Active Directory Cookbook for Windows Server 2003 - P4

2.11.4 See Also

Chapter 14 of Active Directory, Second Edition for upgrading to Windows Server 2003, and Recipe 2.10 for running adprep.

Recipe 2.12 Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003

2.12.1 Problem

You want to determine if a domain controller is ready to be upgraded to Windows Server 2003.

2.12.2 Solution

Insert a Windows Server 2003 CD into the Windows 2000 domain controller or map a drive to the files contained on the CD. Run the following command from the \i386 directory:

> winnt32 /checkupgradeonly

2.12.3 Discussion

The /checkupgradeonly switch simulates the initial steps for upgrading a server to Windows Server 2003. It verifies, among other things, that adprep has completed and that any installed applications are compatible with the new operating system.


2.12.4 See Also

Recipe 2.11 for determining if adprep has completed, and MS KB 331161 (List of Fixes to Use on Windows 2000 Domain Controllers Before You Run the Adprep/Forestprep Command).

Recipe 2.13 Raising the Functional Level of a Windows Server 2003 Domain

2.13.1 Problem

You want to raise the functional level of a Windows Server 2003 domain. You should raise the functional level of a domain as soon as possible after installing a new Windows Server 2003 domain or upgrading from Windows 2000 to take advantage of the new features and enhancements.

2.13.2 Solution

2.13.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, browse to the domain you want to raise, right-click it, and select Raise Domain Functional Level.

3. Select the new functional level and click OK.

After a few seconds you should see a message stating whether the operation was successful.

2.13.2.2 Using a command-line interface

To retrieve the current functional level, use the following command:

> dsquery * <DomainDN> -scope base -attr msDS-Behavior-Version

Or you can use the enumprop command found in the Windows 2000 Resource Kit:

> enumprop /ATTR:msDS-Behavior-Version "LDAP://<DomainDN>"

To change the functional level to Windows Server 2003, create an LDIF file called raise_domain_func_level.ldf with the following contents:

dn: <DomainDN>
changetype: modify
replace: msDS-Behavior-Version
msDS-Behavior-Version: 2
-

Next, run the ldifde command to import the change:

> ldifde -i -f raise_domain_func_level.ldf

2.13.2.3 Using VBScript

' This code changes the functional level of the specified domain to
' the Windows Server 2003 domain functional level.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"  ' e.g. amer.rallencorp.com
' ------ END CONFIGURATION ------

' Bind to the domainDNS object and read its current attribute values.
set objDomain = GetObject("LDAP://" & strDomain)
objDomain.GetInfo

' Only write when the level is not already Windows Server 2003 (value 2).
if objDomain.Get("msDS-Behavior-Version") <> 2 then
    Wscript.Echo "Changing domain to Windows Server 2003 functional level."
    objDomain.Put "msDS-Behavior-Version", 2
    objDomain.SetInfo
else
    Wscript.Echo "Domain already at Windows Server 2003 functional level."
end if

2.13.3 Discussion

In Windows Server 2003 Active Directory, functional levels have replaced the domain mode that was used in Windows 2000 to signify what operating systems are allowed to run on the domain controllers in the domain. With Windows Server 2003, there are functional levels for both domains and forests, whereas with Windows 2000 the domain mode only applied to domains. The msDS-Behavior-Version attribute of the domainDNS object (e.g., dc=amer,dc=rallencorp,dc=com) holds the current domain functional level. Table 2-4 shows the three functional levels, their associated msDS-Behavior-Version value, and the operating systems that can be used on domain controllers in each.

Table 2-4 Windows Server 2003 domain functional levels

Functional level             msDS-Behavior-Version   Operating systems allowed on domain controllers
Windows 2000                 0                       Windows NT 4.0 (mixed mode only), Windows 2000, Windows Server 2003
Windows Server 2003 interim  1                       Windows NT 4.0 (mixed mode), Windows Server 2003
Windows Server 2003          2                       Windows Server 2003

When a domain is at the Windows 2000 functional level, the domain can be in mixed mode or native mode, as described in Recipe 2.9. Various new features of Windows Server 2003 Active Directory are enabled with each domain functional level. See Chapter 1 of Active Directory, Second Edition (O'Reilly) for more details.


The value contained in msDS-Behavior-Version is mirrored in the domainFunctionality attribute of the RootDSE. This means you can perform anonymous queries against the RootDSE of a domain to quickly determine what functional level it is currently at.

One of the benefits of the GUI solution is that if a problem is encountered, you can save and view the output log, which will contain information on any errors that were encountered.

2.13.4 See Also

Chapter 1 of Active Directory, Second Edition, Recipe 2.9 for changing domain mode, Recipe 2.10 for preparing a forest with adprep, Recipe 2.14 for raising the functional level of a forest, and MS KB 322692 (HOW TO: Raise the Domain Functional Level in Windows Server 2003).

Recipe 2.14 Raising the Functional Level of a Windows Server 2003 Forest

2.14.1 Problem

You want to raise the functional level of a Windows Server 2003 forest. You should raise the functional level of a forest as soon as possible after installing a new Windows Server 2003 forest or upgrading from a Windows 2000 forest to take advantage of the new features and enhancements.

2.14.2 Solution

2.14.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click on Active Directory Domains and Trusts and select Raise Forest Functional Level.

3. Select Windows Server 2003 Functional Level and click OK.

After a few seconds you should see a message stating whether the operation was successful.

2.14.2.2 Using a command-line interface

To retrieve the current forest functional level, use the following command:

> dsquery * <ForestRootDN> -scope base -attr msDS-Behavior-Version

Or you can use the enumprop command found in the Windows 2000 Resource Kit:

> enumprop /ATTR:msDS-Behavior-Version "LDAP://<ForestRootDN>"


To change the functional level to Windows Server 2003, create an LDIF file called raise_forest_func_level.ldf with the following contents:

dn: cn=partitions,cn=configuration,<ForestRootDN>
changetype: modify
replace: msDS-Behavior-Version
msDS-Behavior-Version: 2
-

Next, run the ldifde command to import the change:

> ldifde -i -f raise_forest_func_level.ldf

2.14.2.3 Using VBScript

' This code changes the functional level of the forest the
' user running the script is logged into to Windows Server 2003.

' The forest level lives on the Partitions container of the Configuration NC,
' whose DN is taken from the RootDSE so the script needs no configuration.
set objRootDSE = GetObject("LDAP://RootDSE")
set objDomain = GetObject("LDAP://cn=partitions," & _
                          objRootDSE.Get("configurationNamingContext") )

if objDomain.Get("msDS-Behavior-Version") <> 2 then
    Wscript.Echo "Attempting to change forest to " & _
                 "Windows Server 2003 functional level."
    objDomain.Put "msDS-Behavior-Version", 2
    objDomain.SetInfo
else
    Wscript.Echo "Forest already at Windows Server 2003 functional level."
end if

2.14.3 Discussion

Windows Server 2003 forest functional levels are very similar to domain functional levels. In fact, Table 2-4 applies to forest functional levels as well, except that the list of available operating systems applies to all domain controllers in the forest, not just a single domain. So even if just one of the domains in the forest is at the Windows 2000 domain functional level, you cannot raise the forest above the Windows 2000 forest functional level. If you attempt to do so, you will receive an error that the operation cannot be completed. After you raise the last Windows 2000 domain functional level to Windows Server 2003, you can then raise the forest functional level as well.

You may be wondering why there is a need to differentiate between forest and domain functional levels. The primary reason is new features. Some new features of Windows Server 2003 Active Directory require that all domain controllers in the forest are running Windows Server 2003. To ensure all domain controllers are running a certain operating system throughout a forest, Microsoft had to apply the functional level concept to forests as well as domains. For more information on the new features that are available with each functional level, see Chapter 1 of Active Directory, Second Edition (O'Reilly).

The forest functional level is stored in the msDS-Behavior-Version attribute of the Partitions container in the Configuration NC. For example, in the rallencorp.com forest, it would be stored in cn=partitions,cn=configuration,dc=rallencorp,dc=com. The value contained in msDS-Behavior-Version is mirrored to the forestFunctionality attribute of the RootDSE, which means you can find the functional level of the forest by querying the RootDSE.

One of the benefits of the GUI solution is that if a problem is encountered, you can save and view the output log, which will contain information on any errors that were encountered.
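The following PowerShell script is an added example, not part of the book, that turns the checks described in Recipes 2.13 and 2.14 into a pre-flight test: it reads the RootDSE mirrors (domainFunctionality, forestFunctionality), reads msDS-Behavior-Version for every domain in the forest through the crossRef objects in the Partitions container, and reports whether the forest can be raised. It assumes a domain-joined host with System.DirectoryServices (ADSI) available; the level names and the target value 2 are taken from Table 2-4 and the LDIF files above.

```powershell
# Added example (not from the book): pre-flight check before raising the forest
# functional level (Recipe 2.14). Assumes a domain-joined host; uses ADSI.

$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }
$target     = 2    # the value the LDIF files in Recipes 2.13 and 2.14 write

# RootDSE mirrors of msDS-Behavior-Version, readable without a specific DN.
$rootDse     = [ADSI]'LDAP://RootDSE'
$forestLevel = [int]$rootDse.forestFunctionality.Value
$domainLevel = [int]$rootDse.domainFunctionality.Value

# One crossRef per naming context sits under cn=Partitions in the Configuration
# NC; systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN) marks the domain NCs. The OID in
# the filter is the LDAP bitwise-AND matching rule.
$configNc   = $rootDse.configurationNamingContext.Value
$partitions = [ADSI]"LDAP://cn=Partitions,$configNc"
$searcher   = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.SearchScope = 'OneLevel'
$searcher.Filter      = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('nCName', 'dnsRoot'))

# Read msDS-Behavior-Version from each domainDNS object, as Recipe 2.13 does.
$domainLevels = foreach ($cr in $searcher.FindAll()) {
    $domainNc = [ADSI]"LDAP://$($cr.Properties['ncname'][0])"
    [pscustomobject]@{
        Domain = $cr.Properties['dnsroot'][0]
        Level  = [int]$domainNc.'msDS-Behavior-Version'.Value
    }
}

"This domain: $domainLevel ($($levelNames[$domainLevel]))"
"Forest:      $forestLevel ($($levelNames[$forestLevel]))"
$domainLevels | Format-Table -AutoSize

# Same rule the Recipe 2.14 discussion states: every domain must already be at
# Windows Server 2003 before the forest can be raised to it.
$lagging = @($domainLevels | Where-Object { $_.Level -lt $target })
if ($forestLevel -ge $target) {
    'Forest is already at the Windows Server 2003 functional level.'
} elseif ($lagging.Count -gt 0) {
    "Raise these domains first (Recipe 2.13): $($lagging.Domain -join ', ')"
} else {
    'All domains are at Windows Server 2003; the forest can be raised (Recipe 2.14).'
}
```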

2.14.4 See Also

Chapter 1 of Active Directory, Second Edition, Recipe 2.9 for changing domain mode, Recipe 2.10 for preparing a forest with adprep, Recipe 2.13 for raising the functional level of a domain, and MS KB 322692 (HOW TO: Raise the Domain Functional Level in Windows Server 2003).

Recipe 2.15 Creating a Trust Between a Windows NT Domain and an AD Domain

2.15.1 Problem

You want to create a one-way or two-way nontransitive trust from an AD domain to a Windows NT domain.

2.15.2 Solution

2.15.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click the domain you want to add a trust for and select Properties.

3. Click on the Trusts tab.

4. Click the New Trust button.

5. After the New Trust Wizard opens, click Next.

6. Type the NetBIOS name of the NT domain and click Next.

7. Assuming the NT domain was resolvable via its NetBIOS name, the next screen will ask for the Direction of Trust. Select Two-way, One-way incoming, or One-way outgoing, and click Next.

8. If you selected Two-way or One-way Outgoing, you'll need to select the scope of authentication, which can be either Domain-wide or Selective, and click Next.

9. Enter and re-type the trust password and click Next.

10. Click Next twice to finish.

2.15.2.2 Using a command-line interface

> netdom trust <NT4DomainName> /Domain:<ADDomainName> /ADD[RETURN]
[/UserD:<ADDomainName>\<ADUser> /PasswordD:*][RETURN]
[/UserO:<NT4DomainName>\<NT4User> /PasswordO:*]


For example, to create a trust from the NT4 domain RALLENCORP_NT4 to the AD domain RALLENCORP, use the following command:

> netdom trust RALLENCORP_NT4 /Domain:RALLENCORP /ADD[RETURN]

/UserD:RALLENCORP\administrator /PasswordD:*[RETURN]

/UserO:RALLENCORP_NT4\administrator /PasswordO:*

You can make the trust bidirectional, i.e., two-way, by adding a /TwoWay switch to the example.

2.15.3 Discussion

It is common when migrating from a Windows NT environment to Active Directory to set up trusts to down-level master account domains or resource domains. This allows AD users to access resources in the NT domains without providing alternate credentials. Windows NT does not support transitive trusts and, therefore, your only option is to create a nontransitive trust. That means you'll need to set up individual trusts between the NT domain and every Active Directory domain that contains users that need to access the NT resources.

2.15.4 See Also

MS KB 306733 (HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT 4.0 Domain), MS KB 308195 (HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows 2000), MS KB 309682 (HOW TO: Set up a One-Way Non-Transitive Trust in Windows 2000), MS KB 325874 (HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows Server 2003), and MS KB 816301 (HOW TO: Create an External Trust in Windows Server 2003).

Recipe 2.16 Creating a Transitive Trust Between Two AD Forests

This recipe requires the Windows Server 2003 forest functional level in both forests.

2.16.1 Problem

You want to create a transitive trust between two AD forests. This causes the domains in both forests to trust each other without the need for additional trusts.

2.16.2 Solution

2.16.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click the forest root domain and select Properties.

3. Click on the Trusts tab.

4. Click the New Trust button.

5. After the New Trust Wizard opens, click Next.

6. Type the DNS name of the AD forest and click Next.

7. Select Forest trust and click Next.

8. Complete the wizard by stepping through the rest of the configuration screens.

2.16.2.2 Using a command-line interface

> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD[RETURN]
[/UserD:<Forest2AdminUser> /PasswordD:*][RETURN]
[/UserO:<Forest1AdminUser> /PasswordO:*]

For example, to create a two-way forest trust from the AD forest rallencorp.com to the AD forest othercorp.com, use the following command:

> netdom trust rallencorp.com /Domain:othercorp.com /Twoway /Transitive /ADD[RETURN]
/UserD:administrator@othercorp.com /PasswordD:*[RETURN]
/UserO:administrator@rallencorp.com /PasswordO:*

2.16.3 Discussion

A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you would have to set up individual external two-way trusts between every domain in both forests. If you have two forests with three domains each and wanted to set up a fully trusted model, you would need nine individual trusts. Figure 2-4 illustrates how this would look.

Figure 2-4 Trusts necessary for two Windows 2000 forests to trust each other

With a forest trust, you can define a single one-way or two-way transitive trust relationship that extends to all the domains in both forests. You may want to implement a forest trust if you merge or acquire a company and you want all of the new company's Active Directory resources to be accessible for users in your Active Directory environment and vice versa. Figure 2-5 shows a forest trust scenario. To create a forest trust, you need to use accounts from the Enterprise Admins group in each forest.

Figure 2-5 Trust necessary for two Windows Server 2003 forests to trust each other

Recipe 2.17 Creating a Shortcut Trust Between Two AD Domains

2.17.1 Problem

You want to create a shortcut trust between two AD domains in the same forest or in different forests. Shortcut trusts can make the authentication process more efficient between two domains in a forest.

2.17.2 Solution

2.17.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click the domain you want to add a trust for, and select Properties.

3. Click on the Trusts tab.

4. Click the New Trust button.

5. After the New Trust Wizard opens, click Next.

6. Type the DNS name of the AD domain and click Next.

7. Assuming the AD domain was resolvable via DNS, the next screen will ask for the Direction of Trust. Select Two-way and click Next.

8. For the Outgoing Trust Properties, select all resources to be authenticated and click Next.

9. Enter and retype the trust password and click Next.

10. Click Next twice.

2.17.2.2 Using a command-line interface

> netdom trust <Domain1DNSName> /Domain:<Domain2DNSName> /Twoway /ADD[RETURN]
[/UserD:<Domain2AdminUser> /PasswordD:*][RETURN]
[/UserO:<Domain1AdminUser> /PasswordO:*]

To create a shortcut trust from the emea.rallencorp.com domain to the apac.rallencorp.com domain, use the following netdom command:

> netdom trust emea.rallencorp.com /Domain:apac.rallencorp.com /Twoway /ADD[RETURN]
/UserD:administrator@apac.rallencorp.com /PasswordD:*[RETURN]
/UserO:administrator@emea.rallencorp.com /PasswordO:*

2.17.3 Discussion

Consider the forest in Figure 2-6. It has five domains in a single domain tree. In order for authentication requests for Domain 3 to be processed by Domain 5, the request must traverse the path from Domain 3 to Domain 2 to Domain 1 to Domain 4 to Domain 5. If you create a shortcut trust between Domain 3 and Domain 5, the authentication path is just a single hop from Domain 3 to Domain 5. To create a shortcut trust, you must be a member of the Domain Admins group in both domains, or a member of the Enterprise Admins group.

Figure 2-6 Shortcut trust
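Once the trusts from Recipes 2.15 through 2.17 (and the realm trusts of Recipe 2.18) exist, a reviewer usually wants to see them all in one place. The following PowerShell script is an added example, not part of the book: it enumerates the trustedDomain objects under cn=System and decodes trustDirection, trustType and trustAttributes into the direction, trust kind, transitivity and SID-filtering state of each trust. It assumes a domain-joined host with System.DirectoryServices (ADSI); the flag values are the ones documented in MS-ADTS.

```powershell
# Added example (not from the book): list and decode the trusts of this domain.
# Assumes a domain-joined host; uses ADSI. Flag values per MS-ADTS.

$directionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Two-way' }
$typeNames      = @{ 1 = 'Downlevel (Windows NT)'; 2 = 'Uplevel (AD)'; 3 = 'Kerberos realm' }

# trustAttributes bits that matter for this review
$TA_NON_TRANSITIVE    = 0x01   # set on the NT4 trusts of Recipe 2.15
$TA_QUARANTINED       = 0x04   # SID filtering (quarantine) on an external trust
$TA_FOREST_TRANSITIVE = 0x08   # forest trust, Recipe 2.16
$TA_WITHIN_FOREST     = 0x20   # shortcut trust inside one forest, Recipe 2.17

function Get-TrustKind([int]$type, [int]$attrs) {
    if ($attrs -band $TA_FOREST_TRANSITIVE) { return 'Forest trust' }
    if ($attrs -band $TA_WITHIN_FOREST)     { return 'Shortcut trust' }
    if ($type -eq 3)                        { return 'Realm trust' }
    return 'External trust'
}

# Each trust is a trustedDomain object under cn=System of the domain NC.
$rootDse  = [ADSI]'LDAP://RootDSE'
$system   = [ADSI]"LDAP://cn=System,$($rootDse.defaultNamingContext.Value)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($system, '(objectClass=trustedDomain)')
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@('trustPartner', 'trustDirection', 'trustType', 'trustAttributes'))

$trusts = foreach ($r in $searcher.FindAll()) {
    $p     = $r.Properties
    $type  = [int]$p['trusttype'][0]
    $dir   = [int]$p['trustdirection'][0]
    $attrs = [int]$p['trustattributes'][0]
    [pscustomobject]@{
        Partner      = $p['trustpartner'][0]
        Kind         = Get-TrustKind $type $attrs
        Type         = $typeNames[$type]
        Direction    = $directionNames[$dir]
        Transitive   = -not ($attrs -band $TA_NON_TRANSITIVE)
        SidFiltering = [bool]($attrs -band $TA_QUARANTINED)
    }
}

$trusts | Sort-Object Kind, Partner | Format-Table -AutoSize

# Review point: a two-way transitive trust reaches every domain on the other side
# (Recipe 2.16), and an external trust without quarantine accepts the partner's
# SIDs as presented; both deserve an explicit sign-off.
$trusts | Where-Object { $_.Kind -eq 'External trust' -and -not $_.SidFiltering } |
    ForEach-Object { "WARNING: external trust to $($_.Partner) has SID filtering disabled" }
```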

Recipe 2.18 Creating a Trust to a Kerberos Realm

2.18.1 Problem

You want to create a trust to a Kerberos realm.

2.18.2 Solution

2.18.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click the domain you want to add a trust for and select Properties.

3. Click on the Trusts tab.

4. Click the New Trust button.

5. After the New Trust Wizard opens, click Next.

6. Type the name of the Kerberos realm.

7. Select the radio button beside Realm Trust and click Next.

8. Select either Transitive or Nontransitive and click Next.

9. Select Two-way, One-way incoming, or One-way outgoing and click Next.

10. Enter and retype the trust password and click Next.

Posted: 05/07/2014, 08:20
