mô tả việc cài đặt và quản lý child domain trong windowns server 2003
Trang 104/08/2013 BIEAN NHAAN
LAB 10
I Mo hinh: (dia theo mé hinh bai lab 9)
- Có thể xây dựng hệ thống Account Policy dộc lập cho Chi Nhánh
- Cô lập quyên của Admmsstrator chịu trách nhiệm quản lý Chi Nhánh
- Tôi ưu hóa quy trình đông bộ (Replication) gitta cac Domain Controller trong toan Domain
IH Các bước thực hiện:
Xây dựng từ bài Lab-9 với Domain = Nhatnghe.Local, xây dựng thêm hệ thống Chi Nhánh (Child Domain) =
SG.Nhatnghe.Local
Các máy can ding cho Child Domain gồm : 01 máy Windows Server 2003 ding lam Domain Controller cho Child Domain SG.Nhatnghe.Local
Các bước tiễn hành bao gồm :
- Tai Site Saigon, tao Forward Lookup Zone: sg.nhatnghe local
- Tai Site Saigon, nang cap Primary DC cho Domain sg.nhatnghe local
- Cu hinh Global Catalog Server va Secondary DNS Server trén Domain Controller cua domain
sg.nhatnghe local
- C4u hinh Account Policy cho Domain sg.nhatnghe local
- Tao User trén domain con, kiém tra Password Policy
- Kiểm tra quyền Domain Admins của Domain sg.nhatnghe local
IV Triên khai chỉ tiệt:
B1: Tai Site SAI GON, tao FLZ: sg.nhatnghe.local
Trên PC02, mở DNS tạo zone mới với các bước như hình bên dưới:
Trang 2lộ Win2K3-SP1 (PC02] - MicrosofL Virtual PC 2007 lees
Action Edt CD Floppy
ñ tone translates DNS names to related dats, such as IP "g
addresses or heleecek services
To continue, cick Next,
Trang 3Win2K3-SP1 (PCO?) - Microsoft Virtual PC 7007
Action Edt CD Floppy Hele
New fone Wizard
fone Type
The DNS server supports various types of zones and storage
Select the type of zone you want to create:
f= Primary zonel
Creates 4 copy of a zone that can be updated directly on this server
Secondary zone
Creates a copy of 6 zone that esdsts on another server, This option helps balance
the processing load of primary servers ond provides Fault tolerance
C Sub zone
ee na Ee eee
{SOA}, and Besse Se Ufo recone A server containing 4 stub zone is rot
authoritative for that zone
Iv Store the zone in Active Dinectory (avaible only if DNS server is a domain controler)
BIEAN NHAAN
ủi Edt CD floppy Help
few Zone Wizard
Active Directory Zone Replication Scope
You can select how you want ONS data rephcated throughout sour network
Select how you want zone data nephcated:
© To sf ONS servers in the Active Directory forest nhatnghe local
© To all ONS servers in the Active Directory domain nhatnghe local
f2 [To all daman controllers in the Active Drectory domain nhatngheJocal
Choose this option if the zone should be loaded by Windows 2000 DNS servers
funning on the domain controters in the same domain,
© Toast denen DỊ fT Đãpr< oeecd ped |p the scope of ine folowing encicaton chrectory
Trang 404/08/2013 BIEAN NHAAN
EL Win2K3-5P1 (PCO?) - Microsoft Virtual PC 7007 b led
Action Edt CD Floppy Help
The zone name specifies the portion of the DNS namespace for which this server is
suthoritative Tk might be your organization's domain name (for example, microsoft.com)
of 4 portion of the domain name (for example, newrone.micnacoft com), The pone nace
not the name of the DNS server
Zone meee:
| sgenhatnghe local
<Back [ Net> | cone | Heb
1
dctien Edt CD Floppy Help
Dynamic updates enable DNS chant computers to register and cynamically update their
resounce records wth 4 ONS server whenever changes occur
Select the type of dynamic updates you want bo alls:
© Allow onfy secure dynamic updates (recommended for Active Directory)
This option is available only for Active Directory-integrated zones
ít (Allow both nonsecure and sacure dynamic updates:
Á This option ls a siorếficartt securfty vuixerabäty because updates can be
accepted From untrusted sources,
© Bo not allow dynamic updates
Cyneeric updates of resource record: ane not accepted by this zone You must updaks
these records manualy
Trang 504/08/2013 BIEAN NHAAN
© Win2K3-SP1 (PCO?) - Microsoft Virtual PC 2007 ElJF Bị
Action Edt CD Floppy Help
Completing the New Zone Wizard
Tou have successhulhy completed the New Zone Wizard, You | specified the following settings: ry
Type: Active Danectory: Integrated Primary Lookup type: Forward
Nobe: You should now add nécords to the tone or ensure
that records are updated dynamically You can than verily hase résolution using nelookup
To dose this wizard and creste the new zone, click Finish
coos (ER) cot | ew
EI- R] Pcœ Name | Type | Bata
ag ~ Event Viewer id] (same as parent folder) Start of Authority (308) [1], pcO2.nhatnghe.local., hi
STE Forward Lochup Zones |] (same as parent Folder) Name Server (N5} pcO2 nhatnighe local
B2: Nâng Cấp PC04 lên Domain Controller cua domain con sg.nhatnghe.local
Trang 6
04/08/2013
s.:
nL
aed
Type the name of 3 program, folder, document, or
Tibennet resource, and Windows wall open it for you
ys Ream MeCN Mee ere Tm ea eerste
Acton Edt CD Floppy Help
Trang 704/08/2013 BIEAN NHAAN
Ne Rea MeCN mee tere ma aerate
Action Edt CD Floppy Help
Operating System Compatibility
lmpurverl +erL xi settings in Winders Serve 2002 alfect older versions of
Melowz
Doran conte running Window: Server 2003 implement acuity jetting: that
m require chents and other servers bo commurscate with those domain controllers in a moce
secure Wey
Sonne cider wertond of Windows, incluckng Windows 56 and Windows NT 40 SPS ov
earier, do not mest these requrements Sindarly some non windows sycheme, inching
ì Apple Mac 0S > and SAMBA chents might not mee these requirements,
Por mcs infomabon, se Comoatibeity Help
Win2K3-5P1 (PCO4) - Microsoft Virtual PC 2007
Action Edt CD Floppy Help
Ñrtive Birerctery Installation mm
Domain Controller Type
Spenciy the role you pant the: server to hare
Dio pou want Bho tener to become a domain controler fora new domain ofan
H addihonal donan cosholet tow an eating domar?
© Domain controtes for 2 new domain
Select thi option to create a new chid domain, new domam lee co nee forest
Tht sere: val become the fret domain controler inthe new doman,
Í” Addhional domain cortnofied for an esashng domain
é#\, Proceeding with ther opbon wall delete all local accounts on this server
Al crpptographes hey: wall be deleted and should be expocted before 'CTÄEM.EFHJ
All encrypted data, such ac EFS encrypted files ot e-mail, should be decrypted
beloré cominung of it val be penmanenlly insocesable
Trang 8
04/08/2013
Ne Rea MeCN mee tere ma aerate
BIEAN NHAAN
Action Edt CD Floppy Help
Win2K3-5P1 (PCO4) - Microsoft Virtual PC 2007
Create New Domain
Sedect which tape of donna bo create
Create 4 rein
Domain ina new forest
Select thes ophon if ther is the feel doen in your organmation om f you want the new
[mai bạ he completely independent of pour cisrent forest
Thou vert the Tra côàmei bù be a chu dễ am maitrig domaer, sêlecl Ki phe
For ecample, pou could create a new doman named
headquaiters example mecrogolt com a2 a chad domam of the dome
EðiTipe IrecrsulL cram.,
Doenain tee in an existing forest
lhpou dont want the nev dome to be a chiéd of an existing comer, aelect the:
opbon, The val cresie a new domain ines that ts separate from ang maning ines
Provide a neteak User nanee and passeeond
Type the uted naene, password, and user domain of an account wilh sulhicrent perdeges
to inched Actes Drechory on this computer
Trang 904/08/2013 BIEAN NHAAN
Ne Rea MeCN mee tere maT aerate
Action Edt CD Floppy Help
Child Domain Inctallation
Selec! the panend domain, 4nd spenciy a mane for the mew child domain
Enter the full ONS name of the parent demain [for exznpke
i headquarters example macronolt com
L.//17/%67-1920.⁄01/101,104/ 0/0 tat eS ema ety
Action Edt CD Floppy Help
Ñrtive Birerctery Installation mm
HeIRlũ5 amain Hame
Specty aheBlOS mame for the new domen
Thie i¢- the name that users of eather veraont of Windows wall ute bo iderdily the neve
M domain Chek Next to secept the name chown, of ype 6 new name
Domain NetBIOS name: la
Trang 10
04/08/2013 BIEAN NHAAN
Ne Rea MeCN mee tere maT aerate
Action Edt CD Floppy Help
Databace and Log Folders
Speci) tee fodders bo combemn the Act Directory database and hog Files
Pot best peifomance and recover sidly, store the database and the log on separate
Re eee eC eee tere) a tat eS ema ety
Action Edt CD Floppy Help
Ñrtive Direrctary Installation mm
Shared System Volume
Sperể the fodder to be shared as the sycten vodume
The SaSVOL folder stowes the server's copy of the domain's pubbe files, The conterds
M of the SYSVOL folder are replicated to all domain conirollers in the domain
The SYSVOL folder must be located on an NTFS volume
Enter a location tor the SYSVOL fokder
Trang 11
04/08/2013 BIEAN NHAAN
Ne Rea MeCN mee tere maT aerate
Action Edt CD Floppy Help
NH5 Hegistralian Diagnostics
Veilu DNS: suppor, or instal ONS on the computer
Diagnostic Results
The registration dhagnottic hat been nun 1 time
ee regististion support for this domain cortrofies has been verwed To conhinue, cbck
ext
Details
The pomay DHS server tested was: pol? nhatnghe local (192 168 2 2)
(The zone man: cũ nhang he lọc ai
The test for dynamic DNS update suppcet reharied:
“The operation completed successhully.”
Re eee eC eee tere) a tat eS ema ety
Action Edt CD Floppy Help
Ñrtive Birerctery Installation mm
Penmissiens
Select defauk pennessions for uses and group obpeacts
Some server progam, such as Windows NT Remote Access Senice, read inlormatan
i doted on domain contioders
( Pernissons compatible vith peewindows 2000 seve opersting systems
Select this opton i pou run sence progam on pre-yindows 2000 senret opershing
qyitems oFon Windows 2000 of Windows Sener 2003 operating aysteme thal are
members of prev indows 2000) domsans
‘Ny Anoruimous Users can reed infoamation on this domarn
Penrecton: compatible only wth Windews 2000 of Windows Server 2003]
operating systems |
Select this opbon i pou run cence: prograens onde on Windows 2000 cn Windoves
Sere 2003 operating stems that are menbers of Active Deacton domains Ori
aulhentcated upers can read infomation on te doman
Trang 12
04/08/2013 BIEAN NHAAN
Ne Rea MeCN mee tere maT aerate
Action Edt CD Floppy Help
Decoy Services: Restore Mode Admimictiator Password
Tứ: nazsxmi I3 Lizerl vẩeri ou start the computer in Directoy Senices Rese
Mode
Type and conden the passvrord pou ant to accign bo tne Adnunatialot account uted
M when tit cere ic elated in Directoy Serices edocs Mode,
The redicse mode Adminedrator account ts diferent from the domain Admanisiratos
eocourt The passwords for the accounts might be diferent oo be sune to remember
Re eee eC eee tere) a tat eS ema ety
Action Edt CD Floppy Help
Ñrtive Birerctery Installation mm
5 Lemar ye
Reyer and cordEm the options pou selected
‘fou chore to
Configure this server as the frst domain controler ina new domain
The new dernain ir named 19 nhainghe local
The NetBlOS nace of the doman is SG
; This new domain is 4 chid domain of the domain nhatighe local
Databare folder CAWINDOWSINTDS
Log fie folder CAWINDOWS'NTDS
S7SV0L folder C WINDOWS 457 S¥OL
[The paztword of the new domain administialor dl be the cane as the paceword of vị
To change an opbom click Back, To begin the nperalion, chck Hi
B3: Cấu hình Global Catalog Server và Secondary DNS Server
Trên PC04 đăng nhập với quyên domam admm vào Child Dormam Câu hình Global Catalog Server:
Trang 14a peer _Name | From Server — | Fromste | tre | Description
Pedra _ Sikes aewl Rs BE s —_É =l#| th x]
Frrrrrir | |
Off Active Directory Sites and Services | MMMedeMeaeiala Properties SS Ö#ixi
EI- Š] Defaul-Frrst-Stte-Name | | Ðeet| Seeu | Decree
El-C| trkar-5a Trarepcrtz
DNS Abas: JSDSAB2CO-7FED-4B 73-8478 1FC4C1 33420 medes
F7 bbl Caaog
The amount of iret it wall bake to publech the Global Catalog vane
depending on your repbcation topology
Cài DNS và cấu hình DNS trên PC04:
Trang 1504/08/2013 BIEAN NHAAN
lộ Win2K3-SP1 (PC04J - Microsoft VirLual PC 7007
Acton Eat CD Floppy Help
pla eh lie ar cnet dl ng
er eee To tee whal's included i 4 coenponert, chock Detad:
9 Sences:
MORE TIC) Bb Oymamnic Host Configuration Protocol (DHCP)
ee Pps 7] BB internet Authertication Service eee ñữMB
toe | C] fb Remote Acces: Quarantine Senice 0.1MB |
Efira | JC) SAP over HTTP Prony OMB
Giro} [Cl Sb Sirele TRAP Services 00M8 !
ege | 1C) Bib Windows Internet Name Service [WINS] 03M8 =|
Desciption: Setsup a DNS server that answers quey and update requests for DNS
nic) Total disk space requined: 6.0 MB mails |
Su ‘Space avaiable on disk: 1153.6 MB _DBetats | |
BAU] Ewesnt Viewer =
+ | LD) Add anew Zone
few — Fit one or more contiguous CANS
New Window From Here
are Zone, on the Action menu, click Mew Zone,
Trang 16Acton Eat CÚ Floppy Help
os
Action Edit CD Floppy Help
Creates a copy of a zone that can be updated directly on this server
cố ca ôn an This option heips balance
the processing load of primary servers and provides fauk tolerance
Stub zone
Crates eco of zone containing only Name Server (NS), Start of Authority
(504), ard prasbly gio oi (0) rears A server containing 6 stub zone is rot
authoritative for that zone,
[7 Store the sone in dcthee Directory fayadable erty DAS parver isa demain controler)
Trang 17Acton Edt CD Floppy Help
authoritative Tt might be your organization's domain name (for example, microsoft.com)
ora portion of the domain name (for escampls, neADone.rmorosort coe) The Zoe reer ks
not the name of the DONS server
be divided into zones, Each zone shores information gone nance:
| s9.nhatnghe local
lộ Win2K3-5P1 (PC04) - Micrasoft Virtual PC 2007 a |
Acton Edt CD Floppy Help
Specify the ONS servers from whach you want to copy the zone Servers are
contacted in the order shown
