Windows system >> Windows Server System Tutorial >> Windows Server FAQ

Windows Server 2012 Virtualization: Domain

In Windows Server systems, some services must be built in a domain environment, not only for unified authentication and resource sharing, but also for network security. To build a virtualization test, we need to build a domain environment first. Let's take a look at the domain before.

When working with a workgroup, the computer is relatively independent. The workgroup is only a way of classifying computers in the network. When not in a workgroup, access to network resources has little effect. The working group is like a free parking lot that allows free entry and exit. It is like joining a working group, so you can park in Zone A or stop in Zone B. If you stop in Zone A, you will form a loose combination with other cars in Zone A.

When using a Windows domain (Domain), the domain is strictly organized, the computer joins the domain and uses a domain account to log in to access certain shared resources. At least one Domain Controller (DC) in the domain is responsible for the verification of the computer and the user. The domain is like a paid parking lot, which requires card verification to get in and out (it can have more than one access control, DC), but after passing the verification, you can use the shared facilities inside, even other cars. For example, if your computer successfully logs in using a domain account with administrator privileges, you can use this domain account to log in to Sql Server on other computers in the same domain, then you can no longer use the sa account. Of course, a domain-joined computer does not mean that you can only stay in the domain. If you just log in with a local account instead of a domain account, the computer is no different from the working group. In general, your car can be parked in a paid parking lot or parked in a free car park unless there are special restrictions on the car (using Group Policy can restrict the computer to log in only with a domain account). Your computer only uses a local account to log in. To access Sql Server on other computers, you cannot use Windows Authentication, but you can still use SQL Server Authentication to log in using the sa account.

First, the domain test network

Next we deploy the domain in Window Server 2012, for future needs, we will refer to the network of the connection domain as the management network, and configure the network with the following parameters . In the figure, two domain controllers are configured as backups for each other. Although Windows Server 2003 does not distinguish between primary domain control and backup domain control, the role of domain controllers is somewhat different due to the objective existence of host roles. Tell.

Second, configure the domain controller

Installing the Domain Controller (DC) on Windows Server is a simple matter. But before installation, you need to confirm a few things: whether the login account has local administrator rights, whether the operating system supports it, whether TCP/IP is configured correctly, whether the disk has NTFS partition and sufficient space to store Active Directory (AD) database, DNS server. Whether to support and so on. In addition, it is best to modify the computer name in advance and restart it to avoid the trouble of modifying the domain controller name after the installation.

Windows Server 2008 and later can install Active Directory Domain Services (AD DS) as a role and promote it to a domain controller. In Windows Server 2008, you can also use the dcpromo command to run and upgrade AD domain services to domain controllers. However, the dcpromo command in Server 2012 is not supported. Therefore, after installing the AD domain service in the role mode, you can find the link to promote the domain controller in the event prompt on the server management interface.

The steps for installing a domain controller are not described here. There are many web pages on the network that have been described in detail, but the domain configuration needs to know more about the following:

1. Forest, Tree, Domain, and Child Domain

These nouns have very vividly explained the relationship between them, but it should be noted that: The first domain we established is the Root Domain, which also establishes the first domain tree and the first forest. Therefore, this root domain is both the forest root domain and the root domain, so it is established in the network. When a brand new domain is created, it is actually a new forest. Don't choose the wrong one when configuring domain control. The root domain is also a domain, but the status is special. There is only one forest root domain in a forest, but there can be multiple tree root domains. The root and subdomains with a common namespace form the domain tree, and the domain trees with different namespaces form the forest. The name of the domain tree is the same as the first domain, and the name of the forest is the same as the first domain tree, and the same as the first domain. Therefore, the choice of the domain name is very important. It is feasible to modify the domain name after setting up the domain, but there is a big risk after all.

As shown below, we created two forests according to the rules in the Assigning the Forest Root Domain Name article. If your organization has two generic domain names, one for the external Internet, such as the home page for the organization's website, the other can be used to organize the internal network as the name of the forest (the name of the first domain), so The forest will be similar to the forest x.com on the left side of the picture below. If you only have one common domain name, for the sake of internal and external, you can create a second-level domain name for the internal network as the name of the forest. The forest thus created will be similar to the forest cloud.z.com on the right side of the figure below. The generic domain name is used to facilitate the establishment of trust between the forest and the forest, but if any name that conforms to the domain name rule can be used in the test, our experimental environment will use cloud.z.com as the forest name.

2, DNS server, global catalog server (GC) and read-only domain controller (RODC)

During the configuration domain control process, you will encounter these choices. Options: DNS Service, Global Catalog Server (GC), and Read-Only Domain Controller (RODC)

The DNS server is the domain name server. The resolution of names such as computers and clusters in the domain requires the support of DNS services. The establishment domain must provide DNS services in the domain. If the DNS server is selected during the domain configuration process, the machine will be configured as a DNS server (the configuration program will detect the current DNS infrastructure to determine whether the DNS service is checked by default).

The Global Catalog (GC) can be understood as a read-only global cache in the forest. The cache stores all the attributes of all objects in the domain in the forest and some attributes of all objects in other domains. “Global cataloging enables users to search for directory information on all domains in the forest, regardless of where the data is stored. The search will be performed in the forest with maximum speed and minimum network traffic. ” If you check the global catalog server in the configuration, this domain controller will become a global catalog server at the same time.

Read Only Domain Controller (RODC). "Read-Only Domain Controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. With RODC, organizations can easily deploy domain controllers in locations where physical security is not guaranteed. The RODC hosts a read-only partition of the Active Directory Domain Services (AD DS) database. ”“ Insufficient physical security is the most common reason to consider deploying RODCs. RODC provides a way to deploy domain controllers more securely in locations that require fast, reliable authentication services but do not ensure the physical security of writable domain controllers. ”

3, AD database, log files and SYSVOL folder

Active Directory uses a file-based database, the database engine is based on JET developed Extensible Storage Engine (ESE), also Called JET Blue. JET Blue is planned to upgrade Access's database engine JET Red, but it is used in other Microsoft products such as AD, WINS, Exchange Server, etc. ESE has the ability to scale to 16TB capacity and accommodate 1 billion objects. All related files in the database are in the %systemroot%\ tds\\ folder by default, including:

ntds.dit database file. Interested to check out Active Directory database file NTDS.DIT for details.

edb.chk checkpoint file. Additions and deletions to the database, the checkpoint file records the completion of the transaction before committing the update to the database, and submits the update from the log file to the database if the transaction is completed.

edb.log and edbxxxxx.log are log files. Each log file is 10MB. After the edb.log file is filled, it will be renamed to edbxxxxx.log, and the file name number will increase. Additions, deletions, and changes to the database are written to the log file for transaction processing.

edbresxxxxx.jrs keeps files for the log. Take up disk space for log files, only if the disk file is out of disk space.

edbtmp.log Temporary log file. When the current edb.log is filled, edbtmp.log is created to continue logging, while the current edb.log is renamed to edbxxxxx.log, and edbtmp.log is renamed to edb.log.