What is a domain?

Source: Internet
Author: User

Today, many people deal with domains, knowingly or not. If you use a computer at work and it is connected to the company's LAN, it may be in a domain. How do you check whether your computer is joined to a domain? Taking Windows as an example: right-click My Computer and choose Properties. You can see that the computer I am using has been added to a domain.

Domains have become the way most companies organize and connect their computers. So why use a domain, and what benefits does it bring? Suppose you are the company's system administrator and the company has one thousand computers. If you had to set up a logon account on each computer and set permissions (such as whether the account may install software), you would need to sit in front of each of these one thousand computers in turn. To change anything, you would have to make the change on all one thousand computers again. No administrator wants to work that way, without eating, drinking, or sleeping, so the concept of the domain emerged.

Take Windows as an example. In Microsoft's world, a domain is controlled by one or more domain controllers (domain controllers are not mysterious; a domain controller is nothing more than a computer with some special software installed). When other computers join the domain, they come under the control of the domain controller. The domain controller has two important tables: one is the list of computers that have joined the domain, and the other is called Active Directory. Active Directory holds the accounts you use to log on to the company network, and your permissions are stored there as well. When you log on to a computer, you enter your user name and password. Your computer first sends your login information to the domain controller. The domain controller checks whether your login information is correct and then returns an access key to your computer. This access key contains your permissions, which determine whether you can install software or use a printer.

With a domain, you as the administrator can sit in front of one computer and log on to the domain controller to control all permissions, without having to go to each computer and set them there. Work efficiency improves a lot, but that is not enough. If the company has one thousand employees, do you need to set permissions for each of these one thousand people in the domain controller? That also sounds very troublesome. In fact, many employees have the same permissions. Can we set these permissions only once and then assign them to the relevant employees? The answer is to use groups. For example, in a school we set up a student group and a teacher group. On a computer, we set up a shared folder: the student group is denied access to the folder, and the teacher group can access it. We put different users into different groups and then set permissions for the groups, which saves the trouble of configuring each user.

Organizational units are larger than groups. An organizational unit can contain users, groups, resources (computers, printers, etc.), and other organizational units. For example, a computer in a mall is joined to the mall's domain, but the computer stands in a public place, which poses a great risk. We can therefore place the computer in a separate organizational unit and then set permissions for that organizational unit. For example, no matter who logs on to a computer in that organizational unit, they cannot change the password.

In many cases, a company has subsidiaries, so the parent company has a domain and the subsidiary has a separate domain. How can the parent company's domain be associated with the subsidiary's domain? We can establish a trust relationship between them. If an account from the parent company is to be able to log on in the subsidiary's domain, the subsidiary's domain must establish a trust relationship with the parent company's domain. When an account from the parent domain wants to log on in the subsidiary's domain, the subsidiary's domain accepts the access key returned by the parent domain's domain controller, because it trusts the parent domain. Conversely, because the parent company's domain has not established trust in the subsidiary's domain, a subsidiary account cannot log on to the parent company's domain.

Although the examples above are all Windows domains, the concept of a domain is by no means unique to Microsoft. You can also use software named Samba on Linux to create a domain. If you want to build a domain environment on Windows, pay attention to the following two points:

(1) You cannot use the Home Edition of the Windows operating system (as the name suggests, it is for home use, and you do not need to build a domain at home).

(2) The domain controller cannot use the Web Edition server, because it does not have Active Directory installed.

In real environments, many companies use multiple domain controllers in a domain, because with only one domain controller the entire domain is paralyzed as soon as that domain controller stops working properly. With Samba on Linux, two kinds of domain controller are used: the primary domain controller and the backup domain controller. Once the primary domain controller fails, the backup domain controller takes over until the primary domain controller returns to normal. The backup domain controller is a copy of the primary domain controller, but its data is read-only; that is, the administrator cannot modify permissions on the backup domain controller.

In Windows, there is no primary domain controller and backup domain controller. Every domain controller plays the same role. For example, if you have three domain controllers, you can modify user permissions on any one of them, and your modifications are copied to the other two. Similarly, if one domain controller fails, the entire domain keeps running normally as long as the other domain controllers still work.

Finally, we will list two useful commands:

List all domain controllers in the domain: netdom query /D:Mydomain DC

Check which domain controller you logged on through: echo %logonserver%
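
The checks this article walks through (whether the computer is in a domain, which domain controllers exist, which one handled the logon, and which trust relationships the domain has) can be gathered into one read-only PowerShell function. This is an added example, not part of the original article; the function name Get-DomainSummary is hypothetical, and it relies only on the built-in Get-CimInstance cmdlet and the .NET System.DirectoryServices.ActiveDirectory classes.

```powershell
# Added example. Read-only: queries local and directory state, changes nothing.
function Get-DomainSummary {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    if (-not $cs.PartOfDomain) {
        # Workgroup machine: there is no domain controller to ask.
        "$($cs.Name) is not joined to a domain (workgroup: $($cs.Workgroup))"
        return
    }

    "Computer     : $($cs.Name)"
    "Domain       : $($cs.Domain)"
    # Same value that 'echo %logonserver%' prints in cmd.exe.
    # For a local-account session it is the computer's own name.
    "Logon server : $env:LOGONSERVER"

    try {
        # The domain this computer is joined to (not the logged-on user's domain).
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    }
    catch {
        # Joined to a domain, but no controller answered (off-network, local logon).
        Write-Warning "No domain controller reachable: $($_.Exception.Message)"
        return
    }

    ''
    'Domain controllers:'
    foreach ($dc in $domain.DomainControllers) {
        "  $($dc.Name)  site=$($dc.SiteName)"
    }

    ''
    'Trust relationships (direction is reported relative to the source domain):'
    $trusts = $domain.GetAllTrustRelationships()
    if ($trusts.Count -eq 0) {
        '  none'
    }
    foreach ($t in $trusts) {
        "  source=$($t.SourceName) target=$($t.TargetName) direction=$($t.TrustDirection) type=$($t.TrustType)"
    }
}

Get-DomainSummary
```

Comparing the reported trust directions against the intended design shows whether a trust meant to be one-way, like the parent and subsidiary case above, has been configured as bidirectional.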
