Windows 2000 Active Directory Second Edition P1

Shared by: Tuyen Thon | Date: | File type: PDF | Pages: 30



Document description

Active Directory catalogs network resources, such as servers, applications, users, and groups. Since it stores this information in a single database and distributes this database across the network according to your configuration, you can manage an entire enterprise with Active Directory. In fact, an Active Directory domain can scale to ten million objects, which is enough to satisfy even the most complex enterprise.


Text content: Windows 2000 Active Directory Second Edition P1

1 YEAR UPGRADE BUYER PROTECTION PLAN

Windows 2000 Active Directory Second Edition

Your Complete Guide to the Active Directory Architecture
• Step-by-Step Instructions for an NT4 to Active Directory Migration
• Hundreds of Configuring & Implementing, Designing & Planning Sidebars, Security Alerts, and FAQs
• Complete Coverage of Network Resources, Services, and Users and Groups

Melissa C. Craft
Thomas Llewellyn, Technical Editor
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

[URL missing] is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:
• One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
• "Ask the Author"™ customer query forms that enable you to post questions to our authors and editors.
• Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
• Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you're now holding is your key to this amazing site. Just go to [URL missing], and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there's anything else we can do to help you get the maximum value from your investment. We're listening.
1 YEAR UPGRADE BUYER PROTECTION PLAN

Windows 2000 Active Directory Second Edition

Melissa Craft
Thomas D. Llewellyn Jr., Technical Editor
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and "Career Advancement Through Skill Enhancement®" are registered trademarks of Syngress Media, Inc. "Ask the Author™," "Ask the Author UPDATE™," "Mission Critical™," "Hack Proofing™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 UH7F9MKA5F
002 Q3F3KMV9JX
003 BV7KDFL4W9
004 MN9XVE5ALM
005 CF59K5YPFG
006 ALKEQ34TMG
007 28K7Y4NFNA
008 EMRZP46MGH
009 MS6DREHAWR
010 XZEPA4TMBM

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Windows 2000 Active Directory, Second Edition
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-60-1

Technical Editor: Thomas D. Llewellyn Jr.
Freelance Editorial Manager: Maribeth Corona-Evans
Technical Reviewer: Norris L. Johnson, Jr.
Cover Designer: Michael Kavish
Co-Publisher: Richard Kristof
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan
Copy Editors: Adrienne Rebello and Beth A. Roberts
Developmental Editor: Jonathan Babcock
Indexer: Jennifer Coker

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry's best courses, instructors, and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Eric Green, Dave Dahl, Elise Cannon, Chris Barnard, John Hofstetter, and Frida Yara of Publishers Group West for sharing their incredible marketing experience and expertise. In addition, a special thanks to Janis Carpenter and Kimberly Vanderheiden for help on recent projects.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten and Annabel Dent of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Rick Bizzozero and Carolyn Gifford at GIG Communications for their help with packaging.

Joe Pisco, Helen Moyer, Paul Zanoli, Alan Steele, and the great folks at Graphic Services/InterCity Press for all their help.
About the Author

Melissa Craft (CCNA, MCNE, MCSE, Network+, CNE-3, CNE-4, CNE-GW, CNE-5, CCA) worked with computers during high school, developing computer programs and testing hardware solutions as a summer job. After graduating from the University of Michigan, Melissa designed business solutions for an insurance group using technology to automate processes and using business process reengineering techniques. This position grew into engineering a wide area network, which subsequently turned into a career move permanently into engineering. After making the jump to network engineering, Melissa threw herself at the task of truly understanding network engineering, gaining a myriad of technology certifications and, at the same time, deploying projects for clients. Over the years, she has successfully designed, implemented, and integrated networks ranging in size from a few nodes to over 100,000 nodes. Her consulting experience incorporated extensive project management, operational analysis, LAN and WAN design, deployment, and ongoing network management. In 1997, Melissa began writing magazine articles on networking and the technology industry. In 1998, Syngress hired Melissa to contribute to an MCSE certification guide. Since then, Melissa has continued to write about various technology and certification subjects. Currently, Melissa is a Principal Consultant for CompuCom Systems, Inc. As such, she develops enterprise-wide technology solutions and methodologies focused on client organizations. These technology solutions touch every part of a system's lifecycle, from assessing the need, determining the return on investment, network design, testing, and implementation to operational management and strategic planning.

CompuCom Systems, Inc. is a leading digital infrastructure solutions provider whose clients include Fortune 1000 enterprises, vertical industry leaders, major technology equipment providers, leading-edge systems integrators and wireless technology providers. CompuCom's technology solutions help companies master complex technologies. CompuCom leverages people, process and technology to offer best in class solutions that enable, optimize and operate the digital technology infrastructure. CompuCom is accessible via the Internet at [URL missing].

Melissa holds a bachelor's degree from the University of Michigan and is a member of the IEEE, the Society of Women Engineers, and American MENSA, Ltd. Melissa currently resides in Glendale, AZ with her family, Dan, Justine, and Taylor.

Technical Editor

Thomas D. Llewellyn Jr. (MCSE, MCT, and A+) works as a Senior System Engineer/Project Manager for Integra Business Center headquartered in Allentown, PA. Integra is a Value Added Reseller that provides IT design, project management, and various Information Technology services for small- to medium-sized businesses. Tom has a degree in Computer Science and Technology with a concentration in Computer Programming; he brings over 10 years of real-world IT enterprise experience to Integra that spans the development, networking design, implementation, and ongoing management and support of Information Technology business solutions. He has a vast amount of experience with the Enterprise Deployment of Microsoft Systems Management Server and other Windows NT/2000 based Technologies. Tom has served as Technical Editor on other Syngress books and was previously employed as a Senior Consultant by CoreTech Consulting Group Inc. He lives in Gilbertsville, PA.
Technical Reviewer

Norris L. Johnson, Jr. (MCSE, MCT, CTT, A+, Network+) is a Technology Trainer and Owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies, as well as providing services to other local computer firms in need of problem solving and solutions for their clients. He specializes in Windows NT 4.0 and Windows 2000 issues, providing planning and implementation and integration services. In addition to consulting work, Norris trains extensively in the AATP program at Highline Community College's Federal Way, WA campus, and has taught in the vocational education arena at Bates Technical College in Tacoma, WA. Norris holds a bachelor's degree from Washington State University. He is deeply appreciative of the guidance and support offered by his parents and wife Cindy during the years of transition and education to make the career change that has been so wonderful to be involved in.
Contents

Preface

Part I: Getting Started

Chapter 1 Introduction to Active Directory
  Introduction
  Introduction to Directory Services
    Directory Enabled Networks
    History of the Directory Service
    What Is in a Directory Service?
    The Directory Database
    Directory Service Domino Effect
  Introduction to Active Directory
    .NET
    Protocol Interoperability
    Single Point of Administration
  Active Directory Architecture
    Namespace
    Forests
    Scope
    Distinguished Name
    User Principal Name
    Partitions
    Global Catalog
    Object
    Container
    Domains
    Domain Trees
    Viewing Trust Relationships
    Viewing the Namespace
    Sites
  Architecture
    Data Model
    Schema
    Security Model
    Administration Model
  Summary
  Solutions Fast Track
  Frequently Asked Questions

  Sidebar: Understand What Is in a Directory Service
  A directory is a place to store information. The type of information that is stored in a directory falls into three basic categories:
  • Resources
  • Services
  • Accounts

Chapter 2 Assessing Your Environment
  Introduction
  Defining Your Business Objectives
    Matching Business Objectives to Technology
    Business Objectives That Active Directory Will Meet
  Costs and Benefits
    Project Costs
    Benefits
  Assessing Your Current Environment
    Network Infrastructure
    Servers
    Desktops
    Peripherals and Mobile Devices
    Locations
  Gathering Information for Your Active Directory Planning and Design
    Objects and OUs
    Organizational and Network Infrastructures That Impact Active Directory Planning and Design
  Planning for Your Implementation
    Project Timeline
    Setting Milestones
    Setting a Budget
    Communications
  Gap Analysis of Business Objectives and Current Environment
  Risk Analysis
  Summary
  Solutions Fast Track
  Frequently Asked Questions

  Sidebar: Estimate Project Costs
  • Labor: How many people will be required to work on the project?
  • Capital: What server equipment will need to be purchased?
  • Real estate: Will you require more space for servers?
  • Training: Will your administrators need to be trained on the new system?
  • Ongoing costs: What are the costs of a maintenance contract for the hardware?

Chapter 3 Active Directory for Windows 2000 JumpStart Tutorial
  Introduction
  What Active Directory Is, and Why You Need to Know About It
    Demote a DC
    Policy-Based Administration
    Decentralized Administration
    Improved Security
  Important Features
    Scalability of Forests, Domains, Organizational Units, and Sites
    Extensibility of the Schema
    Multi-Master Domain Controllers
    Intellimirror
    Kerberos Trusts
    Use of Standard Protocols
    Accessibility of Resources
  Industries and Companies Affected by Windows 2000
    Technology Vendors and Partners
    Competitors
    Customers
    And… Microsoft Itself
  Advantages and Disadvantages of Active Directory
    Advantages with Active Directory
    Problems with Active Directory

  Sidebar: Learn about Domains and Domain Trees
  Summary
  Solutions Fast Track
  Frequently Asked Questions

Part II: Designing the Active Directory

Chapter 4 DNS and Naming Strategies
  Introduction
  What Is DNS?
    How DNS Zones Function
  Active Directory's Integration with DNS
    How Active Directory Uses DNS
    Dynamic DNS
  Planning Active Directory and DNS
    Forest Plan
    Domain and DNS Strategy
      DNS Sizing
      Domain Divisions
      Requirements
      Root Domain
      About Domains
      DNS Servers
    Organizational Units
    Site Topology
  Naming Conventions
    Defining DNS Names
    Defining DNS Zones
    Naming Conventions for Active Directory
  Migrating an Existing Exchange Server Design
  Migrating an Existing Novell Directory Services Design
  Summary
  Solutions Fast Track
  Frequently Asked Questions

  Sidebar: Answer Your Questions about DNS
  Q: Can we use a DNS server other than Windows 2000 DNS?
  A: Yes, but it must support SRV RRs. A Windows NT 4.0 DNS server at Service Pack 4 or later can serve SRV RRs, but it has no dynamic update, so every domain controller's records would have to be entered and maintained by hand; earlier NT 4.0 DNS servers do not support SRV RRs at all. A BIND server can be used because it supports SRV RRs, and BIND 8 and later also accept dynamic updates, so domain controllers can register their own records.
  Q: Our company uses a DNS server that does not support SRV resource records (RRs). Can we use it when we implement Active Directory?
  A: No. Active Directory relies on SRV RRs in order to locate domain controllers (DCs). All DNS servers for the namespaces that Active Directory encompasses must also support the SRV RRs.
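Both answers in the DNS sidebar turn on one mechanism: a Windows 2000 client asks DNS for SRV records and picks a domain controller from the answer. The Python below is an added example, not code from the book. It parses a constructed SRV zone fragment, lists the locator names a domain controller registers (that list is the editor's recollection of the standard Netlogon registrations, not taken from the book, and leaves out the per-site names under _sites), reports which names a zone cannot answer, and orders the returned targets by RFC 2782 priority and weight. The domain, hosts and records are made up.

```python
# Added example, not from the book: how a Windows 2000 client finds a domain
# controller through DNS SRV resource records (RFC 2782), plus a check that a
# zone holds the SRV names a DC registers. The zone below is constructed.
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # e.g. "_ldap._tcp.dc._msdcs.example.com."
    priority: int   # lower is tried first
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # DC host name


def parse_srv(line: str) -> SrvRecord:
    """Parse a zone-file line '<owner> <ttl> IN SRV <prio> <weight> <port> <target>'."""
    fields = line.split()
    if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    owner, _ttl, _klass, _rtype, prio, weight, port, target = fields
    return SrvRecord(owner.lower(), int(prio), int(weight), int(port), target.lower())


def load_zone(lines: List[str]) -> Dict[str, List[SrvRecord]]:
    """Group SRV records by owner name, the shape of a DNS answer set."""
    zone: Dict[str, List[SrvRecord]] = {}
    for line in lines:
        rec = parse_srv(line)
        zone.setdefault(rec.owner, []).append(rec)
    return zone


def dc_locator_names(domain: str, forest: Optional[str] = None) -> List[str]:
    """SRV owner names a Windows 2000 DC registers through Netlogon. This is
    the core set as the editor recalls it (an assumption, not from the book);
    the site-specific names under _sites are omitted."""
    d = domain.rstrip(".") + "."
    f = (forest or domain).rstrip(".") + "."
    return [
        f"_ldap._tcp.{d}",
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.pdc._msdcs.{d}",
        f"_kerberos._tcp.{d}",
        f"_kerberos._udp.{d}",
        f"_kpasswd._tcp.{d}",
        f"_gc._tcp.{f}",
        f"_ldap._tcp.gc._msdcs.{f}",
    ]


def missing_dc_records(zone: Dict[str, List[SrvRecord]], domain: str,
                       forest: Optional[str] = None) -> List[str]:
    """Locator names the zone does not answer: what to check on a third-party
    DNS server before the first DC is promoted."""
    return [n for n in dc_locator_names(domain, forest) if not zone.get(n)]


def order_targets(records: List[SrvRecord], seed: Optional[int] = None) -> List[str]:
    """Order SRV targets as RFC 2782 prescribes: ascending priority, then
    weighted random selection without replacement within each priority."""
    rng = random.Random(seed)
    ordered: List[str] = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 records sit at the front so they are picked only when the
        # random draw is 0, as the RFC's selection algorithm requires
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            draw = rng.randint(0, sum(r.weight for r in pool))
            running, chosen = 0, pool[-1]
            for r in pool:
                running += r.weight
                if running >= draw:
                    chosen = r
                    break
            ordered.append(chosen.target)
            pool.remove(chosen)
    return ordered


def locate_dc(zone: Dict[str, List[SrvRecord]], domain: str,
              seed: Optional[int] = None) -> List[str]:
    """LDAP-capable DCs for the domain, best first, from the dc._msdcs set."""
    name = f"_ldap._tcp.dc._msdcs.{domain.rstrip('.')}."
    return order_targets(zone.get(name, []), seed)


# Constructed zone fragment for example.com: two DCs at the head office and a
# branch DC (priority 10) that is only used when those are unreachable.
ZONE_LINES = [
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 50 389 dc2.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 0 389 dc-branch.example.com.",
    "_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.",
    "_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.",
]

if __name__ == "__main__":
    zone = load_zone(ZONE_LINES)
    print("missing locator records:", missing_dc_records(zone, "example.com"))
    print("DCs, best first:", locate_dc(zone, "example.com", seed=1))
```

Run the check against a zone dumped from the third-party server before the first DC is promoted; an empty missing list shows the server can answer the locator queries, though it says nothing about whether the server accepts the dynamic updates that let DCs register themselves.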
Chapter 5 Designing the Basic Structure
  Introduction
  Case Studies
    About [name missing]
    About Insurance, Inc.
  Designing a Forest
    [name missing]
    Insurance, Inc.
  Designing a Domain Tree
    [name missing]
    Insurance, Inc.
  Designing an Organizational Unit Structure
    [name missing]
    Insurance, Inc.
  Designing a Site Topology
    [name missing]
    Insurance, Inc.
  Using OUs for Delegating Administration
    OU Objects in Active Directory
    Group Policy and OUs
    Delegating Administration
  Summary
  Solutions Fast Track
  Frequently Asked Questions

  Sidebar: Design the Active Directory
  When you design an Active Directory, there are four elements that must be planned:
  • Forest Plan
  • Domain/DNS Strategy
  • Organizational Unit (OU) Structure
  • Site Topology

Chapter 6 Designing a Site Structure
  Introduction
  The Function of Sites in Active Directory
    Default-First-Site-Name
  Replicated Active Directory Components
    Domain Partitions
    Global Catalog
    Schema and Configuration Containers
  Site Replication Components
    Site Objects
    Knowledge Consistency Checker
    Connection Objects
    Site Links
    Site Link Bridges
    Replication Protocols
  Replication in Active Directory
    Replication Topology
  Planning a Site Structure
    Placing Domain Controllers
    Where to Place Global Catalog Servers
  Summary
  Solutions Fast Track
  Frequently Asked Questions

  Sidebar: Understand the Components of the Active Directory Sites and Services Console Found in Administrative Tools

Chapter 7 Designing: A Case Study
  Introduction
  Case Study Overview
  Assessing a Corporate Network
    Determining the Business Objectives
    Kings Vineyard's Business Objectives
    Current Environment
      Network Infrastructure
      Servers
      Desktops and End-Users
  Designing the Forests
  Determining Domain and Tree Structure
  Planning the OU Structure
    Administrative Structure
    Hidden OUs
    Group Policies
    Inheritance
  Establishing the Initial Sites
    Site Links
  Placing Servers
    Domain Controllers
    Global Catalog Servers
    DNS Servers
  Summary
  Solutions Fast Track
  Frequently Asked Questions

  Sidebar: Learn the Goals of Placing Servers
  One of the essentials of site design is to place servers in the various locations. When placing servers, there are some simple goals:
  • Ensure that users can log on to and query Active Directory.
  • Ensure that servers can locate other domain controllers.
  • Manage traffic generated by Active Directory.

Part III: Installing Active Directory

Chapter 8 Migrating from NT 3.51 or NT 4 to Active Directory
  Introduction
  Server Migration Strategies
    Primary Domain Controllers
      Changes Required When Upgrading a Domain Controller
    Backup Domain Controllers
    Member Servers
      Promoting Member Servers with Dcpromo
    Upgrading with the Windows 2000 Setup Wizard
    Installing Active Directory Services
  Interim Mixed Domains
    Mixed Mode
    Native Mode
  Migrating Components
    Using Organizational Units to Create a Hierarchical Structure
    User Accounts
      ClonePrincipal
      Active Directory Migration Tool
    Machine Accounts
    Nested Groups
    Global Groups
    Delegating Administrative Authority
    Insert into the Replication Topology
  Upgrading Clients to Windows 2000 Professional
  Summary
  Solutions Fast Track
  Frequently Asked Questions

  Sidebar: Decide Whether to Upgrade Servers or Clients First
  This decision is in line with long-standing networking best practices when deploying new networks:
  1. Establish the network infrastructure first.
  2. Establish security and servers next.
  3. Establish workstations last.

Chapter 9 Implementing a Domain
  Introduction
  Installing DNS
    Verifying Compatibility
    Windows 2000 DNS Installation
    Delegating a Subdomain
    Configuring DNS
      About Zones
      Service Resource Record Registration
  Installing Domains in Active Directory
    Active Directory Sizer Tool
    The First Domain Controller
    Active Directory Wizard
    Integrating DNS into Active Directory
      Active Directory Integrated Zones
  Managing Objects in Active Directory
    Creating Organizational Units
    Managing User Accounts
    Managing Groups
      Nesting Groups
    Managing Computers
    Common Object Management
  Role-Based Administration
    Microsoft Management Console
    Administrative Roles
  Summary
  Solutions Fast Track
  Frequently Asked Questions

  Sidebar: Learn the Three Basic Steps for the Windows 2000 Active Directory Domain Installation
  1. Run the Windows 2000 Server installation command. (You have the option of running WINNT from a DOS prompt, booting directly into the installation from the CD-ROM, or running WINNT32 from a 32-bit Windows operating system.)
  2. Configure DNS (Domain Name System) as a client to another DNS server or as a service on the Windows 2000 Server.
  3. Run the Active Directory Installation Wizard.

Chapter 10 Building Trees and Forests
  Introduction
  Understanding the Characteristics of an Active Directory Forest
    Common Schema
    Common Configuration
    Global Catalog
    Contiguous Namespace
    Trust Relationships
      Transitive Bidirectional Trust
      Trusts That Cross Forests
      Trust Utilities
  Implementing the Forest Structure
    The Domain Tree Structure
    Adding a Child Domain
  Right-Sizing the Active Directory Storage Space
  Managing the Forest
  Summary
  Solutions Fast Track
  Frequently Asked Questions

  Sidebar: Learn the Five Major Command Line Programs
  • NETDOM BDC
  • NETDOM MASTER
  • NETDOM MEMBER
  • NETDOM QUERY
  • NETDOM RESOURCE

Chapter 11 Implementing Sites
  Introduction
  Creating Site Components
    Creating Sites
    Creating Connection Objects
    Creating IP Subnets
    Creating Site Links
    Creating Site Link Bridges
    The Knowledge Consistency Checker
  Implementing a Site Structure in Active Directory
  Replication Utilities
    Replication Monitor
    Replication Administrator
    DSASTAT
  Understanding Time Synchronization
  Summary
  Solutions Fast Track
  Frequently Asked Questions

  Sidebar: Find Complete Coverage of Replication Utilities
  • REPLMON is a Windows 2000 Resource Kit utility that you can use to monitor replication traffic.
  • REPADMIN is a command-line utility that you use to diagnose problems with replication.
  • Although DSASTAT is not geared specifically towards replication, it can help diagnose replication problems that are based in naming context issues.

Chapter 12 Implementing Active Directory: A Case Study
  Introduction
  Case Study Overview
    Forest Plan
    DNS and Domain Plan
    Organizational Units
    Site Topology Plan
  Implementing DNS
  Implementing the First Domain Controller
    Migrating
    Upgrading
  Adding New Domains
  Creating an Explicit Trust
  Establishing the OUs
    Moving Upgraded Users
    Creating New Users
    Adding Computer Objects
  Setting Up Sites
  Summary
  Solutions Fast Track
  Frequently Asked Questions

  Sidebar: Case Study
  In this chapter, you will be provided with an exemplary organization's Active Directory design, and then will walk through its implementation.

Part IV: Migrating Active Directory

Chapter 13 Intellimirror
  Introduction
  What Are Group Policies?
    How Group Policies Are Applied
      Refresh Interval
      Blocking and Enforcing
    Group Policy Information Storage and Settings
      Administrative Templates
      Registry.pol
    Group Policy Settings
      Computer Configuration
      User Configuration
  Designing a Group Policy Strategy
    Group Policy in WAN Environments
  Implementing a Group Policy Strategy
    Configuring Group Policy Objects
    Link a Group Policy Object to a Container
    Adding Scripts
    Deploying Applications with Group Policies
    Folder Redirection
    Keeping Groups from Growing Over Time
  Troubleshooting Group Policies
    Policy that Does Not Execute
    A Policy that Executes in the Wrong Way
    Logging On Takes a Long Time
  Understanding Security
    Groups
    Domain Security Console
      Account Policies
      Local Policies
      Event Log
      Restricted Groups
      System Services
      Registry
      File System
      Public Key Policies
      IP Security Policies on Active Directory
      Security Templates
    Object Protection
      Access Control Lists
      Access Control Entries
      Security Descriptor
      Security Identifier
    Security Model
      Kerberos
      Public Key Infrastructure
      Smart Cards
      IP Security
      Secondary Logons

  Sidebar: Learn about the Four Containers to which Group Policies Might Be Applied
  • Local Group Policy
  • Site Group Policy
  • Domain Group Policy
  • Organizational Unit (OU) Group Policy
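The four containers in the sidebar above are processed in that order (local, site, domain, OU), with a later GPO overriding an earlier one on conflicting settings, and the "Blocking and Enforcing" entry in the Chapter 13 outline covers the two flags that change the result: "Block Policy Inheritance" on a container and "No Override" on a link, which later Windows versions renamed Block Inheritance and Enforced. The Python model below is an added example, not code from the book; it computes the application order and the resulting settings. The container chain, GPO names and settings are constructed, and the model assumes each container's links are listed highest link precedence first.

```python
# Added example, not from the book: a model of the order in which Group Policy
# Objects linked to the four containers (local, site, domain, OU) are applied,
# including "Block Policy Inheritance" on a container and "No Override" on a
# link (the Windows 2000 names for what later versions call Block Inheritance
# and Enforced). The containers, GPO names and settings below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class GpoLink:
    gpo: str
    no_override: bool = False   # link flag: cannot be blocked, wins conflicts


@dataclass
class Container:
    name: str                   # a site, a domain or an OU
    links: List[GpoLink] = field(default_factory=list)  # highest link precedence first
    block_inheritance: bool = False


def application_order(local_gpo: str, chain: List[Container]) -> List[str]:
    """GPOs in the order their settings are applied to an object whose
    container chain runs from the site down to its own OU. A GPO applied
    later overrides an earlier one where settings conflict."""
    # Only the lowest blocking container matters: it discards every normal
    # link above it, while links on the blocking container itself still apply.
    blocked_from = 0
    for i, c in enumerate(chain):
        if c.block_inheritance:
            blocked_from = i
    order = [local_gpo]          # the local GPO always goes first, never blocked
    for i, c in enumerate(chain):
        if i < blocked_from:
            continue
        # links are listed highest precedence first, so apply them in reverse
        order += [link.gpo for link in reversed(c.links) if not link.no_override]
    # No Override links are applied after all normal ones, walking back up
    # the chain so that the highest container's enforced GPO is applied last
    for c in reversed(chain):
        order += [link.gpo for link in reversed(c.links) if link.no_override]
    return order


def effective_settings(order: List[str],
                       gpo_settings: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Resolve conflicting settings: the last GPO in the order wins."""
    result: Dict[str, object] = {}
    for gpo in order:
        result.update(gpo_settings.get(gpo, {}))
    return result


# Constructed example: a Finance OU that blocks inheritance, under a domain
# whose password-policy GPO is linked with No Override.
SITE = Container("Default-First-Site-Name", [GpoLink("Site Baseline")])
DOMAIN = Container("example.com", [GpoLink("Domain Password Policy", no_override=True),
                                   GpoLink("Default Domain Policy")])
FINANCE_OU = Container("Finance", [GpoLink("Finance Desktop")], block_inheritance=True)
CHAIN = [SITE, DOMAIN, FINANCE_OU]

SETTINGS: Dict[str, Dict[str, object]] = {
    "Local GPO": {"min_password_length": 0},
    "Site Baseline": {"wallpaper": "corp.bmp"},
    "Default Domain Policy": {"min_password_length": 6, "wallpaper": "corp.bmp"},
    "Domain Password Policy": {"min_password_length": 8},
    "Finance Desktop": {"min_password_length": 4, "wallpaper": "finance.bmp"},
}


def finance_order() -> List[str]:
    """Application order for an object in the blocking Finance OU."""
    return application_order("Local GPO", CHAIN)


def finance_effective() -> Dict[str, object]:
    """Settings that object ends up with after all GPOs are applied."""
    return effective_settings(finance_order(), SETTINGS)


if __name__ == "__main__":
    print(finance_order())
    print(finance_effective())
```

The block on the Finance OU drops the site and Default Domain GPOs, but the No Override link still reaches the OU and is applied last, so the eight-character minimum survives the OU's attempt to lower it to four. That is the case to test when an OU administrator reports that a setting "will not take": a No Override link higher in the chain is the usual cause.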