Prepare the intranet forest and domain for the RODC




Complete the following procedure to prepare the corporate forest and domain for the RODC. Membership in Enterprise Admins, or equivalent, is the minimum required to prepare the corporate forest for an RODC. Membership in Domain Admins, or equivalent, is the minimum required if you are preparing a domain for an RODC. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To prepare the intranet forest and domain for the RODC

1. Ensure that you have completed the prerequisites for deploying an RODC in the domain and forest. For more information about RODC deployment, see Prerequisites for Deploying an RODC (https://go.microsoft.com/fwlink/?LinkId=133514).

2. Create an Active Directory site in the perimeter network, and call it the PerimeterNetwork site. For more information about creating a site in Active Directory Domain Services, see Adding a New Site (https://go.microsoft.com/fwlink/?LinkID=93237).

3. Create another Active Directory site in the internal corporate network. This site will be the closest intranet site to the perimeter network, and it will contain the only writable domain controllers that RODCs in the perimeter network can reach. Call this site the PerimeterNetwork Support Site.

4. Create a site link between the PerimeterNetwork Site and the PerimeterNetwork Support Site with a 24x7x15 schedule and a higher cost than normal. For more information about site linking, see Linking Sites for Replication (https://go.microsoft.com/fwlink/?LinkId=133515) and Changing Site Link Properties (https://go.microsoft.com/fwlink/?LinkId=133517).

   Note: The higher cost of the site link between the site where the perimeter network's RODCs live and the intranet helps prevent client computers in the corporate network site from preferring the RODC site over another corporate site if a domain controller fails in the PerimeterNetwork Support Site.

5. Install two or more domain controllers in the PerimeterNetwork Support Site for each domain that must validate users. For information about installing an additional Windows Server 2008 domain controller, see Installing an Additional Windows Server 2008 Domain Controller (https://go.microsoft.com/fwlink/?LinkID=133258). For more information about installing a new Windows Server 2008 child domain, see Installing a New Windows Server 2008 Child Domain (https://go.microsoft.com/fwlink/?LinkId=133519).

6. Create a delegated RODC administrator account in each domain in the perimeter network. This can be a group or a user account, but the best practice is to use a group. For more information about best practices for RODC administration, see "Delegating local administration of an RODC" in RODC Administration (https://go.microsoft.com/fwlink/?LinkId=133521).

7. Add the perimeter network administrator users, who can belong to either the PerimeterNetwork domain or UsersDomain, to the delegated RODC administrator group of the corresponding domain.

8. Create a PerimeterNetworkAllow group in each domain.

9. Create a PerimeterNetworkDeny group in each domain.

10. Add the delegated administrator group to the PerimeterNetworkAllow group in every domain.

11. If no other RODC will act as the Dynamic Host Configuration Protocol (DHCP) server in the domain, allow the DHCP role to run on the RODC. For more information about DHCP, see article 822048 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=133526). For more information about DHCP on an RODC, see Applications That Are Known to Work with RODCs (https://go.microsoft.com/fwlink/?LinkId=133779).

   Note: If you are not using DHCP in your perimeter network, you can skip this step, as DHCP is not required.

12. Create the required Group Policy objects (GPOs) for the Perimeter Network domain:

   a. IPsec RODC-to-writable domain controller communication policy

   b. Computer local firewall filter

   For more information about the IPsec RODC-to-writable domain controller communication policy and the computer local firewall filter, see the Step-by-Step Guide to Internet Protocol Security (IPsec) (https://go.microsoft.com/fwlink/?LinkId=136018) and Checklist: Implementing a Standalone Server Isolation Policy Design (https://go.microsoft.com/fwlink/?LinkId=133780).
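The site, site-link and group work in steps 2 to 4 and 6 to 10 can be scripted with the ActiveDirectory PowerShell module, as in this added example (it is not part of the Microsoft guide, and it assumes the module from Windows Server 2012 or later RSAT rather than the 2008 tooling the guide describes). The OU path and the delegated admin group name are placeholders; the group section must be run once per domain.

```powershell
# Added example, not from the Microsoft guide: prepares the sites, the site link
# and the per-domain groups from steps 2-4 and 6-10 with the ActiveDirectory module.
Import-Module ActiveDirectory

$PerimeterSite = 'PerimeterNetwork'
$SupportSite   = 'PerimeterNetworkSupport'
$GroupOU       = 'OU=RODC,DC=corp,DC=example'     # placeholder OU for the new groups
$RodcAdmins    = 'PerimeterNetwork-RODC-Admins'   # placeholder delegated admin group

# Steps 2 and 3: one site for the perimeter network, one for its intranet neighbour.
foreach ($site in $PerimeterSite, $SupportSite) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# Step 4: 24x7 schedule (set explicitly, although it is the default), 15-minute
# interval and a cost above the default of 100, so intranet clients never prefer
# the RODC site over another corporate site when a support-site DC is down.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Zero,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
New-ADReplicationSiteLink -Name "$PerimeterSite-$SupportSite" `
    -SitesIncluded $PerimeterSite, $SupportSite `
    -InterSiteTransportProtocol IP `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 15 `
    -ReplicationSchedule $schedule

# Steps 6, 8 and 9 (repeat in every domain): the delegated admin group and the
# PerimeterNetworkAllow / PerimeterNetworkDeny groups as global security groups.
foreach ($name in $RodcAdmins, 'PerimeterNetworkAllow', 'PerimeterNetworkDeny') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
}

# Step 10: the delegated admin group becomes a member of the Allow group.
Add-ADGroupMember -Identity 'PerimeterNetworkAllow' -Members $RodcAdmins

# Check before promoting the RODC: cost 200, 15-minute interval, both sites listed.
Get-ADReplicationSiteLink -Filter "Name -eq '$PerimeterSite-$SupportSite'" |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```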
