Difference between revisions of "AD DS"
From AlphaBook
Revision as of 13:22, 18 February 2017
Active Directory Domain Service Design
- A single forest with a single domain is preferred (up to 2,150,000,000 objects per domain; keep the FQDN less than 64 characters)
- Implement multiple/backup domain controllers (all of them global catalogs) and multiple sites as needed (site, subnet, site link; bridge all site links)
- User
- Grant permissions to groups, never to a single user
- Enable the Active Directory Recycle Bin
- Enable "Protect object from accidental deletion" on objects (users, OUs, etc.)
- Delegate account-unlock permission to the IT helpdesk group
- Delegate permission to join computers to the domain to the IT helpdesk group
FSMO (Flexible Single Master Operation)
There are 5 FSMO roles:
- Schema master / forest level
  - Required to change the schema of the forest (e.g. for Exchange, Lync, SCCM)
- Domain naming master / forest level
  - Required to add or remove domains in the forest
- PDC emulator / domain level
  - Time root of the forest
  - Central management of Group Policy
  - Handles password changes specially (a change is replicated to the PDC immediately)
  - Handles account lockouts specially
- RID master / domain level
  - Assigns RID pools to DCs (500 RIDs at a time)
- Infrastructure master / domain level
  - Maintains references to objects that live in other domains
To check which servers hold the FSMO roles:
- netdom query fsmo
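The following PowerShell script is an added example (not part of the original AlphaBook page) that audits a domain against the design checklist above and reports the FSMO role holders the same way netdom does. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the forest and domain objects; the w32tm call additionally assumes remote query access to the PDC emulator.

```powershell
# Added example: audit an AD DS domain against the design checklist above.
# Assumes the RSAT ActiveDirectory module and read access to forest/domain data.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)

# The five FSMO role holders (same information as "netdom query fsmo").
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Single forest / single domain, and the FQDN length limit from the checklist.
if ($forest.Domains.Count -gt 1) { Write-Warning "Forest has $($forest.Domains.Count) domains; a single domain is preferred." }
if ($domain.DNSRoot.Length -ge 64) { Write-Warning "Domain FQDN '$($domain.DNSRoot)' is not less than 64 characters." }

# Redundancy: at least two DCs, all of them global catalogs.
if ($dcs.Count -lt 2) { Write-Warning "Only $($dcs.Count) domain controller(s); add a backup DC." }
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
foreach ($dc in $nonGc) { Write-Warning "$($dc.HostName) is not a global catalog." }

# Caveat: in a multi-domain forest the infrastructure master must not be a GC
# unless every DC is a GC (with all DCs as GCs the role has nothing to do).
$infraDc = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
if ($forest.Domains.Count -gt 1 -and $nonGc.Count -gt 0 -and $infraDc.IsGlobalCatalog) {
    Write-Warning "Infrastructure master is a GC while some DCs are not; move the role."
}

# Time root: the PDC emulator should sync from an external source, not its local clock.
$timeSource = & w32tm /query /source /computer:$($domain.PDCEmulator)
if ($timeSource -match 'Local CMOS Clock|Free-running') {
    Write-Warning "PDC $($domain.PDCEmulator) has no external time source: $timeSource"
}

# The Recycle Bin must be enabled at forest scope.
$bin = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $bin.EnabledScopes) { Write-Warning "Active Directory Recycle Bin is not enabled." }

# Every OU should carry the "Protect object from accidental deletion" flag.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    ForEach-Object { Write-Warning "OU not protected from accidental deletion: $($_.DistinguishedName)" }
```

Run it from a domain-joined administrative workstation; each Write-Warning line points at one checklist item that is not yet satisfied.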
To transfer or seize FSMO roles, run the following sequence in Ntdsutil:
- Ntdsutil
- Roles
- Connections
- ? (lists the available commands)
- Connect to server BJDC01
- Quit (returns to the roles menu)
- Transfer schema master
- Transfer domain naming master
- Transfer PDC
- Transfer RID master
- Transfer infrastructure master