Having gained a basic understanding of Active Directory in the previous article, I will now turn to its substance: the structure of Active Directory. In the last article we said that Active Directory comprises two aspects: the directory and the directory-related services. The directory is a physical container that stores various objects; it is no different from the directories we use every day. The basic objects managed by the directory are resources such as users, computers, files, and printers. Directory services are the services that make use of all the information and resources in the directory, such as user and resource management, directory-based network services, and network-based application management; they are the key and essence of the Win2K Active Directory. The directory service is the core pillar of the Win2K network operating system and also its central management authority. The introduction of directory services has brought revolutionary changes to the whole operating system: not only have the basic modules on the system platform, such as the network security mechanism and the user management modules, changed, but the way upper-layer applications operate and the development model have changed as well. Is Active Directory easier to understand when viewed this way?
At the same time, Active Directory is a distributed directory service: because its information can be spread across many different computers, it gives users fast access and fault tolerance, while presenting a unified view whether a user is accessing the directory or information is being provided to it, which makes the Win2K system easier to understand and master. Active Directory integrates key services of Win2K Server, such as Domain Name Service (DNS), Message Queue Service (MSMQ) and Transaction Service (MTS), and at the application level it integrates key applications such as email, network management and ERP. To understand Active Directory we must start from its logical structure and its physical structure.
First, the logical structure of Active Directory
The word "logical" should be familiar to everyone, as in the common phrases "logical thinking" or "logical analysis"; perhaps when people hear "logic" they feel it is abstract and hard to grasp. In fact the "logical structure" we are discussing here is quite understandable. "Logical" is usually contrasted with "physical": we know that "physical" refers to something real, so "logical" refers to something that is not physical, not an entity, but abstract, such as a "relationship" or a "space or range". In the first article we said that the logical structure of Active Directory is very flexible; it has directory trees, domains, domain trees, forests and so on. None of these names denotes a real entity; each represents a relationship or a range. For example, a directory tree is composed of directories in the same namespace, a domain is composed of directory trees, a domain tree is composed of domains, and a forest is composed of multiple domain trees. Together they form a complete, hierarchical tree view that we can regard as a dynamic set of relationships. The logical structure is also directly tied to the namespace discussed earlier: it is within a given namespace that the logical structure gives users and administrators great convenience in finding and locating objects. The logical units in Active Directory mainly include:
1. Domain, domain tree and forest
A domain is both a logical organizational unit of the Win2K network system and a container for objects such as computers and users that share the same security requirements, replication process and management; this should be easy for network administrators to understand. All domain controllers in Win2K are equal (unlike WinNT 4.0, there is no primary and backup distinction). A domain is a security boundary: a domain administrator can manage only his own domain and cannot access or manage other domains unless another domain explicitly grants him management privileges. Each domain has its own security policy and its own security trust relationships with other domains. This brings in the trust relationships and transitive trusts between different domains, so let us look specifically at domain trusts in Win2K.
Domains stand in certain trust relationships with each other. A domain trust relationship allows users in one domain to be authenticated by domain controllers in another domain, so that users in one domain can access resources in the other domain. Every domain trust involves only two domains: the trusting domain and the trusted domain. Suppose domain A trusts domain B: users in domain B, once authenticated by a domain controller in domain A, can access resources in domain A, and the relationship of domain A to domain B is a trusting relationship. The trusted relationship is the other side: in the above example domain B is trusted by domain A, so the relationship of domain B to domain A is a trusted relationship. Trusting and trusted relationships can be one-way or two-way; that is, domain A and domain B may trust each other only in one direction, or the trust may run in both directions. A transitive trust is not confined to the two domains in the relationship: it is passed down through the parent domain to the child domains in the domain tree. That is, if domain A trusts domain B, then domain A also trusts the child domains below B, such as B1, B2 and so on. A transitive trust is always two-way: both domains in the relationship (that is, the parent domain and the child domain) trust each other. By default, all Win2K trust relationships within a domain tree or forest (a forest can be seen as a collection of domain trees) are transitive. This greatly simplifies domain management by greatly reducing the number of trusts that must be administered.
Transitive trusts in Win2K are generally created automatically, but a transitive trust can also be created manually between Win2K domains in the same domain tree or forest. This is very important for forming a cross-link trust. A non-transitive trust is confined to the two domains in the relationship and is not passed from the parent domain down to the lower domains in the domain tree; it must be created explicitly. By default a non-transitive trust is one-way, although you can create a two-way relationship by creating two one-way trusts. All trusts established between Win2K domains that are not in the same domain tree or forest are non-transitive, and all trusts between Win2K domains and WinNT domains are non-transitive. Companies running both Win2K and WinNT domain controllers should pay particular attention to this. When a domain is upgraded from Windows NT to Win2K, all existing Windows NT trusts remain unchanged, and in a mixed-mode network all Windows NT trusts are non-transitive. Trusts between a Win2K domain and a WinNT domain, between a Win2K domain and a Win2K domain in another forest, and between a Win2K domain and an MIT Kerberos v5 realm are non-transitive and one-way. A two-way trust consists of a pair of one-way trusts; all transitive trusts are two-way. To make a non-transitive relationship two-way, two one-way trusts must be created between the domains involved.
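To make the transitive and non-transitive rules above concrete, here is an added Python model (example code, not from the original article) of a forest with parent/child trusts and one-way non-transitive trusts to a partner forest and a WinNT domain. The domain names are constructed; a trust is stored as a directed edge from the trusting domain to the trusted domain.

```python
from collections import deque

class TrustGraph:
    """Directed trust edges: trusting -> {trusted: is_transitive}.
    Users of the trusted domain may use resources of the trusting domain."""

    def __init__(self):
        self.trusts = {}

    def add_trust(self, trusting, trusted, transitive=True, two_way=True):
        self.trusts.setdefault(trusting, {})[trusted] = transitive
        if two_way:  # a two-way trust is just a pair of one-way trusts
            self.trusts.setdefault(trusted, {})[trusting] = transitive

    def add_child_domain(self, parent, child):
        # Parent/child trusts inside a domain tree are always two-way and transitive.
        self.add_trust(parent, child, transitive=True, two_way=True)

    def can_access(self, user_domain, resource_domain):
        """True if resource_domain trusts user_domain, either directly or
        through a chain made only of transitive trusts."""
        if user_domain == resource_domain:
            return True
        if user_domain in self.trusts.get(resource_domain, {}):
            return True  # a direct trust works whether or not it is transitive
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:
            dom = queue.popleft()
            for nxt, transitive in self.trusts.get(dom, {}).items():
                if not transitive or nxt in seen:
                    continue  # non-transitive links cannot be chained
                if nxt == user_domain:
                    return True
                seen.add(nxt)
                queue.append(nxt)
        return False

def build_example_forest():
    # Constructed names: forest root corp.example, two child domains, one grandchild.
    g = TrustGraph()
    g.add_child_domain("corp.example", "eu.corp.example")
    g.add_child_domain("corp.example", "us.corp.example")
    g.add_child_domain("eu.corp.example", "de.eu.corp.example")
    # One-way non-transitive trusts: corp.example trusts a domain in a partner
    # forest, and us.corp.example trusts a WinNT 4.0 domain called LEGACY.
    g.add_trust("corp.example", "partner.example", transitive=False, two_way=False)
    g.add_trust("us.corp.example", "LEGACY", transitive=False, two_way=False)
    return g
```

Users in de.eu.corp.example reach us.corp.example through the chain of transitive parent/child trusts, while partner.example users reach only corp.example itself, because the one-way non-transitive trust does not flow down to eu.corp.example.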
2. Organizational unit (OU)
An organizational unit (OU) is a container object and also part of the logical structure of Active Directory. With OUs we can organize the objects in a domain into logical groups, which helps simplify management. An OU may contain various objects, such as user accounts, user groups, computers and printers, and it can even contain other OUs, so OUs can be used to arrange the objects in a domain into a complete logical hierarchy. In a company, all users and devices can be arranged into an OU hierarchy by department, or by geographic location, or into several OU hierarchies by function and permissions. Because organizational units can nest, they have a clear hierarchy, which lets the administrator partition the domain into organizational units that reflect the organization's real structure, and lets tasks and authority be delegated. An organizational model built on this nesting helps us solve many problems while still using large domains. Every object in the domain tree can be shown in the global catalog, so users can easily find an object with a single search service, regardless of where it sits in the domain tree structure.
Since an OU hierarchy is confined to the interior of a domain, the OU hierarchy in one domain has no relationship to the OU hierarchy in another domain. Because a domain in Active Directory can hold far more objects than in NT4, a company may be able to build its enterprise network with a single domain; in that case we can use OUs to group objects into a variety of management hierarchies, greatly simplifying network management. Different departments in an organization can become different domains, or organizational units with hierarchical naming that reflects the organization's structure and lines of management authority. Fine-grained management within the organizational structure solves many management headaches and strengthens central management without losing flexibility. Many WinNT 4.0 domains can become OUs, forming a larger domain with simpler domain relationships, and with the global catalog (GlobalCatalog) users and administrators can still quickly locate and manage objects. Win2K can also work within an existing WinNT 4.0 environment, protecting existing investments.
Second, the physical structure of Active Directory
In Active Directory the physical structure is very different from the logical structure; they are two independent concepts. The logical structure focuses on the management of network resources, while the physical structure focuses on the configuration and optimization of the network. The physical structure of Active Directory is mainly concerned with the replication of Active Directory information and with performance optimization when users log in to the network. The two important concepts of the physical structure are the site and the domain controller.
1. Site
A site consists of one or more IP subnets connected by high-speed network equipment. Sites are usually determined by the company's physical locations, and the access and replication topology of Active Directory can be configured according to the site structure, which makes the network more efficient, the replication policy more reasonable and user logins faster. Sites and domains in Active Directory are two completely independent concepts: a site can contain multiple domains, and multiple sites can belong to the same domain.
Active Directory Sites and Services improves the efficiency of most directory service configuration by using sites. Through Active Directory Sites and Services you give Active Directory information about how to replicate directory information and how to handle service requests using that information. A computer's site is determined by its position in a subnet or a set of connected subnets. Subnets provide a simple way of grouping network addresses, much like the postal codes we are all familiar with. Subnets are written in the same form as network addresses and connect the directory to physical network information. Placing computers in one or more connected subnets reflects the standard that all computers in a site must be well connected, because the connection between computers on the same subnet is usually better than between arbitrary computers on the network. The main purposes of using sites are:
(1) Increase the efficiency of the authentication process
When a client logs in with a domain account, the login mechanism first searches for a domain controller in the client's own site. Using a domain controller within the client's site first keeps network traffic local, speeds up authentication and improves the efficiency of the authentication process.
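As an added illustration (not from the original article), the following Python sketch models the site lookup the login mechanism performs: a client address is mapped to a site by its subnet, and the domain controllers of that site are tried before any others. The site names, subnets and host names are constructed sample data.

```python
import ipaddress

# Constructed sample site topology (not real data): site -> subnets, site -> DCs.
SITE_SUBNETS = {
    "Beijing":  ["10.1.0.0/16"],
    "Shanghai": ["10.2.0.0/16", "10.1.200.0/24"],  # more specific than Beijing's /16
    "HQ":       ["192.168.0.0/24"],
}
SITE_DCS = {
    "Beijing":  ["dc1.bj.corp.example", "dc2.bj.corp.example"],
    "Shanghai": ["dc1.sh.corp.example"],
    "HQ":       ["dc1.corp.example"],
}

def site_for(client_ip):
    """Return the site whose subnet covers client_ip, preferring the longest
    (most specific) prefix; None if no site subnet covers the address."""
    addr = ipaddress.ip_address(client_ip)
    best_site, best_len = None, -1
    for site, subnets in SITE_SUBNETS.items():
        for net in map(ipaddress.ip_network, subnets):
            if addr in net and net.prefixlen > best_len:
                best_site, best_len = site, net.prefixlen
    return best_site

def dc_candidates(client_ip):
    """Domain controllers in login-preference order: the client's own site first,
    then every other site as a fallback, so authentication stays local when it can."""
    site = site_for(client_ip)
    local = list(SITE_DCS.get(site, []))
    remote = [dc for other, dcs in SITE_DCS.items() if other != site for dc in dcs]
    return local + remote
```

A client with no matching subnet belongs to no site and simply gets every domain controller as a fallback, which is why subnets that are missing from the site configuration lead to slow, non-local logins.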
(2) Balance the replication frequency
Active Directory information can be replicated within a site or between sites, but because of bandwidth limits the replication frequency within a site is higher than the replication frequency between sites. This balances the need for up-to-date directory information against the available network bandwidth. You can customize how Active Directory is replicated by using site links to specify how sites are connected, and Active Directory uses this connectivity information to generate connection objects that provide efficient replication and fault tolerance.
(3) Provide information about site links
Active Directory can use site link information, such as link cost, link usage and when the link is available, to decide which site should be used to replicate information and when to use it. Customizing the replication schedule so that replication takes place at specific times (for example when the network is idle) makes replication more efficient. Normally all domain controllers can be used to exchange information between sites, but replication can be controlled further by designating a bridgehead server that preferentially sends and receives information between sites. You would set up a bridgehead server when you have a specific server you want to use for inter-site replication rather than any other available server, or when configuring a proxy server so that information is sent and received through a firewall.

2. Domain controller
A domain controller is a server running a Win2K Server version that holds a copy of the Active Directory information. Domain controllers manage changes to directory information and replicate those changes to the other domain controllers in the same domain, so that the directory information on every domain controller stays synchronized. Domain controllers are also responsible for user logins and other domain-related operations, such as authentication and directory lookups. A domain can have multiple domain controllers: a smaller domain may need only two, one in actual use and the other for fault tolerance, while a large domain can use many domain controllers.
The domain structure of Win2K differs from that of WinNT: the domain controllers in Active Directory have no primary and backup division. Active Directory uses a multi-master replication scheme in which every domain controller has a writable copy of the directory, which brings great benefits for directory fault tolerance. Although the directory information on different domain controllers may differ at a given moment, once all domain controllers in Active Directory have synchronized, the latest changes will be consistent everywhere.
Although Active Directory supports multi-master replication, replication traffic and network latency mean that changes do not always propagate smoothly. It is therefore necessary to designate a global catalog server and operations masters among the domain controllers. The global catalog is an information repository that contains a subset of the attributes of all objects in Active Directory, namely the attributes accessed most frequently in queries. With this information the actual location of any object can be determined; the global catalog server is a domain controller that holds a copy of the global catalog and performs global catalog queries. The global catalog server improves the performance of large-scale object searches in Active Directory, such as querying all printers in the forest. Without a global catalog server, such a query would have to be carried out across every domain in the forest. If there is only one domain controller in the domain, it is the global catalog server; if there are multiple domain controllers, the administrator must configure one of them as the global catalog server.