Use Group Policy to Configure Domain Member Client Computers

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

In this section, you create a Group Policy Object for all of the computers in your organization, configure domain member client computers with distributed cache mode or hosted cache mode, and configure Windows Firewall with Advanced Security to allow BranchCache traffic.

This section contains the following procedures.

  1. To create a Group Policy Object and configure BranchCache modes

  2. To configure Windows Firewall with Advanced Security Inbound Traffic Rules

  3. To configure Windows Firewall with Advanced Security Outbound Traffic Rules

Tip

In the following procedure, you are instructed to create a Group Policy Object in the Default Domain Policy; however, you can create the object in an organizational unit (OU) or other container that is appropriate for your deployment.

You must be a member of Domain Admins, or equivalent, to perform these procedures.

To create a Group Policy Object and configure BranchCache modes

  1. On a computer upon which the Active Directory Domain Services server role is installed, in Server Manager, click Tools, and then click Group Policy Management. The Group Policy Management console opens.

  2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.

  3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy Object (GPO). For example, if you want to name the object BranchCache Client Computers, type BranchCache Client Computers. Click OK.

  4. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the GPO that you just created. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.

  5. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer, Network, BranchCache.

  6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache. The policy setting dialog box opens.

  7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.

  8. To enable BranchCache distributed cache mode, in the details pane, double-click Set BranchCache Distributed Cache mode. The policy setting dialog box opens.

  9. In the Set BranchCache Distributed Cache mode dialog box, click Enabled, and then click OK.

  10. If you have one or more branch offices where you are deploying BranchCache in hosted cache mode, and you have deployed hosted cache servers in those offices, double-click Enable Automatic Hosted Cache Discovery by Service Connection Point. The policy setting dialog box opens.

  11. In the Enable Automatic Hosted Cache Discovery by Service Connection Point dialog box, click Enabled, and then click OK.

    Note

    When you enable both the Set BranchCache Distributed Cache mode and the Enable Automatic Hosted Cache Discovery by Service Connection Point policy settings, client computers operate in BranchCache distributed cache mode unless they find a hosted cache server in the branch office, at which point they operate in hosted cache mode.

  12. Use the procedures below to configure firewall settings on client computers by using Group Policy.

To configure Windows Firewall with Advanced Security Inbound Traffic Rules

  1. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.

  2. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the BranchCache client computers GPO that you created previously. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.

  3. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security - LDAP, Inbound Rules.

  4. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard opens.

  5. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache - Content Retrieval (Uses HTTP). Click Next.

  6. In Predefined Rules, click Next.

  7. In Action, ensure that Allow the connection is selected, and then click Finish.

    Important

    You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.

  8. To create the WS-Discovery firewall exception, again right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard opens.

  9. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache - Peer Discovery (Uses WSD). Click Next.

  10. In Predefined Rules, click Next.

  11. In Action, ensure that Allow the connection is selected, and then click Finish.

    Important

    You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.

To configure Windows Firewall with Advanced Security Outbound Traffic Rules

  1. In the Group Policy Management Editor console, right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.

  2. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache - Content Retrieval (Uses HTTP). Click Next.

  3. In Predefined Rules, click Next.

  4. In Action, ensure that Allow the connection is selected, and then click Finish.

    Important

    You must select Allow the connection for the BranchCache client to be able to send traffic on this port.

  5. To create the WS-Discovery firewall exception, again right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.

  6. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache - Peer Discovery (Uses WSD). Click Next.

  7. In Predefined Rules, click Next.

  8. In Action, ensure that Allow the connection is selected, and then click Finish.

    Important

    You must select Allow the connection for the BranchCache client to be able to send traffic on this port.
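
To confirm on a client that the settings from the three procedures above actually took effect, the following added example (not part of the original page) checks the effective firewall policy for the two predefined BranchCache rule groups in both directions and reports the BranchCache client mode. It assumes an elevated PowerShell session on a domain member client after Group Policy has refreshed; the variable names and report layout are illustrative.

```powershell
# Added example, not from the original page. Run elevated on a domain member
# client after Group Policy has refreshed (for example after 'gpupdate /force').
$groups = @(
    'BranchCache - Content Retrieval (Uses HTTP)',
    'BranchCache - Peer Discovery (Uses WSD)'
)

$report = foreach ($group in $groups) {
    foreach ($direction in 'Inbound', 'Outbound') {
        # ActiveStore is the effective policy: local rules merged with GPO rules.
        $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup $group -ErrorAction SilentlyContinue |
                Where-Object { $_.Direction -eq $direction })
        # Keep only rules that are enabled and set to Allow the connection.
        $allowed = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
        # Of those, keep only rules delivered by a GPO rather than created locally.
        $fromGpo = @($allowed | Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' })

        [pscustomobject]@{
            DisplayGroup    = $group
            Direction       = $direction
            RulesFound      = $rules.Count
            EnabledAllow    = $allowed.Count
            FromGroupPolicy = $fromGpo.Count
            Ok              = ($fromGpo.Count -gt 0)
        }
    }
}
$report | Format-Table -AutoSize

# Effective BranchCache client mode (distributed cache or hosted cache client).
$client = (Get-BCStatus).ClientConfiguration
'Client mode: {0}; SCP hosted cache discovery enabled: {1}' -f `
    $client.CurrentClientMode, $client.HostedCacheDiscoveryEnabled

# Flag any group/direction pair with no enabled Allow rule sourced from a GPO.
$missing = @($report | Where-Object { -not $_.Ok })
if ($missing.Count -gt 0) {
    Write-Warning ('{0} group/direction pair(s) have no enabled Allow rule delivered by Group Policy.' -f $missing.Count)
}
```

A row with EnabledAllow greater than zero but FromGroupPolicy equal to zero means the rule exists only as a local rule, so the GPO is not linked to or not applying to that computer.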