In the previous article we built a basic understanding of Active Directory; in this one I will cover its substance: the structure of Active Directory. Last time we said that Active Directory covers two aspects: the directory itself and directory-related services. The directory is a physical container that stores various objects, and in this respect it is no different from the directories we use every day; the basic objects it manages are resources such as users, computers, files, and printers. Directory services are the services that use all the information and resources in the directory, such as user and resource management, directory-based network services, and network-based application management; they are the key and essence of the Win2K Active Directory. The directory service is the core pillar of the Win2K network operating system and also its central management authority. Introducing directory services brought revolutionary changes to the entire operating system: not only did the basic modules of the system platform change, such as the network security mechanism and the user management module, but the way upper-layer applications operate and the development model changed as well. Understood this way, isn't "Active Directory" easier to grasp? At the same time, Active Directory is a distributed directory service: its information can be spread across many different computers, which gives users fast access and fault tolerance, while users and administrators are still presented with a single unified view, so that Win2K systems are easier to understand and master. Active Directory integrates key services of the Win2K server, such as Domain Name Service (DNS), Message Queue Service (MSMQ), and Transaction Service (MTS); at the application level it integrates key applications such as email, network management, and ERP.
To understand Active Directory we must start from its logical structure and its physical structure.

I. The logical structure of Active Directory

Everyone has seen the word "logical" often, as in "logical thinking" or "logic analysis", and many people find "logic" abstract and hard to grasp. The "logical structure" we are talking about here is actually quite easy to understand: "logical" is usually contrasted with "physical". "Physical" means something real; "logical" therefore refers to something non-physical, not an entity but an abstraction, such as a "relationship" or a "scope". As we said in the first article, the logical structure of Active Directory is very flexible: there are directory trees, domains, domain trees, and domain forests. None of these names denotes a real entity; each represents a relationship or a scope. A directory tree is made up of directories in the same namespace, a domain is made up of directory trees, a domain tree is made up of domains, and a domain forest is made up of multiple domain trees. Together they form a complete, hierarchical tree view, which we can regard as a dynamic set of relationships. The logical structure is also directly related to the namespace discussed earlier: it gives users and administrators a great convenience for finding and locating objects within a given namespace. The logical units of Active Directory mainly include the following.

1. Domain, domain tree, and domain forest

A domain is both a logical organizational unit of a Win2K network and a container of objects (computers, users, and so on) that share the same security requirements, replication process, and management. This should be quite easy for network administrators to understand.
All domain controllers in Win2K are peers (unlike WinNT 4.0, there is no distinction between primary and backup). A domain is a security boundary: a domain administrator can only manage his own domain, and cannot access or manage other domains unless another domain explicitly grants him administrative privileges. Each domain has its own security policy and its own security trust relationships with other domains. This brings us to the trust and transitivity relationships between different domains, so let us talk specifically about domain trust relationships in Win2K.
Domains have certain trust relationships with each other. A domain trust relationship enables users in one domain to be authenticated by the domain controllers of another domain, and thereby to access resources in that other domain. Every domain trust involves only two domains: the trusting domain and the trusted domain. A trusting relationship means that domain A trusts domain B, so that a user in domain B can access resources in domain A once a domain controller in domain A has authenticated him; the relationship of domain A toward domain B is a trusting relationship. The trusted relationship is the other side of the same trust: in the example above, domain B is trusted by domain A, so the relationship of domain B toward domain A is a trusted relationship. Trusting and trusted relationships can be one-way or two-way, that is, domain A and domain B may trust each other in one direction only, or in both directions.

A transitive trust is not confined to the two domains in the relationship: it is passed down from the parent domain to the child domains in the domain tree. That is, if domain A trusts domain B, domain A also trusts the child domains B1, B2, ... beneath domain B. A transitive trust is always two-way: both domains in the relationship (the parent domain and the child domain) trust each other. By default, all Win2K trust relationships within a domain tree or forest (a forest can be seen as multiple directory trees in the same domain) are transitive. This greatly simplifies domain management by sharply reducing the number of trusts that must be administered. Transitive trusts in Win2K are generally created automatically, but within the same domain tree or Win2K forest they can also be created manually, which matters when you want to set up a cross-link (shortcut) trust.
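The following Python model is an added example, not code from the original article: it encodes the trust rules discussed in this section (a trust is directed from trusting domain to trusted domain, parent/child trusts are two-way and transitive, explicit trusts may be one-way and non-transitive) and answers whether a user from one domain can reach resources in another. All domain names are constructed.

```python
from collections import deque


class TrustGraph:
    """Directed trust edges: self.edges[trusting][trusted] = transitive flag.
    If domain A trusts domain B, users of B can reach resources in A."""

    def __init__(self):
        self.edges = {}

    def add_trust(self, trusting, trusted, transitive=False, two_way=False):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self.edges.setdefault(trusted, {})[trusting] = transitive

    def add_parent_child(self, parent, child):
        # Parent/child trusts inside a domain tree are two-way and transitive.
        self.add_trust(parent, child, transitive=True, two_way=True)

    def can_access(self, user_domain, resource_domain):
        """True if a user from user_domain can be authenticated for resource_domain."""
        if user_domain == resource_domain:
            return True
        # A direct trust, transitive or not, is enough for a single hop.
        if user_domain in self.edges.get(resource_domain, {}):
            return True
        # Longer chains are valid only when every hop is a transitive trust.
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:
            current = queue.popleft()
            for nxt, transitive in self.edges.get(current, {}).items():
                if not transitive or nxt in seen:
                    continue
                if nxt == user_domain:
                    return True
                seen.add(nxt)
                queue.append(nxt)
        return False


def build_example_forest():
    # Constructed forest: one tree plus a one-way trust to a legacy NT domain.
    g = TrustGraph()
    g.add_parent_child("corp.example", "sales.corp.example")
    g.add_parent_child("corp.example", "eng.corp.example")
    g.add_parent_child("sales.corp.example", "eu.sales.corp.example")
    # Explicit, one-way, non-transitive: corp.example trusts NTLEGACY only.
    g.add_trust("corp.example", "NTLEGACY", transitive=False, two_way=False)
    return g
```

With this forest, `build_example_forest().can_access("NTLEGACY", "eng.corp.example")` is False because the NT trust does not flow down to the child domains, while `eu.sales.corp.example` users reach `eng.corp.example` through the transitive parent/child chain.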
A non-transitive trust is confined to the two domains in the relationship and is not passed on to other domains in the domain tree through the parent domain. A non-transitive trust must be created explicitly. By default a non-transitive trust is one-way, although you can build a two-way relationship by creating two one-way trusts. All trusts established between Win2K domains that are not in the same domain tree or forest are non-transitive, and all trusts between Win2K domains and WinNT domains are non-transitive; a company that runs both Win2K and WinNT domain controllers must pay special attention to this. All existing Windows NT trusts remain unchanged when a domain is upgraded from Windows NT to Win2K, and in a mixed-mode network all Windows NT trusts are non-transitive. Trusts between a Win2K domain and a WinNT domain, between a Win2K domain and a Win2K domain in another forest, and between a Win2K domain and an MIT Kerberos v5 realm are each separate one-way trusts. A two-way trust consists of a pair of one-way trusts, and all transitive trusts are two-way. To make a non-transitive trust two-way, two one-way trusts must be created between the domains involved.

2. Organizational unit (OU)

An organizational unit (OU) is a container object and is also part of the logical structure of Active Directory. With OUs we can organize the objects in a domain into logical groups, which helps simplify management. An OU may contain all kinds of objects, such as user accounts, user groups, computers, and printers, and may even contain other OUs, so we can use OUs to arrange the objects in a domain into a complete logical hierarchy.
In a company, all users and devices can be organized into an OU hierarchy by department, by geographic location, or into several OU hierarchies by function and permissions. Because organizational units can contain one another, they have a clear hierarchy, which lets the administrator divide a domain into organizational units that mirror the organization's own structure and delegate tasks and authority accordingly. Building a nested organizational model in this way helps us solve many problems while still using large domains. Every object in the domain tree can be shown in the global catalog, so users can easily find an object with a single search regardless of where it sits in the domain tree.
Since an OU hierarchy is confined to the interior of a domain, the OU hierarchy in one domain has no relationship to the OU hierarchy in another domain. Because an Active Directory domain can hold far more objects than an NT4 domain, a company may use only one domain to build its enterprise network; in that case we can use OUs to group objects into whatever management hierarchies we need, greatly simplifying network administration. Different departments in an organization can become different domains, or different organizational units, using hierarchical naming to reflect the organization's structure and management authority. Such fine-grained management within the organizational structure removes many administrative headaches: central management is strengthened without losing flexibility. Many WinNT 4.0 domains can become OUs, yielding larger domains with simpler inter-domain relationships, and with the global catalog (GlobalCatalog) users and administrators are still able to find and manage objects quickly. Win2K can work in an existing WinNT 4.0 environment, protecting existing investment.

II. The physical structure of Active Directory

In Active Directory the physical structure is very different from the logical structure; the two are independent concepts. The logical structure focuses on managing network resources, while the physical structure focuses on configuring and optimizing the network. The physical structure of Active Directory is mainly concerned with replicating Active Directory information and optimizing performance when users log on to the network. Its two important concepts are sites and domain controllers.

1. Sites

A site consists of one or more IP subnets connected by high-speed network devices.
Sites are usually determined by the physical distribution of the company's locations. The access and replication topology of Active Directory can be configured according to the site structure, which makes the network run more efficiently, makes the replication policy more reasonable, and makes user logon faster. Site and domain are two completely independent concepts: one site can contain multiple domains, and multiple sites can belong to the same domain. Active Directory Sites and Services uses sites to improve the efficiency of most directory service configuration; through it you give Active Directory the information it needs to decide how to replicate directory information and where to handle service requests. A computer's site is assigned according to its location in a subnet or in a set of connected subnets. Subnets provide a simple way to group network addresses, much like our familiar postal codes. Subnets are turned into physical information about how the network and the directory are connected, and a computer is placed in one or more connected subnets that fully embody the site; all computers in the site must meet this standard, because the connection between computers on the same subnet is usually better than between arbitrarily chosen computers on the network. The significance of sites is mainly the following.

(1) Improving the efficiency of authentication. When a client logs on with a domain account, the logon mechanism first searches for a domain controller in the same site, so the client can use a domain controller within its own site first. This keeps the network traffic local, speeds up authentication, and improves the efficiency of the verification process.
(2) Balancing replication frequency. Active Directory information can be replicated within a site or between sites, but for bandwidth reasons replication within a site happens more frequently than replication between sites. This balances the need for up-to-date directory information against the available network bandwidth. You can customize how Active Directory replicates by using site links to specify how sites are connected; Active Directory uses this information about how sites connect to generate connection objects that provide efficient replication and fault tolerance.

(3) Providing site link information. Active Directory uses site link information such as cost, link usage schedule, and link availability to decide which site should be used to replicate information and when. A custom replication schedule lets replication run at a specific time (for example, when the network is idle), making replication more efficient.
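As an added example (not code from the original article), the Python below models the three points of this section: a client is placed in a site by longest-prefix subnet match, domain controllers in the client's own site are tried first at logon, and replication intervals differ between intra-site and site-link (inter-site) pairs. The site names, subnets, host names and interval values are constructed for the example.

```python
import ipaddress

# Constructed sample topology; every name, address and interval is hypothetical.
SUBNETS = {                      # subnet -> site it belongs to
    "10.1.0.0/16": "Beijing",
    "10.1.50.0/24": "Beijing-Lab",   # more specific prefix wins over 10.1.0.0/16
    "10.2.0.0/16": "Shanghai",
}
DOMAIN_CONTROLLERS = {           # DC host -> (site, domain it serves)
    "dc1.corp.example": ("Beijing", "corp.example"),
    "dc2.corp.example": ("Shanghai", "corp.example"),
    "dc3.corp.example": ("Beijing-Lab", "corp.example"),
}
INTRA_SITE_INTERVAL_MIN = 5      # constructed: frequent replication inside a site
SITE_LINKS = {                   # site link -> cost and inter-site replication interval
    frozenset({"Beijing", "Shanghai"}): {"cost": 100, "interval_min": 180},
    frozenset({"Beijing", "Beijing-Lab"}): {"cost": 10, "interval_min": 15},
}

def locate_site(client_ip, subnets=SUBNETS):
    """Map a client address to its site by longest-prefix subnet match."""
    ip = ipaddress.ip_address(client_ip)
    best_net, best_site = None, None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site

def pick_domain_controllers(client_ip, domain, dcs=DOMAIN_CONTROLLERS):
    """Order DCs for a logon: same-site DCs first, then the rest of the domain."""
    site = locate_site(client_ip)
    same_site = [h for h, (s, d) in dcs.items() if d == domain and s == site]
    elsewhere = [h for h, (s, d) in dcs.items() if d == domain and s != site]
    return same_site + elsewhere

def replication_interval(site_a, site_b, links=SITE_LINKS):
    """Minutes between replication cycles; None when no site link connects the sites."""
    if site_a == site_b:
        return INTRA_SITE_INTERVAL_MIN
    link = links.get(frozenset({site_a, site_b}))
    return None if link is None else link["interval_min"]

if __name__ == "__main__":
    print(locate_site("10.1.50.7"))                          # Beijing-Lab
    print(pick_domain_controllers("10.2.9.9", "corp.example"))
    print(replication_interval("Beijing", "Shanghai"))       # 180
```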