DNS

NTFS volume with 250 MB of free HDD space

On a member server or stand-alone machine, specify the server's DNS.
Start > Run > dcpromo > Next > Next > Next > Domain controller for a new domain > Next >
Child domain in an existing tree > specify the parent domain's administrator name & pwd > specify the child name > Next > NetBIOS name > Next > database folder > Next > Sysvol > Next > restart.
Installing a new domain tree in an existing forest. Requirements:
Forest (initial domain controller or root domain controller); on a member server or stand-alone machine.
Specify the server's DNS.
Start > Run > dcpromo > Next > Next > Next > Domain controller for a new domain > select Domain tree in an existing forest.
Specify the root domain's administrator name & pwd.
Next > specify the new domain name > Next > NetBIOS name > Next > database > Next > Sysvol > Next > DNS > Next > permissions compatible > Next > restore mode pwd > Next.

Trust Relationship: A trust is a relationship that allows the resources of one domain to be accessed from another domain.

Functional Levels:

1. Domain Functional Level:
A) Windows 2000 mixed
B) Windows 2000 native
C) Interim
D) Windows 2003 server

2. Forest Functional Level:
a) Windows 2000 mixed
b) Interim
c) Windows 2003 server

Windows 2000 mixed:
By default, when we install the 2000 or 2003 OS it is installed in Windows 2000 mixed mode. This mode supports the older versions alongside 2003: we can have NT and 2000 flavours in a 2003 network.

Windows 2000 native:
It supports only 2000 and 2003; native mode can have 2000 and 2003 flavours only.

Interim:
This mode can have NT and 2003. Useful when we upgrade NT to 2003.

Windows 2003 server:
This mode supports only the 2003 server family. We can't add NT/2000 domain controllers.

Types of Trusts:

Trust relationships in Windows Server 2003:
Default: two-way transitive Kerberos trusts (intra-forest).
Shortcut: one- or two-way transitive Kerberos trusts (intra-forest); they reduce authentication requests.
Forest: one- or two-way transitive Kerberos trusts between Windows Server 2003 forests. Windows 2000 does not support forest trusts.
> Only between forest roots
> Creates transitive domain relationships
External: one-way non-transitive NTLM trusts. Used to connect to/from Windows NT or external 2000 domains; created manually.
Realm: one- or two-way non-transitive Kerberos trusts. Connect to/from UNIX MIT Kerberos realms.

Establishing Trusts:
The domain where we have the user accounts is called the trusted domain. The domain where we have the resources is called the trusting domain.
Trust between parent and child is a two-way transitive trust. Ex: A trusts B, and automatically B trusts A; this is a two-way trust.
Trust between parent and grandchild domain is called an implicit trust.
One-way trust or non-transitive trust: A trusts B, but B doesn't trust A.
Transitive trust (two-way): if A trusts B, B automatically trusts A.

One-way incoming trust:
It means A is getting the resources from B and B is offering the resources.

One-way outgoing trust:
A is offering resources to B and B is getting resources from A.

Benefits of Domain Functional Level:
Win 2003 server Level:

The moment we raise the functional level from mixed mode to Windows 2003 mode we get the following benefits:

Universal groups
Group nesting
Domain renaming tools.
Benefits of Forest Functional Level: Win 2003 level
We get the complete benefits of 2003 when we raise the level from 2000 to Windows Server 2003:
We can implement forest trusts.
Acceleration of global catalog replication information.
Domain renaming.

Implementing Forest Level:

Raising the Domain Functional Level (on both machines):
Start > Programs > Admin tools > ADDT (Active Directory Domains and Trusts) > right click on the domain > Raise Domain Functional Level > select Windows 2003 > click on Raise > OK > OK
Raising the Forest Functional Level:
Start > Programs > Admin tools > ADDT > right click on ADDT > Raise Forest Functional Level > select Windows 2003 > Raise > OK.
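As an added example (not part of the original notes), the checks to run before raising either level, with a trust inventory alongside, since forest trusts are the main reason for raising the forest level and the trust types listed above are what the inventory reports. It assumes the ActiveDirectory PowerShell module (RSAT, or Windows Server 2008 R2 and later, so newer than the 2003-era console steps); the function names are mine.

```powershell
Import-Module ActiveDirectory

# Current domain and forest functional levels. The notes' "mixed", "native",
# "interim" and "2003" correspond to the DomainMode / ForestMode values.
function Get-FunctionalLevelReport {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        Domain     = $domain.DNSRoot
        DomainMode = $domain.DomainMode    # Windows2000Domain, Windows2003InterimDomain, Windows2003Domain, ...
        Forest     = $forest.Name
        ForestMode = $forest.ForestMode    # Windows2000Forest, Windows2003InterimForest, Windows2003Forest, ...
    }
}

# Raising is one-way and every DC in the forest must run an OS that supports
# the target level, so list the DCs of each domain with their OS first.
function Get-DcOsReport {
    foreach ($d in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $d |
            Select-Object Name, Domain, OperatingSystem, OperatingSystemVersion
    }
}

# Trust inventory. Direction and transitivity are the properties the notes
# distinguish; TrustAttributes bit 0x1 is TRUST_ATTRIBUTE_NON_TRANSITIVE.
function Get-TrustReport {
    Get-ADTrust -Filter * |
        Select-Object Source, Target, Direction, TrustType, IntraForest, ForestTransitive,
            @{ Name = 'Transitive'; Expression = { -not ($_.TrustAttributes -band 0x1) } }
}

Get-FunctionalLevelReport
Get-DcOsReport  | Format-Table -AutoSize
Get-TrustReport | Format-Table -AutoSize

# Only once the DC report shows nothing older than Windows Server 2003 (and a
# system-state backup exists) raise the levels. These are the command-line
# form of the Domains and Trusts console steps above; they cannot be undone.
# Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2003Domain
# Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2003Forest
```

The trust report is worth keeping from before and after the change: an external NTLM trust that was created by hand to reach an NT domain will not disappear when the level is raised, and each one listed with `Transitive = False` and `Direction = Outbound` is a path into this domain that should still be intended.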

Member Server: A server that is part of the domain is called a member server. Windows NT, 2000 and 2003 servers can be configured as member servers.
Member servers are used for:
Load balancing
Load sharing from the DCs
A member server can be configured as any of the following servers:
Application server (Oracle/SQL)
Mail server
File server
Print server
DNS server
DHCP server
Web server
RIS server
RAS server
Terminal Server (T.S.)

Configuring a member server

Requirements: DC; stand-alone server (2003 flavour).
On the stand-alone server: Configure TCP/IP
Specify the DNS server's address
My Computer > right click > Properties > Computer Name > Change
Select Domain
Specify the name (ex: zoom.com) > OK > it says "Welcome to the domain" > restart the system.
Configuring Windows 2003 or XP Professional as a client: same as configuring a member server.
Server: ex: NT, 2000, 2003
Client: ex: WKS, Prof., and XP
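The same join done from PowerShell, as an added example that is not part of the original notes. It checks the DNS prerequisite first, because a join that fails at the "specify the DNS server's address" step shows up only as a vague error later. It assumes the domain zoom.com from the notes, a placeholder DC address of 192.168.1.10, and the Add-Computer and Set-DnsClientServerAddress cmdlets (Windows 8 / Server 2012 and later); on a 2003-era machine the console path above is the equivalent.

```powershell
$Domain = 'zoom.com'
$DcDns  = '192.168.1.10'   # placeholder: the DC that runs DNS for the domain

# 1. Point this machine's DNS client at the DC, not at an ISP resolver.
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DcDns

# 2. Prove that a DC can be located: the join relies on this SRV record.
#    nslookup prints "svr hostname = dc.zoom.com" for each answer.
$answer = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
if (-not ($answer -match 'svr hostname')) {
    throw "No DC SRV record for $Domain via $DcDns; fix the DNS setting before joining"
}

# 3. Join and reboot. Get-Credential prompts, so the admin password never sits
#    in the script or the shell history.
Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\Administrator") -Restart
```

If step 2 fails on a machine that can otherwise browse the Internet, the DNS server setting is almost always the cause: a public resolver has no record of `_msdcs.zoom.com`, so the client never finds a DC.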

User Management:
User Account: A user account allows a user to participate in the network.
There are two types of accounts:
Ø Domain User Accounts
Ø Local User Accounts

1. Domain User Accounts: These are created in AD and they provide centralized management of users besides easy administration.
2. Local User Accounts: These can be created on the local machines where the client works. Ex. 2000 Prof., XP Prof., Win2003 member server, etc.

These accounts do not provide centralized management. Suitable only for smaller organizations where there is no server.

Creating a Domain User Account

On DC
Start > Programs > Admin tools > ADUC > expand domain name (ex. IBM.com)
> Right click on Users > New > User > supply name & pwd > User must change pwd at next logon > Next > Finish
Creating a Domain User A/C through the command prompt: Start > Run > cmd
dsadd user "cn=username,cn=users,dc=ibm,dc=com" -pwd zoom_123

For removing (dsrm takes only the object's DN; there is no "user" keyword):
dsrm "cn=username,cn=users,dc=ibm,dc=com"

Creating a local user account on a member server

On the member server:
Log on to a local user a/c > right click on My Computer > Manage
Expand Local Users and Groups > right click on Users > New User
Supply the user name & pwd
Click on Create
Log off
Log in as the user

Creating a local user a/c from command mode

On the member server, log in as administrator and go to the command prompt:
net user username password /add
Ex: net user u1 zoom_123 /add
If we want to delete: net user u1 /del
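As an added example (not part of the original notes), the same two account types created with the password prompted for rather than typed on the command line, where `dsadd ... -pwd zoom_123` and `net user u1 zoom_123 /add` leave it in the shell history and in any process listing or logon script that captured the command. It assumes the 2003 directory service tools (dsadd, dsquery, dsget) on the DC, the domain ibm.com and user u1 from the notes; the name fields are my choices. The two halves run on different machines.

```powershell
$Dn = 'cn=u1,cn=users,dc=ibm,dc=com'

# --- On the DC: domain user ------------------------------------------------
# -pwd *        prompts for the password instead of taking it as an argument.
# -mustchpwd yes is the command form of the "User must change password at
#               next logon" box in the ADUC wizard.
dsadd user $Dn -upn u1@ibm.com -fn 'User' -ln 'One' -display 'User One' -pwd '*' -mustchpwd yes

# Verify: find the object by name, then show the flags that matter for a new account.
dsquery user -name u1 | dsget user -disabled -mustchpwd -pwdneverexpires

# --- On the member server or client: local user ---------------------------
# net user with * as the password prompts in the same way.
net user u1 '*' /add

# Verify: shows "Password required", "Password expires" and group membership.
net user u1

# Removal, for reference (dsrm takes the DN only; net user uses /del):
# dsrm $Dn
# net user u1 /del
```

The `dsget` line is the check worth keeping: a domain account that reports `mustchpwd: no` and `pwdneverexpires: yes` right after creation was not created the way the wizard steps above intend, and that is easier to catch here than after the account has been handed out.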

User right assignments (allowing the "Log on locally" right to a normal user):
On DC
Create a user a/c in ADUC. Allowing him to log on:
Start > Programs > Admin tools > DCSP > expand Local Policies > User Rights Assignment > double click
Allow log on locally > add the user. Start > Run > gpupdate.

Verify:

On DC log on as the user
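Logging on as the user proves the right is there; the following added example (not part of the original notes) shows who else holds it, which is the question to ask whenever the Domain Controller Security Policy is edited, because "Allow log on locally" on a DC is a right that should belong to administrators and very few others. It uses secedit, which exists on Windows Server 2003 and later, to export the user-rights part of the policy in effect on the machine; the account name IBM\u1 is assumed from the notes and the function name is mine. Run it in an elevated prompt on the DC after gpupdate.

```powershell
function Get-LogonLocallyHolders {
    $inf = Join-Path $env:TEMP 'user_rights.inf'
    # Export only the User Rights area of the policy currently applied here.
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

    # The line looks like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,IBM\u1
    $line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    $entries = (($line -split '=', 2)[1]).Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # SID entry: translate to DOMAIN\name, keep the raw SID if it cannot be resolved
            $sidString = $entry.Substring(1)
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidString
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else {
            $entry
        }
    }
}

$holders = Get-LogonLocallyHolders
$holders

# The account from the notes should now be listed. If it is not, the DCSP
# change has not been applied yet: run gpupdate /force and check again.
$expected = 'IBM\u1'   # assumed name; change to the account you created
if ($holders -notcontains $expected) {
    Write-Warning "$expected does not hold SeInteractiveLogonRight on this DC"
}
```

Because the export reflects the policy actually applied on this machine, the list also reveals whether the Domain Controller Security Policy (dcpol.msc) or the Domain Security Policy (dompol.msc) won: on a DC the Domain Controllers policy applies last, so a user added only in dompol.msc will be missing here.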



Disabling the password complexity policy:

Start > Programs > Admin tools > Domain Security Policy > expand Account Policies > Password Policy
> Double click on "Password must meet complexity requirements" > select Disabled
Apply > OK
Minimum password length (set it to 0 characters) > Close
For refreshing the policy:
Start > Run > cmd > gpupdate

Password policies:
Enforce password history (24 passwords remembered)
Maximum password age
Minimum password age
Password must meet complexity requirements
Store passwords using reversible encryption

Re-setting user passwords:
On DC
Start > Programs > ADUC > expand Users
Select the user > right click
Select Reset Password
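The five password policy settings listed above are the ones an auditor checks first, and the complexity/length changes described are lab shortcuts that tend to survive into production. As an added example (not part of the original notes), this reads the effective default domain password policy and reports every setting weaker than a baseline. It assumes the ActiveDirectory module (RSAT, or Server 2008 R2 and later); the baseline numbers, apart from the 24-password history taken from the notes, are my choices.

```powershell
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$MinLength  = 8,    # baseline values are assumptions, not from the notes
        [int]$MinHistory = 24,   # matches "24 passwords remembered" above
        [int]$MaxAgeDays = 90
    )
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $p.ComplexityEnabled) {
        $findings.Add('Complexity requirement is disabled')
    }
    if ($p.MinPasswordLength -lt $MinLength) {
        $findings.Add("Minimum length is $($p.MinPasswordLength), baseline $MinLength")
    }
    if ($p.PasswordHistoryCount -lt $MinHistory) {
        $findings.Add("History is $($p.PasswordHistoryCount) passwords, baseline $MinHistory")
    }
    # A MaxPasswordAge of 00:00:00 is how the cmdlet reports "password never expires".
    $maxDays = $p.MaxPasswordAge.TotalDays
    if ($maxDays -eq 0 -or $maxDays -gt $MaxAgeDays) {
        $findings.Add("Maximum age is $maxDays days, baseline $MaxAgeDays")
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings.Add('Reversible encryption is enabled: stored passwords are recoverable from the directory')
    }

    [pscustomobject]@{
        Policy    = $p.DistinguishedName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Run after any Domain Security Policy edit and a gpupdate.
Test-DomainPasswordPolicy | Format-List
```

Each finding maps one-to-one onto a setting in the Password Policy node above, so the report doubles as the list of what to put back once the lab exercise is over.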



Shortcuts: Start > Run
For ADUC (Active Directory Users and Computers): dsa.msc
For ADSS (Active Directory Sites and Services): dssite.msc
For ADTT (Active Directory Domains and Trusts): domain.msc
For DCSP (Domain Controller Security Policy): dcpol.msc
For DSP (Domain Security Policy): dompol.msc
