Professional Windows Server 2003 Security: A Technical Reference [Electronic resources]

Roberta Bragg


Domain Controller Tasks


Upgrade Domain Controllers


Upgrading W2K domain controllers to WS2003 is trivial since no modification of the namespace is required. Make sure all your W2K domain controllers have the latest service pack installed, use adprep to prepare the forest by extending the schema, and then run Setup on each domain controller to upgrade to WS2003.

If you are upgrading an NT domain, you need to upgrade the PDC first:

Synchronize all BDCs with PDC → take one BDC offline in case something goes wrong → insert WS2003 product CD into PDC → select Upgrade

Test your new mixed-mode domain, then upgrade the remaining BDCs, test, and once you're sure everything works, you can upgrade or decommission the BDC you set aside for an emergency.

Configure a Domain Controller


There's very little to configure on a domain controller:

Active Directory Users and Computers → select domain → select OU → right-click on a domain controller → Properties

The "Trust computer for delegation" setting on the General tab enables services on the local machine running under the LocalSystem account to request services from other servers on behalf of clients. Since this can be a security concern, enable this only if you know it will be needed, for example, to allow the Message Queuing Service to run on the machine. None of the other settings on the properties sheet are really important, though a few, such as displaying the latest service pack installed on the machine, are informative.
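Because the delegation setting is easy to tick and forget, it is worth periodically listing every computer account that carries it. The following PowerShell is an added example and not part of the book; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later, not available on WS2003 itself). The GUI checkbox the book describes sets the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl; the example goes slightly beyond the book by also reporting constrained delegation, which WS2003 added and which is recorded in msDS-AllowedToDelegateTo instead of that bit.

```powershell
# Added example (not from the book): audit computer accounts trusted for delegation.
# Assumes the ActiveDirectory module; domain and account names come from the live directory.
Import-Module ActiveDirectory

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the first clause
# matches accounts whose userAccountControl has TRUSTED_FOR_DELEGATION (0x80000 = 524288)
# set. The second clause catches constrained delegation, which does not set that bit.
$TrustedForDelegationBit = 0x80000
$LdapFilter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$TrustedForDelegationBit)(msDS-AllowedToDelegateTo=*))"

function Get-DelegationTrustedComputers {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Domain controllers carry TRUSTED_FOR_DELEGATION by default, so mark them
    # separately; the interesting findings are member servers where someone
    # deliberately ticked the box the book describes.
    $dcContainer = (Get-ADDomain).DomainControllersContainer

    Get-ADComputer -LDAPFilter $LdapFilter -SearchBase $SearchBase `
        -Properties userAccountControl, OperatingSystem, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            if ($_.userAccountControl -band $TrustedForDelegationBit) {
                $type = 'Unconstrained (any service)'   # the General tab checkbox
            } else {
                $type = 'Constrained (listed services only)'
            }
            [pscustomobject]@{
                Name               = $_.Name
                OperatingSystem    = $_.OperatingSystem
                IsDomainController = $_.DistinguishedName -like "*,$dcContainer"
                DelegationType     = $type
                AllowedTargets     = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            }
        }
}

# Usage: list non-DC machines first, since those are the ones that need a justification.
Get-DelegationTrustedComputers |
    Sort-Object IsDomainController, Name |
    Format-Table Name, IsDomainController, DelegationType, AllowedTargets -AutoSize
```

Any member server in the unconstrained list should map to a documented need such as the Message Queuing example above; if it does not, clear the setting on the General tab or, where the service is still required, prefer the WS2003 constrained option that limits delegation to named services.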

Manage a Domain Controller


Active Directory Users and Computers → choose domain → choose OU → right-click on a domain controller → Manage

This opens the Computer Management console with the focus on the selected domain controller.

Verify FSMO Roles


Various consoles are used to determine whether a particular domain controller in a particular domain has an FSMO role assigned to it. Specifically, to verify Infrastructure master, PDC emulator, or RID master roles:

Active Directory Users and Computers → right-click on root node → Connect to a domain → right-click on root node → Connect to a domain controller → right-click on root node → All Tasks → Operations Masters

If an Infrastructure, PDC, or RID tab is visible, the selected domain controller in the selected domain has that FSMO role.

To verify the domain-naming master role:

Active Directory Domains and Trusts → right-click on root node → Operations Master

To verify the schema master role:

Active Directory Schema → right-click on root node → Operations Master

Transfer FSMO Roles


To transfer an FSMO role to a different domain controller, follow the procedure described in the previous section, Verify FSMO Roles, and:

Change → select a different domain controller in the domain.

You can also transfer FSMO roles from the command line using the ntdsutil utility.

Seize FSMO Roles


If your domain controller goes down before you can transfer its FSMO roles to another domain controller, you'll have to seize these roles to assign them to another domain controller. This must be done from the command line using the ntdsutil utility.
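The three FSMO sections above (verify, transfer, seize) come together in the following added example, which is not from the book. It reports all five role holders with the ActiveDirectory module (an assumption: Windows Server 2008 R2 or later RSAT) and drives ntdsutil, the tool the book names, with the WS2003 role names. The target DC name and role are parameters the operator supplies.

```powershell
# Added example (not from the book): report FSMO role holders, then transfer or,
# as a last resort, seize a role with ntdsutil. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Three roles are per domain, two are per forest; query both objects.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    [pscustomobject]@{
        Domain               = $d.DNSRoot
        PDCEmulator          = $d.PDCEmulator          # domain-wide
        RIDMaster            = $d.RIDMaster            # domain-wide
        InfrastructureMaster = $d.InfrastructureMaster # domain-wide
        SchemaMaster         = $f.SchemaMaster         # forest-wide
        DomainNamingMaster   = $f.DomainNamingMaster   # forest-wide
    }
}

function Move-FsmoRoleWithNtdsutil {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        # Role names exactly as WS2003 ntdsutil's "roles" (fsmo maintenance) context expects them.
        [Parameter(Mandatory)]
        [ValidateSet('PDC', 'RID master', 'infrastructure master', 'domain naming master', 'schema master')]
        [string]$Role,
        # Seize only when the current holder is permanently gone; a seizure rewrites
        # ownership without the old holder's agreement.
        [switch]$Seize
    )
    $verb = if ($Seize) { 'seize' } else { 'transfer' }

    # Each element becomes one ntdsutil command, exactly as you would type them
    # interactively: roles -> connections -> connect to server -> quit -> transfer/seize.
    $ntdsutilArgs = @(
        'roles',
        'connections',
        "connect to server $TargetDC",
        'quit',
        "$verb $Role",
        'quit',
        'quit'
    )
    Write-Host "Running: ntdsutil $($ntdsutilArgs -join ' | ')"
    # ntdsutil still shows its confirmation dialog before changing the role owner.
    & ntdsutil.exe @ntdsutilArgs
}

# Usage (constructed DC name): check the current holders, hand the PDC emulator to DC2,
# then confirm the change replicated.
Get-FsmoRoleHolders | Format-List
Move-FsmoRoleWithNtdsutil -TargetDC 'DC2' -Role 'PDC'
Get-FsmoRoleHolders | Format-List
```

Two practitioner caveats: a seizure ("seize" verb) is only appropriate when the old holder will never return, because a domain controller that is brought back online after its schema master, domain naming master or RID master role was seized creates duplicate role owners and, for the RID master, risks duplicate SIDs; remove Active Directory from the old machine before reconnecting it. On newer systems the same report and move can be done with `Get-ADDomain`/`Get-ADForest` and `Move-ADDirectoryServerOperationMasterRole` (with `-Force` for a seizure), but ntdsutil remains the WS2003 method the book refers to.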

Promote/Demote a Domain Controller


To promote a member server to the role of domain controller, you can:

Manage Your Server → Add or Remove Role → Domain Controller

Alternatively, you can use DCPromo; for example, to create a child domain:

Start → Run → dcpromo → Domain controller for a new domain → Create a new child domain in an existing tree → specify Enterprise Admin credentials and DNS name of forest root domain → specify parent domain → specify name for child domain → specify permissions → specify password for Directory Services Restore Mode → reboot

Promoting and demoting computers to the role of domain controller has certain drastic effects:

  • If you promote a standalone server, any local user accounts on the
    machine will be lost. If you demote a domain controller, any domain
    user accounts in Active Directory will be lost if this is the last
    domain controller in the domain.

  • Any cryptographic keys stored on the computer will be lost after
    promotion or demotion and should be exported if necessary.

  • Any EFS-encrypted files will be inaccessible after promotion or
    demotion and should therefore be unencrypted before the action is
    taken.


To demote a domain controller, either remove the role using Manage Your Server or run DCPromo again. If there are still other domain controllers in the domain, the domain controller you are demoting becomes a member server in the domain. If you are demoting the last domain controller in the domain, the domain controller becomes a standalone server. Note that you can't remove the last domain controller from a domain if your domain is a parent for other domains. To remove the last domain controller in the domain:

Start → Run → dcpromo → specify the server as the last domain controller in the domain → specify an Enterprise Admins account for the forest → specify a password for a new local Administrator account → reboot

If you try to use DCPromo to demote a domain controller and the procedure fails for some reason, use dcpromo /forcedremoval to force the computer to return to the member server state.

Install from Media


If you need to deploy domain controllers at remote sites where qualified administrators aren't present, you can use the new Install From Media feature of WS2003. This new feature lets you prestage new domain controllers for an existing domain by installing them from the backup media created by backing up an existing domain controller. The procedure uses the Backup utility under System Tools in Accessories:

Back up the system state of an existing domain controller in the domain → start Backup on the remote server → Restore Files and Settings → System State → Advanced → Alternate Location → specify a folder → Replace Existing Files → Finish → Start → Run → dcpromo /adv → Additional domain controller for existing domain → select restored backup files → specify administrator credentials → specify domain

WS2003 does a better job of demoting domain controllers than W2K and removes folders and files that were previously left behind.

Assign a Global Catalog Server


To assign the role of global catalog server to a domain controller:

Active Directory Sites and Services → Site container → Servers container → right-click on domain controller → Properties → General → select Global Catalog

To remove the role of global catalog server from a domain controller:

Active Directory Sites and Services → Site container → Servers container → right-click on domain controller → Properties → General → deselect Global Catalog

Add an Attribute to the Global Catalog


This procedure is useful to speed up search queries across domains for an attribute that is not included by default in the global catalog. For example, you might want to add the Phone Number attribute for user objects to the Global Catalog so users can search for other users' phone numbers easily in a multidomain forest:

Active Directory Schema → expand Attributes container → right-click on attribute → Properties → Replicate this attribute to the Global Catalog
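The checkbox in that dialog sets the schema attribute's isMemberOfPartialAttributeSet flag. The following PowerShell is an added example, not from the book, that reads and sets the same flag so the change can be scripted and reviewed; it assumes the ActiveDirectory module, Schema Admins membership, and uses telephoneNumber as the assumed LDAP name for the book's "Phone Number" attribute.

```powershell
# Added example (not from the book): inspect and set the global catalog (partial
# attribute set) flag on a schema attribute. Assumes the ActiveDirectory module and
# Schema Admins rights; telephoneNumber is an assumed attribute name.
Import-Module ActiveDirectory

function Get-GlobalCatalogAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # isMemberOfPartialAttributeSet is the flag behind the GUI option
    # "Replicate this attribute to the Global Catalog".
    Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties lDAPDisplayName, isMemberOfPartialAttributeSet, isSingleValued
}

function Add-AttributeToGlobalCatalog {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-GlobalCatalogAttribute -LdapDisplayName $LdapDisplayName
    if (-not $attr) {
        throw "Attribute '$LdapDisplayName' does not exist in the schema."
    }
    if ($attr.isMemberOfPartialAttributeSet) {
        Write-Host "$LdapDisplayName is already replicated to the global catalog; nothing to do."
        return $attr
    }
    # Schema writes are only accepted by the schema master, so target it explicitly
    # instead of whichever DC the module happened to bind to.
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
    Get-GlobalCatalogAttribute -LdapDisplayName $LdapDisplayName
}

# Usage: show the current state, then add the attribute if it is not yet in the GC.
Get-GlobalCatalogAttribute -LdapDisplayName 'telephoneNumber' |
    Format-List lDAPDisplayName, isMemberOfPartialAttributeSet, isSingleValued
Add-AttributeToGlobalCatalog -LdapDisplayName 'telephoneNumber' |
    Format-List lDAPDisplayName, isMemberOfPartialAttributeSet
```

Check the flag before changing it: many commonly searched attributes are already in the partial attribute set, and every addition increases the data each global catalog server must hold and replicate for every object in the forest. In a W2K forest adding an attribute triggered a full resynchronization of every global catalog; at the WS2003 forest functional level only the newly added attribute is replicated.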
