After the basic introduction to Active Directory in the previous article, let me touch on its real substance: the structure of Active Directory. In the last article we said that Active Directory is made up of two aspects: the directory and the services related to the directory. A directory is a physical container for storing various objects, no different from what we normally call a directory, and the basic objects it manages are resources such as users, computers, files, and printers. Directory services are the services that make all the information and resources in the directory work, such as user and resource management, directory-based network services, and web-based application management; they are the key and essence of Win2K's Active Directory. Directory service is the core of the Win2K network operating system and also its central management organization, so introducing directory services into the whole operating system has brought revolutionary changes: not only have the basic modules of the system platform changed, such as the network security mechanism and the user management module, but the applications on the upper layer and the mode of development have changed correspondingly. Is "Active Directory" easier to understand now?
At the same time, Active Directory is a distributed directory service: its information can be spread across several different computers, which gives every user fast access and fault tolerance, and no matter where the user is accessing from or where the information is stored, the user is presented with a unified view. This makes the Win2K system easier to understand and master. Active Directory integrates the key services of the Win2K server, such as the Domain Name Service (DNS), Message Queuing Service (MSMQ), Transaction Services (MTS), and so on. On the application side it integrates key applications such as email, network management, ERP, and so on. To understand Active Directory, we must start with its logical structure and its physical structure.
The logical structure of the Active Directory
We see the word "logical" quite often, in phrases like "logical thinking" and "logical analysis", and perhaps it feels abstract and hard to grasp. In fact the "logical structure" we are talking about here is, I think, very easy to understand. "Logical" is generally the counterpart of "physical": we know that "physical" refers to something real, so "logical" means not physical, not an entity, but something abstract, such as a "relationship" or a "space, scope". In the first article we said that the logical structure of Active Directory is very flexible: there are directory trees, domains, domain trees, domain forests, and so on. These names are not real entities but represent a relationship or a range. For example, a directory tree is composed of directories in the same namespace, a domain is composed of different directory trees, a domain tree is made up of different domains, and a domain forest is made up of multiple domain trees. Together they form a complete tree-like, hierarchical view of relationships, which we can regard as a dynamic relationship. The logical structure is also directly related to the namespaces discussed previously, and it gives users and administrators great convenience in finding and locating objects within a given namespace. The logical units in Active Directory consist mainly of:
1. Domain, domain tree, domain forest
The domain is not only the logical organizational unit of the Win2K network system but also a container for objects (such as computers and users) that share the same security requirements, replication process and management, which should be quite easy for network administrators to understand. In Win2K, all domain controllers in a domain are equal (this is different from Windows NT 4.0). The domain is a security boundary: a domain administrator can only manage the inside of his own domain unless other domains explicitly grant him the right to access or manage them. Each domain has its own security policy as well as its own security trust relationships with other domains. This brings us to the trust and transitivity relationships between different domains, so let me talk specifically about domain trust relationships in Win2K.
A trust relationship between two domains allows users in one domain to be authenticated by a domain controller in another domain, so that users in one domain can access resources in the other. Every domain trust involves only two roles: the trusting domain and the trusted domain. If domain A trusts domain B, a user in domain B can access resources in domain A after being authenticated by a domain controller in domain A; the relationship of domain A to domain B is a trusting relationship, and domain B, being trusted by domain A, stands in a trusted relationship to domain A. Trusting and trusted relationships can be one-way or two-way: that is, domain A and domain B can have a single one-way trust between them, or a trust in both directions.
A transitive trust relationship is not constrained to the two domains in the relationship: it is passed through the parent domain on to the next domain in the domain tree. That is, if domain A trusts domain B, then domain A also trusts the subdomains B1, B2, and so on under domain B. Transitive trust relationships are always two-way: the two domains in the relationship (that is, the parent and child domains) trust each other. By default, all Win2K trust relationships within a domain tree or forest (a forest can be thought of as composed of multiple directory trees in the same domain) are transitive. By greatly reducing the number of trust relationships that need to be managed, this simplifies domain administration to a large extent.
Transitive trust relationships between Win2K domains are generally created automatically, but you can also explicitly (manually) create a transitive trust relationship between Win2K domains in the same domain tree or forest; this is important for forming a cross-link trust relationship. A non-transitive trust relationship is constrained to the two domains in the relationship and is not passed through the parent domain to the next domain in the domain tree. You must explicitly create a non-transitive trust relationship. By default, non-transitive trust relationships are one-way, although you can create a two-way relationship by creating two one-way trust relationships. All trust relationships established between Win2K domains in the same domain tree or forest are transitive. All trust relationships between Win2K domains and Windows NT domains are non-transitive, which is especially important when an enterprise uses both Win2K and Windows NT domain controllers while upgrading from Windows NT to Win2K: all existing Windows NT trust relationships remain unchanged, and in a mixed-mode network all Windows NT trust relationships are non-transitive. A one-way trust between a Win2K domain and a Windows NT domain, between a Win2K domain in one forest and a Win2K domain in another forest, or between a Win2K domain and an MIT Kerberos V5 realm is a separate, non-transitive trust relationship. A two-way trust relationship consists of a pair of one-way trust relationships, and all transitive trust relationships are two-way. To make a non-transitive trust relationship two-way, you must create two one-way trust relationships between the domains involved.
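To make the trust rules above concrete, here is an added Python model (not from the original article) that computes which domains' users a resource domain will authenticate, given a set of one-way trusts: transitive trusts are chained hop by hop, a non-transitive trust is honoured only as a direct hop, and a two-way trust is simply a pair of one-way trusts. The domain names and the forest layout in SAMPLE_TRUSTS are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # resource domain: the one that trusts
    trusted: str      # account domain: the one whose users are trusted
    transitive: bool  # may other trusts be chained through this one?


def two_way(a: str, b: str, transitive: bool = True) -> list:
    """A two-way trust is just a pair of one-way trusts in opposite directions."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def trusted_domains(trusts: list, resource_domain: str) -> set:
    """Domains whose users can be authenticated for resources in resource_domain.
    Transitive trusts are followed hop by hop; a non-transitive trust counts only
    as a direct first hop, and nothing is chained beyond it."""
    outgoing = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)
    reachable, seen = set(), {resource_domain}
    frontier = deque([resource_domain])  # domains reached via transitive trusts only
    while frontier:
        here = frontier.popleft()
        for t in outgoing.get(here, []):
            if not t.transitive and here != resource_domain:
                continue  # a non-transitive trust cannot be chained onto
            reachable.add(t.trusted)
            if t.transitive and t.trusted not in seen:
                seen.add(t.trusted)
                frontier.append(t.trusted)
    reachable.discard(resource_domain)
    return reachable


def can_access(trusts: list, user_domain: str, resource_domain: str) -> bool:
    """True if a user from user_domain can be authenticated to resource_domain."""
    return user_domain in trusted_domains(trusts, resource_domain)


# Constructed sample: one domain tree with default two-way transitive parent/child
# trusts, plus a one-way non-transitive trust to a Windows NT 4.0 domain.
SAMPLE_TRUSTS = (
    two_way("example.com", "sales.example.com")
    + two_way("example.com", "eng.example.com")
    + two_way("eng.example.com", "dev.eng.example.com")
    + [Trust("sales.example.com", "LEGACYNT", transitive=False)]
)
```

Running trusted_domains(SAMPLE_TRUSTS, "dev.eng.example.com") shows that the NT 4.0 domain is not reached: the transitive chain carries through the tree, but the non-transitive trust held by sales.example.com does not extend to any other domain.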
2. Organizational unit (OU)
An organizational unit (OU) is a container object that forms part of the logical structure of Active Directory. With OUs we can organize the objects in a domain into logical groups, which helps simplify management. An OU can contain a variety of objects, such as user accounts, user groups, computers and printers, and can even contain other OUs, so we can use OUs to build a completely logical hierarchy of the objects in a domain. For an enterprise, you can group all users and devices into an OU hierarchy by department, form hierarchies by geography, or divide them into multiple OU hierarchies by function and permissions. Clearly, nesting organizational units within one another gives them a clear hierarchy, which lets administrators partition a domain into organizational units that reflect the structure of the enterprise and delegate tasks and authority accordingly. Building an organizational model from nested containers helps us solve many problems while still using large domains, and every object in the domain tree can be published in the global catalog, so users can easily find an object that provides a given service regardless of where it sits in the domain tree.
Because the OU hierarchy is confined to the interior of a domain, the OU hierarchy in one domain has no relationship to the OU hierarchy in another domain. Because a domain in Active Directory can hold far more objects than an NT 4.0 domain, an enterprise may be able to build its corporate network with only one domain, in which case we can use OUs to group objects, form multiple management hierarchies, and greatly simplify network management. Different departments of an organization can be separate domains or separate organizational units, using hierarchical naming to reflect the organizational structure and to delegate administration. Granular administrative authority that follows the organizational structure solves many management headaches while strengthening central management without losing flexibility.
Many domains in Windows NT 4.0 can become OUs, producing larger domains and simpler domain relationships, while users and administrators can still quickly find and manage objects with the help of the global catalog. Win2K can work within an existing Windows NT 4.0 environment, protecting existing investments.