One of the biggest breakthroughs and successes of the Windows 2000 (Win2K) system is that it introduced the "Active Directory" service, which ties all the services and protocols on a Win2K network much more closely together: the names in the directory follow the Internet "domain name" conventions and are resolved by DNS, so that name resolution works the same way it does on the Internet rather than through WINS. Active Directory also illustrates Microsoft's change of policy in network architecture. Although some products of the NT era (Exchange Server, IIS, etc.) already provided services similar to Active Directory, Active Directory is a new, comprehensive service that was born together with Win2K, and it seems to be present everywhere in the entire Win2K system. However, truly understanding "Active Directory" is easier said than done. The next few chapters give a detailed analysis of the main points of Active Directory in plain language, so that beginners who are still intimidated by Win2K's Active Directory get a chance to understand it comprehensively.
I. The origin of Active Directory
When Active Directory is mentioned, most people think first of the "directory" and "path" under DOS and the "folder" under Windows 9x/ME. A "directory" or "folder" at that time represented only a location on disk and a hierarchical relationship: once a file was created, the directory it lived in was fixed (of course you could delete or move it, but leave that aside), so its attributes were relatively fixed and static. Such a directory can tell you only where its files are stored and how large they are in total; no other information can be obtained from it, which limits the usefulness of the directory, lowers the overall efficiency of the system, and makes managing the whole system complicated. Because there is no interrelation between pieces of information, the same thing has to be configured repeatedly in different applications, and it is very hard to manage the use of system resources efficiently. To change this inefficient state of affairs and to strengthen the association with the relevant protocols on the Internet, Microsoft decided on a comprehensive reform in Win2K, and this is where the concept of Active Directory came in. The key to understanding Active Directory is the word "Active": if you drop "Active" and reason only from "Directory", you will never get past the directory of DOS or the folder of Windows 9x. Precisely because this directory is active, it is dynamic: it is a directory that contains service functions and can associate and map one thing to another. For example, from a user name it can lead you to all of that user's account information, birth date, e-mail, telephone, and so on, even though the files that make up this information may not be in one place. At the same time this information can be shared, which reduces wasted development effort and improves the utilization of system resources.
Active Directory includes two aspects: the directory, and the services related to the directory. The directory is a physical container that stores various objects; looked at statically, it is not essentially different from the "directory" and "folder" we knew before: it is only an object, an entity. The directory service is the service that makes all the information and resources in the directory usable. Active Directory is a distributed directory service: its information can be spread across several different computers, and because the same information is held on several machines, users can still access it wherever they are. This gives strong control over information redundancy, and because of it users are presented with a unified view of the directory no matter where they access it from or where the information resides.
II. Related terms
Although many of the technologies used in Active Directory have already appeared in other software products, as a comprehensive overall network plan it is still making its debut, and it comes with many nouns or terms you may never have heard of, so it is necessary to learn some of Active Directory's concepts and terminology first.
1. Namespace: In essence, Active Directory is a namespace. We can understand a namespace as the resolution boundary of any given name, that is, the full range of information that the name can provide, or that can be associated with and mapped to it. Put simply, it is the sum of all the associated information we can obtain on the server by looking up one object. For example, if we have defined a user on the server (user name, password, work unit, contact telephone, home address, and so on), the sum of all this information is the namespace of the name "User", because by entering only the user name we can find everything listed above. Name resolution is the process of translating a name into the object or information the name represents. For example, a telephone directory forms a namespace: the name of each subscriber can be resolved to a telephone number, whereas a name that is not in the directory cannot be resolved at all. The file system of the Windows operating system also forms a namespace: each file name can be resolved to the file itself (including all the information that belongs to it).
2. Object: An object is an information entity in Active Directory, that is, the "properties" we usually see; but it is a set of properties, and it often represents a tangible entity such as a user account or a file name. Objects describe their basic features through attributes; for example, the attributes of a user account may include the user name, telephone number, e-mail address, and home address.
3. Container: A container is part of the Active Directory namespace. Like a directory object it also has attributes, but unlike a directory object it does not represent a tangible entity; it represents the space that holds objects. Because it represents only the space of an object, it is smaller than the namespace. For example, a user is an object, but the container of this object is limited to the information space available from the object itself, such as the user name and user password; other information such as work unit, contact telephone, and home address is not included in this object.
4. Directory tree: In any namespace, the directory tree is the hierarchy formed by containers and objects. The leaf nodes of the tree are usually objects, and the non-leaf nodes are containers. The directory tree expresses how objects are connected and also shows the path from one object to another. In Active Directory the directory tree is a basic structure: starting from any container and going down layer by layer, a subtree can be formed. A simple directory can form a tree, and a computer network or a domain can also form a tree. This is easy to understand: when we first learned computers, did we not start by fully understanding the concept of a path under DOS? This "directory tree" is in fact a "path relationship", and if you understand the DOS "path", this "directory tree" will be no problem.
5. Domain: The domain is the security boundary of a Win2K network system. We know that the most basic unit of a computer network is the "domain"; this is not unique to Win2K, but Active Directory can span one or more domains. On a stand-alone computer the domain is the computer itself. One domain can be distributed across several physical locations, and one physical location can be divided into different domains. Each domain has its own security policy and its own trust relationships with other domains. When several domains are connected through trust relationships, Active Directory can be shared by the trusting domains.
6. Organizational unit: A particularly useful type of directory object contained in a domain is the organizational unit. An organizational unit is a container into which users, groups, computers, and other organizational units in Active Directory can be placed; an organizational unit cannot contain objects from other domains. The organizational unit is the smallest unit to which Group Policy settings can be assigned or administrative authority delegated. With organizational units you can create containers in a domain that mirror the logical hierarchy of your organization, so you can use them to manage accounts and the configuration and use of resources at any scale, according to your own organizational model. Authority can be granted over all organizational units in the domain or over a single organizational unit, and the administrator of one organizational unit need not have administrative authority over any other organizational unit in the domain. In terms of management permissions, an organizational unit is a bit like a workgroup in the NT era.
7. Domain tree: A domain tree consists of multiple domains that share the same schema and configuration and form a contiguous namespace. The domains in the tree are connected by trust, and Active Directory contains one or more domain trees. The more levels a domain has in the domain tree, the lower it sits; each "." represents one level. For example, the domain child.microsoft.com is lower than microsoft.com because it has two levels of hierarchy while microsoft.com has only one, and grandchild.child.microsoft.com is lower than child.microsoft.com for the same reason. The domains in a domain tree are connected by two-way transitive trust relationships.
Because these trust relationships are two-way and transitive, a newly created domain in a domain tree or forest immediately has trust relationships with every other domain in that tree or forest. These trusts allow a single logon process to authenticate a user to all domains in the tree or forest, but this does not mean that an authenticated user has the same rights and permissions in every domain of the tree: because the domain is a security boundary, rights and permissions must be assigned on a per-domain basis.
8. Domain forest: A domain forest is a set of domain trees that do not form a contiguous namespace. The most obvious difference from the domain tree described above is exactly this: there is no contiguous namespace between the domain trees, whereas a domain tree consists of domains with a contiguous namespace. However, all domain trees in a forest still share one schema, configuration, and global catalog. All domain trees in a forest are linked by Kerberos trust relationships, so each domain tree is aware of those trusts, and a domain tree can access objects in the other domain trees. A forest has a root domain: the forest root domain is the first domain created in the forest, and the root domain of every domain tree in the forest has a transitive trust relationship with the forest root domain.
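To make the domain tree and forest descriptions above concrete, here is an added example (not code from the original article or from Microsoft) that models a forest as a graph of domains. Domains are placed by their DNS names, the two-way transitive trusts are derived from parent/child and tree-root/forest-root relationships, and a breadth-first search shows the chain of trusts a logon from one domain to another would cross. The example also separates "there is a trust path" from "the user is allowed in": each domain keeps its own access list, as the text says. The forest built in `build_sample_forest`, the `example.net` tree, the user names and the access-control entries are all constructed sample values; the `microsoft.com` names are the ones the article itself uses.

```python
from collections import deque
from typing import Dict, List, Optional, Set


def domain_level(name: str) -> int:
    """Depth of a DNS-style domain name: each '.' adds one level."""
    return len(name.strip(".").split("."))


def parent_domain(name: str) -> Optional[str]:
    """child.microsoft.com -> microsoft.com; a single-label name has no parent."""
    labels = name.strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def distinguished_name(domain: str) -> str:
    """Active Directory writes the DNS name of a domain as dc= components."""
    return ",".join("dc=" + label for label in domain.strip(".").split("."))


class Forest:
    """Domains, tree roots and the two-way transitive trusts between them."""

    def __init__(self, root_domain: str) -> None:
        self.root = root_domain                      # first domain created
        self.tree_roots: Set[str] = {root_domain}
        self.trusts: Dict[str, Set[str]] = {root_domain: set()}

    def add_domain(self, name: str) -> None:
        # A domain whose DNS parent is already in the forest joins that tree as
        # a child; otherwise it starts a new tree and its root trusts the forest
        # root. Either way the trust is recorded in both directions.
        parent = parent_domain(name)
        self.trusts.setdefault(name, set())
        if parent in self.trusts:
            self._link(parent, name)
        else:
            self.tree_roots.add(name)
            self._link(self.root, name)

    def _link(self, a: str, b: str) -> None:
        self.trusts[a].add(b)
        self.trusts[b].add(a)

    def trust_path(self, src: str, dst: str) -> Optional[List[str]]:
        """Breadth-first walk over the transitive trusts; None when no path
        exists (for example when dst lies outside the forest)."""
        if src not in self.trusts or dst not in self.trusts:
            return None
        previous: Dict[str, Optional[str]] = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                break
            for nxt in sorted(self.trusts[cur]):
                if nxt not in previous:
                    previous[nxt] = cur
                    queue.append(nxt)
        if dst not in previous:
            return None
        path: List[str] = []
        node: Optional[str] = dst
        while node is not None:
            path.append(node)
            node = previous[node]
        return path[::-1]


def can_access(forest: Forest, user_domain: str, user: str,
               resource_domain: str, acl: Dict[str, Set[str]]) -> bool:
    """Authentication needs a trust path; authorization still needs an explicit
    entry in the resource domain's own ACL, because each domain is a security
    boundary and rights are assigned per domain."""
    if forest.trust_path(user_domain, resource_domain) is None:
        return False
    return f"{user_domain}\\{user}" in acl.get(resource_domain, set())


def build_sample_forest() -> Forest:
    # Constructed sample forest: the article's microsoft.com tree plus a second
    # tree, example.net, whose name is not contiguous with the first.
    forest = Forest("microsoft.com")
    for domain in ("child.microsoft.com", "grandchild.child.microsoft.com",
                   "example.net", "sales.example.net"):
        forest.add_domain(domain)
    return forest


if __name__ == "__main__":
    f = build_sample_forest()
    print("tree roots:", sorted(f.tree_roots))
    print("trust path:", f.trust_path("grandchild.child.microsoft.com",
                                      "sales.example.net"))
    sample_acl = {"sales.example.net": {"child.microsoft.com\\alice"}}
    print(can_access(f, "child.microsoft.com", "alice", "sales.example.net", sample_acl))
    print(can_access(f, "grandchild.child.microsoft.com", "bob", "sales.example.net", sample_acl))
```

Running the script prints the two tree roots, the five-domain trust chain from `grandchild.child.microsoft.com` up through the forest root and down into the `example.net` tree, `True` for the user who has an entry in the resource domain's ACL, and `False` for the user who can authenticate across the same trusts but has been granted nothing there.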
9. Site: A site is a network location that contains Active Directory domain controllers, usually one or more subnets connected via TCP/IP. The subnets within a site are connected by a reliable, fast network. Dividing the network into sites lets administrators easily configure a complex Active Directory structure and make better use of the physical network's characteristics, so that network communication is in its optimal state. When a user logs on to the network, the Active Directory client looks for an Active Directory domain controller in the same site; because communication within a site is reliable, fast, and efficient, the user can log on to the network system in the shortest possible time. Because sites are based on subnets, Active Directory can easily find the site the user is in and then find a domain controller there to complete the logon.
10. Domain controller: A domain controller is a computer running Win2K Server that has been configured with the Active Directory Installation Wizard. The wizard installs and configures the components that provide Active Directory services to the network's users and computers. A domain controller stores directory data and manages the interaction between users and the domain, including the user logon process, authentication, and directory searches; a domain may have one or more domain controllers. For high availability and fault tolerance, a small organization using a single local area network (LAN) may need only one domain with two domain controllers, while a large company with multiple network locations needs one or more domain controllers at each location to provide high availability and fault tolerance.
A Win2K Server domain controller extends the capabilities and features provided by a Windows NT Server 4.0 domain controller. Win2K Server uses multi-master replication to synchronize the directory data on every domain controller, ensuring that this information stays consistent over time; that is, it is dynamic, and this is the role of Active Directory. Multi-master replication is an evolution of the primary domain controller and backup domain controller model used in Windows NT Server 4.0, where only one server, the primary domain controller, held a readable and writable copy of the directory.
III. The significance of installing Active Directory
We said that one of Win2K's successes and innovations is the successful introduction of the Active Directory service, so what is the significance of installing Active Directory? This is a question every Win2K beginner has. Since Active Directory is not a service that the Win2K system requires you to install, and it is quite difficult to understand comprehensively, where does the significance of installing it lie? It is mainly reflected in the following aspects:
1. Information security is greatly enhanced
After Active Directory is installed, information is fully integrated with it: user authorization management and directory access control are integrated into Active Directory (including users' access and logon permissions), and these are key to the security of the Win2K operating system. Active Directory controls user authorization, and directory access control can be defined not only on each object in the directory but also on each attribute of each object, which no earlier system, including Windows NT 4.0, could do. In addition, Active Directory provides both the store and the scope of application for security policies. A security policy can include account information, such as password restrictions that apply across the domain, or access to particular domain resources. So to a certain degree one can say that Win2K's security is the security embodied by Active Directory, and configuring the security of the objects and attributes in Active Directory is the key to configuring a Win2K system for network management.
2. Policy-based management is introduced, making the system clearer
Active Directory services include both a data store for directory objects and a logical hierarchical structure (the hierarchy of directory, directory tree, domain, domain tree, domain forest, and so on). As a directory, it stores the policies for a specific environment, called Group Policy objects. As a logical structure, it provides the hierarchical environment in which policies are applied. A Group Policy object represents a set of business rules that includes settings related to the environment you want to apply it to; Group Policy is the set of configuration settings used when a user or computer is initialized. All Group Policy settings are contained in Group Policy Objects (GPOs) applied to Active Directory, a domain, or an organizational unit. GPO settings determine the access permissions on directory objects and domain resources, which domain resources users can use, and how those resources are used. For example, a Group Policy object can determine which applications a user sees on their computer when they log on, how many users can connect to a server when it starts, and what files or services users can access when they are transferred to a different department or group. Group Policy objects let you manage a small number of policies instead of a large number of users and computers. Through Active Directory you can apply Group Policy settings in the appropriate environment, whether that is your whole organization or a specific department within it.
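The "hierarchical environment" in which policies are applied can be illustrated by resolving which settings reach a user from the containers above them. The following is an added example, not code from the original article or from Windows: it models Group Policy processing as site first, then the domain, then each organizational unit from the top down, with a setting applied later overriding the same setting applied earlier (so the GPO linked closest to the user wins); Block Inheritance and No Override are not modeled. The user DNs, the site name, the GPO names and their settings are constructed sample values.

```python
from typing import Dict, List, Tuple

# A GPO is a name plus its settings; links map a site name or container DN to
# the GPOs linked there, in the order they are processed.
Gpo = Tuple[str, Dict[str, object]]


def containers_from_top(user_dn: str) -> List[str]:
    """Containers above the leaf object, ordered from the domain down to the
    innermost OU. cn=alice,ou=helpdesk,ou=it,dc=example,dc=com gives
    [dc=example,dc=com, ou=it,dc=example,dc=com, ou=helpdesk,ou=it,dc=example,dc=com]."""
    parts = user_dn.split(",")[1:]          # drop the leaf (cn=alice)
    chain: List[str] = []
    for i, part in enumerate(parts):
        suffix = ",".join(parts[i:])
        if part.lower().startswith("ou="):
            chain.append(suffix)
        elif part.lower().startswith("dc="):
            chain.append(suffix)            # the domain is the top container
            break
    return chain[::-1]


def resolve_policy(user_dn: str, site: str,
                   links: Dict[str, List[Gpo]]) -> Dict[str, Tuple[object, str]]:
    """Walk site -> domain -> OUs and return, per setting, the effective value
    and the name of the GPO that supplied it."""
    effective: Dict[str, Tuple[object, str]] = {}
    for scope in [site] + containers_from_top(user_dn):
        for gpo_name, settings in links.get(scope, []):
            for key, value in settings.items():
                effective[key] = (value, gpo_name)   # later scope overrides
    return effective


# Constructed sample links: one GPO at the site, the domain and two nested OUs.
SAMPLE_LINKS: Dict[str, List[Gpo]] = {
    "Default-First-Site-Name": [
        ("SiteProxy", {"proxy_server": "proxy.example.com:8080"})],
    "dc=example,dc=com": [
        ("DomainBaseline", {"screensaver_timeout": 600, "disable_run_menu": False})],
    "ou=it,dc=example,dc=com": [
        ("ITDesktops", {"screensaver_timeout": 300})],
    "ou=helpdesk,ou=it,dc=example,dc=com": [
        ("HelpdeskTools", {"disable_run_menu": True, "allow_remote_assistance": True})],
}


def describe(user_dn: str, site: str, links: Dict[str, List[Gpo]]) -> List[str]:
    """Human-readable lines: setting = value (from GPO)."""
    return [f"{key} = {value!r} (from {source})"
            for key, (value, source) in sorted(resolve_policy(user_dn, site, links).items())]


if __name__ == "__main__":
    for dn in ("cn=alice,ou=helpdesk,ou=it,dc=example,dc=com",
               "cn=bob,ou=finance,dc=example,dc=com"):
        print(dn)
        for line in describe(dn, "Default-First-Site-Name", SAMPLE_LINKS):
            print("   ", line)
```

For `alice`, the domain's 600-second screensaver timeout is overridden by the IT OU's 300 seconds and the helpdesk OU switches on the Run-menu restriction; `bob`, in an OU with no GPO of its own, receives only the site and domain settings. Reading the "from" column is the quickest way to see which container an unexpected setting is coming from.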
3. Strong extensibility
Win2K's Active Directory is highly extensible: administrators can add new object classes to the schema, or add new attributes to existing object classes. The schema contains the definition of every object class in the directory and of the attributes of each object class. For example, in e-commerce you could add a purchase-authorization attribute to each user object and then store each user's purchase permissions as part of the user account.
4. Strong scalability
Active Directory can include one or more domains, each with one or more domain controllers, so you can adjust the size of the directory to meet the needs of any network. Multiple domains can make up a domain tree, and multiple domain trees can make up a forest; Active Directory grows and shrinks together with the domains, which lets it adapt to changes in the organization's network. The directory distributes its schema and configuration information to all domain controllers in the directory; this information is stored on the first domain controller of a domain and replicated to every other domain controller in that domain. When the directory is configured as a single domain, adding domain controllers changes the size of the directory without affecting the administrative overhead of other domains. Adding domains to the directory lets you partition the directory into different policy environments and scale it to accommodate large numbers of resources and objects.
5. Intelligent information replication
Replication provides information availability, fault tolerance, load balancing, and performance benefits. Active Directory uses multi-master replication, which lets you update the directory on any domain controller rather than only on a single primary domain controller. The multi-master model is more fault tolerant, because the remaining domain controllers can continue to replicate even if any single domain controller stops. Because of multi-master replication, the domain controllers all maintain what is logically a single copy of the directory: after directory information is created or modified on one domain controller, the new or changed information is sent to all the other domain controllers in the domain, so their directory information stays current. Domain controllers need the latest directory information, but to be efficient the updates must be limited to only the new or changed directory information, so as to avoid synchronization traffic during peak periods on the network. Replicating only the changed directory information, rather than exchanging whole directories between domain controllers indiscriminately, keeps the network traffic low and does not add to the load on the domain controllers.
6. Integration with DNS
Active Directory uses the Domain Name System (DNS) to name the directory servers. DNS is the Internet standard service that translates easily understood names (such as Mike.MyCompany.com) into numeric IP addresses, which is what lets computers on a TCP/IP network identify and communicate with one another. DNS domain names are based on the DNS hierarchical naming structure, an inverted tree with a single root domain, under which there can be parent domains and subdomains (branches and leaves). I will cover this in a detailed chapter later; here it is only a brief introduction.
7. Interoperability with other directory services
Because Active Directory supports standard directory access protocols, many application programming interfaces (APIs) let developers use these protocols, such as the Active Directory Service Interface (ADSI), Lightweight Directory Access Protocol (LDAP) version 3, and the Name Service Provider Interface (NSPI), so Active Directory can interoperate with other directory services that use these protocols. LDAP is the directory access protocol for querying and retrieving information in Active Directory. Because it is an industry-standard protocol, you can write programs with LDAP that share Active Directory services with other directory services that support LDAP. Active Directory supports the NSPI protocol used by Microsoft Exchange 4.0 and 5.x clients to provide compatibility with the Exchange directory.
8. Flexible queries
Any user can use the "Search" command on the Start menu, "My Network Places", or "Active Directory Users and Computers" to quickly find objects on the network by their attributes. For example, you can find a user by first name, last name, e-mail name, office location, or other attributes of the user account, and vice versa.
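The attribute searches just described, and the LDAP programs mentioned under point 7, both come down to an LDAP search filter such as `(&(objectClass=user)(givenName=Mike))`. The following added example (not code from the original article or from Windows) builds such filters from user-supplied attribute values with the escaping defined in RFC 4515, so that text typed into a search box cannot add or close filter terms and change which objects the query matches. The attribute names used (`objectCategory`, `objectClass`, `givenName`, `sn`, `mail`) are standard Active Directory attributes; the sample inputs are constructed.

```python
import re
from typing import Dict

# RFC 4515: characters with meaning inside a filter are written as a backslash
# followed by their two-digit hexadecimal code.
_ESCAPES: Dict[str, str] = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Attribute names are plain identifiers; anything else is rejected outright.
_ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# Every user search is restricted to user objects, whatever else is asked for.
_USER_BASE = "(objectCategory=person)(objectClass=user)"


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _check_attribute(name: str) -> str:
    if not _ATTRIBUTE_NAME.match(name):
        raise ValueError(f"invalid attribute name: {name!r}")
    return name


def user_search_filter(**criteria: str) -> str:
    """AND together one (attribute=value) term per criterion on a user object,
    e.g. user_search_filter(givenName="Mike", mail="mike@mycompany.com")."""
    if not criteria:
        raise ValueError("at least one search attribute is required")
    terms = "".join(
        f"({_check_attribute(attr)}={escape_filter_value(value)})"
        for attr, value in sorted(criteria.items())
    )
    return f"(&{_USER_BASE}{terms})"


def user_prefix_filter(attribute: str, prefix: str) -> str:
    """'Starts with' search (e.g. all surnames beginning with 'Sm'). The
    wildcard is appended by the code, never taken from the caller, so the typed
    text cannot widen the match beyond a prefix."""
    return f"(&{_USER_BASE}({_check_attribute(attribute)}={escape_filter_value(prefix)}*))"


if __name__ == "__main__":
    print(user_search_filter(givenName="Mike", mail="mike@mycompany.com"))
    print(user_prefix_filter("sn", "Sm"))
    # Constructed hostile input: without escaping, the ')' and '(' would close
    # the sn term and add an (objectClass=*) term that matches every object.
    print(user_search_filter(sn="Smith*)(objectClass=*"))
```

The third line printed shows the hostile value rendered as `sn=Smith\2a\29\28objectClass=\2a`, a literal string that matches no real surname, instead of a rewritten filter. The same two rules, escape every value and never let callers supply attribute names or wildcards, apply whichever LDAP client library (ADSI, ldap3, and so on) eventually sends the filter.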