1. Understand the environment in which AD will be built: the capacity and configuration of the host, and the version of the server to be configured, such as Windows Server 2012 R2.
2. After installation, log in to the system and set the IP address and DNS (the main purpose is to inquire at that time, and remember when asking back), then open the configuration to add roles.
3. Go directly to the next step as shown in the figure, and then install it.
If you need to configure a larger architecture, you can set this domain as the parent domain (forest). Multiple domains can then be added under it, and those other domains are called subdomains.
After the configuration, you can directly add the organizational structure, users, etc. in the parent domain, and create a group in the AD management center.
After creating a group, you can add users to the group, as shown in the figure.
After the organization is added, members generally cannot log in to the parent domain, but they can log in by escalating their rights.
Privilege escalation can be set in Group Policy (Administrative Tools, or Control Panel → System Security → Management Tools).
Here is a special reminder: please do not set it in the local security policy. I went there to check without knowing this; the function is there too, but there is no setting. Set it as shown.
When you open the domain, there are two Default Domains, so look carefully at which one you want to set; in this environment it is the second. Right-click it and choose Edit, then click Policy → Windows Settings → Security Settings, and follow the picture above to escalate rights for a user.
The above covers creating an organization and users after the AD domain is created. After creating the organization or user, you can check whether it appears in DNS (management tool). (Also, avoid changing the original policy as far as possible; you can add a policy of ※, and the new policy can inherit from the user policy or the computer policy.)
Delete group (personal suggestion: it is best not to delete any group, because once it has been deleted, that is equivalent to deleting all the information)
Restore Organizational Unit
Next, to recover the organizational unit through the recycle bin, double-click Deleted Objects.
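The same Recycle Bin restore can be done from PowerShell, which also brings back the objects that were inside the organizational unit. This is an added example, not part of the original page; it assumes the ActiveDirectory module is installed and the AD Recycle Bin was enabled before the deletion, and the OU name `Sales` and the function `Restore-DeletedTree` are hypothetical.

```powershell
# Added example, not from the original page. Assumptions: ActiveDirectory module
# (RSAT) installed, Recycle Bin enabled before the deletion, OU name is made up.
Import-Module ActiveDirectory

$OuName     = 'Sales'                                  # hypothetical OU name
$DeletedBin = (Get-ADDomain).DeletedObjectsContainer   # CN=Deleted Objects,DC=...

# Objects deleted while the Recycle Bin was off are stripped tombstones and
# cannot be fully restored, so stop early instead of restoring empty shells.
$bin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $bin.EnabledScopes) { throw 'AD Recycle Bin is not enabled in this forest.' }

function Restore-DeletedTree {
    param([Parameter(Mandatory)][guid] $Guid)

    # Restore the parent first: a child cannot be restored while its
    # last known parent is still deleted.
    Restore-ADObject -Identity $Guid
    $parentDn = (Get-ADObject -Identity $Guid).DistinguishedName

    # Once the parent is live again, its deleted children point at it through
    # lastKnownParent. Restore each child, then that child's own children.
    $children = Get-ADObject -SearchBase $DeletedBin -IncludeDeletedObjects `
        -Filter 'lastKnownParent -eq $parentDn'
    foreach ($child in $children) { Restore-DeletedTree -Guid $child.ObjectGUID }
}

# Find the deleted OU by the name it had before deletion.
# ($OuName is placed in an LDAP filter unescaped; keep it to plain characters.)
$hits = @(Get-ADObject -SearchBase $DeletedBin -IncludeDeletedObjects `
    -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=$OuName))" `
    -Properties lastKnownParent, whenChanged)

switch ($hits.Count) {
    0       { throw "No deleted OU named '$OuName' was found." }
    1       { Restore-DeletedTree -Guid $hits[0].ObjectGUID }
    default {
        # The same name was deleted more than once: list the candidates and
        # let the operator pick one GUID rather than guessing.
        $hits | Sort-Object whenChanged |
            Format-Table ObjectGUID, lastKnownParent, whenChanged
        throw "Several deleted OUs are named '$OuName'; call Restore-DeletedTree with the chosen GUID."
    }
}
```

The child search matches every deleted object whose last parent was this OU, including accounts that were removed on purpose before the OU itself was deleted, so review what came back and disable or delete those again.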
User permission management (Management Tools → Group Policy): to set permissions, click View and select Custom. You can then limit the permissions of users or computers and set the limits for each user or computer; basically all of this is done in Group Policy.
Deny the user local logon in the local security policy, as shown in the figure. Once this is done, the user will not be able to log in when they try again.
Create multiple domain controllers. The purpose is that if the main controller goes down, the other domain controllers can continue to work unaffected.
The process is to add a domain to the parent domain: first change the name and the IP; the process of creating the domain name is then the same as above.
Only the DNS settings are changed.
The settings of the domain controller can be changed in AD Users and Computers.
You can transfer the operations master to another domain, as shown in the figure.
It can also be changed in AD Management Center.
The domain controller is also the only one in Group Policy; its full English name is Domain Controllers (abbreviated DC).
- AD domain local login: an ordinary user cannot directly log in locally to the AD domain, but can be added through the domain controller (DC); however, this right is generally not given to ordinary users.
- Once a user or group is created in the AD domain, the user can log in on other computers, but the session after logging in is that of a normal user.