Author: Trần Anh Quân, MCSA, MCSE, MCTS

INFORMATICS SERVICE PROVIDER INC
Active Directory Planning

I. Designing the OU model in AD:

1. Why OU design is necessary:

OUs are used to administer policy. For example, if we want every employee of the KinhDoanh department in a real environment to have MS OfficeXP installed automatically, or to receive certain patches when logging on to the system, we have to work through the OU. Clearly, however, we cannot manage the access permissions of these users with OUs, which is why we need to create groups and assign permissions through those groups.

2. Steps to create OUs, Groups and Users in AD

Create 4 OUs:
- BanGiamDoc
- KyThuat
- KinhDoanh
- HanhchinhKetoan
Create 4 Groups, one for each OU.
Create the corresponding Users and add them to the appropriate Groups.

Steps to create an OU:
Use the Active Directory Users and Computers tool (opened with the shortcut command dsa.msc).
First, create the OU by right-clicking the domain name and choosing New, then Organizational Unit.
Type the name of the OU to create.
Next, create the corresponding Group the same way: right-click the corresponding OU and choose New, then Group.
Then create the User, again by right-clicking the domain name and choosing New, then User.
Add each User to the corresponding Group:
Right-click the BanGiamDoc group and choose Properties.
In the BanGiamDoc Properties window, choose Add.
In the Select Users, Contacts, Computers, or Groups window, type the user name, Giamdoc1.
Click OK to finish adding the User to the Group.
Following the same steps, create the remaining OUs, Groups and Users.

II. Establishing a trust relationship between 2 forests:

The first forest is named ISPHN1.COM
The second forest is named ISPHCM1.COM
We will create a trust relationship between the two forests so that a user of one forest can sit at a computer belonging to the other forest and still access their own domain.
Note: the Domain and Forest must be raised to the 2003 level ( dsa.msc and domain.msc )
To establish the trust between the 2 forests, we need to go through 3 steps:

1. DNS:
DNS plays a very important role when establishing a forest trust relationship. If DNS is not configured correctly, the forest trust cannot be established at all.
First, check DNS on the local domain with the NSLOOKUP tool.
As the figure above shows, DNS cannot resolve its own name. The cause is a missing PTR record in the DNS database (the record type that resolves an IP address back to a host name). We fix this by adding a PTR record to the Reverse Lookup Zone of DNS.
Right-click the subnet of the domain ISPHN1.COM and choose New Pointer.
In the New Record dialog, enter the IP address of the server at ISPHN1.COM. In the Host name field, type the exact FQDN of the server. In this example it is ad.isphn1.com. Then click OK to create the new PTR record.
After creating the new record, open CMD and run IPCONFIG /FLUSHDNS and IPCONFIG /REGISTERDNS to update the changes in DNS.
Then run NSLOOKUP again; DNS now successfully resolves the server name to its IP address.
Now, to create the trust with the server in forest ISPHCM1.COM, we need to be able to resolve the name of the DNS server in HCM.
As the figure above shows, the server at HN cannot yet resolve the name of the HCM server, ISPSERVER.ISPHCM1.COM. We fix this as follows.
Open DNS on the HN server, right-click the HN server and choose Properties.
In Server Properties, choose the Forwarders tab.
Choose New and type the name of the domain in HCM.
In the Selected domain's forwarder IP address list, enter the IP address of the DNS server of ISPHCM1.COM. In this case we type 192.168.2.250
After adding the DNS server of ISPHCM1.COM, run IPCONFIG /ALL and IPCONFIG /REGISTERDNS again to update the changes. Then go back to NSLOOKUP; the DNS server at HN can now resolve the name of the DNS server at HCM.
DNS at HN is now configured; carry out the same steps at HCM.

2. Using the Active Directory Domains and Trusts tool ( opened with the shortcut command domain.msc )

Right-click the domain ISPHCM1.COM and choose Properties.
In ISPHCM1.COM, choose the Trust tab, then choose New Trust.
In the New Trust Wizard dialog, type the name of the forest or domain to trust; in this case we type ISPHN1.COM.
Click Next to continue.
We choose a two-way trust relationship, which means users on both sides can be authenticated in the other domain.
Next we choose the trust direction. Here too we select a two-way trust; this option requires an account with Admin rights in the other domain.
The User name and Password window appears, asking for an account with Admin rights in the opposite domain.
After entering the Admin account, click Next. The Outgoing Trust Authentication Level Local Domain window opens. There are 2 options here. We select the Domain Wide Authentication method on the local domain, which means Windows automatically authenticates users of the other domain for its own resources. This authentication method is appropriate for domains that belong to the same organization. Click Next to continue.
The Outgoing Trust Authentication Level Specified Domain window opens. This window is the reverse of the previous one and selects the authentication method on the specified domain. We again choose the Domain Wide Authentication option.
The Trust Selections Complete window appears, reporting that the trust is ready to be created. Click Next to create the trust relationship.
The Trust Creation Complete window appears, reporting that the trust relationship was created successfully.
Click Next to configure the trust.
In the Confirm Outgoing Trust window, choose Yes to confirm the outgoing trust.
In the Confirm Incoming Trust window, choose Yes to confirm the incoming trust.
Click Finish to complete the trust relationship.

3. Group Policy:

After configuring DNS in preparation for the trust relationship, we configure Group Policy. The requirement here is that a user belonging to ISPHCM1.COM can sit at a computer in the domain ISPHN1.COM and access the domain ISPHCM1.COM.
To do this, we need to edit the Group Policy of the domain ISPHN1.COM to allow HCM users to log on locally on computers in the domain ISPHN1.COM.
We use the Domain Controller Security Settings tool to add the log on locally right for those users. The steps are as follows:
In the Domain Controller Security Settings window, choose User Rights Assignment in the left pane.
Next, choose Allow Log On Locally in the right pane.
In the Allow Log On Locally dialog, choose Add User or Group.
Then, in the Add User or Group dialog, type the name of the User or Group in HCM that is allowed to log on locally to computers in the HN domain.
Here we allow the user named KT from forest ISPHCM1.COM to have the Log On Locally right.
Note: after clicking OK to save the change, go to RUN and type the GPUPDATE command to apply the Group Policy changes immediately.
At this point we have successfully configured the steps for the trust between the 2 forests ISPHN1.COM and ISPHCM1.COM, so that a user named KT from forest ISPHCM1.COM can sit at a computer in forest ISPHN1.COM and log on to forest ISPHCM1.COM.
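
A way to check the result of the three steps (DNS, trust, user right) from the command line, given as an added example that is not part of the original document. Domain Controller Security Settings edits the policy applied to domain controllers, so the last part lists every holder of Allow Log On Locally on the DC and marks accounts from outside the local domain. It assumes Windows Server 2012 or later with the ActiveDirectory and DnsClient modules (newer than the 2003-era tools described above), run elevated on a domain controller in ISPHN1.COM.

```powershell
# Added example, not from the original document. Assumes Windows Server 2012 or
# later (ActiveDirectory and DnsClient modules), run elevated on a domain
# controller in ISPHN1.COM. Host names are the ones used on this page.
Import-Module ActiveDirectory

# 1. DNS: forward (A) lookup of both servers, then the PTR behind each address.
foreach ($name in 'ad.isphn1.com', 'ISPSERVER.ISPHCM1.COM') {
    try {
        $a = Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction Stop |
            Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
        '{0} -> {1} -> {2} (PTR matches: {3})' -f $name, $a.IPAddress,
            $ptr.NameHost, ($ptr.NameHost -eq $name)
    } catch {
        '{0}: lookup failed: {1}' -f $name, $_.Exception.Message
    }
}

# 2. Trust: direction and authentication scope as stored in the directory.
#    Domain-wide authentication appears as SelectiveAuthentication = False.
Get-ADTrust -Filter * |
    Format-List Name, Direction, ForestTransitive, SelectiveAuthentication,
        SIDFilteringForestAware, SIDFilteringQuarantined

# 3. User right: holders of "Allow log on locally" (SeInteractiveLogonRight)
#    in this machine's security settings, tagged by where the account lives.
$localSid = (Get-ADDomain).DomainSID.Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg
$entries = @()
if ($line) { $entries = ($line -split '=', 2)[1].Split(',') }
if (-not $line) { 'SeInteractiveLogonRight is not defined in the export.' }

foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { "$entry [listed by name]"; continue }
    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ($entry.TrimStart('*'))
    $account = $sid.Value   # fallback when the SID cannot be resolved to a name
    try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    $dom = $sid.AccountDomainSid   # $null for built-in and well-known SIDs
    $origin = 'built-in or well-known'
    if ($dom) { $origin = 'OTHER DOMAIN OR FOREST' }
    if ($dom -and $dom.Value -eq $localSid) { $origin = 'local domain' }
    '{0} [{1}]' -f $account, $origin
}
```

After the Group Policy step above, the user KT from ISPHCM1.COM is expected to appear in the last list tagged OTHER DOMAIN OR FOREST; any other entry with that tag deserves a second look.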