Your Complete Guide to the Active Directory Architecture

• Step-by-Step Instructions for an NT4 to Active Directory Migration
• Hundreds of Configuring & Implementing, Designing & Planning Sidebars, Security Alerts, and FAQs
• Complete Coverage of Network Resources, Services, and Users and Groups

Melissa C. Craft
Thomas Llewellyn, Technical Editor
solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Windows 2000 Active Directory, Second Edition

Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0

ISBN: 1-928994-60-1

Technical Editor: Thomas D. Llewellyn Jr.
Technical Reviewer: Norris L. Johnson, Jr.
Co-Publisher: Richard Kristof
Acquisitions Editor: Catherine B. Nolan
Developmental Editor: Jonathan Babcock
Freelance Editorial Manager: Maribeth Corona-Evans
Copy Editors: Adrienne Rebello and Beth A. Roberts
Cover Designer: Michael Kavish
Page Layout and Art by: Shannon Tozier
Indexer: Jennifer Coker

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors, and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Eric Green, Dave Dahl, Elise Cannon, Chris Barnard, John Hofstetter, and Frida Yara of Publishers Group West for sharing their incredible marketing experience and expertise. In addition, a special thanks to Janis Carpenter and Kimberly Vanderheiden for help on recent projects.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten and Annabel Dent of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Rick Bizzozero and Carolyn Gifford at GIG Communications for their help with packaging.

Joe Pisco, Helen Moyer, Paul Zanoli, Alan Steele, and the great folks at Graphic Services/InterCity Press for all their help.
About the Author

Melissa Craft (CCNA, MCNE, MCSE, Network+, CNE-3, CNE-4, CNE-GW, CNE-5, CCA) worked with computers during high school, developing computer programs and testing hardware solutions as a summer job. After graduating from the University of Michigan, Melissa designed business solutions for an insurance group using technology to automate processes and using business process reengineering techniques. This position grew into engineering a wide area network, which subsequently turned into a career move permanently into engineering.

After making the jump to network engineering, Melissa threw herself at the task of truly understanding network engineering, gaining a myriad of technology certifications and, at the same time, deploying projects for clients. Over the years, she has successfully designed, implemented, and integrated networks ranging in size from a few nodes to over 100,000 nodes. Her consulting experience incorporated extensive project management, operational analysis, LAN and WAN design, deployment, and ongoing network management.

In 1997, Melissa began writing magazine articles on networking and the technology industry. In 1998, Syngress hired Melissa to contribute to an MCSE certification guide. Since then, Melissa has continued to write about various technology and certification subjects.

Currently, Melissa is a Principal Consultant for CompuCom Systems, Inc. As such, she develops enterprise-wide technology solutions and methodologies focused on client organizations. These technology solutions touch every part of a system’s lifecycle, from assessing the need, determining the return on investment, network design, testing, and implementation to operational management and strategic planning.

CompuCom Systems, Inc. is a leading digital infrastructure solutions provider whose clients include Fortune 1000 enterprises, vertical industry leaders, major technology equipment providers, leading-edge systems integrators and wireless technology providers. CompuCom’s technology solutions help companies master complex technologies. CompuCom leverages people, process and technology to offer best in class solutions that enable, optimize and operate the digital technology infrastructure. CompuCom is accessible via the Internet at www.compucom.com.

Melissa holds a bachelor’s degree from the University of Michigan and is a member of the IEEE, the Society of Women Engineers, and American MENSA, Ltd. Melissa currently resides in Glendale, AZ with her family, Dan, Justine, and Taylor.
Technical Editor

Thomas D. Llewellyn Jr. (MCSE, MCT, and A+) works as a Senior System Engineer/Project Manager for Integra Business Center headquartered in Allentown, PA. Integra is a Value Added Reseller that provides IT design, project management, and various Information Technology services for small- to medium-sized businesses. Tom has a degree in Computer Science and Technology with a concentration in Computer Programming; he brings over 10 years of real-world IT enterprise experience to Integra that spans the development, networking design, implementation, and ongoing management and support of Information Technology business solutions. He has a vast amount of experience with the Enterprise Deployment of Microsoft Systems Management Server and other Windows NT/2000 based Technologies. Tom has served as Technical Editor on other Syngress books and was previously employed as a Senior Consultant by CoreTech Consulting Group Inc. He lives in Gilbertsville, PA.
Technical Reviewer

Norris L. Johnson, Jr. (MCSE, MCT, CTT, A+, Network+) is a Technology Trainer and Owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies, as well as providing services to other local computer firms in need of problem solving and solutions for their clients. He specializes in Windows NT 4.0 and Windows 2000 issues, providing planning and implementation and integration services. In addition to consulting work, Norris trains extensively in the AATP program at Highline Community College’s Federal Way, WA campus, and has taught in the vocational education arena at Bates Technical College in Tacoma, WA. Norris holds a bachelor’s degree from Washington State University. He is deeply appreciative of the guidance and support offered by his parents and wife Cindy during the years of transition and education to make the career change that has been so wonderful to be involved in.
Contents

Part I: Getting Started 1

Chapter 1 Introduction to Active Directory 3
Introduction 4
History of the Directory Service 6
What Is in a Directory Service? 11
Directory Service Domino Effect 15
.NET 16
Namespace 23
Forests 24
Scope 24

Understand What Is in a Directory Service
A directory is a place to store information. The type of information that is stored in a directory falls into three basic categories:
■ Resources
■ Services
■ Accounts
Viewing Trust Relationships 30
Sites 32
Architecture 33

Chapter 2 Assessing Your Environment 41
Introduction 42
Matching Business Objectives to Technology 45
Business Objectives That Active Directory Benefits 51
Assessing Your Current Environment 52
Gathering Information for Your Active Directory
Organizational and Network Infrastructures That Impact Active Directory Planning

Estimate Project Costs
■ Labor: How many people will be required to work on the project?
■ Capital: What server equipment will need to be purchased?
■ Real estate: Will you require more space for
■ Ongoing costs: What are the costs of a maintenance contract for the hardware?
Communications 64
Gap Analysis of Business Objectives and

Chapter 3 Active Directory for Windows 2000 JumpStart Tutorial 73
Introduction 74
What Active Directory Is, and Why You Need
Multi-Master Domain Controllers 82
Intellimirror 82
Advantages and Disadvantages of
Advantages with Active Directory 90

Learn about Domain and Domain Trees
(Figure: a domain tree)
domain.com
    eng.domain.com
    corp.domain.com
        sales.corp.domain.com
Summary 93

Part II: Designing the Active Directory 97

Chapter 4 DNS and Naming Strategies 99
Introduction 100
Active Directory’s Integration with DNS 106
How Active Directory Uses DNS 108
Summary 131

Q: Our company uses a DNS server that does
server, you will not be able to use it because
for the namespaces that Active Directory encompasses must also support the SRV RRs.

Using OUs for Delegating Administration 154
OU Objects in Active Directory 155
Summary 160
Chapter 6 Designing a Site Structure 165
Introduction 166
The Function of Sites in Active Directory 167
Default-First-Site-Name 170
Replicated Active Directory Components 171
Schema and Configuration Containers 173
Where to Place Global Catalog Servers 191
Summary 192

Design the Active Directory
When you design an Active Directory, there are four elements that must be planned:
■ Forest Plan
■ Domain/DNS Strategy
■ Organizational Unit (OU) Structure
■ Site Topology

Understand the Components of the Active Directory Sites and Services Console Found in Administrative Tools
Chapter 7 Designing: A Case Study 197
Introduction 198
Determining the Business Objectives 200
Kings Vineyard’s Business Objectives 201
Servers 206
Determining Domain and Tree Structure 210

One of the essentials of site design is to place servers in the various locations. When placing servers, there are some simple goals:
■ Ensure that users can log on to and query Active Directory.
■ Ensure that servers can locate other domain controllers.
■ Manage traffic generated by Active Directory.
Part III: Installing Active Directory 231

Chapter 8 Migrating from NT 3.51 or NT 4 to Active Directory 233
Introduction 234
Changes Required When Upgrading
Installing Active Directory Services 251
Professional 266
Summary 269

Decide Whether to Upgrade Servers or Clients First
This decision is in line with long-standing networking best practices when deploying new networks:
1. Establish the network infrastructure first.
2. Establish security and servers next.
3. Establish workstations last.
Chapter 9 Implementing a Domain 275
Integrating DNS into Active Directory 298
Active Directory Integrated Zones 299
Managing Objects in Active Directory 300

Learn the Three Basic Steps for the
command (You have the option of running WINNT from a DOS prompt, booting directly into the installation from the

Chapter 10 Building Trees and Forests 317
Introduction 318
Understanding the Characteristics of an Active
Implementing the Forest Structure 329
Right-Sizing the Active Directory Storage Space 334
Summary 342

Chapter 11 Implementing Sites 347
The Knowledge Consistency Checker 356
Implementing a Site Structure in Active

Learn the Five Major Command Line Programs
■ REPLMON is a Windows 2000 Resource Kit utility that you can use to monitor replication traffic.
■ REPADMIN is a command-line utility that you use to diagnose problems with replication.
■ Although DSASTAT is not geared specifically towards replication, it can help diagnose replication problems that are based in naming context issues.