Windows 2000 Active Directory detailed

One of the biggest breakthroughs and successes of the Win2K system is its newly introduced "Active Directory" service. It ties Win2K much more tightly to the services and protocols of the Internet, because the directory is named with "domain names" in a consistent manner and then resolved through DNS, so that name resolution yields results consistent with resolution on the Internet. The Active Directory also reflects a strategic shift in Microsoft's network architecture: although some earlier products (such as Exchange Server and IIS) already provided services similar to the Active Directory in the NT era, the Active Directory as a new, integrated service model only arrived with the birth of Win2K, and it appears to be ubiquitous throughout the Win2K system.

I. The origin of the Active Directory

What the Active Directory most readily brings to mind is the "directory" and "path" of DOS and the "folder" of Windows 9x/Me. At that time a "directory" or "folder" only represented a file's location on disk and its hierarchical relationship to other files. Once a file had been created, its position relative to its directory was fixed (leaving aside deleting, moving and so on), which means its properties were relatively fixed, that is, static. Such a directory could only tell you the location of the files it contained and their total size; it could not yield any other relevant information. This limited the efficiency with which the directory, and therefore the whole system, could be used, and made management of the whole system complex. Because there was no correlation between them, the same object had to be configured repeatedly in different applications, management became considerably more cumbersome, and system resources were used inefficiently. To change this inefficient relationship and to strengthen the association with the relevant protocols on the Internet, Microsoft decided to overhaul Win2K and introduced the concept of the Active Directory. The key to understanding the Active Directory is the word "active": if you drop "active" and read only "directory", you will never get beyond the directory of DOS or the folder of Windows 9x. Because this directory is active, it is dynamic; it is a directory that contains service functions, and it can associate and map the information it holds. If you find a user name, you can reach that user's account, date of birth, e-mail address, telephone number and other basic information, even though the files that make up this information may not be stored together. At the same time, this information can be shared among different applications, which reduces wasted development effort and improves the utilization of system resources.

The Active Directory has two aspects: the directory and the directory-related services. A directory is a physical container for storing a variety of objects; viewed statically, it is not fundamentally different from the "directory" and "folder" we already know, just an object, an entity. A directory service is the service that makes all of the information and resources in the directory work. The Active Directory is a distributed directory service: it can be spread across several different computers. To ensure fast access, the same information is held on multiple machines, and because of this strong control over the information, users are presented with a unified view regardless of where they access the directory from or where the information is stored.

II. Related terminology

Although many of the technologies used in the Active Directory have appeared in other software products, this is the first time they have appeared together as a comprehensive overall network solution, so many of the terms may be unfamiliar. It is therefore necessary to have a detailed understanding of the relevant nouns and terminology of the Active Directory.

1. Namespace: In essence, the Active Directory is a namespace. A namespace can be understood as the resolution boundary of any given name, that is, the full range of information that the name can provide, relate to or map. In plain terms, when we search the server we look up all of the information associated with an object that can be found. Take a user: if we have defined for this user in the server the user name, user password, work unit, contact telephone number, home address and so on, then the sum of the above is generally understood as the namespace of "user", because we only need to enter a user name to find all of the information listed above. Name resolution is the process of translating a name into the object or information that the name represents. For example, a telephone directory forms a namespace: from each subscriber's name we can resolve the corresponding telephone number, rather than names being just names and numbers just numbers with no link between them. The file system of the Windows operating system also forms a namespace, in which each file name can be resolved into the file itself (with all of the information it should carry).

2. Object: An object is an information entity in the Active Directory, that is, what we usually see as "attributes", except that it is a set of attributes and often represents a physical entity, such as a user account or a file name. An object describes its basic characteristics through attributes; for example, the user's name, telephone number, e-mail address and home address may all be included among the attributes of a user account.

3. Container: A container is part of the Active Directory namespace. Like a directory object it has attributes, but unlike a directory object it does not represent a physical entity; it represents a space for objects, and because it represents only the space of an object it is smaller than the namespace. For example, a user is an object, but the object's container is limited to the information space the object itself can provide, such as only the user name and user password; other items such as work unit, contact telephone number and home address fall outside the scope of this object's container.

4. Directory tree: In any namespace, a directory tree is a hierarchy of containers and objects. The leaves of the tree are usually objects and the non-leaf nodes are containers. The directory tree expresses how objects are connected and also shows the path from one object to another. In the Active Directory the directory tree is the basic structure: starting from any container and going down layer by layer, a tree is formed. A simple directory can form a tree, and a computer network or a domain can also form a tree. This is easy to understand: when we first learned about computers, did we not start with a thorough understanding of the concept of a path under DOS? This "directory tree" is really a "path relationship", and if you understand the DOS "path" you will have no problem understanding the "directory tree".

5. Domain: The domain is the security boundary of the Win2K network system. The most basic unit of a computer network is the "domain", which is not unique to Win2K, but the Active Directory can span one or more domains. On a stand-alone computer the domain is the computer itself. A domain can be spread across multiple physical locations, while a single physical location can divide its different network segments into different domains, each with its own security policy and its own trust relationships with other domains. When multiple domains are connected through trust relationships, the Active Directory can be shared by all of the trusting domains.

6. Organizational unit: A particularly useful directory object type within a domain is the organizational unit. An organizational unit is a container in the Active Directory into which users, groups, computers and other organizational units can be placed; it cannot include objects from other domains. An organizational unit is the smallest unit to which Group Policy settings can be assigned or administrative permissions delegated. With organizational units you can create containers in a domain that represent the logical hierarchy of your organization, so that you can manage accounts and the configuration and use of resources according to your organizational model, and you can build management models that scale to any size. You can grant a user administrative rights over all organizational units in a domain or over a single organizational unit, and the administrator of one organizational unit need not have administrative authority over any other organizational unit in the domain. In terms of administrative authority, an organizational unit is a little like the workgroup of the NT era.

7. Domain tree: A domain tree consists of multiple domains that share the same schema and configuration and form a contiguous namespace. The domains in the tree are connected by trust relationships, and the Active Directory contains one or more domain trees. The deeper a domain sits in the domain tree, the lower its level. Each "." represents one level of the hierarchy, so a child domain whose name has two levels is lower than a parent domain whose name has only one, and a domain whose name has three levels is lower again, for the same reason.

Domains in a domain tree are connected by two-way transitive trust relationships. Because these trusts are two-way and transitive, a newly created domain in the domain tree or forest immediately has a trust relationship with every other domain in the tree or forest. These trust relationships allow a single logon process to authenticate a user to all domains in the domain tree or forest, but this does not necessarily mean that the authenticated user has the same rights and permissions in every domain of the tree. Because domains are security boundaries, users must be assigned the appropriate rights and permissions on a per-domain basis.

8. Domain forest: A domain forest is composed of one or more domain trees that do not form a contiguous namespace. The most obvious difference from the domain tree described above is that there is no contiguous namespace between these domain trees, whereas a domain tree is composed of domains with a contiguous namespace. However, all domain trees in the forest still share the same schema, configuration and global catalog. All domain trees in the forest are linked through Kerberos trust relationships, so each domain tree knows about the Kerberos trust relationships, and different domain trees can cross-reference objects in other domain trees. The forest has a root domain, which is the first domain created in the forest, and the root domain of every domain tree in the forest establishes a transitive trust relationship with the forest root domain.
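The relationships described under points 7 and 8 (a "." per level, contiguous names within a tree, tree-root trusts to the forest root, and transitive trust paths) can be modelled directly. The following is an added example, not code from the article or from Windows 2000; the forest layout and domain names are constructed, and the "lowest common ancestor" shortcut within one tree is an assumption of the model.

```python
"""Constructed model of Active Directory domain trees, a forest, and the
transitive trust path between two domains (added illustration)."""
from typing import List, Optional, Set

# Constructed forest: example.com is the forest root and the root of the
# first tree; example.net is the root of a second tree (non-contiguous
# namespace) joined to the forest root by a tree-root trust.
FOREST: Set[str] = {
    "example.com", "sales.example.com", "eu.sales.example.com",
    "eng.example.com", "example.net", "lab.example.net",
}
FOREST_ROOT = "example.com"


def depth(domain: str) -> int:
    """Number of levels in the DNS name: each '.' separates one level."""
    return len(domain.strip(".").split("."))


def dn_from_domain(domain: str) -> str:
    """LDAP distinguished name of the domain object, one DC= per label."""
    return ",".join(f"DC={label}" for label in domain.split("."))


def parent_domain(domain: str, forest: Set[str]) -> Optional[str]:
    """Parent within the forest: the nearest name suffix that is itself a
    forest domain. None means the domain is a tree root."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in forest:
            return candidate
    return None


def chain_to_root(domain: str, forest: Set[str]) -> List[str]:
    """[domain, parent, grandparent, ..., tree root]."""
    chain = [domain]
    while (parent := parent_domain(chain[-1], forest)) is not None:
        chain.append(parent)
    return chain


def tree_root(domain: str, forest: Set[str]) -> str:
    return chain_to_root(domain, forest)[-1]


def same_tree(a: str, b: str, forest: Set[str]) -> bool:
    """Same tree means contiguous namespace: both share one tree root."""
    return tree_root(a, forest) == tree_root(b, forest)


def trust_path(src: str, dst: str, forest: Set[str], forest_root: str) -> List[str]:
    """Domains a transitive trust passes through from src to dst.
    Within one tree the path climbs only to the lowest common ancestor;
    between trees it goes through the forest root via tree-root trusts."""
    up = chain_to_root(src, forest)
    down = chain_to_root(dst, forest)
    if up[-1] == down[-1]:
        common = up[-1]
        while up and down and up[-1] == down[-1]:
            common = up.pop()
            down.pop()
        return up + [common] + list(reversed(down))
    path = up[:]
    if path[-1] != forest_root:
        path.append(forest_root)
    descent = list(reversed(down))
    if descent[0] == forest_root:
        descent = descent[1:]
    return path + descent


if __name__ == "__main__":
    print(trust_path("eu.sales.example.com", "lab.example.net", FOREST, FOREST_ROOT))
```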

9. Site: A site is a network location that includes Active Directory domain servers, usually one or more subnets connected by TCP/IP. The subnets within a site are connected by a reliable, fast network. Dividing the network into sites makes it easier for the administrator to configure a complex Active Directory structure and to make better use of the physical network's characteristics, so that network communication is kept in an optimal state. When a user logs on to the network, the Active Directory client looks for an Active Directory domain server within the same site, and because network traffic within a site is reliable, fast and efficient, the user can log on to the network system in the shortest possible time. Because sites are bound to subnets, the Active Directory can easily locate the user's site at logon and then locate an Active Directory domain server there to complete the logon.
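The site lookup described above (subnet identifies the site, a domain controller in that site is preferred) as an added example, not code from the article or from Windows 2000. The subnets, site names, link costs and domain controller names are constructed, and the fallback to the site with the cheapest link when the client's own site has no domain controller is a simplifying assumption.

```python
"""Constructed model of Active Directory site lookup at logon."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology: subnet objects mapped to sites.
SUBNET_TO_SITE: Dict[str, str] = {
    "10.1.0.0/16": "HQ",
    "10.1.50.0/24": "HQ-Lab",    # nested inside 10.1.0.0/16, more specific
    "10.2.0.0/16": "Branch",
}
# Domain controllers per site; HQ-Lab has none of its own.
SITE_DCS: Dict[str, List[str]] = {
    "HQ": ["dc1.example.com", "dc2.example.com"],
    "HQ-Lab": [],
    "Branch": ["dc3.example.com"],
}
# Site link costs (symmetric); lower is cheaper.
SITE_LINKS: Dict[Tuple[str, str], int] = {
    ("HQ", "HQ-Lab"): 10,
    ("HQ", "Branch"): 100,
}


def locate_site(client_ip: str) -> Optional[str]:
    """Longest-prefix match of the client address against the subnet list,
    so a client in 10.1.50.0/24 lands in HQ-Lab, not in the wider HQ subnet."""
    ip = ipaddress.ip_address(client_ip)
    best = None  # (network, site) of the most specific match so far
    for cidr, site in SUBNET_TO_SITE.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def link_cost(a: str, b: str) -> Optional[int]:
    """Cost of the site link between a and b in either direction."""
    if (a, b) in SITE_LINKS:
        return SITE_LINKS[(a, b)]
    return SITE_LINKS.get((b, a))


def choose_dc(client_ip: str) -> Optional[str]:
    """Prefer a DC in the client's own site; if that site has no DC, use the
    DC-holding site reachable over the cheapest site link. Returns None when
    the client's subnet is not registered, so no site can be determined."""
    site = locate_site(client_ip)
    if site is None:
        return None
    if SITE_DCS.get(site):
        return SITE_DCS[site][0]
    candidates = []
    for other, dcs in SITE_DCS.items():
        cost = link_cost(site, other)
        if dcs and cost is not None:
            candidates.append((cost, other))
    if not candidates:
        return None
    _, nearest = min(candidates)
    return SITE_DCS[nearest][0]


if __name__ == "__main__":
    for ip in ("10.1.3.4", "10.1.50.7", "10.2.9.9", "192.168.1.1"):
        print(ip, locate_site(ip), choose_dc(ip))
```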

10. Domain controller: A domain controller is a Win2K Server computer that has been configured with the Active Directory Installation Wizard. The wizard installs and configures the components that provide Active Directory services to network users and computers. Domain controllers store directory data and manage user interactions with the domain, including user logon, authentication and directory searches; a domain can have one or more domain controllers. For high availability and fault tolerance, a small organization with a single local area network (LAN) may need only one domain with two domain controllers, while a large company with multiple network locations needs one or more domain controllers at each location.

The Win2K Server domain controller extends the capabilities and features of the Windows NT Server 4.0 domain controller. Win2K Server uses multi-master replication to synchronize the directory data on every domain controller, ensuring that the information stays consistent over time, that is, dynamic; this is the role of the Active Directory. Multi-master replication is a development of the primary domain controller and backup domain controller model used in Windows NT Server 4.0, where only one server, the primary domain controller, held a writable copy of the directory.

III. The significance of installing the Active Directory

We have said that one of the successes and innovations of Win2K is the introduction of the Active Directory service, so what is the point of installing it? This is one of the first questions every Win2K beginner asks. Since the Active Directory is not a service that a Win2K system must install, and it is not easy to understand fully, what does installing the Active Directory mean? It is mainly reflected in the following aspects:

1. Information security is greatly enhanced

After the Active Directory is installed, information security is fully integrated with it: user authorization management and directory access control, including user access and logon rights, are built into the Active Directory, and these are the key security measures of the Win2K operating system. The Active Directory centrally controls user authorization, and directory access control can be defined not only on each object in the directory but also on each attribute of each object, which was not possible in any previous system, including Windows NT 4.0. In addition, the Active Directory provides the storage and application scope for security policies. A security policy can contain account information, such as domain-wide password restrictions or access to specific domain resources. So, in a certain sense, Win2K security is the security of the Active Directory, and how to configure the security of the objects and attributes in the Active Directory is the key to the network management configuration of a Win2K system.

2. Policy-based management makes system management clearer

The Active Directory service consists of a data store for directory objects and a logical hierarchy (directories, directory trees, domains, domain trees, domain forests and so on). As a directory, it stores the policies assigned to specific environments, called Group Policy objects; as a logical structure, it provides a layered environment in which policies are applied. A Group Policy object represents a set of business rules containing settings related to the environment to which it is applied, and Group Policy is the set of configuration settings used when a user or computer initializes. All Group Policy settings are contained in Group Policy objects (GPOs) that are applied to the Active Directory, a domain or an organizational unit. The GPO settings determine access to directory objects and domain resources, which domain resources users can use, and how those resources are used. For example, a Group Policy object can determine which applications a user sees on the computer at logon, how many users can connect to a server when it starts, and which files or services users can access when they move to a different department or group. Group Policy objects let you manage a small number of policies rather than a large number of users and computers. The Active Directory lets you apply Group Policy settings to the appropriate environment, whether that is your entire organization or a specific department within it.

3. Highly extensible

The Win2K Active Directory is highly extensible: administrators can add new object classes to the schema or add new attributes to existing object classes. The schema contains the definition of every object class and of the attributes of each object class that can be stored in the directory. For example, in e-commerce you could add a purchase-authorization attribute to each user object and then store each user's purchasing permission as part of the user account.

4. Highly scalable

The Active Directory can span one or more domains, each with one or more domain controllers, so the directory can be sized to meet the needs of any network. Multiple domains can form a domain tree and multiple domain trees can form a forest, so the Active Directory grows as the domain structure grows and adapts well to changes in the organization's network. The directory distributes its schema and configuration information to all domain controllers in the directory; this information is stored on the first domain controller of the domain and replicated to every other domain controller in the domain. When the directory is configured as a single domain, adding domain controllers changes the size of the directory without affecting the administrative overhead of other domains. Adding a domain to the directory lets you partition the directory for different policy environments and size it to accommodate a large number of resources and objects.

5. Intelligent information replication

Information replication provides the directory with availability, fault tolerance, load balancing and performance benefits. The directory uses multi-master replication, which lets updates to the directory be made on any domain controller rather than only on a single primary domain controller. Multi-master mode has the advantage of greater fault tolerance, because with multiple domain controllers replication continues even if any individual domain controller stops working. With multi-master replication every domain controller updates the same directory: after directory information is created or modified on one domain controller, the new or changed information is sent to all other domain controllers in the domain, so their directory information stays current. Domain controllers need the latest directory information, but to be efficient the updates must be limited to new or changed directory information, to avoid synchronizing during peak periods and slowing the network. Indiscriminately exchanging directory information between domain controllers would quickly overwhelm any network; replicating only the changes is what the Active Directory achieves, without a significant increase in the load on the domain controllers.

6. Tightly integrated with DNS

The Active Directory uses the Domain Name System (DNS) to name the directory servers. DNS is an Internet standard service that converts host names, which are easier for people to understand, into numeric IP addresses, and so lets computers on a TCP/IP network identify and communicate with one another. DNS domain names follow the hierarchical DNS naming structure, an inverted tree with a single root domain, under which lie parent and child domains (the branches and leaves). I will cover this point in detail in a separate chapter; here it is only introduced briefly.

7. Interoperability with other directory services

Because the Active Directory is based on standard directory access protocols, and many application programming interfaces (APIs) give developers access to these protocols, such as the Active Directory Service Interfaces (ADSI), version 3 of the Lightweight Directory Access Protocol (LDAP) and the Name Service Provider Interface (NSPI), it can interoperate with other directory services that use the same protocols. LDAP is the directory access protocol used to query and retrieve information in the Active Directory. Because it is an industry-standard protocol, you can write LDAP programs that share Active Directory information with other directory services that also support LDAP. The Active Directory supports the NSPI protocol used by Microsoft Exchange 4.0 and 5.x clients, providing compatibility with the Exchange directory.

8. Flexible queries

Any user can use the Search command on the Start menu, Network Places or Active Directory Users and Computers to quickly find objects on the network by their properties. For example, you can find users by first name, last name, e-mail name, office location or other properties of the user account, and vice versa.

After this basic understanding of the Active Directory in the previous article, let me now touch on the real substance of the Active Directory: its structure. In the last article we said that the Active Directory comprises two aspects: the directory and the directory-related services. A directory is a physical container for storing various objects, no different from what we normally call a directory, and the basic objects it manages are resources such as users, computers, files and printers. Directory services are the services that make all of the information and resources in the directory work, such as user and resource management, directory-based network services and Web-based application management; they are the key and the essence of Win2K's Active Directory. The directory service is the core of the Win2K network operating system and also its central management organization, so introducing directory services has brought revolutionary changes to the whole operating system: not only have basic modules of the system platform such as the network security mechanism and user management changed, but the applications at the upper level and the way they are developed have changed correspondingly. Is the "Active Directory" easier to understand now?
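The LDAP interoperability of point 7 and the property-based user search of point 8 come together in the LDAP search filter a client sends to a domain controller. The following added example, not code from the article or from Windows 2000, builds such filters for the first-name, last-name, e-mail and office lookups named above, escaping the values per RFC 4515 so that a value containing filter metacharacters is matched literally rather than changing the filter's structure. It assumes the standard Active Directory user attribute names (givenName, sn, mail, physicalDeliveryOfficeName); the sample user entries and the in-memory search that stands in for a real LDAP server are constructed.

```python
"""Constructed LDAP filter builder for Active Directory user searches."""
from typing import Dict, List

# RFC 4515 requires these characters in assertion values to be escaped.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Search criteria the text lists, mapped to AD user attribute names.
USER_ATTRS: Dict[str, str] = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
    "office": "physicalDeliveryOfficeName",
}

# Constructed sample entries standing in for directory objects.
SAMPLE_USERS: List[Dict[str, str]] = [
    {"givenName": "Ada", "sn": "Lovelace", "mail": "ada@example.com",
     "physicalDeliveryOfficeName": "Bldg 1"},
    {"givenName": "Alan", "sn": "Turing", "mail": "alan@example.com",
     "physicalDeliveryOfficeName": "Bldg 2"},
]


def escape_filter_value(value: str) -> str:
    """Escape a literal value for use inside an LDAP filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(starts_with: bool = False, **criteria: str) -> str:
    """AND-filter over user objects. Unknown criteria are rejected rather
    than passed through, and the trailing wildcard for prefix searches is
    added only by the caller's explicit choice, never taken from the value."""
    clauses = ["(objectCategory=person)", "(objectClass=user)"]
    for key, value in criteria.items():
        if key not in USER_ATTRS:
            raise ValueError(f"unsupported search criterion: {key}")
        escaped = escape_filter_value(value)
        if starts_with:
            escaped += "*"
        clauses.append(f"({USER_ATTRS[key]}={escaped})")
    return "(&" + "".join(clauses) + ")"


def search_users(entries: List[Dict[str, str]], starts_with: bool = False,
                 **criteria: str) -> List[str]:
    """In-memory stand-in for an LDAP search with the same semantics as
    build_user_filter: values compare literally (case-insensitive, as AD
    does for these attributes), so a '*' in the input matches nothing
    unless a prefix search was requested. Returns the matching mail values."""
    hits = []
    for entry in entries:
        ok = True
        for key, value in criteria.items():
            actual = entry.get(USER_ATTRS[key], "").lower()
            wanted = value.lower()
            ok = ok and (actual.startswith(wanted) if starts_with else actual == wanted)
        if ok:
            hits.append(entry["mail"])
    return hits


if __name__ == "__main__":
    print(build_user_filter(first_name="Ada", last_name="Lovelace"))
    print(search_users(SAMPLE_USERS, email="ada@example.com"))
```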

At the same time, the Active Directory is a distributed directory service: because the information can be spread across several different computers, every user is guaranteed fast access and fault tolerance, and no matter where the user accesses it from or where the information is held, the user is given a unified view, which makes Win2K easier to understand and master. The Active Directory integrates the key services of Win2K Server, such as the Domain Name Service (DNS), Message Queuing (MSMQ), Transaction Services (MTS) and so on.
