4. ,
.
, , KDC
, .
,
.
KDC, ..
, .
TGT .
. Kerberos Authentication Service (AS) Exchange
( ), ,
.
AS Exchange. ,
KDC, KRB_AS_REQ.
KRB_AS_REP.
5. , .
TGT - , KDC,
- ,
KDC (. . 8-2.)
KDC. , TGT,
, ,
, ,
, AS Exchange.

. 8-2. Kerberos

6. KDC TGT, .
TGT ,
, , ,
. , KDC
.
7. ,
. ,
, .

. ,
, , KDC
, , ,
KDC.
8. .
. , 5- 8-, Ticket-Granting
Service Exchange ( ). ,
, KRB_TGS_REQ; -
KRB_TGS_REP.
9. (. .
8-3.)

. 8-3.

10. , ,
, KDC.
, ,
KDC. ,
, .
,
.
. , 9 10, - Client/Server (CS)
Exchange. KRB_AP_REQ.
, ,
.
, ,
, . ,
KDC .
. ,
, - Microsoft.
KList.exe
Kerberos. Kerberos Tray (Kerbtray.exe)
(GUI). 8-4 ,
Kerberos Tray. Kerberos Tray
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/kerbtray-o.asp ,
KList
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/klist-o.asp.
. 8-4. Kerberos Kerberos Tray

, KDC
,
, .
, TGT, KDC
. ,
KDC .
. ,
, ,
.

,
,
. ,
, 8-5.

. 8-5. ,

, Fabrikam.com,
NAmerica.Contoso.com ,
Fabrikam.com.
NAmerica.Contoso.com.
, Fabrikam.com,
.
(shortcut trusts),

Fabrikam.com. ,
NAmerica.Contoso.com Fabrikam.com.
NAmerica
Contoso.com. ,
Contoso.com. , NAmerica
Contoso.com .
, .
Contoso.com.
Fabrikam.com.
, .
TGT Fabrikam.com.
, ,
.
, ,
, .
,
, , .
, , ,
. ,
.
,
.


,
. ,
,
, .
,

( ). Windows 2000
Kerberos : - (proxy tickets)
(forwarded tickets). - ,
KDC, . KDC
PROXIABLE.
, ,
. -- ,
.
. , -
AS Exchange KDC, TGT,
. KDC TGT
,
TGT ,
.
,
Windows 2000. ,
,
Kerberos. Windows NT, Microsoft Windows 95 Windows 98
. Windows Server 2003
. Windows 2000
. Windows 2000
KDC
. Windows Server 2003 ,
, .. ,
( ).
,
Windows Server 2003.
,
, ( ) ,
. Properties ()
Active Directory Users And Computers (
Active Directory), Account ( ), Account
Options ( ). , o Account Is Sensitive And Cannot Be
Delegated ( ) . (
.) ,
, , ,
, LocalSystem.
, Account
, Account Is Sensitive And Cannot Be Delegated
. ( .)
LocalSystem, Properties
(. . 8-6). Windows 2000,
Trust This Computer For Delegation To Any Service (Kerberos Only) (
-
( Kerberos)).
Windows Server 2003, Trust This Computer For Delegation
To Specified Services Only (
). ,
Kerberos, ,
( , Active Directory),
.

. 8-6.
Kerberos Windows Server
2003
, Kerberos
Windows 2000, , Active
Directory. Kerberos
. Kerberos, Domain
Security Policy ( )
Account Policies ( ) (. . 8-7).
.

. 8-7. Kerberos Domain Security Policy ( )

Enforce User Logon Restrictions ( ). KDC,

. , , ,
Allow Log On Locally ( ),
, Access This Computer From The Network
( ) .
Local Policies\User Rights Assignment ( \
) Domain Security Policy ( ).
.
Maximum Lifetime For Service Ticket ( ).
( ),
.
, .
, , 10 ,
, Maximum Lifetime For User Ticket
( ).
600 (10 ).
Maximum Lifetime For User Ticket (
). ( ),
TGT- .
TGT--, ,
KDC. 10 .
Maximum Lifetime For User Ticket Renewal ( ,
). (
), TGT- (
TGT--). 7 .
Maximum Tolerance For Computer Clock Synchronization (
).
( )
,
Kerberos, Kerberos .
, ,
Kerberos . 5 .
,
.
Kerberos, ,
.
.
KDC, .


Kerberos .
,
Windows Server 2003. , ,
, KDC.
, .
, , ,
, .
, ,
, .
,
. ,
, . ,
, ,
.
(PKI - Public Key Infrastructure)
,
. PKI
, . PKI
, .
PKI : (public) (private) ,
( - certificate authorities). PKI
, ,
, : .
. ,
(roaming) , -.
, . ,
. .
.
.
, , ,
. , ,
, .
, . - ,
, .
,
.
.
, .
, (digest),
.
. , ,
.
. ,
.
PKI . ,
.
() , -
, .
, ,
.
, -.
X.509 v3. ,
, , (
) -, .
, PKI, ,
, . -
PKI -,
Verisign Thawte. -,
Microsoft Internet Explorer, ,
. --,
Windows Server 2003. , Windows Server 2003,
- ,
, ,
.
. PKI
. Windows Server 2003 PKI
- , Active Directory.
- ,
,
. - Microsoft Help And Support Center (
) Windows Server 2003 ,
PKI.
,
, Active Directory,
Windows Server 2003. , -,
,
. Windows Server 2003
. ,
, .
,
Active
Directory,
.
Windows Server 2003
.
.
Windows Server 2003.
.
,
-.
, ,
.
.
Active Directory. ,
, -
, .
, . ,
, ,

. , ,
.
.
Active Directory Users And Computers (IIS)
Microsoft. Active Directory Users And Computers Name Mappings
( ),
.

-
- PKI
Kerberos. Kerberos PKI,
KDC
. ,
. -
PKI, ,
, .
- X.509 v3.
- Active
Directory. , -
- (PIN
personal identification number). LSA
Ctrl+Alt+Del, .
PIN
-. TGT- KDC.
( ),
, , KDC
. TGT
, .
KDC, ,
, -, , .
KDC ,
.
, KDC
(UPN), , Active
Directory. , KDC
TGT, .
,
.
KDC.
. -
. , -
. -,
-, -
.
, . -
,
.


Kerberos
Kerberos ,
, Kerberos.
, Kerberos Windows Server
2003, , Windows.
:
Kerberos;
Kerberos;
, Kerberos .
.
Windows 2000 Windows XP Professional
Windows Server 2003 , Windows Server 2003
, Kerberos.
Windows 2000 Windows XP Professional KDC-,
Windows-, ,
Windows Server 2003 ,
Kerberos.
Kerberos, Windows-, KDC-
Windows Server 2003 , Windows Server 2003
, Kerberos.
Kerberos, Windows-,
Kerberos, Windows-,
, Windows Server 2003 ,
Kerberos.
Windows Server 2003 .
, Kerberos
Windows Server 2003, Kerberos, Windows-.
Kerberos Windows Server 2003
Kerberos.
Windows Server 2003 Kerberos, Windows-.

, .
, Active Directory Domains And
Trusts ( Active Directory) -
Properties () ,
. Trusts ( ) New Trust,
New Trust Wizard.
Windows Server 2003 Kerberos. 8-8 Properties
.

. 8-8.

. Microsoft
Kerberos . ,
Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
- Microsoft http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.asp.
NTLM
Windows Server 2003
NTLM-.
, Windows NT 4, Windows 95 Windows 98.
.
, Windows 95, Windows 98 Windows NT,
Windows Server 2003.
Windows 95 Windows 98 Directory Services Client,

LAN Manager.
, Windows XP Professional Windows Server
2003, Windows NT 4 Server.
Windows Server 2003.
, Windows XP Professional Windows 2000,
Windows Server 2003,
, Kerberos. NTLM
.
NTLM , Kerberos. Windows NT 4 Service Pack 4
Microsoft NTLM NTLMv2.
,
,
.

Active Directory Windows Server 2003, , ,
.
Active Directory Kerberos. Kerberos
Active Directory
. Kerberos PKI,
- Kerberos.
9.
Active Directory
, Active Directory Microsoft Windows
Server 2003 ,
Microsoft Windows NT.
, (DNS) ,
(OU) .
: .
Windows NT . , ,
. . Active Directory Windows Server 2003
.
Active Directory, 8.
Active Directory (ACL)
Active Directory. .
ACL .
Active Directory Windows Server 2003 . Delegation Of Control Wizard (
).

Active Directory
8, Windows Server 2003,
. (SID) ,
SID , . ,
, -
Active Directory. Active Directory
ACL, NT Security Descriptor,
(), ,
SID. ,
(DACL)
(SACL). DACL ,
. SACL .
. Active Directory ACL, ..
. ,
Active Directory Users And Computers ( Active Directory), Active
Directory Sites And Services ( Active Directory), ADSI Edit Ldp.exe.
, Active Directory Users And
Computers,
. , ,
Active Directory. ,
, ACL,
Active Directory Sites And Services.
Delegation Of Control Wizard,
.
,
Active Directory. Active
Directory Users And Computers.
ACL. , Active Directory
: (standard) (special).
Active Directory Users And Computers ,
.


Active Directory
, Security () Properties ()
Active Directory Users And Computers. ( Security
, Advanced Features ( ) View (),
Properties). Security()
, (. . 9-1).

. 9-1.

Active Directory . ,
(OU) - ,
, , ,
. , , ,
Full Control ( ), Read (), Write (), Create All Child Objects (
) Delete All Child Objects ( ),
.
Active Directory ,
. ,
Public Information ( ), Personal Information (
) Web Information (-).
,
. , Personal Information
homePhone, homePostalAddress, streetAddress .
.
. ,
, "property sets" (
) Help And Support Center ( ). Active Directory
, ,
rightsGuid ( )
attributesSecurityGUID . , rightsGuid cn=Personal-
Information, cn=Extended-Rights, cn=conf iguration, dc=forestname attributes
ecurityGUID cn=Telephone-Number, cn=Schema, cn=Configuration, dc=forestname. ,
Personal Information.
Security
, Receive As, Send As, Send To ( , Microsoft
Exchange 2000 Server), Change Password Reset Password.
Validated Write ( ). ,
Group Validated Write , / .
Validated Write Write , Validated Write
, . ,
/ ,
.

Security () - Special
Permissions ( ). Active Directory
, . ,
. , Advanced ()
Security (. 9-2). 9-1 .
. Default ( ) Advanced ,
, .

. 9-2. Advanced Security Settings

. 9-1.

()
Allow () Deny ().
,
Deny
().
.


Deny ().
Name () ,
.
Permission () ,
.

, Full Control,
, , Create/Delete User
Objects (/
), Special ().

.
Inherited From ,
( ) .
Apply To ( )
.
, This Object
Only ( ), This Object And All
Child ( )
Only Child Objects (
).

- .
. , Authenticated
Users ( ) Read Permissions ( ),
Read General Information ( ), Read Personal Information
( ), Read Web Information ( -) Read Public
Information ( ) .
,
, Advanced Security Settings
( ).
, ,
. 9-3 .

. 9-3. Active Directory

Object () ,
, . ,
OU , (OU),
,
( , ).
, .

(. . 9-4).
. 9-4. ,

Properties ()
, Name () Advanced Security Settings
( ). ,
, Read Write
, .
. , , ,
. , , -,
, . - ,
.
. ,
, ,
.

Ldp.exe
(GUI) ,
-. -
GUI, Ldp.exe.
ACL Ldp.exe, Run ()
ldp. ( Ldp.exe ,
\SUPPORT\TOOLS - Windows Server 2003
Suptools.msi, Active Directory.)
Connection (), Connect ().
, .
. , Connection
() Bind (). ,
, . ,
, .
View (), Tree ().
, . OU
(. . 9-5).
ACL ,
. Advanced (),
- Security Descriptor ( ). ACL NT Security
Descriptor Active Directory. Ldp.exe
:
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)

- .
, , .
, DA, ..
Domain Admins. ,
-
SID, SID .
( ,
, DsAcls,
Active Directory. DsAcls
Active Directory).

. 9-5. Ldp.exe

Ldp.exe
. , , , :
[]
: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Size: 36 bytes
Flags: 0x0
Mask: 0x000f01ff
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid: Contoso\Domain Admins S-1-5-21-602162358-688789844-1957994488-512


Active Directory Windows Server 2003
. Active Directory,
,
.
, ACL
. ,
, .
Active Directory . ,
,
, . ,
OU,
OU OU. , ,
. OU
, OU--,
,
Active Directory.
,
.

OU. , OU

OU. , ,
, OU.
OU Executives () OU-,
Executives OU.
Active Directory,
Advanced Security Settings
(. . 9-2). Allow Inheritable Permissions From The Parent To
Propagate To This Object And All Child Objects (
).
,
(. . 9-6).

. 9-6. ,

.
.
.
,
.
,
, .
, .
, .
, .
, ,
.
.
, , .
, OU
.
Domain Admins ACL OU, Domain Admins
-
, OU . Domain
Admins .

,
Active Directory .
.
, ,
.
, ,
,
.
, ..
. ,
Read () , Modify
() Full Control ( ) ,
Full Control. ,
, .
, .
, , Active Directory
. .
, ,
.
, ,
,
.
(Deny) (Allow). ,
, Modify Active
Directory, Modify ,
. , ,
, , .
,
.
, , ,
Deny , Allow . ,

. Modify ,
Modify .

:
,
Active Directory . ,
. ,
Deny () .
, Modify ,
Read-Only ( ) .
Write .
, Deny,
, . ,
, ,
. Read ,
Domain Users ( ).
, . - ,
Deny, .
,
. ,
, .

Active Directory.
, Deny, ,
,
. , Account
Admins, .
,
,
. Account Admins

, OU
Account Admins.
- OU .
, Active Directory
.
,
Active Directory. Active Directory
. .

. ,
, . ,
Active Directory, .
Active Directory ,
, .
, , . , Windows
Server 2003 ,
, Active Directory.
Active
Directory. Security (), Advanced (),
Effective Permissions ( ). 9-7
Active Directory Users And Computers.
, Select (
. , . Effective
Permissions ( ) ,
Active Directory.
. ,
. ,

.
, . , Windows Server 2003
Interactive ( ,
c ) Network Login (,
). Active Directory ,
. ,
, ,
. , , ,
, ,
.
. 9-7. Active Directory

Active Directory
Active Directory .
, , .
, ,
,
.
,
. - Domain Admins.
Domain Admins.
Administrators, a Domain Admins,
Administrators.
Active Directory, ,
Active Directory. Security (),
Advanced (), Owner ().
9-8 Active Directory Users And Computers.

. 9-8. Active Directory


Modify Owner ( ) ,
.
, .
Active Directory Windows Server 2003. Active Directory
Microsoft Windows 2000
.


Active Directory
, . ,
, ACL,
Active Directory. ,
. ,
, , Active Directory.
, ( )
. , ( ) Create
Computer Objects ( ) OU Computers
().
.
,
. Default Domain Controllers Policy (
). , ,
.
Domain Users ( ).

Active Directory
.
, .
.
. -, ,
. ,
, . ,
.
, .
, ,
, .
, Active Directory, .
OU Domain Controllers (
). Domain Controller Security
Policy ( ). Microsoft Management Console
() File>Add/Remove (>/),
Add (), Group Policy Object Editor (
). Group Policy Wizard ( ), Browse
(), Domain Controllers.domainname.com ( domainname
, ). 9-9
Active Directory Windows Server 2003.
. 9-9. Default Domain Controllers

Active Directory,
, Audit Account Management (
). , Active Directory,
. Active Directory,
Active Directory.
Active Directory Windows Server 2003
.
OU
. ,
. Active Directory,
Properties () Active Directory.
Security (), Advanced ()
Auditing (). 9-10 Active Directory Users And
Computers OU Active Directory.

. 9-10. Active Directory


, Add ()
, .
Everyone, , ,
. , .
, ,
.
, .
, ,
. ,
.
, Security,
Event Viewer ( ).
. .
OU ,
Security . ,
, .
, .
,
.
.
,
. Microsoft Operations
Manager ( ) ( )
.
. Microsoft
Operations Manager (MOM), - http://www.microsoft.com/mom. MOM
,
.


Active Directory.
,
. Active Directory
ACL-,
. , Active
Directory ,
.
,

.
Active Directory .
OU. ,
,
.
, Windows NT OU
Active Directory.
, OU.
,
, .
OU.
. ,
OU
. ,
, . ,
- (OU), , , ,
OU
OU, .
.

,
.
,
.
.

.
.

. , ,
.
,
, .
Active Directory Windows Server 2003.

ACL .
- .
, Active Directory Windows Server 2003 Delegation
Of Control Wizard ( ).
Delegation Of Control Wizard, .
1. Active Directory Users And Computers
, .
OU, , ,
Computers () Users ().
Delegate Control (
). Next ().
2. Users Or Groups ( )
, . Add
(), Active Directory
.
3. , . (. 9-11)

.

. 9-11. Delegation Of Control Wizard ( )



4. , ,
(. 9-12).

. 9-12. ,

5. , :
(. 9-13).

. 9-13.

Delegation Of Control Wizard


ACL-.
, .. ACL-
.

Active Directory Windows Server 2003,
.
Active Directory ,
. ,
OU, ,
. Windows Server 2003
.
(taskpad),
.

Microsoft

Microsoft ( - Microsoft Management Console)
.
. --
.

. ,
, -,
OU,
OU.
Active Directory Users And Computers
-, .
- Run ()
. -. File ()
Active Directory. ,
Active Directory Users And Computers,
, .
New Window From Here (
).
,
. , ,
. ,
, --.
. ,

.
, -,
-, Options File. -
, User Mode ( ),
, -.
9-14 . -
Help And Support Center ( ).

. 9-14. -


- ,
OU.

, .
. ,
, .
, -, ,
. ,
, New Taskpad View (
). New Taskpad View Wizard.
, , , .
.
, .
, . ,
OU, ,
, .
, ,
.
9-15 ,
OU. ,
, Reset Password (
).

. 9-15.

Active Directory Windows Server 2003 , .
.
,
Active Directory , .
, , .
, ,
, . ,
.

. ,
, .
Windows NT,
Domain Admins. ,
, ,
.
, ,
, .
, ,
, .
- ,
.
.
,
, , .
Effective Permissions ( ) Advanced Security
Settings ( )
, . Effective Permissions
Active Directory Windows Server 2003,
.
,
, ,
, .
, . ,
, , ,
, .
.
,
,
, .

Active Directory Windows Server 2003 .
Active Directory, ACL,
.

, . ,
Active Directory.
, Active Directory
, .
, Active Directory
, .
10. Active
Directory
, Microsoft Active
Directory Windows Server 2003, Active
Directory . Active
Directory . Active Directory
. user () group ()
.
, .
Active Directory , printer (), computer ()
shared folder ( ), .
,
Active Directory. , Active
Directory , . ,
, Active Directory Users And Computers
( Active Directory) ,
Windows Server 2003.


Active Directory Windows Server 2003 ,
. , user
() inetOrgPerson, ,
. contact ()
.

User
Active Directory user.
user,
Active Directory, . ,
250- . Active Directory Windows Server 2003
Microsoft Windows NT, user .
Active Directory ,
, .
Active Directory
. :
, .
Active Directory,
.
user , .
10-1, ,
sAMAccountName ,
. , (SID),
.
. 10-1. ,
Adsiedit.msc


user. (UI),
, Assistant (). ,
Adsiedit.msc, .
Csvde
Ldifde. Help And Support
Center ( ). UI ,
.
Find (). , Active Directory Users And
Computers ( Active Directory) ,
Assistant, Advanced ()
Find, , Assistant (. . 10-2).
Field (), User (),
, . .

. 10-2. ,

.
user, Adsiedit.msc Ldp.exe.
. ,
Active Directory ,
.
Active Directory TechNet Script Center
http://www.microsoft.com/technet/scriptcenter/default.asp. TechNet Script Center
,
,
Active Directory. - Microsoft Press Online http://www.microsoft.com/mspress/, - Introduction
to ADSI Scripting Using VBScript ( ADSI VBScript),
(Mike Mulcare).
, ,
Active Directory Users And Computers.
user, , ,
New>User (>). Full
Name ( ) User Logon Name ( ). Full
Name , User Logon Name
sAMAccountName.
,
. ,
Account ( ) (. . 10-3).
, Account, 10-1.

. 10-3. Account user

. 10-1. User
UserLogonName
( (UPN)
) .
User Logon Name ,
( , Microsoft
) Windows 2000, ,
( Windows domain\username.
2000)
Logon Hours ( ,
) .
Log On To ( ) (
NetBIOS ),
.
Account Is Locked Out ,
( ) -

.
Account Options (
) ,
.
Account Expires (
) .

user Active Directory


Active Directory , user
, user
. 10-2 ,
username, , .

. 10-2.
Username ( )
First name, initials, last name (, .
, )
Display name ( ) .
Full name ( ) -

. (OU).
First
Name, Initials Last Name
New Object-User ( -
). ,
Adsiedit.msc
Username ( )
User principal name (
). UPN .
DNS-
UPN,

UPN-.
User Logon Name (Pre-Windows 2000)
( , .
Windows 2000)

UPN .
, UPN-,
. UPN- DNS- .
UPN-, , DNS-
. SMTP-
DNS. , ,
, SMTP. ,
UPN- .
UPN-, Active Directory Domains And Trusts
( Active Directory),
Active Directory Domains And Trusts, ,
Properties () (. . 10-4). UPN-,
.
. 10-4. UPN-

inetOrgPerson
Active Directory Windows Server 2003 inetOrgPerson.
,
(Lightweight Directory Access Protocol
LDAP) X.500, Request for Comments (RFC) 2798.
inetOrgPerson, Microsoft Active Directory
Active Directory.
. Windows 2000 Windows Server 2003
inetOrgPerson, Adprep.exe /forestprep. Adprep.exe
\I386 - Windows Server 2003.
inetOrgPerson Active Directory Users And
Computers. , ,
New>InetOrgPerson. inetOrgPerson
. inetOrgPerson
user, .. ,
, . inetOrgPerson
, user.

Contact
, Active
Directory, contact (). contact user
inetOrgPerson , (security principal).
contact . contact
Active Directory Users And Computers, ,
, New>Contact.
contact ,
, .
. , ,
,
. ,
, ,
. .
, , Active
Directory. ,
, (GC)
. ,
.
Microsoft Metadirectory Services (MMS), contact

.
. MMS Microsoft Consulting
Services ( ) MMS.
- http://www.microsoft.com/windows2000/technologies/directory/mms/default.asp.
contact Microsoft Exchange 2000
Server, , , .
Exchange 2000 Server Active Directory,
Active Directory. Exchange Server 5.5
. ,
, Exchange-.
Exchange 2000 Server, contact
. contact,
, .
contact, .


Active Directory .
,
. .
. ,
, (ACL)
.
,
group .


Windows Server 2003 ,
(distribution group) (security group).
group, (. . 10-5).

. 10-5. Active Directory Users And Computers

Active Directory .

. ,
. , Exchange 2000 Server
, .
, ,
, , ,
.
. Exchange Server 5.5,
Exchange 2000 Server. Exchange Server 5.5
, ,
Exchange-. Exchange 2000 Server
,
.
,
Windows 2000 native (). (
. . 2-1, 2-2 . 2.)
, user contact ,
.
. Active
Directory, .


Active Directory Windows Server 2003
: , . 10-3
.
. ,
Windows 2000 native. (nested groups} ,
. , ,
. ,
,
,
Windows 2000 native, .
,
Windows 2000 native. (mixed)
Windows 2000, ,
Windows NT 4.
, , .
Windows 2000,
,
Windows 2000 Windows Server 2003.
. 10-3. Active Directory


Domain Local
(
)
.

Windows 2000
Windows Server 2003.









Global
() ,
,

,
.

- ,

Windows.
Universal
()
,

,
.

Windows 2000
Windows Server 2003.



. -, ,
. Windows 2000 Windows
Server 2003, ,
.
- . ,
Windows NT.
. Windows 2000
Windows Server 2003,
.
Active Directory Windows Server 2003 Active
Directory Windows 2000 .
Windows 2000 native,
.
Windows 2000 mixed native, ,
. ,
.
. ,
, .
Managers ,
.
Active Directory,
.
, .
(GC)
. Windows 2000 native,

.
.
Windows Server 2003, ,
Windows Server 2003, .
.
,
, GC- ,
, . Active
Directory Windows Server 2003. Windows
Server 2003, ,
, . GC-
,
.
,
, .
. ,
, ,
,
GC-.
Active Directory Windows Server 2003
Users () Builtin ().
.
- Administrators
() Domain Admins ( ).
Administrator, , ,
Domain Admins Administrators. ,
Administrator Enterprise Admins
( ) Schema Admins ( ).


Active Directory
. ,
.
.
.
, .
Active Directory . ,
,
-
, .
, .

.
.
.
, .
,
, , .
, ,
, - .
. ,
,
. .
.
, .
, ,
.

. .
,
, - .
.
, Read
Only ( ),
. ,
, :
.
.
, Human Resource (),
. ,
, .
.
Read Only ( ), - Full Control ( ) Modify
(). Human Resources
, Full Control,
, Read Only, - Read
Only.
,
.
,
.
(owner) , authorizer ().
.
. ,
, . .
*.
, ,
,
, .
,
.
,
.
10-6, ,
,
.
. Windows NT ,
. - Windows NT,
.
Windows 2000 Windows Server 2003,
Windows 2000 native,
, .
,
.
. 10-6.

,
, - .
. , Exchange 2000 Server , ,
, Exchange Server 5.5
. ,
Exchange 2000 Server, -
. Exchange Server 5.5 Exchange 2000 Server
Exchange Server 5.5 ,
. ,
, .

Active Directory Windows 2000 ,
, .
GC-. ,
Windows 2000. Windows Server 2003
Windows Server 2003 Windows Server 2003 interim (),
, , . , ,
GC-, GC- .
, ,
Active Directory Windows Server 2003.
.

Active Directory - computer (). Active Directory
. - domain controller ( ),
. domain
controller OU Domain Controllers.
OU, .
OU Domain Controllers,
.
computer - , ,
. Active Directory
Computers. computer
OU, .
, ,
(OU).
.
, ,
. OU OU,
.
,
.
. , Windows NT, Windows 2000,
Microsoft Windows XP Professional Windows Server 2003,
. , Microsoft Windows 95
Microsoft Windows 98, .
Active Directory .
Active Directory, ,
. -
. ,
, .
Active Directory
Computer Management ( ).
Active Directory Users And Computers,
Manage (). -
Computer Management, .
. ,
Active Directory, , Active
Directory . 11, 12 13 ,
.

printer
Active Directory printer.
printer Active Directory,
, , ( ,
). printer Active Directory
.

Active Directory
, Windows 2000 Windows Server
2003, , Active Directory.
, List In The Directory ( )
Properties () .
Windows NT ,
Active Directory. , container,
printer, New
()>Printer (). UNC- .
. Windows NT
Windows 2000 Windows Server 2003,
Windows NT Active Directory. Microsoft Pubprn.vbs,
.
%systemroot%\system32.
Active Directory printer
Active Directory.
Properties () , Active Directory Users And
Computers. , ,
, , , , .
Active Directory, A Printer On The
Network ( ) Search (), Start (),
, . 10-7
Windows Professional. ,
Connect
(), .
printer Active Directory,
Group Policy Object Editor (. . 10-8).
, , ,
. printer Active
Directory, printer . , ,
,
printer. Active Directory
-
8 , .
, printer Active Directory.
Windows 2000, ,
Active Directory.
, Group Policy Object Editor.

. 10-7. Active Directory


. 10-8. Group
Policy Object Editor

Active Directory,
printer ,
, . ,
, , .
, . ,
,
. , ,
, .
, Active Directory,
,
. .
, .
1. Active Directory Sites And Services subnet (),
.
subnet Properties (). Location
() location ( ) .
: location/sublocation (
/ ) (, / ).
2. Group Policy Object Editor Pre-Populate
Printer Search Location Text ( ,
) .
.
3. Properties .
General () .
, Browse (),
.
, (,
/ / 5).
4. ,
. Add Printer
Wizard ( ) , Location (
) .
10-9 Windows Professional.
Browse .
. 10-9. printer Active Directory Location


, Active Directory - shared folder (
). Active Directory, .
New ()>Shared Folder (
). Active Directory, UNC- .
Active Directory shared folder,
Active Directory. shared folder,
.
Active Directory ,
, .
shared folder, (. . 10-10).
Properties () ,
. ,
Active Directory, , ,
.

. 10-10. Active Directory

, Active Directory, , ,
, , ,
, , . ,
Active Directory UNC-
. , SalesInfo,
\\Server1\SalesInfo. Active Directory
, \\Server1\SalesInfo.
, ,
Active Directory , .

Active Directory Windows Server 2003
Windows 2000 Active Directory,
, Windows 2000,
. Windows Server 2003
.
Drag and drop. Active
Directory Windows Server 2003
Active Directory.
OU .

.
.
. Active Directory
Windows 2000 .
Active Directory Users And Computers Windows Server 2003
. ,
Marketing () ,
. ,
, Department
Marketing. ,
Properties ().
.
Windows Server 2003,
.
.
Active Directory ,
. ,
, . ,
, ,
30 .
Saved Query ( ) New
()>Query (), ,
, .
Active Directory Windows Server 2003
, Active Directory:
Dsadd Dsmod ( Active Directory
), Dsrm ( Active Directory), Dsmove (
), Dsquery ( ) Dsget
( ). Help And Support Center (
) ,
.

Active Directory Windows Server 2003, .
. ,

. ,
, - ,
: user, inetOrgPerson contact. ,
, .
computer, printer shared folder.
11.
,
(IT - Information Technology), -
. ,
.
, .
,
.
.

. ,
.
.
Microsoft Active Directory Windows Server 2003
. ,
Active Directory,
( )
, Active Directory Windows Server 2003. 12
13 ,
.
.
Microsoft Windows 2000 : Windows 2000 Server, Windows Server 2003, Windows 2000
Windows XP Professional. -,
Microsoft Windows NT, Windows 95 Windows 98.
Active Directory Windows 2000, ,

Active Directory , Active Directory Windows Server 2003
. Windows XP
Professional Windows 2000.


Active Directory Windows Server 2003
,
. 11-1 ,
.
. 11-1.



.
.

, .

,
.
MS-DOS .bat
Windows Script Host.

,
My Documents ( ), Start
() Desktop ( ),
,
.
.

.
,
,
,
- .


, ,

.

.
Windows 2000, Windows XP Windows Server 2003.
, ,
, . ,
. ,
, - , ,
Active Directory .
. (GPO -Group Policy Object)
%systemroot%\System32\GroupPolicy.
- Active Directory.
Active Directory, .
Active Directory Windows Server 2003,
Active Directory: Default Domain Policy ( ) Default
Domain Controllers Policy ( ). Default
Domain Policy
. Default Domain Controllers
Policy (OU)
.
, ,
Active Directory.
, OU .
Active Directory .
, - .
. Active Directory
,
.
GPO, Active Directory, .
(GPC),
Active Directory Users And Computers System
()\Policies (). , Advanced
Features ( ) View () (. . 11-1). GPC
.
. GPC,
(GPT - Group Policy Template)
.
. ,
(, )
GPO.
. , GPO
, .
, GPC, ADSI
Edit, Group Policy Editor.

. 11-1. GPC Active Directory

. 11-1 , (GUID),
GPC Active Directory, .
GPC-
ADSIedit.msc. GPC Active Directory, ADSI Edit,
display Name.
, , GPT,

Sysvol -
. (. . 11-2).

. 11-2.

Adm .adm,
.

Scripts ,
.
User
,
.
Registry.pol.
User\Applications
,
.
Machine
, .

Registry.pol.
Machine\ Applications
, .

{GUID} Gpt.ini,
GPO.
GPO- . (GPC)
Active Directory. Sysvol (GPT)
(File Replication service - FRS).
. GPO ,
. Replication
Monitor . (Replication Monitor Active Directory,
, Suptools.msi,
\Support\Tools - Windows Server 2003.) Replication Monitor
Monitored Servers (- ).
Show Group Policy Object Status (
). 11-2 ,
.

. 11-2.
Replication Monitor


GPO ,
(PDC).
,
.
PDC , ,
, (. . 11-3). (
, ,
View ()> Options ( DC) .)
, Operations Master (
) PDC, PDC.
, ,
.

. 11-3. , GPO
GPO
GPO.
Active Directory ,
GPO.
Properties (). Group Policy ( ) (. . 11-
4). GPO, , New
().

. 11-4. GPO, OU

(Microsoft Management Console) Group Policy Object Editor ( ).
GPO, .
Local Computer Policy ( ).
Browse (), GPO
. GPO
, (. . 11-5).

. 11-5. GPO- Group Policy Object Editor -

GPO Welcome To The Group Policy Wizard ( ), Create New
Group Policy Object ( ).
, GPO,
, GPO. 11-6
GPO. GPO
.


GPO , .
Group Policy Properties ()
, GPO (. . 11-4). 11-3
, .

. 11-6. GPO-

. 11-3. GPO

Add ()
GPO
. Add,
,
11-5. GPO

.
Edit ()
GPO,
GPO.
Edit,
(. . 11-6).
Options ()
No Override (He )
GPO.


.

Delete () GP

GPO Active Directory, .

.
Properties ()
GPO
. :
, :
GPO.


.


GPO , OU Active
Directory.
Users Computers.

. , ,
,
. .
1. Local group policy ( ).
.
2. Site-level group policies ( ).
Active Directory.
3. Domain-level group policies ( ).
Active Directory.
4. OU-level group policies ( OU).
OU,
OU, OU .
Active Directory
. , GPO
. 11-7
, OU. Scripts Policy ( ),
- Desktop Policy ( ), - Office Installation Policy (
).
. 11-7. , ,
,

,
. , GPO Run ,
GPO Run,
Run OU. ,
. GPO
Run, GPO
.
, .
GPO : Enabled
(), Disabled () Not Configured (He ).
Enabled, , ,
. Disabled, ,
, . GPO,
, Disabled. ,
Run GPO, OU .
Run OU ,
Run OU . Not
Configured, , ,
.




Local/Site/Domain/Organizational Unit (LSDOU).
.
,
.

OU
. 5, OU
, OU .

.
,
.
,
. , OU,
,

. ,
.
,
.
, Active Directory Windows Server 2003
.


.
.
, ,
Properties (). Group Policy ( )
Block Policy Inheritance ( ) (. . 11-8).
, ,
, . ,

OU, .
, ,
( Run )
,
.
, ,
OU
.

. 11-8. OU

.
, .
.

No Override (He ).
, -
. ,
, ,
, Properties () . Group
Policy, , Options No Override
(. . 11-9).

. 11-9. No Override

No Override ,
, . ,

- .
, , .
No Override,
.
No Override , GPO ,
GPO. GPO
No Override,
. No Override
GPO, .. GPO, OU,
No Override GPO, OU.
. No Override
, .

. .



Active
Directory.
. Security ()
. 11-10, Security
GPO , Authenticated Users (
) Read () Apply Group Policy (
). , , ,
.
,
Apply Group Policy .
Authenticated Users Security Apply Group Policy.
(ACL)
Read Apply Group Policy. , -
, ,
Active Directory .
. 11-10. Security() Properties ()
GPO GPO

. ,
. ,
, ,
, ,
.
, .
, ,
. ,
, OU
. , , GPO
, ,
GPO- , .
, GPO,
OU, , OU.
, -, , ,
, Apply Group
Policy . -, ,
, ,
Deny () Apply Group Policy ( )
, .
. Apply Group Policy ,
Read Access ( ). ,
,
, .

. Active Directory Windows Server 2003, Windows Management Instrumentation (
Windows) (WMI). WMI, WMI-,
, .
, ,
, 200
, , 64 .
(Help And Support Center) WMI Software
Development Kit - Microsoft http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_start_page.asp.

,
, . ,
Properties () GPO (. . 11-11),
, .

. 11-11. GPO

. ,
, ,
, . ,
,
. ,
, .


,
, . ,
Properties () GPO Options () (. . 11-9).

. , ,
, , .
, ,
. .


, , GPO
Active Directory Windows Server 2003, ,
.
, .
1. ,
. DNS-,
IP- , .
2. DNS-,
. , ,
GPO-, .
3. GPO- ,
. GPO
. ,
, LSDOU-.
4. ,
GPO, .
.
. Windows XP
, Windows 2000 - , ..
, ,
- , -
. ,
Windows XP .

. User Configuration\Administrative Templates\System\Group Policy Computer Configuration\Administrative Templates\System\Group Policy. 11-12 , Computer Configuration
.

. 11-12.

.
, 90 , 30-
,
.
5 .

.
,
, .
,
(
).
, ,
ping .
, , .
, -
ping - .
. Ecjfti
500 /,
. ,
500 /,
.
.
Computer Configuration\Administrative
Templates\System\Group Policy. Group Policy Slow Link
Detection ( ) Properties
() (. . 11-13).
Enabled (), , .

. 11-13.

,
,
.
, .
Computer Configuration\Administrative Templates\System\Group Policy.
, Internet Explorer
.
Group Policy ( ) Properties. Enabled
() , (. . 11-14).

. 11-14. Internet
Explorer
, Allow
Processing Across A Slow Network Connection (
). ,
, ,
, .
GPO
loopback. ,
, ,
, .
loopback,
,
. loopback User Group Policy
Loopback Processing Mode ( Loopback )
Computer Configuration\Administrative Templates\System\Group Policy (. . 11-15).

. 11-15. loopback

loopback,
. Merge () ,
, ,
.
.
. Replace () ,
.
loopback . , ,
, .
, , ,
, . ,
OU
OU. loopback OU. ,
,
, loopback .

GPO
9, Active Directory
.
-
.
, .
,
GPO. Domain Admins (
) Group Policy Creator Owners (- ). Group
Policy Creator Owners , ,
,
.
, ,
.
, GPO
, .
Active Directory GPO
%systemroot%\Sysvol\domainname\Policies, GPT.
GPO,
Read () Write () GPO.
.
- GPO,
GPO .
Delegation Of Control Wizard ( ). Active Directory
Users And Computers ( Active Directory)
, ,
Delegate Control ( ), .
OU
(. . 11-16).

Resultant Set of Policy (RSoP) (-
). Delegation Of Control Wizard
RSoP (. . 11-16).
, ACL ,
Write gPLink.

.

. 11-16.

,

Windows Server 2003
, .
,
.
GPO Active Directory Windows Server 2003
, OU. , GPO
, GPO.
GPO , ,
. ,
OU -
, GPO,
. ,
-, .
, GPO , ,
WAN-,
.
, , ,
, , , -
, Read GPC Active Directory GPT
Sysvol. GPO
GPO .
,
. Active Directory Windows Server 2003 ,
. ,
,
. , ,
. ,
, .
, ,
.

.

.

, GPO .




.
- Group Policy Object Editor.
.

RSoP
. ,
, .
GPO ,
, ,
GPO .
RSoP, ,
, .
RSoP : .

, .

.
( )
.
RSoP, -
Resultant Set of Policy ( ).
Resultant Set Of Policy Generate RSoP Data ( RSoP). Resultant
Set Of Policy Wizard .
.
, .
, GPO
.
, , ;
, (. . 11-17).

. , ,
, ,
loopback. ,
Active Directory
.
.

. 11-17.
RSoP

GPResult
GPResult - ,
RSoP. Gpresult -
, ,
, , .
, , ,
. , ..
, ,
.
.
GPResult , Windows XP
Professional Windows Server 2003. GPResult
(Help And Support Center).

GPUpdate
GPUpdate Secedit /refreshpolicy,
Active Directory Windows 2000. -

. gpupdate , ,
.
.
Gpupdate ,
,
,
. ,

. /logoff /,
.



, OU,
.
, ,
, .
Microsoft
(GPMC - Group Policy Management Console) (. . 11-18).

. 11-18. GPMC ,

. Microsoft ,
GPMC Windows Server 2003.
- 2 GPMC.
, .
GPMC ,
. 11-4
GPMC.

. 11-4. GPMC

GPO Settings
( GPO.
GPO)
GPO Links (
GPO) , GPO
.
GPO Delegation
( GPO) ,
GPO
RSoP.
Security Filtering
( ) ,
.
RSoP Planning (RSoP Group Policy Modeling
) ( ),

RSoP.
RSoP Logging (RSoP Group Policy Results (
) ) ,
RSoP.
Modify Inheritance
( No Override (He ) Block
) Inheritance ( ).
Search () ,
. ,
GPO,
Folder Redirection
( ).
Backup And Restore
GPOs ( GPO
GPO .

GPO) GPO

.
Scripting Interface GPMC
( -,
)
.
- Microsoft
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx.

, GPMC
.


,
.
, ,
.
, .
. 12 13

.
,
, , .
GPO,
GPO
GPO , .
GPO ,
.
, -
GPO .
.
, ,
.
,
OU. GPO
. , GPO
, - , -
.
, .
OU
, rpytm
,
. ,
.
.
, , .
.

Active Directory Windows Server


2003, .
,
Windows Server 2003,
.
, OU, GPO
.
, . 12 13
, . 12 ,

-, 13
.
12.

11
Active Directory Microsoft Windows Server 2003.

, 13 .
- ,
. ,
,
.
, Microsoft Office, , .

.

,
. ,
, .
,
, .

, .
, Active Directory
, .
,
.
, ( )
, , , ,
. Active Directory .

Windows

Windows Microsoft. Windows
, Windows.
.
(.msi-). .msi
, ,
.
Windows (Msiexec. exe).
.
(DLL) Msi.dll .msi.

, , ,
msi.
Windows .
, . .
, ,
, . , -
, ,
. Windows, .msi,
,
. .msi
.
. Windows Windows
Server 2003, Microsoft Windows XP Professional Microsoft Windows 2000,
Windows .
Windows,
. Windows
Microsoft Windows NT, Windows 95 Windows 98.

Windows Server 2003, Windows XP Professional Windows 2000.
.msi
.
(native) Windows.

.msi
Windows -, ,
. Windows
, .msi
.
.msi, .
,
.
.
, ,
. Windows 2000
Windows XP, .msi.
,
, .
(, Wise).
.
.
, . ,
,
. ,
.
,
.
.msi.
.msi , Group Policy Software Installation
( )
.



Windows ,
Active Directory Windows Server 2003.
,
.

, .
,
, .msi-, .
, .
,
Read (). ,
Read. (
.)


GPO,
. GPO .
GPO ,
. Computer Configuration\Software
Settings Group Policy Object Editor ( ),
, .
, User Configuration\Software
Settings ,
.
. 11 Microsoft
Group Policy Management Console (GPMC),
.
, ,
,
Active Directory. GPMC-
, , 11, 12 13,
,
- Windows Server 2003.
,
.
, , .
, ,
.
,
, ,
, .
, ,
. , ,
Start ().
Add Or Remove Programs (
).
, Start Add Or Remove Programs.
, ,
, .
, Microsoft Word .
.doc, Word .
(extension activation).
Active Directory Windows Server 2003, Active Directory
Windows 2000,
.
, ,
, .
, .
, Add Or
Remove Programs . ,
,
.
,
. Add Or
Remove Programs. , .

.
,
. ,
Microsoft Visio, .
Visio.
,
, , .

.
1. .
, ,
Read () .
2. : , (OU),
, .
Group Policy ( ). GPO
Edit () GPO.
3. ,
User Configuration\Software Settings ( \
) ,
Software Installation ( ), New (),
Package ().
, Computer Configuration\Software Settings
( \ ) GPO,
Software Installation ( ),
New (), Package ().
4.
. ,
, .
.msi.
.
, . ,
.
5. .msi ,
. 12-1
. , ,
.

. 12-1.

6. , .
Advanced (),
Properties,
.
GPO ,
.
(
) (
). GPUpdate,
Windows XP Professional Windows Server 2003,
,
. ,
gpupdate /logoff gpupdate /reboot.


.
,
, -
. ,
.
.
, GPUpdate.
,
.
. ,
. ,
, , ,
.
, ,
.
,
(Distributed File System - DFS). DFS
, ,
. , DFS \\serverl\softinst,
.
DFS
. DFS,

. DFS , , ..
, DFS
, ,
WAN , .
, .
,
, . ,
GPO, ,
OU, OU,
GPO- OU.
,
. ,
GPO OU,
, GPO-.
, ,

,
.


,
Windows
.msi ,
. ,
,
.
(.zap) .
. zap , ,
. .zap-
:
[Application]
FriendlyName = "applicationname"
SetupCommand = "\\servername\sharename\installapplication.exe"
FriendlyName , Add Or Remove
Programs . SetupCommand ~
. UNC-
SetupCommand.
,
SetupCommand, , ,
. :
SetupCommand = "\\servername\sharename\setup.exe" /parameter
, ,
,
.
.zap
.
Add Or Remove Programs,
. , .zap,
, ,
.
.zap
Windows. -, .zap
, ..
, . ,
.zap ,
, ..
. , .zap,
. -
,
. , ,
.zap, . -

, ,
.


.
Properties. 12-2 Deployment
(). 12-1 Properties.

. 12-1.

Deployment Type ( ,
)
Auto-Install This Application By .
File Extension Activation
( ,
,
) .
, .
Uninstall This Application When ,
It Falls Out Of The Scope Of
Manage ment . ,
(
, - OU,
) ,
,

.
Do Not Display This Package In
The Add/ Remove Programs Add/ Remove
Control Panel (He Programs (/ ).

Add/Remove Programs )

Install This Application At Logon


(
) ,
.
, .
Installation User Interface ,
Options (
.
) Basic () ,

.
Maximum ()
.
Advanced (
)
.
32- 64-
,
, ,

, -
,
Active Directory (. . 12-3).
. 12-2.

. 12-3. Advanced Deployment Options (


) ,

, ,
, ,
-
GPO. ,
Software Installation ( ) Properties () (. .
12-4).
. 12-4. ,

,
GPO.

.


,
Windows. ,
, ,
.
Microsoft Office, Microsoft Word
Microsoft Excel, .
,
.
, (.mst).
.msi .
-
.mst ,
. , Microsoft Custom
Installation Wizard ( ) Microsoft Office 2000
Resource Kit Microsoft Office XP Resource Kit. .msi,
.mst. ,
.
, Microsoft Office,
.
,
,
.
(, ),
, Microsoft Office
.

. Advanced
() ,
. Properties () Modifications
(), . 12-5
Modifications.

. 12-5.

, ,
GPO, .
. ,
, .. ,
, .


,
, .
: ()
(service pack) .
Microsoft Office 2000, Service Release I for Office 2000
, Office XP
.
.
(patch file) ,
.msi patch- (.msp) . (
,
.) .msi
, .msi,
. . ,
, All Tasks
( ), Redeploy Application ( ).
,
.
.
.
Upgrades ().
, ,
. Add ()
Upgrades, , .
, ,
. 12-6
Office 2000.
. 12-6.

, Upgrades (. . 12-
7). Upgrades .
, GPO,
.
,
, Start () Add Or
Remove Programs ( ).
GPO,
, .
. , , ,
, , .
,
.
, .
, . , ,
,
, , , ,
. ,
.

. 12-7. Upgrades Properties ()



,
.
, GPO ,
, Add Or
Remove Programs, . ,
,
, .

. , 12-8 ,
. Administration
(), Administration
.
Active Directory Windows Server 2003 -
, . ,
GPO, Software Installation
( ) Computer Configuration User
Configuration, Properties, Categories () (. . 12-9).
-
GPO-, GPO- .

.

. 12-8. Add Or Remove Programs


. 12-9. GPO-


, ,
.
.
. , Word 2000 Word XP
.
, ,
.
Group Policy Object Editor Software Installation Properties (
) Computer Configuration User Configuration.
File Extensions ( ) (. . 12-10).
, .

. 12-10.

,
.
.
1.
.
2. ,
.
3. .
.
. GPO,
,
GPO. , Software
Installation ( ), All Tasks ( ), Remove
(). 12-11 ,
. Immediately Uninstall The Software From
Users And Computers (
),
.
Allow Users To Continue To Use The Software, But Prevent New Installations (
,
), ,
, GPO-.

. 12-11.


Windows
,
, Windows, , ,
, Windows Installer. Active Directory Windows
Server 2003 , .
, GPO
Computer Configuration ( ).
Administrative Templates ( ), Windows Components
( Windows), - Windows Installer ( Windows) (. . 12-12).
: User Configuration\Administrative
Templates\Windows Components\Windows Installer. 12-2
.
. 12-12. Windows

. 12-2. Windows

Disable Windows Installer (
Windows) (
)
Windows. ,

Windows,
,
,
.

Always Install With Elevated Privileges


( ) ,
(
) ,
.
,
Windows

.
Prohibit Rollback ( ) ,
(
) Windows
,

.
Remove Browse Dialog Box For New
Source ( Browse (),
) ( ,
) Windows.
Browse, ..

,
.
Prohibit Patching (
) ( ,
) Windows.

,

,
.
Disable IE Security Prompt For Windows
Installer Scripts ( IE , ,

Windows) ( Microsoft
) Internet Explorer.
,

-.
Enable User Control Over Installs
( .
) ( ,
) ,

.
Enable User To Browse For Source While
Elevated ( ,
,
) ( .
)

Enable User To Use Media Source While


Elevated (
,
,
) ( .
)

Enable User To Patch Elevated Products


( ,
,
) ( .
)
Allow Admin To Install From Terminal
Services Session (

) ( ,
) .

Cache Transforms In Secure Location On


Workstation (- ,

) ( .
)

.
Logging () (
) Windows


.
Prohibit User Installs ( ,
) ( ,
) . ,

,
, .
,

.
,
Windows v2.0 (
).
Turn Off Creation Of System Restore
Checkpoints (
Windows XP Professional,
) (
) System Restore
( ).

Search Order ( ) (
) ,
Windows
.
Windows
,
, - URL .

Prevent Removable Media Source For Any


Install ( Windows
)
( ) .




,
.

.
.
, .
, , -
.

, .

.
.
, ,
( ),
.
- ,

. ,
OU.
Active Directory
GPO .
,
, GPO . ,
GPO
, ,
GPO-.
GPO-, .
,
GPO.
. , GPO
, , .
GPO , (
), ,
.
,
.
, Active Directory,
. ,
, ,
500 /.
(LAN)
, .
, ,
.

, , ,
LAN. ,
LAN. LAN,
Active Directory. ,
-,
.
,
.
(RIS Remote Installation Services)
.
, .
,
, ,
.
, .
RIS ,
RIS- .


.
, ,
, .
OU Active Directory
.
.

-
.
, ,
. -

.
,
.
Windows Update ( Windows)
. , ,
.
, . Microsoft .msi
, -
. Microsoft
(Software Update Service SUS)
, .
SUS .
SUS, Windows 2000
Windows Server 2003.
Windows Update.
. ,
. SUS
Windows 2000 Professional Server ( Service Pack 2
), Windows XP Professional Windows Server 2003. Windows 2000
Service Pack 3 Windows XP Professional Service Pack 1 SUS-.
SUS
SUS, .
SUS .
, Computer Configuration,
Administrative Templates, Windows Components, Windows
Update
(. . 12-13). , SUS-
.

. 12-13.
SUS ,
- Microsoft ,
http://www.microsoft.com/windows2000/windowsupdate/sus/susoverview.asp.


, .

Microsoft Systems Management Server (SMS) LANDesk Intel.
,

Windows 2000 Windows XP Professional.
, Windows NT
Workstation, Windows 95 Windows 98 .


, .

.
,
. ,
, SMS, . ,
SMS LANDesk ,
wake-on-LAN,
.
, ,
, .
, , ,
- .
, ,
.
, .
,
.
. , ,
, ,
.
,
.
,
. Active Directory ,
,
.

, ,
GPO , .
(,
SMS LANDesk) .
, ,
, -
, . ,
. ,
Office ,
.
, ,
. ,
VPN-
.
.
-,
. ,
. ,
, ,
.

, .
,
.
, Windows 2000
Windows XP Professional, ,
.
,
.

Active Directory Windows Server 2003



. Windows,
,
.
,
.
13.

12 Active
Directory Microsoft Windows Server 2003
,
.
.
,
, ,
,
. ,
.
-
.
,
. , ,
.
, ,
.
, - ,
. ,
. , ,

.
,
. ,
, -
.

.
.



,
. ,
,
,
. ,
,
- ,
. , ,

.
,
.


.
Microsoft Windows NT 4 Active Directory Microsoft Windows
2000,
.
.
,
.

.
, ,
.
,
, .
, ,
.

. -
,
. ,

,
, , ,
.



Active Directory Windows Server 2003 ,
.
Group Policy.

. 13-1
GPO. 13-1
.

. 13-1. Default Domain Policy (


)
. 13-1.


Computer Software Settings (
Configuration and ,
User Configuration )
( .

)
Computer Windows Settings\ Scripts
Configuration and (
User Configuration Windows\)
( .

)
Computer Windows Settings\ Security ,
Configuration and Settings (
User Configuration Windows\
( ) .

) ,

.


User Configuration Windows Settings\ Folder ,


( Redirection (
) Windows \- ,
) My Documents (
), .

User Configuration Windows Settings\ Remote


( Installation Services (
) Windows \ (RIS).
)

User Configuration Windows Settings\ Internet


( Explorer Maintenance
) ( Microsoft Internet
Windows\ Internet Explorer
Explorer) .

Computer Administrative Templates


Configuration and ( )
User Configuration ,
(

.
)

.


, ,
. ,
, ,
.
.
.
. ,
, ,

, ,
. ,
.
, ,
, .
Active Directory
.
- , -
.
,
. ,
, ,
.
,
Active Directory, , ,
.
Active Directory
,
.



. HKEY_CURRENT_USER
( Ntuser.dat),
. , My
Documents ( ), Start Menu ( ), Desktop ( ) Application Data
( ). 13-2
Windows Server 2003.

. 13-2.

,
.
, %systemdrive%\Documents And Settings.
, ,
, , ,
Documents And Settings ( ).
, ,
, .
- .
, ,
. , ,
,
. ,
.
.
, , ,
, . Windows 2000
Windows XP Professional
, . ,
, , ,
. ,
Profile () Properties ()
Active Directory Users And Computers ( Active Directory).
.

. ,
,
. Account Operators (
), Domain Admins ( ) Enterprise Admins
( ),
,
. ,
.

Ntuser.dat Ntuser.man. ,
. ,
, ,
, .
Windows Server 2003.
,
.
.
Computer Configuration\Administrative Templates\System\User Profiles.

User Configuration. 13-2 .
. 13-2.


Do Not Check For User
Ownership Of Roaming ,
Profile Folders (He
Microsoft Windows 2000 Service
Pack 4 Microsoft Windows XP Professional Service
Pack.
- )
. ,
.
Delete Cached Copies Of
Roaming Profiles (
- , .
- ) ,

Windows 2000 Windows XP Professional,

.

Do Not Detect Slow


Network Connections (He

) .
,
,
.
Slow Network Connection
Timeout For User Profiles . ,
(
- 500 /, (
, IP-)
120 .
)
Wait For Remote User ,
Profile ( .
,
) ,
.

Prompt User When Slow


Link Is Detected ,
(
, ,
. ,
) .
Timeout For Dialog Boxes
( ,
)
. ,

, .
Log Users Off When
Roaming Profile Fails , .
( , ,
, , .
(
) .)

Maximum Retries To
Unload And Update User Ntuser.dat,
Profile (
.

- 60 .
Add The Administrators
Security Group To Roaming
User Profiles ( . Windows 2000
Windows XP Professional
,

)
Prevent Roaming Profile
Changes From Propagating .
To The Server ,
( ,
.

)
Only Allow Local User ,
Profiles (
. ,
)

Connect Home Directory To


Root Of The Share ,
( Windows NT. ,
) ' ,
( User
Configuration) . (
),
,
.
Limit Profile Size
( ,
) ( User ,
Configuration) ,
.
Exclude Directories In
Roaming Profile
( .
)
( User
Configuration)

13-2, Active Directory Windows Server 2003


.
. ,
, ,
,
, .
, ,
, ,
. ,
,
. (OU),
,
.
,
.
, , ,
.
. ,
. , My
Documents ( ) . -
, .
. ,
, , ,
, , , ,
. ,
. .


Active Directory Windows Server 2003
.
, ,
,
. , ,
, My Documents.
, ,
. ,
,
.
, , , -
My Documents.
,

. , Start Menu Desktop ,
, .
Read () , Write (),
.
Active Directory Windows Server 2003: Application Data,
Desktop, My Documents Start Menu
User Configuration ( ), - Windows Settings
( Windows), - Folder Redirection ( ).
, .
My Documents , My Documents
Folder Redirection ( ), ,
Properties (). Properties - Target () (. . 13-3).
. Setting (
) Not Configured (He ), ..
. , , .
Basic - Redirect Everyone's Folder To The Same Location ( -
). , ,
. , ,
, \\servername\sharename .
Advanced - Specify Locations For Various User Groups ( -
).
, Active
Directory . ,
.

. 13-3.

. Advanced
. ,
,
, .
Advanced, ,
,
. ,
.
,
. ,
.
Redirect To The User's Home Directory (
). My Documents
() ,
. , .
, .
My Documents.
Create a Folder For Each User Under The Root Path (
). ,
. ,
.
%username%.
Redirect To The Following Location ( ).

. UNC- .
%username% .
.
, Start Menu
, .
Redirect To The Local Userprofile Location (
).
, .
.
.
, Settings Properties (. . 13-4).

. 13-4.

Settings ( ) .
Grant The User Exclusive Rights To foldername (
).
. Administrator ()
. ,
.
Move The Contents Of foldername To The New Location (
).
. ,
.
Policy Removal ( ).
. Leave The Folder In
The New Location When Policy Is Removed ( ,
),
, . Redirect The Folder Back
To The Local Userprofile Location When Policy Is Removed (
, )
, .
My Pictures Preferences (, My Pictures).
, My Pictures
My Documents.
, My Documents,
,
. ,
. , ,
. Desktop ( ).
,
, . ,
,
, ,
.

My Documents ,
, ..
, ,
My Documents, .
, , , .
, .
Windows 2000,
,
.
, Windows XP
Professional. Windows 2000,
My Documents, , Make Available Offline
( ). ,
, ,
, , .




.
.
.
, ,
, - .


Account Policies ( ), Computer
Configuration\Windows Settings\Security Settings, ,
. Account Policies
: Password Policy ( ), Account Lockout Policy (
) Kerberos Policy ( Kerberos) (. . 13-5). ,
Kerberos Policy, , ,
. Kerberos Policy
, -
Windows 2000, Windows XP Professional Windows Server 2003.

. 13-5.

,
. 13-3 .
. 13-3.

Enforce Password History 24


( ,
) , -
; 0
.
. :
0 24
Maximum Password Age , 42 .
(
) ,

.


,
0.
: 0 999

Minimum Password Age , 1


( -
) , ; 0 -
.
.
,
0.
: 0
998

Minimum Password Length 7


( ,
) . -
, ; 0 -
0. .
: 0
14
Passwords Must Meet
Complexity Requirements :
( , -
- .
- .
) ,
6
, ,


:
,
,
0 10,
( !, $,#)
Store Password Using .
Reversible Encryption ,
( ,
.
)
,

.



, .
13-4 .
. 13-4.

Account Lockout , .
Duration
( 30 ,
.
) 1,
.
.

,
0. ,

, ,
Reset
Account Lockout Counter After.
: 0
99999
Account Lockout 0
Threshold ( .
,
) ,

. 0
,
.
: 0 999
Reset Account Lockout , .
Counter After (
30 ,
) ,
1
0. .
, ,
,
,
Account Lockout Duration.
: 1
99999
Kerberos
Kerberos Kerberos Ticket-
Granting Ticket (TGT), .
13-5 .

. 13-5. Kerberos

Enforce User Logon , .


Restrictions ( (Key Distribu tion Center - KDC)

User
Rights ( )
)

Maximum Lifetime For , 600 (10 ).


Service Ticket
( .
: 10, ,
)
Maximum Lifetime For User Ticket,
99999. 0
,
, Maximum
Lifetime For User Ticket
1, a Maximum
Lifetime For User Ticket Renewal
23
Maximum Lifetime For , 10 .
User Ticket
( TGT. ,

TGT. : 0
) 99999. 0 ,
,
Maximum Lifetime For User Ticket Renewal
Not Defined
Maximum Lifetime For , 7 .
User Ticket Renewal TGT
( ,
. 0 ,


)

Maximum Tolerance For 5 .


Computer Clock
Synchronization ,
( Kerberos. ,

)

Domain Security Policy (
) .
.
OU, , .
OU, ,
OU. OU,
, .
, .



.
Account Policies,
Computer Configuration\Windows Settings\Security Settings.
User Configuration\Windows
Settings\Security Settings. 13-6 ,
Security Settings ( ), 13-6
.

. 13-6. , Security Settings


.
, ,
. , , -
, GPO Active
Directory. , GPO,
.
.
, , .
,
.
,
, .
. 13-6.

Local Policies\Audit
Policy ( .
\ ,
) , ,
,
.
Local Policies\User
Rights Assignment ,
( - .
\ ,
) ,
, ,
..

Local Policies\Security

Options (
,
\ .
)
, ,
, ,
Microsoft .NET
..
Event Log (
) ,
.
,
, .

Restricted Groups
( ) ,
.


Windows 2000 .

, ,
,
,
,
.
System Services
( ) :
.

Registry (
) .
,
.

File System(
) .
,
.
Wireless Network (IEEE
802.11) Policies ,
(
) ,
.
Public Key Policies ,
(
). .
,
Computer Configuration, ,
User
Configuration. (Encrypting File System - EFS).
User Configuration

Enterprise Trust
(

).
IP Security Policies On IP-
Active Directory (IP Security - IPSec).
(domainname) ( , ,
IP Active
Directory) IPSec,
.

. Software Restriction ( )
Security Settings User Configuration, Computer
Configuration. .


Active Directory Windows Server 2003 ,
Active Directory Windows 2000 -
. ,
% .
.
,
, .

.

, , , -.
, ,
. ,
, .
, , ,
, .
,
.
, .

, , .
Hash rules (-). - ,

. Security Levels ( )
Unrestricted (He ),
, -,
. ,
- .
, -
.
Certificate rules ( ). ,
.
, , ,
,
, .
Path rules ( ). , ,
, .
, ,
. ( %systemroot%),
( *.vbs).
Registry path rules ( ). ,
,
.
,
, ,
, .
, ,
, New Path Rule ( )
.

.
,
.
Internet zone rules ( ).
-, . ,
, ,
Trusted Sites ( ), ,
, Restricted Sites (
).
, ,
, ,
. , ,
, .

Computer Configuration\Windows Settings\Security Settings, -
User Configuration\Windows Settings\Security Settings. Active Directory
. ,
Software Restrictions Policies (
) New Software Restrictions Policy ( ).
(. . 13-7).
. 13-7.

Security Levels ( )
. : Disallowed ()
Unrestricted (). ,
,
Unrestricted Set As Default ( ).
, Disallowed
.
Additional Rules ( )
. ,
Additional Rules , .
, - New Hash Rule. -,
Browse () , -
. - . -
,
(. . 13-8).

. 13-8. -

Enforcement () ,
. ,
, , DLL.
, , .
Designated File Types ( ) ,

. .
Trusted Publishers ( ) ,
, . ,
.
,
.


, ,

Windows Server 2003. ,
. ,
. , Microsoft ,
.
,
. ,
, , ,
, . ,
, ,
. , ,
. .
, ,
, .
, ,
. (
IPSec .)
. ,
, GPO.
.inf .


, Microsoft
.
, default ( ), secure () high
security ( ). %systemroot%\security\templates.
Windows Server 2003 Windows XP Professional,
Setup Security.inf.
, ,
.
. ,
,
.
. ,
- . , -
.
,
, .
Windows Server 2003 Windows XP
Professional ,
. ,
.
,
, .
,
. Microsoft Windows Server 2003.
Compatws.inf. .
Windows Server 2003 , ,
Windows. , ,
, Windows Server
2003 Windows XP Professional. -
, .
,
Power Users ( ),
, . ,
,
Users () . Compatws.inf
.
,
Users .
Securews.inf Securedc.inf.
, .
NTLM-,
(Server Message Block - SMB). Securews.inf
, Securedc.inf -
.
Hisecws.inf Hisecdc.inf. ,
. ,
. ,
Windows Server 2003, Windows 2000 Windows XP,
, ,
. Hisecws.inf
, Hisecdc.inf - .
DC security.inf. , -
Windows Server 2003 .
,
.
Notssid.inf. SID
Terminal Users ( )
DACL .
, ,
,
Terminal Users. Windows Server 2003,
.
Rootsec.inf.

, .
, .
, ,
. ,
Security Settings Import Policy (
). %systemroot%\Security\Templates,
. ,
.
.
, .
, .

Windows Server 2003 ,


. - Security
Configuration And Analysis (-
),
. Security Configuration And Analysis
. ,
, ,
. 13-9 .
.
Security Configuration And Analysis Configure
Computer Now ( ).
.

. 13-9. Security
Configuration And Analysis

Security Configuration And Analysis


. ,
,
.
.
Secedit .
, ,
.
Secedit , -
.
, .


,
,
.
Windows 2000 Server, Windows 2000
Professional, Windows XP Professional Windows Server 2003.

, 700. , , ,
. 13-7
, .
Active Directory Windows 2000, Windows Server 2003 150
. 13-7 ,
Active Directory Windows Server 2003 Windows XP Professional.
. 13-7.


Computer Configuration\
Administrative Templates\ ,
System\Net Logon
DNS
.
Computer Configuration\
Administrative Templates\ Remote Assistance (
System\Remote Assistance ), Windows
Professional.
Computer Configuration\ ,
Administrative Templates\ Windows
Components\ Terminal Services Terminal Services
.
User Configuration\Administrative
Templates\ Network\Network ,
Connections ,
.

User Configuration\Administrative


Templates\Control Panel
User Configuration\Administrative
Templates\ Windows Components\ .
Internet Explorer
,
Internet Explorer.
Internet Explorer 5.01
.

.
http://www.microsoft.com/windowsxp/prdytechinfo/administration/policy/winxpgpset.xls.
Active Directory Windows Server 2003
. Active Directory
, .
,
Administrative Templates
Help (). .
13-10 , System ().
Windows NT ,
Active Directory Windows Server 2003.

.
.
, ,
. , ,
, ,
. ,
, , .
Active Directory , ,
. ,
User Configuration, HKEY_CURRENT_USER\Software\Policies
\Software\Microsoft\Windows\CurrentVersion\Policies. ,
Computer Configuration,
HKEY_LOCAL_MACHINE.
,
.
, ,
, . ,
() , ,
Policies . ,
, .

. 13-10.

.adm.
%systemroot%\Inf . 13-8
, Windows
Server 2003.

. 13-8. , Windows Server 2003


System.adm .
Inetres.adm Internet
Explorer.
Wmplayer.adm Microsoft
Windows Media Player.
Conf.adm Microsoft
NetMeeting.
Wuau.adm Windows Update.

, ,
. .adm 13-11.
13-9 , .
. 13-11. System.adm

Sysvol,
,
. Registry.pol, %systemroot%\SYSVOL\sysvol\domainname\Policies\GroupPolicyGUID\Machine
%systemroot%\SYSVOL\sysvol\domainname\Policies\GroupPolicyGUID\User
.

. 13-9.

Policy () .
Keyname () ,
.

Supported
() ,
.
Windows XP Professional, Windows
2000 Windows 2000 ,
Microsoft Windows Media Player, 9.
Explain () ,
.
.adm.
Part () ,
.
Valuename () ,

.

.
, ,
.
.
, , ,

. ,
, ,
, . ,
. ,
,
,
. ,
, ,
.


,
- .
.
. .
Windows NT.
Active Directory Windows Server 2003
Windows NT 4, .
.
Active Directory
. Windows NT .
LocalSystem.

. Windows NT . Active
Directory .
.
Active Directory
. Windows NT
.
Active Directory,
, .
Windows Script Host. Windows
NT MS-DOS
. Windows Server 2003, Windows XP Windows 2000
Windows Script Host (WSH).
WSH
. WSH
, . Active Directory
Windows Server 2003 ,
.
Windows NT Workstation, .
Windows 2000 Windows XP Professional
.
, ,

, .
Active Directory, ,
. , .
- %systemroot%\SYSVOL\sysvol\domainname\scripts.
NETLOGON,
, .
%systemroot%\SYSVOL\sysvol\domainname\GlobalPolicy GUID\Machine\Scripts
%systemroot%\SYSVOL\sysvol\domainname\GlobalPolicy GUID\User\Scripts.
GPO Scripts (Startup/Shutdown) (
(/ ), Computer Configuration\Windows Settings,
Scripts (Logon/Logoff) ( ( / )),
User Configuration\Windows Settings. , ,
Scripts (Startup/Shutdown) Startup.
GPO. Active Directory Windows Server 2003
,
.
Computer Configuration\Administrative Templates\System\Scripts, - User
Configuration\Administrative Templates\System\Scripts. ,
, ..
. , ..
, .
.
, , , ,
, .

Active Directory Windows Server 2003 ,


.
,
, .
, ,
,
.
,
. ,
.
IV. Active
Directory Windows Server 2003
I, II III ,
Active Directory Microsoft Windows
Server 2003, .
Active Directory
. 14 , Active
Directory, Active Directory
. Active Directory. 15
Active Directory. Active Directory
,
, .

14. Active
Directory
, Active Directory
.
Active Directory ,
(
, ).
, Active
Directory, .
Active Directory:
Active Directory.

Active Directory
Active Directory
.
,
, , .

Active Directory.
, Active
Directory, . Active Directory
, -
( , ,
..) (
). -
. ( ,

, , ,
.) ,
, ,
Microsoft Windows Server 2003. ,
Active Directory .
Active Directory, ,
, .
, ,
. ,
,
, . ,
, , Active
Directory, , .

Active Directory?
Active Directory ,
,
.
(service-level agreement - SLA) ( ).
Active Directory,
, , .
. SLA - ()
,
,
. Active Directory SLA
(IT )
, ,
.

,
, , 10000 Active Directory.
Active Directory ,
. Active
Directory ? (GC)
? , ,
, ?
, ,
, .

Active Directory
, Active Directory,
.
SLA- , .
Active Directory
, .

.

Active Directory,
.
IT-
.

Active Directory
Active Directory .
, .
,
-.
, ,
, .

Active Directory .
- ,
, .
, ,
Microsoft Operations Manager (MOM).
MOM ,
Windows Server 2003,
, .
.
, ,
.
.

, Windows Server 2003.
. MOM ,
, .
, , (,
), , ,
.

, .
MOM ,
, . Base
Management Pack Windows Server 2003,
Active Directory, (DNS) - Microsoft
Internet Information Services (IIS). Application Management Pack
Microsoft .NET Enterprise Servers, Microsoft Exchange
2000 Server Microsoft SQL Server 2000. MOM
http://www.microsoft.com/mom.

Active Directory
Active Directory,
,
.
, , (
) .
,
..
Active Directory .
1. , .
( SLA- .)
2. ,
.
3. . ( ,
, ,
.)
4. ,
. :
;
, ;
, .
5. ,
Active Directory.
6. ,
,
Active Directory.
.
.


, ,
.
, .
, ,
. ,
,
. ,
, ,
,
.

. ,
, -
. ,
, ,
.
. Active Directory (,
),
.
Active Directory, .
- .
, ,
. , Microsoft,
. ,
, ,
.
. ( , Microsoft,
.)
. ,
.
, , , Active Directory.


,
Active Directory,
Microsoft. ,
, .
,
.
Active Directory
(. . 14-1)
Active Directory. ,
. , Start () > Administrative
Tools ( ) > Performance (), Add
() . , , .
. 14-1. Active Directory

NTDS DS Search sub- 15
operations/sec
(DS .
/
)
. ,

.

% Processor Time (Instance=lsass) ,
(% Active Directory.
)
NTDS LDAP Searches/ 15
sec (LDAP
/ ) .

.
,

,

.
NTDS LDAP Client 5
Sessions (LDAP ,
.
) ,
,
.
,

,
,
.

Private Bytes 15 ,
(Instance=lsass) .
( )


(
)
,

.

,
,
, ,
.
Handle Count 15
(Instance=lsass) ,

) .


.
Virtual Bytes 15 ,
(Instance=lsass) Active Directory
(
) ,
. ,

(service pack),

,
.
,
2-
.

,
(. . 14-2) .
, , .
. 14-2. ,



NTDS DRA Inbound -
Bytes Compressed 15 , .
(DRA
) ,
(
/ Active Directory.
)

NTDS DRA Outbound -


Bytes Compressed 15 , .
(DRA
)
( ,
/ Active Directory.
)

NTDS DRA Outbound -


Bytes Not 15 ,
Compressed , .
(
DRA
)
NTDS DRA Outbound -
Bytes Total/sec 15 ,
( .

DRA ,
/ )
Active Directory. ,
.


(. . 14-3) , .
, .
. 14-3. ,



NTDS NTLM 15 ,
Authentications -
(NTLM , NTLM
) Kerberos (,
, Windows 2000,
).

NTDS KDC AS Requests 15 ,


( KDC
AS) (KDC).

.

NTDS Kerberos 15 ,
Authentications ,
( KDC.
Kerberos) .

NTDS KDC TGS 15 TGT ,


Requests ( KDC.
KDC TGS)
.


(. . 14-4) ,
, Active Directory.
. 14-4.

Memory Page Faults/ sec 5 700/


() ( /
)
.

Physical Current DiskQueue


Disk length ( Ntds.dit .log. ,
()
) / .


.

Processor % DPC Time 15 10 ,


( (Instance=_Total) (% -
) DPC) .

.

System Processor Queue ,


() Length (
- .
) ,


,
.

Memory Available MBytes 15 4 ,


() ( .
)
.
Processor % Processor Time 85 %
( (Instance=_Total) (% .
) ) ,

Active Directory,
Process, % Processor Time,
lsass instance.

System Context Switches/sec 15 70000


() ( . ,
/ )
,

.

.

System System Up Time 15 ,


() ( .
)

. ,
Microsoft ,
.
Directory Services Guide Microsoft Windows Server 2003 Resource Kit.
http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx.


, ,
.
Performance, Windows Server 2003,
.
. Active Directory Installation Wizard Active Directory,
NTDS Performance,
.
, GC.
Active Directory ESENT (Ntds.dit)
Active Directory. .
,
Active Directory, Install Active Directory Database Performance Counters
( Active Directory)
Microsoft http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/monitor/ScrMon08.asp. ,
.vbs,
ESENT.
-
Kerberos ( 20- ) , .
1. Performance () Administrative Tools (
).
2. Performance Logs And Alerts ( ),
Alerts ().
3. Action () New Alert Settings (
).
4. Name () ,
. Performance Logs And Alerts,
, .
5. General () ,
ADD (), Performance
(. . 14-1).

. 14-1.

6. , .
(. . 14-2).

. 14-2.

7. Action () , ,
. ,
, Schedule
(). Action ,
, (. . 14-3):
;
.
IP- ;
;
.

. 14-3. ,

, Actions,
.
, ,
, ,
. (,
) .
, ,
.
Active Directory, -
Active Directory. -
Active Directory.



System Monitor ( )
Performance. ,

. ,
Performance Logs And Alerts.
.
,
.
Memory\Pages/sec (\/).
PhysicalDisk (_Total)\Avg. Disk Queue Length ( (_Total)\
).
Processor (_Total)\%Processor Time ( (_Total)\ ).
. ,
( ).
.
/ .
(
). 14-4 .
.
, ,
, Highlight ()
. , ,
, .
, ,
, .
HTML-.
,
Save As ( ). HTML,
.
HTML- , . ,
Freeze Display, Performance .

. 14-4. ,

, HTML
System Monitor.
.
Windows Server 2003 , ,
:
Performance Log Users (, ) Performance Monitor Users (,
).
, .
1. , Add
Counters ( ).
2. Add Counters Use Local Computer Counters (
), ,
.
, , Select Counters From Computer
( ) IP-.
3. Performance, ,
. ,
, .
4. Add (), Close ().
5.
Active Directory Event Viewer
Performance Active Directory
,
Event Viewer ( ).
.
Application log ( ). ,
.
System log ( ).
, , , ,
.
Security log ( ). ,
Windows.
, ,
Windows Server 2003, .
Directory Service log ( ). ,
Active Directory.
File Replication Service log ( )
, .
Windows Server 2003 DNS,
.
DNS Server log ( DNS). ,
DNS.
Event Viewer
Administrative Tools. -
, , .
14-5
Windows Server 2003, DNS.

. 14-5. Event Viewer

Errors () Warnings
(). ,
. 14-6 Warnings (ID- 13562)
File Replication Service ( ).


Active Directory ,
, , , .
, Active Directory ,
, .
.

. 14-6. Event Properties ( )

Active Directory.
.
Active Directory.
NTDS Performance.
Active Directory. ,
Active Directory Ntds.dit .log,
, .
DNS . Active Directory
DNS , DNS
, Active Directory
.
(File Replication Service - FRS). FRS
, , (Sysvol)
.
.
, , ,
.
. ,
.
. FSMO,
. , GC-
,
.


Active Directory, , -
. ,
Performance Monitor,
Windows Server 2003 Support Tools (
Windows Server 2003): Repadmin.exe, Dcdiag.exe
(. ). Repadmin ,
.

DC1, Contoso.com:
repadmin /showreps dc1.contoso.com
Dcdiag - , DNS-
. (SID)
(naming context) ,
.
Dcdiag dcdiag /?.
:
dcdiag /test:replications
, , ,
.
, Error () Warning
(). ,
.
ID 1311. ,
Active Directory Sites And Services ( Active Directory),
. ,
- (bridgehead) ,
- (NC).
ID 1265 (Access denied ).
,

, ,
,
,
.

Active Directory
Active Directory
Active Directory.
Active Directory ,
.
Active Directory,
, . ,
Active Directory, Windows Server 2003
Ntdsutil.


,
Active Directory, . - ,
12 .
Active Directory.
- (tombstone) .
- , Active Directory.
.
isDeleted true, -,
. ,
: - (GUID),
SID, (USN) . -
.
- , .
- 60 . ,
-,
.
-
. , -
Active Directory, ,
. ,
- .

. , garbageCollPeriod
DS (NTDS).
, Adsiedit.msc. ADSI Edit (
ADSI) Run () CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration,DC=forestname.
garbageCollPeriod , .
1 . 14-7
ADSI Edit.

. 14-7. garbageCollPeriod ADSI Edit



Active Directory.
Active Directory ,
. Active Directory
, .
Active Directory , ,
, . Active
Directory
.
.
, , . Active Directory,
,
, .

. - , ,
, .
, ,
.
, Active Directory.
Active Directory,
, .
.
12
. ,
, , . 14-8
.

. 14-8. ,

Active Directory
,
Active Directory. ,
, ,
Active Directory. ,
, -
. , GC- ,
, , -
GC.
, , GC
.
, .
1. Active Directory (. .
15).
2. . F8,
Windows. Directory
Services Restore ( ) (
Windows).
3. , Administrator ().
,
, .
4. ntdsutil.
5. Ntdsutil files.
6. File Maintenance ( ) info.
Active
Directory .
7. compact to drive:\directory. ,
.
, .
8. Ntds.dit
.
.
9. , quit,
.
10. Ntds.dit Ntds.dit
Active Directory.
11. .
. ,
Active Directory, .

Active Directory
Ntdsutil
Ntdsutil
Active Directory , Active Directory.
Ntdsutil ,
Active Directory.
, .. ,
Active Directory, .



. ,
.
, Ntdsutil.
. 15 , Active
Directory.
, .
1. .
Ntdsutil.
2. ntdsutil.
3. Ntdsutil files.
4. File Maintenance recover.

, , .
, , .


, ()
.
. -
, .
, integrity File Maintenance Ntdsutil.


,
.
Active Directory.
, GUID, SID
.
, .
1. ntdsutil.
2. Ntdsutil semantic database analysis.
3. Semantic Checker ( ) verbose on.
Ntdsutil
.
4. Semantic Checker go.
. Active Directory Windows 2000, , ,
, Windows 2000 Repair (). ,
Active Directory,
Windows Server 2003.

Ntdsutil Active Directory
. ,
, .
, , , .
,
, .
1. ntdsutil.
2. Ntdsutil files.
3. , , Ntdsutil
info.
.
4. , File Maintenance
move db to directory, directory .
,
.
5. , File Maintenance
move logs to directory.

,
Active Directory , .
,

, . Active Directory
,
.
,
, Active Directory
.
,
.
, , Active
Directory -.
15.

Active Directory ,
. Active Directory ,
, .
Microsoft Windows Server 2003
Active Directory, - .
,
.
Active Directory Windows Server 2003 Active Directory
.
Active
Directory. Active Directory

.
Active Directory.
. Active Directory.
, Windows Server 2003.
Active Directory, .


,
. ,

, .
,
, -
Active Directory .
.

.

.
.
Active Directory.
Active Directory ,
. .

, -
. ,
Active Directory , .
, Active
Directory .
Active Directory .

. ,
,
.

, , - .
,

Ethernet
, , , ,
. Active Directory (circular)
,
. ,
Active Directory
, .
. ,
,
DNS, .

.

Active Directory
. 2, Active Directory Ntds.dit,
%systemroot%\NTDS.
.
Edb.chk - , ,
Active Directory.
Edb.log - . - 10 .
Edbxxxxx.log. Active Directory ,
, ,
, .
; ,
, ,
Edb.log. ,
, , Active Directory.
10 .
Edbtemp.log - , ,
(Edb.log). Edbtemp.log,
, Edb.log
. Edbtemp.log Edb.log.
Res1.log Res2.log , ,
. ,
,
, Active Directory,
, ,
Active Directory. 10 .
. - Microsoft Exchange Server,
Active Directory
. Active Directory - ,
Exchange Server 4 .
Active Directory .
. ,
(OU) , OU- ,
OU- . ,
, , ,
. ,
. , Windows Server 2003 ,
.
, Active Directory - (,
), .
,
, ,
. .
,
, , (
). Active Directory
. ,
Active Directory.
,
, . ,
, ,
.
,
,
. , , Active Directory,
, ,
. ,
. ,
, .
.
. ,
, .
, ,
, ,
.
.
.
,
.
Active Directory Windows Server 2003 (circular)
, .
, ,
.
.
,
. , Active Directory
, 17:00,
.
,
Active Directory. ,
, , ,
.
,
, , .
,
, , ,
.

Active Directory
Active Directory
Active Directory. , Active Directory
.
:
Active Directory ;
, Windows;
;
DNS, Active Directory;
Sysvol;
+;
(
);
;
- Microsoft (IIS) ( IIS
).
-
. , ,
Active Directory, (
) Active Directory ( ,
) .
, .
(backup) ,
, , ..
, ,
System State ( ) .
. Administrators ()
Backup Operators ( )
.
? ,
.
, ,
.
,
, .
, ,
, .
.
,
- . Active Directory ,
-,
. -
60 . , Active Directory
-. , ,
-. -
, . -
-
. - , ,
.
, -,
, . ,
,
- 60 .
, 60 ,
-,
, - ,
. ,
.
,
, -.
-
, , ,
, 60 . ,
, , .
Active Directory ,
.
, , ,
, .
- , ,
.
,
. .

Active Directory
, Active Directory.
, ,
,
, . ,
- OU,
. ,
.
Active Directory,
, .
, Active Directory ,
, , Windows
Server 2003, .
, Active Directory
.
Active Directory .
(nonauthoritative).
Active Directory , ,
Active Directory ,
.
Active Directory, -
, . Active
Directory , ,
.
(authoritative), ,
, .

Active Directory

Active Directory
, .
, , Windows Server
2003 Active Directory 2003,
. Active Directory
Active Directory .
.

- . ,
,
Active Directory .

,
.
Active Directory,
, .
Active Directory ( 100 ),
,
,
.

(WAN),
.
.
Windows Server 2003 Active Directory ,
, ,
. ,
,
.
. , , ,

. Windows Server 2003
, Last Known Good Configuration
( ) Safe Mode ( ).
,
, .
, ,
Windows Server 2003 ( )
.
.
(GC)
, , .
GC- .
, Windows Server 2003
Active Directory
.
,
, , ,
WAN.
,
.
Active Directory
,
DNS.
,
. ,
.
,
Windows 2000, Windows XP Professional Windows
Server 2003 / .
ntdsutil.
Ntdsutil metadata cleanup.
Metadata Cleanup ( -) connections.

.
Server Connections ( ) connect to server servername
( servername), servername -
.
Active Directory, .
, set creds domain username password,
, .
help Server Connections, ,
connect to server %s ( %s). %s
, .
DNS- , IP- .
Server Connections quit, Metadata Cleanup.
select operation target ( ).
, , .
Select Operation Target list domains ( ).
.
select domain number ( ), number ,
. help ,
select domain number, , -select domain %d
( %d). %d .
list sites ( ). .
select site number ( ), ,
, .
list servers in site ( ). ,
, . select server
number, , . Ntdsutil
* , (. . 15-1.)

. 15-1. , Ntdsutil

quit. Metadata Cleanup.


remove selected server ( ). ,
. Yes ().
Ntdsutil, quit ,
.

Ntdsutil
14 Ntdsutil
Active Directory. Ntdsutil - ,
Active Directory . Ntdsutil
, .
Ntdsutil, ntdsutil.
Ntdsutil.
,
. help , ,
. 15-2 ,
Ntdsutil.

. 15-2. , Ntdsutil
Ntdsutil
Active Directory. Ntdsutil
Help And Support Center.
Ntdsutil DNS-
. DNS- DNS, ,
, GC-
(PDC). ( ,
.) DNS,
DNS .
.
Active Directory Users And Computers ( Active
Directory) , , OU Domain Controllers
( ). Active Directory Sites And Services ( Active
Directory) , , Servers ()
, .


Active Directory
.
.

.
. ,
, Active Directory.
.
.
,
.
,
.
, -
.
.
, :
Active Directory
. ,
, Windows Server 2003,
, ,
Active Directory , 100 . ,

, ,
.
. ,
,
, .
Active Directory,
. , Active
Directory, Active Directory
. ,
, .
,
, ,
. Windows Server 2003 ,
, ,
. Windows Server 2003
, ,
. , (hardware
abstraction layer - HAL), . ,
, .
, Windows Server 2003
, .
.
Windows Server 2003,
, .


Windows Server 2003 -
(Automated System Recovery - ASR).
.
ASR, ASR-, .. Backup
ASR.
, ,
. , ASR-
.
- Active Directory ,
.
.
,
, . .
, .

Windows Server 2003. -
1. F8, Windows Advanced Options
Menu ( Windows).
2.
Directory Services Restore Mode (Windows Domain Controllers Only) (
Windows)).
, Active Directory.
3. , .
4. , Administrator Directory Services
Restore ( ),
Active Directory.
5. ,
System State ( ) .
6. .
7.
,
, .
. Active Directory
. Active Directory
. .
Ntdsutil.


,
. , - OU,
, ,
, .
, OU
, , Active Directory Users And Computers,
OU .
,
OU .
, Active Directory,
, ,
.
(USN)
. , , USN
100000,
.


.
.
,
. ,
, (, OU),
. OU
. ,
-,
. -
, , , ,
, .
- ,
.
, . ,
.
,
,
. ,
, .

. ,
.
, , ,

.
, ,
. USN
, USN,
.
, , ,
,
.
.
.
.
, Microsoft Windows NT, Windows
2000, Windows XP Professional Windows Server 2003, ,
- .
.
. ,
, .
- ,
- .
NTLM Active Directory Windows NT ,
, .
,
. ,
NetDom ,
.
. ,
, .
.
, , .
,
. ,
.


, ,
. , - OU,
OU, .
, .
1. ;
, .
2. ntdsutil.
3. Ntdsutil authoritative restore ( ).
4. Authoritative Restore restore subtree objectname (
objectname). , OU Managers
NWTraders.com, restore subtree ou=managers,dc=nwtraders,dc=com.
,
(, restore subtree cn=manager1,ou=managers,dc=nwtraders,dc=com)
.
5. , restore database
( ) Authoritative Restore.
6. Ntdsutil .
.
Active Directory, .
- , ,
- .
USN
100000.
.

Sysvol
Active Directory,
. Sysvol
, ,
,
. Sysvol
, Active Directory.
Sysvol ,
, .. , Sysvol

. , ,
, ,
Sysvol .
(File Replication Service - FRS),
Active Directory.
,
Sysvol. , -
, Sysvol, ,
. , ,
, ,
.
, .
, (primary)
Sysvol. Windows Server
2003 ,
,
. Advanced Restore Options
( ) When Restoring
Replicated Data Sets, Mark The Restored Data As The Primary Data For All Replicas (
-
) (. . 15-3). Sysvol
, Sysvol.

. 15-3. Sysvol

-
.
,
.
,
. , ,
, .
, .
, ,
.
,
.
, ,
.
.
,
, , .
, ,
. ,
,
, , .
,
, .
. - , - ,
.
.
, , , ,
, .
, , ,
PDC. PDC
, , 15 .
,
.
,
. , ,
. ,
, ,
, .
,
, , repadmin /showvector namingcontext, ,
.
, Ntdsutil
Active Directory Users And Computers ( PDC
). RID,
Ntdsutil.
Ntdsutil,
.
1. ntdsutil.
2. Ntdsutil roles ().
3. Fsmo Maintenance ( Fsmo) connections
().
4. Server Connections ( ) connect to server
servername.domainname ( servername.domainname), servername -
, .
quit ().
5. Fsmo Maintenance seize operations_master_role (
). operations_master_role , :
schema master ( ), domain naming master ( ),
infrastructure master ( ), RID-master ( RID) PDC.
6. .
. ,
, . 15-4
RID.

. 15-4. Ntdsutil RID

7. quit () , Ntdsutil.
PDC
Active Directory Users And Computers. Active Directory
Users And Computers Connect To Domain Controller (
), , ,
.
Operations Masters ( ). ,
(. . 15-5). ,
. PDC
, ..
, Ntdsutil, .

. 15-5. ,
Active Directory Users And Computers

PDC
PDC ,
. ,
Windows 2000 mixed () Windows Server 2003 interim (), PDC
(primary)
Windows NT (BDC). PDC BDC-
. , Windows
NT, Windows 95 Windows 98 ( )
PDC, . ,
Windows 2000 native ()
, PDC .
PDC -
. PDC ,
, . PDC
, PDC
.
PDC ,
, PDC , .
, PDC Windows NT. PDC -
Windows NT,
, PDC-KOH-.
Windows Server 2003. PDC ,
.
, .
PDC ,
PDC .


Windows Server 2003,
. ,
. ,
,
.
,
. ,
. ,
,
, , .
,
, Ntdsutil.
,
.
. , PDC ,
. ,
, ,
. ,
, ,
. , .
,
, .


, .
.
,
. ,
, .
, ,
,
,
, .
.
, ,
, .
,
. ,
, , . ,
, -
, , ,
, , (
, ).
,
, , ,
.



. -
, .
, ,
.
- , -
.

, , ,
- GC-.
.

RID
RID - , RID-
. RID
,
RID,
. ,
RID, RID RID.
RID , 512 RID.
RID ,
, RID RID. RID
. ,
RID , .
, RID , ,
, .
,
RID, . ,
-
RID, .
RID, RID -
(SID).

GC-
(GC)
, ,
. , ,
, GC-
, .
GC-, ,
GC-.
Active Directory, ,
GC-.
GC-
, Windows 2000 native ( )
(UPN). GC- ,
Microsoft Exchange Server 2000.
GC- , .
, GC-, ,
Exchange Server 2000,
, , GC-,
.

Active Directory Windows


Server 2003 .
, . ,
, -
.
Active Directory,
Active Directory.
Active Directory .

, .
