In the previous articles we covered the basic principles, installation and configuration of Active Directory and some of its advantages. Active Directory is not a standalone service; it is built by combining several existing protocols and services. The combination of DNS, the LDAP protocol and Active Directory, and the application of the site concept, stand out in particular. This article introduces these applied technologies.
First, the application of DNS in the active directory
Win2K, as a new operating system, introduced Active Directory, and one of the biggest features of Active Directory is its close integration with DNS. Active Directory uses the domain name service DNS as its locator service while extending standard DNS. DNS is the most widely used locator service: it is used not only on the Internet but also inside many enterprise networks. In a network built with WinNT 4.0, the unique identifier of each host is its NetBIOS name, and the system resolves NetBIOS names to IP addresses through the WINS service, broadcasts, LMHOSTS files and so on in order to communicate. Inside an internal network (usually a LAN), NetBIOS names are convenient and fast. On the Internet, however, the unique identifier of a host is its domain name in FQDN form (such as www.163.com), and domain names are resolved to IP addresses according to the DNS standard. If a network built on WinNT 4.0 is connected to the Internet, every host in the NT network has a corresponding domain name, and name resolution is carried out by the DNS service supported by WinNT 4.0. In WinNT 4.0, DNS is planned, designed and implemented entirely by hand, and every host in a WinNT 4.0 network has both a NetBIOS name and a domain name that mean essentially the same thing. This increases the administrative burden to a certain extent and makes network management more confusing.
In the Win2K Active Directory, the most basic unit is the domain. Domains are organized into a tree, parent and child domains have a fully two-way trust relationship, and trust is transitive. This organizational structure is similar to the DNS system. The naming strategy of Active Directory follows two standards, DNS and LDAP 3.0: a domain in Active Directory and a domain in DNS use exactly the same naming method, that is, the domain name in Active Directory is the DNS domain name. Active Directory therefore depends on DNS as its locator service to resolve names to IP addresses. So when we build Active Directory with Win2K, a suitable DNS must be installed at the same time, because both a user's IP address resolution and logon authentication use DNS to locate servers in Active Directory. This tight integration of Active Directory and DNS also makes Active Directory well suited to Internet and intranet environments, which reflects Microsoft's idea of an operating system for the Internet. Enterprises can connect Active Directory directly to the Internet to simplify communication with customers and partners. In addition, the DNS service in Win2K allows clients to update resource records dynamically using the DNS Dynamic Update protocol (RFC 2136), which improves DNS manageability by reducing the manual administration of those records. Computers running Win2K can register their DNS names and IP addresses dynamically.
Because Active Directory is integrated with DNS, the NetBIOS name has gradually lost its meaning in Win2K, and the corresponding WINS service is slowly being phased out. In WinNT, to take advantage of the dynamic nature of WINS, we usually integrated DNS with WINS so that more accurate resolution results could be obtained. WINS, however, is not an Internet standard protocol, whereas DNS solves dynamic maintenance of the machine name to IP address table as dynamic DNS. Dynamic DNS does not need WINS, because it lets clients with dynamically assigned IP addresses register directly with the DNS server and update the DNS table immediately. Win2K supports dynamic DNS, and machines running the Active Directory service can update the DNS table dynamically. A Win2K network therefore no longer needs the WINS service, although Win2K still supports WINS for backward compatibility. If the network no longer uses WINS, how does a client find the domain controller when logging on to the network? Win2K extends standard DNS in its implementation: a new record type, the SRV record, is added to the DNS table, and it points to the domain controllers of Active Directory. So once a network has been fully upgraded to Win2K, the WINS service is no longer required. In Win2K, this integration takes the form of support for the dynamic update protocol (RFC 2136). DNS has been widely adopted on the Internet and has become a unified standard specification in network technology. Win2K's goal is widespread use in Internet and intranet environments, so its name resolution should fully comply with the single DNS standard.
The above mainly describes the application of DNS in Active Directory. Some readers may ask: since WinNT 4.0 had no Active Directory and used only DNS to resolve domain names, what is the difference between Active Directory and DNS, and how are they combined? Let's discuss this below.
1. The difference between Active Directory and DNS
(1) The stored objects are different
The combination of DNS and Active Directory is the most important feature of Windows 2000 Server. A DNS domain and an Active Directory domain use the same domain name for different namespaces, but they store different data and therefore manage different objects. DNS stores its zones and resource records; Active Directory stores domains and the objects within them. For DNS, the domain name is based on the hierarchical DNS naming structure: a top-down structure with one root domain, below which each domain is both a parent domain and a subdomain. Every computer in a DNS domain can be identified by a fully qualified domain name (FQDN). Every Win2K domain connected to the Internet has a DNS name, and every computer in a Win2K domain has a DNS name. Domains and computers are therefore both Active Directory objects and DNS nodes.
(2) The databases used for resolution are different
DNS is a name resolution service. A DNS server accepts requests, queries the DNS database and resolves domain or computer names to IP addresses. A DNS client sends a DNS name query to the DNS server it is configured with; the DNS server either resolves the name from its local DNS database or queries DNS databases on the Internet. DNS does not require Active Directory.
Active Directory is a directory service. It accepts requests, queries the Active Directory database and resolves domain object names into object records. Active Directory users send requests to the Active Directory server through the LDAP protocol (a protocol for accessing directory services). To locate the Active Directory database, DNS is needed: Active Directory uses DNS as its locator service to resolve the Active Directory server to an IP address, and Active Directory cannot work without the help of DNS. DNS can be independent of Active Directory, but Active Directory must have DNS in order to work. For Active Directory, the DNS server must support service location (SRV) resource records, which map a service name to the name of the server that provides the service. Active Directory clients and domain controllers use SRV resource records to determine the IP addresses of domain controllers.
In addition to requiring that the Win2K network support SRV resource records, Microsoft also recommends that the DNS server support dynamic update of DNS. DNS dynamic update defines a protocol by which records are updated automatically within certain limits; if this protocol is not available, the administrator has to configure the new records generated by the domain controller manually. The new Win2K DNS service supports both SRV resource records and dynamic update. If you choose a DNS server that is not based on Win2K, you must confirm that it supports SRV resource records. For a DNS server that supports SRV resource records but not dynamic update, the records must be updated manually when a Win2K server is promoted to a domain controller. This can be done with the Netlogon.dns file, which is created by the Active Directory Installation Wizard and is located in the folder %SystemRoot%\System32\Config.
2. How the two are combined
Since DNS and Active Directory differ so much, how are they combined? There are three main ways:
(1) The Active Directory domain and the DNS domain use the same hierarchical structure. Although their functions and purposes differ, an organization's DNS namespace and its Active Directory namespace have the same structure.
(2) DNS zones can be stored in Active Directory. If the Win2K DNS service is used, the primary zone can be stored in Active Directory, replicated to the other Active Directory domain controllers, and given enhanced security for the DNS service.
(3) Active Directory clients use DNS to locate domain controllers. To locate a domain controller for a specific domain, the Active Directory client requests the resource records from the DNS server it is configured with. When a company uses Windows 2000 Server as its network operating system, Active Directory is regarded as one or more hierarchical levels under the company's registered DNS root domain name.
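To make the locator mechanism in (3) concrete, here is an added example in Python; it is not code from the article or from Windows. It parses constructed lines in the zone-file format that Netlogon.dns uses, builds the standard SRV names a Win2K client queries for a domain controller (the site-specific _sites name first, then the domain-wide _msdcs name), and chooses among the answers by SRV priority and weight. The domain, site and host names are made up, and the locator is a simplified model of what the Windows DC locator does (the real one also uses other inputs, such as an LDAP ping).

```python
import random
import re
from dataclasses import dataclass

# Constructed sample, not from any real domain: lines in the format a Win2K domain
# controller writes to Netlogon.dns (zone-file style:
# name TTL IN SRV priority weight port target). "mydomain.com", the site names and
# the host names are made-up examples.
SAMPLE_NETLOGON_DNS = """\
_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 dc1.mydomain.com.
_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 dc2.mydomain.com.
_ldap._tcp.dc._msdcs.mydomain.com. 600 IN SRV 0 100 389 dc1.mydomain.com.
_ldap._tcp.dc._msdcs.mydomain.com. 600 IN SRV 0 100 389 dc2.mydomain.com.
_ldap._tcp.Headquarters._sites.dc._msdcs.mydomain.com. 600 IN SRV 0 100 389 dc1.mydomain.com.
_ldap._tcp.Branch._sites.dc._msdcs.mydomain.com. 600 IN SRV 0 100 389 dc2.mydomain.com.
_ldap._tcp.Branch._sites.dc._msdcs.mydomain.com. 600 IN SRV 10 100 389 dc1.mydomain.com.
_kerberos._tcp.dc._msdcs.mydomain.com. 600 IN SRV 0 100 88 dc1.mydomain.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


SRV_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_netlogon_dns(text):
    """Parse zone-file style SRV lines into SrvRecord objects (names lower-cased,
    trailing dots removed, DNS names being case-insensitive)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised SRV line: {line!r}")
        name, _ttl, prio, weight, port, target = m.groups()
        records.append(SrvRecord(name.lower().rstrip("."), int(prio), int(weight),
                                 int(port), target.lower().rstrip(".")))
    return records


def dc_locator_names(dns_domain, site=None, service="_ldap"):
    """The SRV names a client asks for, most specific first: the site-specific
    record (if the client knows its site) and then the domain-wide record."""
    names = []
    if site:
        names.append(f"{service}._tcp.{site}._sites.dc._msdcs.{dns_domain}")
    names.append(f"{service}._tcp.dc._msdcs.{dns_domain}")
    return [n.lower() for n in names]


def select_srv(records, rng=random.random):
    """RFC 2782 selection: only the lowest-priority records are candidates, and
    among them the choice is random in proportion to weight. rng is injectable so
    the selection can be made deterministic in a test."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[0]
    pick = rng() * total
    running = 0
    for r in candidates:
        running += r.weight
        if pick < running:
            return r
    return candidates[-1]


def locate_dc(records, dns_domain, site=None, rng=random.random):
    """Simplified DC locator: try each query name in order and return the first
    SRV record selected, or None when the domain has no DC records at all."""
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    for name in dc_locator_names(dns_domain, site):
        chosen = select_srv(by_name.get(name, []), rng)
        if chosen:
            return chosen
    return None


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    for site in ("Branch", "Headquarters", None):
        dc = locate_dc(recs, "mydomain.com", site)
        print(f"site={site!r}: {dc.target}:{dc.port}")
```

The Branch site lists dc2 at priority 0 and dc1 at priority 10, so a Branch client always gets its local DC first and only falls back to dc1 when dc2's record is gone; a client whose site has no record falls through to the domain-wide name, which is why a DNS server that drops or cannot accept these records (the manual-update case above) breaks logon for the whole domain rather than for one site.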
According to DNS naming rules, each part of a DNS name represents a node in the DNS tree hierarchy and also represents a potential Active Directory domain in the Win2K domain hierarchy. The DNS root node is denoted by the empty string (""), and the root node of the Active Directory namespace has no parent domain; it provides the LDAP entry point to Active Directory.
Second, the application of sites (Site) in Active Directory
When we used WinNT 4.0 to plan and design an enterprise network, we designed according to the company's specific situation, choosing a single-domain, multi-domain or single-master-domain model and so on. These domain models let us plan the enterprise network environment and organize, manage and control the corporate network. When implementing such a plan, the design usually has to fit the organizational structure within the enterprise. In a large group company, we often need to put one department, or several departments whose work is closely related, into one domain for ease of organization and management. This raises a very tricky problem: if such a domain is geographically distributed over different locations joined by slow links, the synchronization between the PDC and the BDCs across the slow links consumes a large amount of network bandwidth and affects the overall performance of the network. Faced with this problem we were helpless, with no means of control at all. When I came into contact with Win2K, the powerful functions and humanized design ideas of Active Directory made our future network planning and design much more convenient and flexible.
The introduction and implementation of the site concept in the Win2K Active Directory provides a powerful tool for managing and controlling the flow of information between DCs, which effectively solves the problem raised above. A site is a collection of computers that are physically close together and can communicate at a fast rate, generally a LAN, while sites generally communicate with each other over slow connections. A site is thus an objective reflection of the actual physical distribution of computers on the network.
With the site concept, we can arrange the computers of a domain into several sites according to their physical locations. Within a site, Active Directory uses the replication components and the KCC to form a bidirectional ring between the DCs, so that each DC has two replication partners and the ring carries complete information synchronization. When the directory database on a DC changes, the DC waits for a period of time and then sends a change notification to its replication partners; after a partner receives the change information from the changed DC, it replicates the changed directory data. That partner in turn sends the change information to its own replication partners, so that the DCs in the entire site are synchronized. Because fast, reliable network connections are used within a site, replication data between DCs in a site is not compressed, which increases the bandwidth required for replication but reduces the processing load on the DCs. In general, DCs within a site synchronize with the RPC protocol, so data is synchronized quickly and uniformly and the DCs maintain a high level of data consistency. Connections between sites are generally slow, with limited available bandwidth and unreliable data transmission. So as not to affect other data communication over the slow connection, and to ensure the reliability of directory replication between DCs, DCs in different sites do not use the change notification method used within a site; instead, replication follows a schedule. A schedule and a time interval can be set between sites: the schedule determines at which times replication is allowed, and the interval specifies how often the DCs check for changes within the times when replication is allowed. In this way we can set the inter-site DC replication schedule to a time (such as midnight) when the network is not congested and is relatively reliable.
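The following added Python example (not code from the article or from Windows) models the two replication behaviours described above: the bidirectional ring the KCC builds inside a site, where each DC has two partners and a change travels both ways round the ring, and the schedule-plus-interval rule that governs replication between sites. The DC names, the schedule window and the interval are constructed values.

```python
from datetime import datetime, timedelta

# Constructed example: four DCs in one site. Names are made up.
SITE_DCS = ["DC1", "DC2", "DC3", "DC4"]


def ring_partners(dcs):
    """Intra-site topology as the text describes it: the DCs of a site are linked
    into a bidirectional ring, so every DC has exactly two replication partners
    (its neighbours on either side)."""
    n = len(dcs)
    if n < 2:
        return {dc: set() for dc in dcs}
    return {dc: {dcs[(i - 1) % n], dcs[(i + 1) % n]} for i, dc in enumerate(dcs)}


def intrasite_propagation_hops(dcs, origin):
    """Number of partner-to-partner hops before the last DC in the ring has seen
    a change made on `origin`: notifications go both ways round the ring, so the
    farthest DC is n // 2 hops away."""
    if origin not in dcs:
        raise ValueError(f"{origin} is not a DC of this site")
    return len(dcs) // 2


def intersite_replication_times(allowed_hours, interval_minutes, start, end):
    """Inter-site replication in the text's model: the schedule (allowed_hours,
    hours of the day when replication may run) says *when* replication is
    permitted, the interval says *how often* inside that window. Returns the
    attempt times between start and end; outside the window the clock simply
    advances to the next hour boundary."""
    times, t = [], start
    while t < end:
        if t.hour in allowed_hours:
            times.append(t)
            t += timedelta(minutes=interval_minutes)
        else:
            t = t.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
    return times


if __name__ == "__main__":
    for dc, partners in ring_partners(SITE_DCS).items():
        print(dc, "replicates with", sorted(partners))
    # Constructed schedule: replication allowed 00:00-03:59, checked every 3 hours.
    window = set(range(0, 4))
    for when in intersite_replication_times(window, 180,
                                            datetime(2000, 1, 1), datetime(2000, 1, 3)):
        print("inter-site replication attempt at", when)
```

The schedule model shows why a midnight-only window is a trade-off rather than a free win: with a four-hour window and a three-hour interval, a change made at 04:01 is not carried to the other site for almost twenty hours, so the window and interval should be chosen against how stale the remote DCs may be allowed to become.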
Moreover, directory replication between DCs in different sites can use compression, and the replicated information can be compressed to 10% to 15% of its size, which effectively optimizes network bandwidth. By planning the sites of Active Directory reasonably, we can effectively control the synchronization between DCs, optimize network bandwidth and improve network performance. Synchronization between DCs involves not only the DCs of one domain; a small amount of information also needs to be synchronized between DCs of different domains. When we use sites to lay out replication between DCs in Active Directory, the Site Link and Site Link Bridge settings help us build a more reasonable, more efficient and more reliable replication topology among the Active Directory DCs, so that our network system performs at its best.
Third, the application of LDAP in Active Directory
LDAP's full English name is Lightweight Directory Access Protocol. It is based on the X.500 standard but is simpler, and it is a directory service protocol that can be customized according to need. Unlike X.500, LDAP supports TCP/IP, which is necessary for accessing the Internet. The core specifications of LDAP are defined in RFCs, all of which can be found on the LDAPMAN RFC web page. The working model of a directory service is the client/server model. In 1988 the CCITT organization first created this model, including the directory structure, naming methods, search mechanisms and the DAP (Directory Access Protocol) for communication between clients and servers. This standard was quickly adopted by ISO and numbered ISO 9594. In practical application, however, X.500 ran into many obstacles.
Because the DAP protocol strictly follows the complex ISO seven-layer protocol model, it demands too much and places too many requirements on the surrounding protocol layers, and with the popularity of the TCP/IP protocol suite it became less and less able to meet the needs of many small systems. In this situation, a simplified version of DAP, LDAP, came into being.
Early LDAP servers were not standalone directory servers; they mainly acted as a gateway between LDAP clients and X.500 servers, being both the server for LDAP and a client of X.500. Today's LDAP servers can replace X.500 servers and provide service independently. The directory of an LDAP server is organized in units called entries, in a tree-like structure in which each entry is a branch node or a leaf of the tree. An entry consists of multiple attributes, and each attribute consists of a type and one or more values. The LDAP protocol is implemented directly on top of the TCP protocol and defines the communication process and message formats between LDAP clients and LDAP servers. The LDAP server listens on its service port (default port number 389); after receiving a client's request it establishes a connection and starts a session.
The significance of combining Active Directory with the DNS protocol is that the naming method of the internal network is consistent with that of the external network, which makes managing the whole network convenient. The LDAP protocol is the directory access protocol used to query and retrieve Active Directory information. Because it is a directory service protocol based on an industry standard, programs that use LDAP can share Active Directory information with other directory services that also support LDAP. Active Directory uses the LDAP directory access protocol as the means of exchanging information with other applications or directory services. LDAP has become the directory service protocol that is simpler and more practical than the X.500 DAP protocol. Microsoft provided support for LDAP v2 and LDAP v3 in the Exchange Server system, and provides more comprehensive support in the Win2K Active Directory service.
It is worth mentioning the name formats used with the LDAP protocol. Because we access directory objects by name, the name format is very important to users and applications. Active Directory supports most types of name format. Two common formats are:
(1) RFC 822 naming. This naming method has the form object_name@domain_name, which looks very much like an e-mail address, for example MyName@mydomain.com. Active Directory provides this kind of friendly name for all users, so a user can use the friendly name as an e-mail address or as the account name when logging on to the system.
(2) LDAP URL and X.500 names. Any client that supports LDAP can use an LDAP name to access Active Directory through the LDAP protocol. LDAP names are not as intuitive, but they are usually hidden inside the application system, and end users rarely use an LDAP name directly. LDAP names follow the X.500 naming specification, also called attributed naming, and include the server providing the Active Directory service and the object being accessed.
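As an added example of the two name formats just listed (my own Python, not code from the article or from Windows), the block below parses an X.500-style LDAP distinguished name into its attributed components, honouring backslash escapes so that a comma inside a value does not split the name, recovers the DNS domain name from the DC= components (the point made earlier that the Active Directory domain name is the DNS domain name), forms the object_name@domain_name friendly name from the leaf CN, and builds an LDAP URL that names both the server and the object. The server, domain and user names are constructed; in a real directory the friendly logon name is a stored attribute and need not equal the CN, which the lead-in and comments assume only for illustration.

```python
from urllib.parse import quote


def parse_dn(dn):
    """Split an LDAP DN such as 'CN=Smith\\, John,CN=Users,DC=mydomain,DC=com'
    into [(attribute_type, value), ...], left to right (most specific first).
    A backslash escapes the next character, so '\\,' stays inside the value."""
    rdns, attr, buf, in_value, i = [], None, [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # escaped character, taken literally
            i += 2
            continue
        if ch == "=" and not in_value:
            attr, buf, in_value = "".join(buf).strip(), [], True
        elif ch == ",":
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            rdns.append((attr, "".join(buf).strip()))
            attr, buf, in_value = None, [], False
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError(f"RDN without '=' in {dn!r}")
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def dns_domain_from_dn(rdns):
    """The DC= components of a DN, in order, are the labels of the DNS domain name."""
    return ".".join(value for attr, value in rdns if attr.upper() == "DC")


def domain_to_dn(dns_domain):
    """The reverse mapping: 'mydomain.com' -> 'DC=mydomain,DC=com'."""
    return ",".join(f"DC={label}" for label in dns_domain.split("."))


def rfc822_name(rdns):
    """The object_name@domain_name form described in the text, taking the leaf CN
    as the object name (an illustrative assumption, see the lead-in)."""
    leaf_attr, leaf_value = rdns[0]
    if leaf_attr.upper() != "CN":
        raise ValueError("leaf RDN is not a CN")
    return f"{leaf_value}@{dns_domain_from_dn(rdns)}"


def ldap_url(server, dn, port=389):
    """LDAP URL naming the directory server and the object; characters that are
    not allowed in a URL (such as spaces) are percent-encoded, '=' and ',' kept."""
    return f"ldap://{server}:{port}/{quote(dn, safe='=,')}"


if __name__ == "__main__":
    # Constructed names; "mydomain.com" is the example domain used in the text.
    dn = "CN=Smith\\, John,CN=Users,DC=mydomain,DC=com"
    parts = parse_dn(dn)
    print(parts)
    print(dns_domain_from_dn(parts), "<->", domain_to_dn("mydomain.com"))
    print(rfc822_name(parse_dn("CN=MyName,CN=Users,DC=mydomain,DC=com")))
    print(ldap_url("dc1.mydomain.com", "CN=My Name,DC=mydomain,DC=com"))
```

The escape handling is the part worth keeping: code that splits a DN on every comma will misread "Smith, John" as two components, and software that builds DNs by string concatenation from user-supplied names without escaping commas and equals signs ends up addressing a different object than intended.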