Active Directory Technology Summary for Windows 2000 (1)

Source: Internet
Author: User
This article provides a technical overview of the Active Directory, the directory service of the Microsoft Windows 2000 Server operating system. It describes the important concepts, structural elements and features of the Active Directory in detail. The "Important Concepts" section defines the terminology you need before working with the Active Directory. The next two sections, "Structure" and "Active Directory Features", describe in more detail what the Active Directory does, what new capabilities it brings to Windows, and how those capabilities are implemented. The migration section covers moving from the Windows NT 4.0 domain model and directory structure to Windows 2000. The final part, the FAQ, answers a series of practical questions about the Active Directory service and how it operates.

What is a directory service? A directory is a source of information that stores information about objects of interest to its users. For example, a telephone directory stores information about telephone subscribers. In a file system, a directory stores information about files.

In a distributed computing system or a public computer network such as the Internet there are many objects of interest to users: printers, fax servers, applications, databases, and other users. Users want to find and use these objects, and administrators want to manage how they are used.

In this document the term directory refers to a directory in either a public or a private network. A directory service differs from a directory in that it is both the source of the information and the service that makes the information available and usable to users.

Why is a directory service needed? A directory service is one of the most important components of an extended computer system. Users and administrators often do not know the exact name of the object they are interested in. They may know one or more attributes of the object, and they can query the directory for a list of objects that match those attributes, for example: "Find all duplex printers on the 26th floor." The directory service lets users find any object by specifying its properties.

A directory service can:

  • Enforce the security defined by administrators, so that information is not exposed to intruders.

  • Distribute the directory across many computers in a network.

  • Replicate the directory, so that more users can reach it and the loss of a single copy is tolerated.

  • Partition the directory across multiple stores, so that it can hold a very large number of objects.

The directory service is both an administration tool and an end-user tool. As the number of objects in a network grows, the directory service becomes essential: it is the hub around which a large distributed system turns.

What is the Active Directory? The Active Directory is the directory service of Windows 2000 Server. It extends the directory service of earlier Windows versions and adds new features. The Active Directory is secure, distributed, partitioned and replicated. It is designed to work well at any scale, from a single server with a few hundred objects to thousands of servers and millions of objects. The Active Directory adds many features that make large amounts of information easy to manage and to browse, saving time for administrators and end users alike.

Important Concepts

Some of the concepts and terms used to describe the Active Directory are new; others have been in use for some time. Unfortunately, some of the older terms have been used to mean more than one thing. Before going further, it is important to understand how the following concepts and terms are defined in the context of the Active Directory.

Scope. The scope of the Active Directory is enormous. It can include every single object (printers, files or users), every server and every domain in a single wide area network. Several of the following terms apply to more than one network, so keep in mind that the Active Directory scales from a single computer, to a single network, to many combined networks.

Namespace. Like any directory service, the Active Directory is fundamentally a namespace. A telephone directory is a namespace. A namespace is any bounded domain in which a given name can be resolved. Name resolution is the process of translating a name into the object or information that the name represents. A telephone directory forms a namespace in which a subscriber's name can be resolved to a telephone number. The Windows file system forms a namespace in which a file name can be resolved to the file itself.

The Active Directory forms a namespace in which the name of an object in the directory can be resolved to the object itself.

Object. An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer or an application. The attributes hold data that describes the thing identified by the directory object. The attributes of a user might include the user's given name, surname and e-mail address.



Figure 1: A user object and its properties

Container. A container has attributes and is part of the Active Directory namespace, just as an object is. Unlike an object, however, it does not represent a concrete thing: it is a container for a group of objects or other containers.

Tree. In this document, tree always describes a hierarchy of objects and containers. The endpoints (leaves) of a tree are usually objects; the nodes (branch points) of a tree are containers. A tree shows how objects are connected, or the path from one object to another. A simple directory is a container. A computer network or a domain is also a container. A contiguous subtree is any unbroken path in the tree, including all the containers along that path.



Figure 2: A contiguous subtree of a file system

Name. Every object in the Active Directory is identified by a name. There are two different kinds of names.

Distinguished name. Every object in the Active Directory has a distinguished name (DN). The DN identifies the domain that holds the object and the complete path through the container hierarchy by which the object is reached. A typical DN, in the notation used by this document, is:

/o=internet/dc=com/dc=microsoft/cn=users/cn=james Smith

This DN identifies the user object "James Smith" in the microsoft.com domain. The released product writes the same DN in the LDAP string form, with the most specific component first and the components separated by commas: CN=James Smith,CN=Users,DC=microsoft,DC=com.



Figure 3: Graphical representation of a distinguished name

Relative distinguished name. The relative distinguished name (RDN) of an object is the part of the name that is an attribute of the object itself. In the example above, the RDN of the user object "James Smith" is cn=james Smith. The RDN of its parent object is cn=users.
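The relationship between a DN, its RDN and its parent container can be handled mechanically. The following Python is an added example, not code from the original article: it parses a DN written in the LDAP string form into its RDNs and derives the RDN, the parent container, the owning domain and subtree membership from it. The DNs it operates on are constructed for the example. It walks the string instead of splitting on commas because RFC 4514 permits a comma inside a value when it is escaped with a backslash, which a naive split would cut in half.

```python
"""Parse LDAP distinguished names as Active Directory writes them (RFC 4514 string form)."""
from typing import List, Tuple

RDN = Tuple[str, str]   # (attribute type, attribute value)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) RDNs, most specific component first.

    A comma inside a value must be escaped as '\\,' so the parser walks the
    string; dn.split(',') would break 'CN=Smith\\, James' into two RDNs.
    Multi-valued RDNs (a=1+b=2) are not handled; Active Directory does not
    produce them for ordinary objects.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i : i + 2])   # keep the escape sequence verbatim
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def rdn_of(dn: str) -> str:
    """The relative distinguished name: the leftmost component only."""
    return format_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """The DN of the container that holds the object ('' at the root)."""
    return format_dn(parse_dn(dn)[1:])


def domain_of(dn: str) -> str:
    """DNS name of the domain naming context: the DC components, joined."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC").lower()


def is_under(dn: str, container: str) -> bool:
    """True if `dn` lies in the contiguous subtree rooted at `container`.

    Attribute values are compared case-insensitively, as the directory does.
    """
    obj = [(attr, value.lower()) for attr, value in parse_dn(dn)]
    base = [(attr, value.lower()) for attr, value in parse_dn(container)]
    return len(obj) > len(base) and obj[-len(base):] == base


if __name__ == "__main__":
    james = "CN=James Smith,CN=Users,DC=microsoft,DC=com"   # constructed sample DN
    print(rdn_of(james), "|", parent_dn(james), "|", domain_of(james))
```

The suffix comparison in is_under is the same test a directory performs when deciding whether an object falls inside a delegated subtree or a naming context, so a DN that merely contains a container's components in a different order does not match.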

Naming context and partition. The Active Directory consists of one or more naming contexts, or partitions. A naming context is any contiguous subtree of the directory. The naming context is the unit of replication.

In the Active Directory, a single server always holds at least three naming contexts:

  • the schema;

  • the configuration (replication topology and related metadata);

  • one or more user naming contexts (the subtrees that hold the actual objects in the directory).

Domain. A domain is a single security boundary of a Windows NT or Windows 2000 computer network. (See the Windows documentation for more information about domains.) The Active Directory is made up of one or more domains. A domain can span more than one physical location. Every domain has its own security policy and its own security relationships with other domains. When several domains are connected by trust relationships and share a common schema, configuration and global catalog, they form a domain tree. Several domain trees can be joined to form a forest.

Domain tree. A domain tree is a set of domains that share a common schema and configuration and form a contiguous namespace. The domains in a tree are also linked by trust relationships. The Active Directory is a set of one or more trees.

A tree can be pictured in two ways: as the trust relationships between its domains, or as the namespace of the domain tree.

Trust relationship view. You can draw a domain tree in terms of the individual domains and how they trust one another.

Trust relationships between Windows 2000 domains are based on the Kerberos security protocol. Kerberos trusts are transitive and hierarchical: if domain A trusts domain B and domain B trusts domain C, then domain A also trusts domain C. In Windows 2000 this transitivity applies to the trusts that link domains within a forest (the parent-child trusts of a domain tree and the trusts between tree roots). A trust to a Windows NT 4.0 domain, or an explicit trust to a domain in another forest, is one-way and non-transitive, so access cannot be extended through it to any further domain.
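When auditing which accounts can reach a given domain, the difference between transitive forest trusts and non-transitive external trusts is what matters. The following Python is an added example, not code from the original article: it models trusts as directed edges, chains transitive edges, and stops a walk at a non-transitive edge, so that the reachable set for a domain is exactly the set of domains whose users can authenticate to it. The forest layout and the external domain named PARTNER are constructed for the example.

```python
"""Which domains can reach which through Windows 2000 trusts, honouring transitivity."""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# (trusting domain, trusted domain, transitive).  "A trusts B" means principals
# from B can be authenticated to resources in A; the reverse direction needs
# its own edge.
Trust = Tuple[str, str, bool]
TrustGraph = Dict[str, List[Tuple[str, bool]]]


def forest_trusts(links: Iterable[Tuple[str, str]]) -> List[Trust]:
    """Each parent/child or tree-root link inside a forest is a two-way,
    transitive Kerberos trust."""
    edges: List[Trust] = []
    for a, b in links:
        edges.append((a, b, True))
        edges.append((b, a, True))
    return edges


def build_trust_graph(trusts: Iterable[Trust]) -> TrustGraph:
    graph: TrustGraph = {}
    for trusting, trusted, transitive in trusts:
        graph.setdefault(trusting, []).append((trusted, transitive))
        graph.setdefault(trusted, [])
    return graph


def trusted_domains(graph: TrustGraph, resource_domain: str) -> Set[str]:
    """All domains whose principals can authenticate to `resource_domain`.

    Transitive edges can be chained indefinitely.  A non-transitive edge is
    honoured only as the first hop out of `resource_domain`, and the walk
    stops there: the domain on its far side is reachable, nothing beyond it.
    """
    reachable: Set[str] = set()
    expanded = {resource_domain}
    queue = deque([resource_domain])
    while queue:
        domain = queue.popleft()
        for nxt, transitive in graph.get(domain, []):
            if nxt == resource_domain:
                continue
            if transitive:
                reachable.add(nxt)
                if nxt not in expanded:      # do not re-walk a domain
                    expanded.add(nxt)
                    queue.append(nxt)
            elif domain == resource_domain:
                reachable.add(nxt)           # one hop only, never expanded
    return reachable


def can_authenticate(graph: TrustGraph, user_domain: str, resource_domain: str) -> bool:
    return user_domain == resource_domain or user_domain in trusted_domains(graph, resource_domain)


# Constructed example: a forest with two trees (microsoft.com and msn.com), a
# child domain under microsoft.com, and a one-way non-transitive trust from the
# child domain to a Windows NT 4.0 domain named PARTNER.
SAMPLE_TRUSTS: List[Trust] = forest_trusts([
    ("microsoft.com", "sales.microsoft.com"),   # parent / child
    ("microsoft.com", "msn.com"),               # tree root / tree root
]) + [
    ("sales.microsoft.com", "PARTNER", False),  # external trust, NT 4.0 style
]


if __name__ == "__main__":
    graph = build_trust_graph(SAMPLE_TRUSTS)
    for domain in sorted(graph):
        print(f"{domain} accepts logons from: {sorted(trusted_domains(graph, domain))}")
```

Note that PARTNER users can log on to sales.microsoft.com resources but not to microsoft.com or msn.com, even though those domains trust sales.microsoft.com transitively: the external edge is not part of the forest's Kerberos hierarchy, so nothing chains through it. A second edge in the other direction would be needed for sales.microsoft.com users to log on to PARTNER.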



Figure 4: A domain tree shown as trust relationships

Namespace view. You can also draw a domain tree in terms of its namespace. You can determine an object's distinguished name by following the namespace of the domain tree. This view is useful for grouping objects into a logical hierarchy. The main advantage of a contiguous namespace is that a deep search from the root of the namespace covers the entire hierarchy.



Figure 5: A domain tree shown as a namespace

Forest. A forest is a set of one or more trees that do not form a contiguous namespace. All trees in a forest share the same schema, configuration and global catalog, and all trees in a forest trust one another through the hierarchical Kerberos trust relationships. Unlike a tree, a forest does not need a distinct name. A forest exists as a set of cross-referenced objects and Kerberos trust relationships known to all member trees. The trees in a forest form a hierarchy for the purposes of Kerberos trust; the name of the tree at the root of that trust hierarchy can be used to refer to a given forest.



Figure 6: Multiple trees in a forest

Site. A site is a location in the network that contains Active Directory servers. A site is defined as one or more well-connected TCP/IP subnets. "Well-connected" means that network connectivity is highly reliable and fast (LAN speeds of 10 Mbit/s or better). Defining sites as sets of subnets lets administrators configure Active Directory access and replication topology quickly and easily in a way that takes advantage of the physical network. When a user logs on, the Active Directory client locates an Active Directory server in the same site as the user. Because machines in the same site are close to each other in network terms, communication between them is reliable, fast and efficient. Identifying the local site at logon time is easy to implement, because the user's workstation already knows which TCP/IP subnet it is on, and subnets map directly to Active Directory sites.
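The subnet-to-site mapping described above is a longest-prefix match: when a narrow subnet is carved out of a wider one, the client must be placed in the narrower subnet's site. The following Python is an added example, not code from the original article, and the subnets, site names and domain controller names in it are constructed. It also shows the operational failure mode that follows from the design: a client on a subnet no administrator has mapped to any site gets no site at all, and falls back to whatever domain controller it can find, which may be across a slow link.

```python
"""Map a client address to its Active Directory site by longest-prefix subnet match."""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data: subnet -> site, and the domain controllers per site.
SUBNETS: Dict[str, str] = {
    "10.0.0.0/8": "HQ",            # broad range covering the campus
    "10.2.0.0/16": "Branch-East",  # narrower range carved out of 10/8
    "192.168.50.0/24": "Lab",
    "2001:db8:1::/48": "HQ",
}
DCS_BY_SITE: Dict[str, List[str]] = {
    "HQ": ["DC01.microsoft.com", "DC02.microsoft.com"],
    "Branch-East": ["DC-EAST.microsoft.com"],
    "Lab": [],                     # a site defined without its own controller
}


def build_subnet_table(subnets: Dict[str, str]) -> List[Tuple[Network, str]]:
    """Sort subnets longest prefix first so that the most specific subnet wins
    when ranges overlap (10.2.0.0/16 must beat 10.0.0.0/8)."""
    table = [(ipaddress.ip_network(cidr, strict=False), site)
             for cidr, site in subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_address(table: Sequence[Tuple[Network, str]], address: str) -> Optional[str]:
    """Return the site whose subnet contains `address`, or None when no
    subnet is defined for it (a client on an unmapped subnet has no site)."""
    ip = ipaddress.ip_address(address)
    for network, site in table:
        if ip.version == network.version and ip in network:
            return site
    return None


def locate_dcs(table: Sequence[Tuple[Network, str]],
               dcs_by_site: Dict[str, List[str]], address: str) -> List[str]:
    """Domain controllers the client should try, nearest first.

    A client in a site that has its own controllers gets only those.  A client
    whose subnet is unmapped, or whose site has no controller, falls back to
    every controller in the domain, which in practice means authenticating
    over a WAN link.  (The real locator finds controllers through DNS SRV
    records; the list here stands in for that lookup.)
    """
    site = site_for_address(table, address)
    local = dcs_by_site.get(site, []) if site else []
    if local:
        return list(local)
    return [dc for dcs in dcs_by_site.values() for dc in dcs]


if __name__ == "__main__":
    table = build_subnet_table(SUBNETS)
    for client in ("10.2.5.9", "10.9.9.9", "192.168.50.7", "172.16.0.1"):
        print(client, "->", site_for_address(table, client), locate_dcs(table, DCS_BY_SITE, client))
```

Reviewing a site design therefore means checking for two things: subnets that overlap without the narrower one being mapped to the intended site, and subnets in use on the network that appear in no site at all.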

Structure

This brief section describes some of the basic structural elements of the Active Directory.

Data model. The Active Directory data model is derived from the X.500 data model. The directory holds objects that represent things of various kinds, described by attributes. The universe of objects that can be stored in the directory is defined in the schema. For each object class, the schema defines which attributes an instance of the class must have, which additional attributes it may have, and which object classes can be its parent.

Schema. The Active Directory schema is implemented as a set of object class instances stored in the directory. This differs from many directories that have a schema but store it as a text file read at startup. Storing the schema in the directory has many advantages. For example, a user application can read the schema to discover which objects and properties are available.

The Active Directory schema can be extended dynamically. That is, an application can extend the schema with new attributes and object classes and use the extensions immediately. Schema updates are made by creating or modifying the schema objects stored in the directory. Like every object in the Active Directory, schema objects are protected by access control lists (ACLs), so only authorized users can change the schema.

Security model. The directory is part of the Windows Trusted Computing Base and is a full participant in the Windows 2000 security infrastructure. ACLs protect every object in the Active Directory. The Windows 2000 access validation routine uses these ACLs to check every attempt to access an object or attribute in the Active Directory.

Administration model

Authority is delegated in the Active Directory. A user with higher authority can grant control over specified objects, or specified object classes, within a particular subtree of the directory. This is called delegated administration. Delegated administration gives fine-grained control over who can do what, and lets administrative duties be handed out without granting elevated privileges.

Directory System Agent. The Directory System Agent (DSA) is the process that manages the physical storage of the directory. Clients connect to the DSA through one of the supported interfaces to find, read and write directory objects and their attributes. The DSA isolates clients from the physical storage format of the directory data.
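The security model and administration model described above rest on one mechanism: ACLs on directory objects, evaluated in a fixed order and inherited down a subtree. The following Python is an added example, not code from the original article, and it is a simplified model of the Windows access check rather than the real routine: it keeps the canonical ACE order (an object's own entries before inherited ones, denies before allows within each group, nearer ancestors before farther ones), honours the object-class filter that lets a delegation cover only user objects, and checks one right at a time so that first match wins. The OU tree, group names and rights are constructed for the example; ownership, privileges and the SACL are left out.

```python
"""Simplified Active Directory DACL evaluation over an OU tree, showing how
delegated administration is scoped to a subtree and an object class."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Ace:
    trustee: str                        # SID or group the entry applies to
    right: str                          # e.g. "ResetPassword", or "GenericAll"
    allow: bool                         # False = access-denied entry
    inherit: bool = False               # propagate to descendants of the object
    object_class: Optional[str] = None  # restrict to one class (None = any)


@dataclass
class DirObject:
    dn: str
    object_class: str
    dacl: List[Ace] = field(default_factory=list)   # explicit entries only
    parent: Optional["DirObject"] = None


def _canonical(aces: Iterable[Ace]) -> List[Ace]:
    """Within one group of entries, access-denied precedes access-allowed."""
    aces = list(aces)
    return [a for a in aces if not a.allow] + [a for a in aces if a.allow]


def effective_dacl(obj: DirObject) -> List[Ace]:
    """Canonical order: the object's own entries, then entries inherited from
    the parent, then the grandparent, and so on up the tree."""
    applies = lambda a: a.object_class in (None, obj.object_class)
    result = _canonical(a for a in obj.dacl if applies(a))
    node = obj.parent
    while node is not None:
        result += _canonical(a for a in node.dacl if a.inherit and applies(a))
        node = node.parent
    return result


def access_check(obj: DirObject, token: Iterable[str], right: str) -> bool:
    """First matching entry decides; no match means denied.  `token` holds the
    SIDs the caller carries (its own plus its groups).  Checking one right at
    a time makes first-match-wins equivalent to the Windows routine, which
    otherwise accumulates granted bits across several allow entries."""
    sids = set(token)
    for ace in effective_dacl(obj):
        if ace.trustee in sids and ace.right in (right, "GenericAll"):
            return ace.allow
    return False


def build_sample_directory() -> Dict[str, DirObject]:
    """Constructed example: Helpdesk may reset passwords of user objects under
    OU=Sales only, with the CEO's account carved out by an explicit deny."""
    objs: Dict[str, DirObject] = {}

    def add(dn: str, cls: str, parent: Optional[str] = None, dacl: Iterable[Ace] = ()) -> None:
        objs[dn] = DirObject(dn, cls, list(dacl), objs.get(parent) if parent else None)

    add("DC=example,DC=com", "domainDNS", dacl=[
        Ace("Domain Admins", "GenericAll", True, inherit=True)])
    add("OU=Sales,DC=example,DC=com", "organizationalUnit", "DC=example,DC=com", dacl=[
        Ace("Helpdesk", "ResetPassword", True, inherit=True, object_class="user")])
    add("OU=Engineering,DC=example,DC=com", "organizationalUnit", "DC=example,DC=com")
    add("CN=Alice,OU=Sales,DC=example,DC=com", "user", "OU=Sales,DC=example,DC=com")
    add("CN=CEO,OU=Sales,DC=example,DC=com", "user", "OU=Sales,DC=example,DC=com", dacl=[
        Ace("Helpdesk", "ResetPassword", False)])          # explicit deny wins
    add("CN=Sales Team,OU=Sales,DC=example,DC=com", "group", "OU=Sales,DC=example,DC=com")
    add("CN=Bob,OU=Engineering,DC=example,DC=com", "user", "OU=Engineering,DC=example,DC=com")
    return objs


if __name__ == "__main__":
    d = build_sample_directory()
    helpdesk = {"Helpdesk", "Domain Users"}
    for dn in d:
        print(f"{dn}: Helpdesk ResetPassword -> {access_check(d[dn], helpdesk, 'ResetPassword')}")
```

The point for a reviewer of a delegation is visible in the sample: the Helpdesk group never received anything outside OU=Sales, nothing on group objects inside it, and the explicit deny on one account overrides the inherited allow. Note that an inheritable allow placed higher in the tree than intended silently extends the delegation to every descendant, which is the mistake that most often turns a delegation into an elevation path.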


