Windows 2000 Active Directory Application article

Source: Internet
Author: User

The previous articles covered the basics of Active Directory and its installation and configuration, and highlighted some of its advantages. Active Directory is not a stand-alone service: it can only be deployed successfully on top of several existing protocols and services. The close integration of DNS and the LDAP protocol with Active Directory, and the use of the Site concept, are the clearest examples. Each of these technologies is introduced below.

The application of DNS in Active Directory

Windows 2000 is a new operating system whose biggest feature is the introduction of Active Directory, and the biggest feature of Active Directory is how tightly it is bound to DNS. Active Directory uses the Domain Name System (DNS) as its locator service and extends standard DNS. DNS is the most widely used locator service: it is used not only on the Internet but also inside many enterprise networks. In a network built on Windows NT 4.0, the unique identifier of each host is its NetBIOS name, which is resolved to an IP address through the WINS service, through broadcasts, or through the LMHOSTS file. On an internal network (what is commonly called a LAN) communicating by NetBIOS name is convenient and fast. On the Internet, however, the only identifier of a host is its fully qualified domain name (FQDN), such as www.163.com, and the DNS standard is used to resolve that name to its IP address. When an NT 4.0 network is connected to the Internet, every host in it also needs a domain name, resolved through the DNS service that NT 4.0 ships with, and in NT 4.0 the planning, design and maintenance of DNS is entirely manual. The result is that every host in an NT 4.0 network carries both a NetBIOS name and a DNS name with essentially the same meaning, which adds to the administrator's workload and makes the network as a whole harder to manage.

In the Active Directory of Windows 2000 the most basic unit is the domain. Domains are organized into a tree through parent and child domains; a parent domain and its child domain are joined by a two-way, transitive trust; and the resulting structure resembles that of DNS. Naming in Active Directory follows Internet standards, namely DNS and LDAP version 3. Domains in Active Directory and domains in DNS use exactly the same naming scheme: the name of an Active Directory domain is a DNS domain name. Active Directory then relies on DNS as its locator service to resolve names to IP addresses. So when building Active Directory with Windows 2000 you must install a suitable DNS server at the same time: whether a user is resolving an IP address or logging on, DNS is what locates the servers of the Active Directory. This tight integration with DNS is what makes Active Directory suit both Internet and intranet environments, and it reflects Microsoft's goal of building a network operating system for the Internet. An organization can attach its Active Directory namespace to the Internet to simplify communication with customers and partners; in practice that should mean publishing DNS names, not exposing the domain controllers' LDAP and Kerberos services directly to the Internet. In addition, the DNS service in Windows 2000 lets clients update their own resource records through the DNS dynamic update protocol (RFC 2136), which improves DNS management by removing the time spent maintaining those records by hand. Computers running Windows 2000 register their DNS names and IP addresses dynamically.

Because Active Directory is integrated with DNS, NetBIOS names are losing their meaning in Windows 2000, and the WINS service that resolves them is being phased out. In Windows NT, to get the benefit of WINS's dynamic registration, DNS was usually integrated with WINS so that DNS could return more accurate results. But WINS is not an Internet standard, and the DNS solution for maintaining a table of machine names and IP addresses dynamically is dynamic DNS. Dynamic DNS has no need for WINS: clients with dynamically assigned IP addresses register directly with the DNS server, and the DNS tables are updated immediately.

Windows 2000 supports dynamic DNS, and machines running Active Directory can update the DNS tables dynamically. WINS is therefore no longer required in a Windows 2000 network, although it is still supported for backward compatibility. If the network no longer uses WINS, how does a client find a domain controller when a user logs on? The answer is that Windows 2000 relies on the SRV (service locator) resource record, a record type standardized in RFC 2782 (originally RFC 2052) that not every DNS server of the time supported: the SRV records in the DNS zone point to the domain controllers of the Active Directory. So once a network has been fully upgraded to Windows 2000, WINS can be dropped. The WINS integration of DNS also becomes unnecessary because of the dynamic update protocol (RFC 2136). DNS is an open protocol, widely used on the Internet and defined by a series of Request for Comments (RFC) standards, and it has become a unified, standardized specification in networking. Since the goal of Windows 2000 is to be used widely in both Internet and intranet environments, its name resolution model should comply fully with the single DNS standard.

The above describes how DNS is used by Active Directory. Someone may ask: Windows NT 4.0 had no Active Directory and used DNS only to resolve domain names, so what exactly is the difference between Active Directory and DNS, and how are the two combined? Here are the specifics.

1. The difference between Active Directory and DNS

(1) Stored objects are different

The combination of DNS and Active Directory is the most important feature of Windows 2000 Server. A DNS domain and an Active Directory domain carry the same domain name but belong to different namespaces: each stores different data and therefore manages different objects. DNS stores its zones and resource records; Active Directory stores domains and the objects within them. In DNS, domain names are based on DNS's hierarchical naming structure, an inverted tree: a root domain, beneath which the remaining domains are parents and children of one another. A computer in a DNS domain is identified by its fully qualified domain name (FQDN). Every Windows 2000 domain connected to the Internet has a DNS name, and every computer in a Windows 2000 domain also has a DNS name. A domain and a computer therefore exist both as an Active Directory object and as a DNS node.

(2) The databases used for resolution are different

DNS is a name resolution service: a DNS server accepts requests and queries the DNS database to resolve a domain or computer name to an IP address. A DNS client sends a DNS name to its DNS server; the server answers from its local DNS database or by querying other DNS databases on the Internet. DNS does not need Active Directory in order to function.

Active Directory is a directory service: a domain controller accepts requests and queries the Active Directory database to resolve the names of domain objects to object records. An Active Directory client sends its requests to the domain controller over LDAP (the Lightweight Directory Access Protocol, the protocol for accessing a directory service). To locate the Active Directory database in the first place it needs DNS: Active Directory uses DNS as its locator service to resolve the domain controller's name to an IP address, and it cannot work without DNS. DNS can exist independently of Active Directory, but Active Directory must have DNS in order to work. For Active Directory to work correctly the DNS server must support the service locator (SRV) resource record, which maps a service name to the name of the server that provides the service. Active Directory clients and domain controllers use SRV records to determine the IP address of a domain controller.
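How the SRV-based locator described here (and in the earlier paragraph on dropping WINS) behaves in practice, as an added example that is not part of the original article and is not Windows code. It lists the SRV owner names a Windows 2000 client queries, parses records in the zone-file format used by Netlogon.dns, and selects a target the way RFC 2782 describes: lowest priority first, weighted choice within a priority, site-specific name before the domain-wide one. The domain corp.example.com, the site names HQ and Branch, the hosts dc1 and dc2 and the whole SAMPLE_NETLOGON_DNS text are constructed for the example.

```python
"""Locate a domain controller the way a Windows 2000 client does: via DNS SRV.

Added example, not code from the original article or from Windows. The
domain, sites and hosts below are constructed sample data, not real ones.
"""
import random
from dataclasses import dataclass


def dc_locator_names(domain, site=None, forest=None):
    """SRV owner names (under _msdcs) that clients query to find services."""
    forest = forest or domain
    names = {
        "ldap": f"_ldap._tcp.dc._msdcs.{domain}",
        "kerberos": f"_kerberos._tcp.dc._msdcs.{domain}",
        "kpasswd": f"_kpasswd._tcp.{domain}",
        "gc": f"_gc._tcp.{forest}",
    }
    if site:  # the Site concept: a client prefers DCs registered for its own site
        names["ldap_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
        names["kerberos_site"] = f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"
    return names


@dataclass(frozen=True)
class SrvRecord:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_lines(text):
    """Parse 'owner TTL IN SRV priority weight port target' lines; ';' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
            raise ValueError(f"not an SRV record: {raw!r}")
        owner, ttl, _, _, prio, weight, port, target = fields
        records.append(SrvRecord(owner.rstrip(".").lower(), int(ttl), int(prio),
                                 int(weight), int(port), target.rstrip(".").lower()))
    return records


def select_target(records, rnd=random.random):
    """RFC 2782: take the lowest priority; among those, choose by weight."""
    if not records:
        return None
    best = min(r.priority for r in records)
    # zero-weight entries go first so they keep a small chance of selection
    candidates = sorted((r for r in records if r.priority == best),
                        key=lambda r: r.weight != 0)
    total = sum(r.weight for r in candidates)
    point = rnd() * total  # rnd() in [0, 1) gives a point in [0, total)
    running = 0
    for r in candidates:
        running += r.weight
        if running >= point:
            return r
    return candidates[-1]


def locate_dc(domain, zone_text, site=None, rnd=random.random):
    """Return (host, port) of an LDAP DC: site-specific name first, then domain-wide."""
    records = parse_srv_lines(zone_text)
    names = dc_locator_names(domain, site)
    for key in ("ldap_site", "ldap"):
        owner = names.get(key)
        if owner is None:
            continue
        chosen = select_target([r for r in records if r.name == owner.lower()], rnd)
        if chosen is not None:
            return chosen.target, chosen.port
    return None


SAMPLE_NETLOGON_DNS = """\
; constructed sample in Netlogon.dns format (not a real zone)
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 50 389 dc2.corp.example.com.
_ldap._tcp.HQ._sites.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.Branch._sites.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 88 dc2.corp.example.com.
_gc._tcp.corp.example.com. 600 IN SRV 0 100 3268 dc1.corp.example.com.
"""

if __name__ == "__main__":
    for site in ("HQ", "Branch", None):
        print(site, locate_dc("corp.example.com", SAMPLE_NETLOGON_DNS, site=site))
```

Two things worth noticing in the output: a client in site HQ always gets dc1 and a client in Branch always gets dc2, while a client whose site has no DC falls back to the domain-wide records and is spread over dc1 and dc2 in the 100:50 weight ratio. Nothing in the lookup authenticates the answer, so the integrity of the DNS zone is the integrity of domain controller location: whoever can answer the `_ldap._tcp.dc._msdcs` query decides which host the client treats as its domain controller.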

Besides requiring that the DNS servers of a Windows 2000 network support SRV resource records, Microsoft also recommends that they support DNS dynamic update. Dynamic update (RFC 2136) defines a protocol by which the records on a DNS server are updated automatically; without it, administrators must enter the records generated by domain controllers by hand. The new Windows 2000 DNS service supports both SRV resource records and dynamic update. If you choose a DNS server other than the one in Windows 2000, you must verify that it supports SRV resource records. For a DNS server that supports SRV records but not dynamic update, you must add the resource records manually when you promote a Windows 2000 server to a domain controller. This can be done with the Netlogon.dns file, which the Active Directory Installation Wizard creates in the folder %SystemRoot%\System32\Config; it contains, in standard zone-file format, the records that the domain controller would otherwise have registered dynamically.
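What the dynamic update mentioned above looks like on the wire, as an added example that is not part of the original article and is not Windows code. It builds an RFC 2136 UPDATE message of the kind a domain controller's registration produces (replace the DC's A record, add its `_ldap` and `_kerberos` SRV records under `_msdcs`), then decodes it the way a receiving server would. The zone corp.example.com, the host dc1.corp.example.com and the address 10.0.0.5 are constructed sample values; the builder emits uncompressed names only, which the matching decoder relies on.

```python
"""Build and decode an RFC 2136 DNS UPDATE message.

Added example, not code from the original article or from Windows. Zone,
host and address used below are constructed sample values.
"""
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_SRV = 1, 6, 33
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255  # RFC 2136 section 2.5 class semantics


def encode_name(name):
    """Domain name in wire format: length-prefixed labels, root label last."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Inverse of encode_name; compression pointers are not emitted, so not accepted."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not supported")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def rr(name, rtype, rclass, ttl, rdata=b""):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def a_rdata(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return bytes(octets)


def srv_rdata(priority, weight, port, target):
    return struct.pack("!HHH", priority, weight, port) + encode_name(target)


def delete_rrset(name, rtype):
    """Update-section entry meaning 'delete every RR of this name and type'."""
    return rr(name, rtype, CLASS_ANY, 0)


def build_update(zone, prereqs, updates, msg_id=0x1234):
    """Header with opcode UPDATE, one zone entry (the zone's SOA), prereqs, updates."""
    flags = OPCODE_UPDATE << 11  # QR=0, Opcode=5, everything else zero
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(prereqs), len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prereqs) + b"".join(updates)


def dc_registration_update(zone, dc_fqdn, dc_ip):
    """The refresh a DC sends: replace its A record, add its DC locator SRV records."""
    updates = [
        delete_rrset(dc_fqdn, TYPE_A),
        rr(dc_fqdn, TYPE_A, CLASS_IN, 3600, a_rdata(dc_ip)),
        rr(f"_ldap._tcp.dc._msdcs.{zone}", TYPE_SRV, CLASS_IN, 600,
           srv_rdata(0, 100, 389, dc_fqdn)),
        rr(f"_kerberos._tcp.dc._msdcs.{zone}", TYPE_SRV, CLASS_IN, 600,
           srv_rdata(0, 100, 88, dc_fqdn)),
    ]
    return build_update(zone, [], updates)


def parse_update(msg):
    """Decode the message into its sections, as the receiving server sees them."""
    msg_id, flags, zocount, prcount, upcount, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if zocount != 1:
        raise ValueError("an UPDATE carries exactly one zone entry")
    offset = 12
    zname, offset = decode_name(msg, offset)
    ztype, zclass = struct.unpack_from("!HH", msg, offset)
    offset += 4

    def read_rrs(count, offset):
        rrs = []
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
            offset += 10
            rrs.append((name, rtype, rclass, ttl, msg[offset:offset + rdlen]))
            offset += rdlen
        return rrs, offset

    prereqs, offset = read_rrs(prcount, offset)
    updates, offset = read_rrs(upcount, offset)
    if offset != len(msg):
        raise ValueError("trailing bytes after the update section")
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zone": (zname, ztype, zclass), "prereqs": prereqs, "updates": updates}


if __name__ == "__main__":
    packet = dc_registration_update("corp.example.com", "dc1.corp.example.com", "10.0.0.5")
    print(packet.hex())
    print(parse_update(packet))
```

Note what the message does not contain: any evidence of who sent it. A server configured to accept unsecured dynamic updates applies a message like this from any host that can reach port 53, which is why RFC 2136 is normally paired with TSIG signatures (RFC 2845) and why Windows 2000 offers the "only secure updates" setting for Active Directory-integrated zones, where the update is tied to the sending computer's Kerberos identity. The records this message adds are the same ones Netlogon.dns lists in zone-file form for servers that cannot accept updates at all.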
