Chinaunix

[Server 2008] Windows 2008 training notes

Posted 2012-01-10 15:45
Install AD role
Run dcpromo
Create a new domain in a new forest
FQDN: globomantics.com
DNS: yes
Install password: Xmas102411
Domain controller replication information, manually
repadmin /syncall
Delete an OU
View->Advanced Features->Right click OU->Properties->Object->Unselect (Protect object....)
Initial password
P@ssword
DSADD
dsadd user "cn=username, ou=ouname, dc=YourDomain, dc=YourSuffix"
for example
dsadd user "cn=hrichardson, ou=NYUsers, ou=NewYorkOU, dc=globomantics, dc=com"
Globomantics.com
    NewYorkOU
        NYUsers
            hrichardson

        A1 blank 30000 color 35000
dsadd user "cn=hrichardson, ou=NYUsers, ou=NewYorkOU, dc=globomantics, dc=com" -fn Hank -ln Richardson -desc "" -pwd P@ssword -mustchpwd yes
dsadd user help (dsadd user /?)
User add batch
dsadd user "cn=%1, ou=NYUsers, ou=NewYorkOU, dc=globomantics, dc=com" -fn %2 -ln %3 -desc "%3 %2" -pwd P@ssword -mustchpwd yes
Save as addusername.bat
run addusername.bat tmiller (replaces %1) Tonia (replaces %2) Miller (replaces %3)
A computer can't access the network without an AD account
Computer accounts live in OUs, which will allow you to install software to all machines in an OU at once
Share and Storage Management
Share permissions are used for the root folder which you want to share
NTFS permissions are used for the contents of the shared folder where you want to control the ACL within the share.
for example
A (shared folder: we use share permissions to control who can access the shared folder)
  B C D (Use NTFS to control who can access these contents (the ID belongs to the group who can access the shared folder))
Allow and deny permissions
If user Tommy belongs to Group A and Group B:
A folder/file allows Group A access and nothing is assigned for Group B. Tommy can access the folder/file.
A folder/file allows Group A access and denies Group B. Tommy can not access the folder/file.
Enforce - A setting on a group policy link that breaks through block inheritance and overrides any conflicting policies.
You can use the block option (right click when you select Enforce / un-select link) to block inheritance, but not recommended.

****************************************************************************************
Group Policy

Suppose user A logs on to computer B, and Group Policy applies to both objects (each GPO configures settings for its user part and its computer part). In this case two Group Policies are really being processed, one for the user and one for the computer, and that is where the loopback situation arises.
You can configure in domain policy how such a conflict is handled:
1. Open the Group Policy Object Editor->Computer Configuration->Administrative Templates->System->Group Policy,
2. Under the Group Policy options, double-click "User Group Policy loopback processing mode",
3. Select "Enabled", pick "Replace" or "Merge" under "Mode", and click OK.
Replace mode means: the user settings part of user A's GPO replaces the user settings of computer B's GPO, so in the end the user settings applied to user A are those of the GPO of the OU that user A is in.
That is, the user policy follows user A's GPO.
Merge mode means: the user settings part of user A's GPO is combined with the user settings of computer B's GPO, and both are applied to the logged-on user; where the two conflict, the user settings part of computer B's GPO replaces the conflicting user settings of the GPO of user A's OU.
That is, the user policy is the combination of the two, and where they conflict, computer B's user policy wins.
B.
"A policy is split into a computer policy and a user policy; the computer policy acts on the computer and the user policy acts on the user object, and when the computer policy and the user policy of the same policy conflict, the computer policy wins." Then another question may come up: user a belongs to the sales OU while computer account b belongs to the marketing OU, and each of the two OUs has its own OU policy; what happens when user a logs on to b? By default the sales OU user policy applies to user a and the marketing OU computer policy applies to computer b, which is clearly not what the administrator wants, because it is a security risk: in this situation the user policy may override the computer policy. So the concept of loopback mode is introduced. Loopback mode comes in two kinds. The first is replace, which forces user a to take the marketing OU users policy and ignores the sales OU users policy of a's own OU. The other is merge mode, which merges the user policy inside the marketing OU computer policy with the sales OU users policy and applies both, and where they conflict the user policy inside the marketing OU computer policy wins. This way the user policy is guaranteed not to override the computer policy, and the security risk is avoided. Besides this, policies also have settings such as inheritance and blocking.
You can assign the members to whom the Group Policy will be applied in "Security Filtering".
You can set up the authorization for the current Group Policy in the Delegation tab.

Group Policy has two levels
1) User level
2) Computer level
Discuss with Huber about changing the policy from computer level to user level

How to push software to lots of laptops

1) Hold the MSI file in a shared folder.
Always create new folders for each software package to make the process nice and easy.

When does Group Policy take effect?
User login / run gpupdate /force
Software installation GPOs will take effect on next restart.
The refresh interval of Group Policy.

Create a second password policy
1) Open "ADSI Edit"
2) DC->System->CN=Password Settings Container->New->Password policy->Value: 1->false->5->false->4->days:hours:minutes:seconds->days:hours:minutes:seconds
3) More Attributes->Edit Attributes: Display in group policy
  3.1) select view - msDS-PSOAppliesTo, input the information obtained from 5)
4) View->Advanced Features in Server Manager
5) Click the OU, select the group and right click->Properties->Attribute Editor->double click "distinguishedName"->OU information
***********************************************************************
C13 Backup

NTDSUTIL is for AD. (Backup AD information)
Add Feature->Windows Server Backup and Command-line Tools
wbadmin /?
ntdsutil (Enter)
ntdsutil: activate instance NTDS
ntdsutil: ifm
ifm: create sysvol full F:\IFM (we can use it for installing a new server, reducing the data to copy)
*********************************************************************
C14 How to use IFM and change the role of a Domain Controller
PDC: Handles passwords; Group Policy; time updates...
Relative Identifier (RID): If the server with this role goes down, you may not be able to add any users or computers to the Domain.
Infrastructure Master:
Change PDC
Add Active Directory Schema
regsvr32 schmmgmt.dll
(MMC: add the snap-in)
Right click Active Directory Schema->Operations Masters->Change
We can use IFM data to build the infrastructure when we promote a server to Domain Controller (Transfer role step)
*******************************************************************
C15
Audit policy: Group Policy->Computer Configuration->Windows Settings->Security Settings->Local Policies->Audit Policy
First select View->Advanced Features
Right click the OU (which you want to audit)->Security->Auditing->Add (Authenticated Users)->Select the function which you want to audit; you can select the objects in
the Apply to tab.
Tune up the AD database
cmd
(Stop Active Directory Domain Services)
ntdsutil
ntdsutil: activate instance NTDS
ntdsutil: files
file maintenance: (/?)
file maintenance: compact to c:\
quit
quit
Renew the ntds.dit
ntdsutil
ntdsutil: activate instance NTDS
ntdsutil: files
file maintenance: integrity
file maintenance: quit
ntdsutil: semantic database analysis
semantic checker: verbose on
semantic checker: go fixup
quit
quit
Start Active Directory Domain Services
**************************************************************************
C16 Add a child domain
Open Server Manager->Active Directory Domain Services->Active Directory Sites and Services->Sites->right click->New Site->Create Chicago
Track a machine's basic IP
Subnets->New Subnet->prefix: 192.168.5.0/26->site: select Chicago
Open the properties of the subnet->Change location
Create a sub-domain
Run dcpromo->select Existing forest->Create a new domain in an existing forest
FQDN: globomantics.com->Single-label DNS: na->default->DNS and Global Catalog->Export settings
Domain Link
Active Directory Sites and Services->Sites->Chicago->Servers->NA-DC1-2K8->NTDS Settings->Properties
Change Domain
Right click the Domain and select Change Domain->Select Domain
**********************************************************************
C17
Security Group: Allows you to grant permissions to resources
Distribution Group: Basically email lists, and aren't used very often
Global Group: Usable in any trusted Domain in your forest; users can only come from the home Domain.
Universal Group: Usable in any trusted Domain in your forest; users can come from ANY Domain.
Domain Local Group: Usable only in the Domain it lives in; users can only come from the home Domain.
AGUDLP: Global group is a member of Universal Group, Universal Group is a member of Domain Local group
*****************************************************************************
C18
Core configuration;
Command-line help: http://technet.microsoft.com/en-us/library/cc753802.aspx
         document help: http://www.microsoft.com/downloa ... &displaylang=en
Tools: http://coreconfig.codeplex.com/releases/view/36678   (Core Configurator)
Clients can use MMC to control a core server.
Control which users can log in to a particular Domain server:
View->Advanced Features
Roles->AD Users and Computers->Domain Controllers->Select server->Open Properties->Password Replication Policy
->remove default allow->add the users/groups who want to log in to the Domain Controller
Open the properties of the user who will log on to the domain controller->select Password Replication->Check which DC the user can log in to
******************************************************************************
C19 Recover AD data
Restart server->log in to Domain Recovery Mode->log in as .\Administrator (the password is the one you created when you ran dcpromo)
Open cmd
wbadmin get versions (for finding backup info)
wbadmin start systemstaterecovery -version:08/14/2008-04:01 (backup time)
ntdsutil
ntdsutil: activate instance NTDS
ntdsutil: authoritative restore
authoritative restore: restore subtree "ou=Ops,ou=NYUsers,ou=NewYorkOU,dc=globomantics,dc=com"
quit
**********************************************************************************
C20 Change role from a dead DC to a live DC
I will change the Infrastructure role
GUI: log in to the live DC.
Roles->AD Domain Services->AD Users and Computers->Select Domain->Right click Domain->Operations Masters->Select Infrastructure->Change->Yes->Yes
NTDSUTIL: cmd
ntdsutil
ntdsutil: activate instance NTDS
ntdsutil: roles
fsmo maintenance: help
fsmo maintenance: connections
server connections: connect to domain globomantics.com
server connections: quit
fsmo maintenance: seize infrastructure master
Yes
**********************************************************************************
C21 Upgrade Server 2003 to 2008
In the Windows 2003 AD server
Copy adprep to your local disk
cmd
c:\adprep>adprep /forestprep
C (Enter)
Raise the Domain to 2003
Open AD Users and Computers->right click the Domain, select Raise Domain Functional Level->Select Windows 2003->Raise
c:\adprep>adprep /domainprep
Set up the OS and select upgrade
Open AD Users and Computers->right click the Domain, select Raise Domain Functional Level->Select Windows 2008->Raise
**********************************************************************************
C22 Domain trust
AD Federation Services: A server role that allows partner networks to share information across Domains using Single Sign-On. Most often used to share intranet
Web sites and applications like SharePoint.
DNS
Stub Zone: A DNS zone that simply provides information about another Domain's DNS servers.
Conditional Forwarder: An entry in a DNS server that forwards on a DNS request if the request meets a specific requirement, i.e. the request is for information
about a computer in another Domain.
In NY-DC2-2K8 (PDC)
Open DNS->Forward Lookup Zones->New->Stub Zone (Select Store the zone....)->To all DNS servers in this forest: globomantics.com->Verdepetra.com (the Domain to
trust)->DNS IP (select use the above...)
In VERDEPETRADC
Open DNS->Forward Lookup Zones->New->Stub Zone (Select Store the zone....)->To all DNS servers in this forest: globomantics.com->globomantics.com (the Domain to
trust)->DNS IP (select use the above...)
Trust
External Trust: Allows separate Domains in separate Forests to trust each other's users without trusting every Domain in a forest.
Forest Trust: Trusts between two Forest Root Domains that can allow users from any Domain inside of either Forest to share resources.
Shortcut Trust: Simply allows users to access resources in a different Domain faster.
Realm Trust: Allows a Windows Active Directory network that uses Kerberos to trust a UNIX-based network that also uses Kerberos, to share resources.
Transitive Trust: A trust property that allows for trusting of other domains if the domain that is being trusted trusts other domains.
Active Directory Migration Tool: A free download from Microsoft that allows you to move Active Directory objects (i.e. user accounts, etc.) between domains for
consolidation.
    Raise forest
    AD Domains and Trusts->right click AD Domains and Trusts->Raise Forest Functional Level->Windows 2008
    Do the same in NY-DC2-2K8
    Open globomantics.com->open Properties->Trusts->New Trust->verdepetra.com->Domain administrator (verdepetra domain)->Forest trust->Two-way->Both this domain
    and the specified domain->Domain administrator (verdepetra domain)->Forest-wide authentication->Forest-wide authentication
Users
verdepetra domain: create a universal group (TKsales).
globomantics Domain: create a Domain Local group (Sales).
Add TKsales to Sales. The users in TKsales get the same authorization as Sales in globomantics.com.
***********************************************************************************************
C23 MCSE MCSA relationship (we ignore it)
***********************************************************************************************
C24 DNS Stuff
DNS role
Active Directory Integrated Zone: The DNS database is stored as an Active Directory object. No need for Secondary Zones if all your DNS servers are also DCs
    Primary: Used in a standalone DNS server; it acts as a master DNS server that records and reads info.
    Secondary: A read-only copy of a Primary Zone. Must copy zone files from a DNS server that has a Primary Zone.
    Stub: Only contains information about other DNS servers.
Zone transfer during AD Replication
A (Host): Name and IP address of a host (computer, network printer, PDA, etc.)
PTR (Pointer): A record in a reverse zone
SOA (Start of Authority): The beginning records of a zone
SRV (Service Locator): For servers and service-providing hosts
NS (Name Server): A record that points to a DNS server
MX (Mail Exchanger): For email servers
CNAME (Alias): A "nickname" record that allows for multiple names for the same machine.
Log in to NY-DC2-2K8
    Open DNS
        Forward Lookup Zones
            _msdcs.globomantics.com (All DNS information about domain controllers (SOA NS CNAME))
                pdc
                    _tcp
                        SRV
                gc
                    _sites
                        Chicago
                            _tcp
                                ldap (the DC will be checked in the domain when the user logs in)
            globomantics.com (All domain device information)
                na (child Domain's DNS)
            Verdepetra.com (trusted Domain)
        Reverse Lookup Zones
        Conditional Forwarders
            New Conditional Forwarder..->verdepetra.com->IP of the Verdepetra.com DNS (select Store...)
    Open NY-DC2-2K8 properties->Forwarders (check another DNS server); click Edit and you can add your internet DNS server

Create GlobalNames (by command)
cmd->dnscmd /config /enableglobalnamessupport 1
Create forward zone (Primary zone->To all DNS servers in the forest->GlobalNames->default->Next->Finish)
You can create a CNAME record so names are easy to remember
**********************************************************************************
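The "user add batch" in the notes takes the user's name from three positional arguments and gives every account the same P@ssword. The following added example (not from the original post) does the same job with dsadd, but reads a CSV, escapes RDN-special characters such as commas before building the DN, and gives each account its own random one-time password that -mustchpwd yes forces the user to replace at first logon. The OU path, the UPN suffix, the CSV rows and the function names are constructed for this example; it assumes it runs on a Server 2008 DC (or a machine with the AD DS administration tools) under an account allowed to create users in that OU.

```powershell
# Added example (not from the original post): bulk user creation with dsadd from a CSV.
# Assumptions: Server 2008 DC or AD DS admin tools; rights to create users in $BaseDn;
# the OU path, UPN suffix, CSV content and helper names below are constructed.

$BaseDn    = "ou=NYUsers,ou=NewYorkOU,dc=globomantics,dc=com"   # target OU from the notes
$UpnSuffix = "globomantics.com"                                 # assumed UPN suffix
$CsvPath   = Join-Path $env:TEMP "newusers.csv"

# Constructed sample input (in practice this comes from HR).
@"
sam,first,last
tmiller,Tonia,Miller
hrichardson,Hank,Richardson
"@ | Set-Content -Path $CsvPath

# Escape the characters that are special inside an RDN (RFC 4514), so a value
# containing a comma cannot split the DN that dsadd receives into extra components.
function ConvertTo-EscapedRdnValue {
    param([string]$Value)
    return ($Value -replace '([,\\#+<>;"=])', '\$1')
}

# One random initial password per account. -mustchpwd yes makes the user replace it
# at first logon, so the shared P@ssword from the batch file is never reused.
function New-InitialPassword {
    $bytes = New-Object byte[] 12
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    # Base64 supplies upper/lower/digits; the suffix adds a symbol for complexity.
    # If a password is still rejected, dsadd returns a non-zero exit code (captured below).
    return ([Convert]::ToBase64String($bytes)) + "!"
}

$results = @()
foreach ($row in Import-Csv -Path $CsvPath) {
    $dn = "cn=" + (ConvertTo-EscapedRdnValue $row.sam) + "," + $BaseDn
    $initialPwd = New-InitialPassword

    # -samid and -upn set the logon names explicitly instead of relying on the cn.
    & dsadd user $dn -samid $row.sam -upn "$($row.sam)@$UpnSuffix" `
        -fn $row.first -ln $row.last -desc "$($row.last) $($row.first)" `
        -pwd $initialPwd -mustchpwd yes

    # Record the outcome but not the password; hand that to the user out of band.
    $results += New-Object PSObject -Property @{
        User = $row.sam; DN = $dn; ExitCode = $LASTEXITCODE
    }
}

$results | Format-Table User, DN, ExitCode -AutoSize
```

A non-zero ExitCode for a row means dsadd rejected that account (existing name, password policy, missing rights), so the table is the place to check before telling anyone their account is ready.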
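The "second password policy" in the notes is a fine-grained password policy (PSO) created by hand in ADSI Edit and linked through msDS-PSOAppliesTo. As an added example (not from the original post), here is the same object built with the ActiveDirectory PowerShell module, which is available with Server 2008 R2 / RSAT and needs a domain functional level of Windows Server 2008 or higher. The PSO name and the group name are constructed; the user hrichardson comes from the notes and is only used to read back which policy wins for him. A PSO can be applied to users and global security groups, not to OUs, which is why the link target here is a group.

```powershell
# Added example (not from the original post): a fine-grained password policy (PSO)
# created and linked with the ActiveDirectory module. Assumptions: module present
# (Server 2008 R2 / RSAT), domain functional level >= Windows Server 2008, and the
# PSO name and group name below are constructed for this example.
Import-Module ActiveDirectory

$PsoName  = "NYAdmins-Strict"   # constructed
$Subject  = "NYAdmins"          # constructed global security group; PSOs bind to users/groups, not OUs
$TestUser = "hrichardson"       # user from the notes, used to read the resultant policy

# Create the PSO only if it is missing, so the script can be re-run safely.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'"
if (-not $pso) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 14 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30)
}
# Precedence: when several PSOs apply to the same user, the lowest number wins.

# Link the PSO to the group; this populates the msDS-PSOAppliesTo attribute
# that the notes edit by hand in ADSI Edit.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Subject

# Verify what a given account actually gets. An empty result means no PSO applies
# and the Default Domain Policy password settings are in force for that account.
function Get-EffectivePolicyName {
    param([string]$SamAccountName)
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($resultant) { return $resultant.Name }
    return "Default Domain Policy (no PSO applies)"
}

Get-EffectivePolicyName -SamAccountName $TestUser
Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName | Select-Object Name, ObjectClass
```

Run Get-EffectivePolicyName for a member of the group and for a non-member: the member should report the PSO name, the non-member the default domain policy. If both report the default, the group membership or the link (Get-ADFineGrainedPasswordPolicySubject) is the first thing to check.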

Posted 2012-03-15 11:27
Not bad, it would be even better with more detail.

Posted 2012-01-14 17:41

Posted 2012-02-23 11:25
Yes, taking notes is the way to go.

Posted 2012-02-24 11:16
Not bad, it would be even better with more detail.

Posted 2012-02-26 21:20
Worth bumping; thanks for your hard work, OP.

Posted 2012-07-25 11:18
Too much, and not done carefully.

Posted 2012-06-18 11:36
Thanks for your hard work, OP.

Posted 2012-06-26 23:54
Oh my, I'd better learn English properly first before coming back.

Posted 2012-08-03 11:00
Bump, I support the OP! Interesting.