The foundation of Win2000 Active Directory

  

One of the biggest breakthroughs of the Windows 2000 (WIN2K) system is its newly introduced Active Directory service, which ties WIN2K far more closely to the services and protocols of the Internet: the directory is named with the Internet's "domain name" scheme and resolved through DNS, so that name resolution on the network works the way it does on the Internet rather than through WINS. Active Directory also marks a strategic shift in Microsoft's network architecture. Although some products of the NT era (Exchange Server, IIS and others) already offered directory-like services, Active Directory is a new, integrated service that arrived with WIN2K and is present throughout the system. It is not, however, easy to understand every aspect of it. I would therefore like to spend a few chapters analysing its main aspects in plain language, so that newcomers who feel apprehensive about WIN2K's Active Directory get the opportunity to understand it comprehensively.

First, the origin of the Active Directory

When people hear "Active Directory", the first thing that comes to mind is the "directory" or "path" of DOS and the "folder" of Windows 9x/ME. A directory or folder of that kind only expresses the position of a file on the disk and its place in the hierarchy. Once a file has been created, the directory it lives in is fixed (it can of course be deleted or moved, but we leave that aside here); in other words, its properties are relatively fixed and static. Such a directory can tell you only where the files it contains are stored and how large they are in total; it cannot give you any other related information. That limits how efficiently the directory can be used, lowers the efficiency of the whole system and complicates its administration. Because there is no correlation between pieces of information, the same object has to be configured separately in each application, which is tedious to manage and wastes system resources. To replace this inefficient arrangement and to tie the system more closely to the relevant Internet protocols, Microsoft decided on a comprehensive reform in WIN2K: the introduction of Active Directory. The key to understanding Active Directory is the word "active". If you drop "active" and think only about the "directory", you will never get beyond the DOS directory or the Windows 9x folder. This directory is active, that is, dynamic; it is a directory that carries service functions and can perform "association and mapping". For example, once you have found a user name, you can reach all of that user's basic information, such as the account, date of birth, e-mail address and telephone number, even though the files holding that information may not be stored in one place. At the same time, different applications can share this information, which reduces wasted development effort and makes better use of system resources.

Active Directory has two aspects: the directory and the services associated with it. The directory is a physical container that stores objects of all kinds; viewed statically, it is no different in essence from the "directory" or "folder" we have met before: it is just an object, an entity. The directory service is what makes the information and resources in the directory work. Active Directory is a distributed directory service: the information can be spread across many different computers, and because several machines hold the same information, users can always reach it quickly. It therefore has strong control over the information and gives users a single, unified view, regardless of where they access it from or where the information is physically located.

Second, related terminology

Although many of the technologies used in Active Directory had already appeared in other software products, this is their debut as a comprehensive, overall network solution, and many of the terms involved may be unfamiliar. It is therefore worth learning the vocabulary of Active Directory first.

1. Namespace: In essence, Active Directory is a namespace. A namespace can be understood as the resolution boundary of any given name, that is, the range of all information that can be provided by, or associated with, that name. In plain terms: when we look up an object on a server, a user for instance, the sum of all the related information we can find about it (if we have defined it on the server: user name, password, department, contact number, home address and so on) is, broadly speaking, the namespace of the name "user", because from the user name alone we can find all the information just listed. Name resolution is the process of translating a name into the object or information that the name represents. In a directory that forms a telephone directory, for example, we can resolve each subscriber's name to the corresponding telephone number, instead of having names that are only names and numbers that are only numbers with no link between them. The file system of the Windows operating system also forms a namespace: each file name can be resolved to the file itself, including all the information that belongs to it.

2. Object: An object is an information entity in Active Directory. It is not the single "attribute" we are used to seeing but a collection of attributes, and it usually represents a tangible entity such as a user account or a file name. An object describes its basic characteristics through its attributes; the attributes of a user account, for example, may include the user's name, telephone number, e-mail address and home address.

3. Container: A container is part of the Active Directory namespace. Like a directory object it has attributes, but unlike a directory object it does not represent a tangible entity; it represents the space in which objects are stored. Because it represents only that storage space, it is smaller than the namespace. A user, for example, is an object, but the container of that object is limited to the information space the object itself can provide, such as the user name and password; other information such as department, contact number and home address is not part of that object's container.

4. Directory tree: In any namespace, the directory tree is the hierarchy of containers and objects. The leaves of the tree are usually objects and the non-leaf nodes are containers. The directory tree expresses how objects are connected and also shows the path from one object to another. In Active Directory the directory tree is the basic structure; starting from any container you can form a subtree. A simple directory can form a tree, and so can a computer network or a domain. This is easy to understand: when we first learned about computers, did we not start by thoroughly understanding the concept of a path under DOS? This "directory tree" is also a kind of "path relationship", and anyone who understands DOS paths will have no trouble with it.

5. Domain: The domain is the security boundary of the WIN2K network system. We know that the most basic unit of a computer network is the "domain"; this is not unique to WIN2K, but Active Directory can span one or more domains. On a stand-alone computer the domain is the computer itself. A domain can be spread over several physical locations, and a single physical location can divide its network segments into different domains. Each domain has its own security policy and its own trust relationships with other domains. Once several domains are connected by trust relationships, Active Directory can be shared by all of the trusted domains.

6. Organizational unit: A particularly useful type of directory object within a domain is the organizational unit. An organizational unit is a container that places users, groups, computers and other units into Active Directory; it cannot contain objects from other domains. An organizational unit is the smallest unit to which Group Policy settings can be assigned or administrative rights delegated. With organizational units you can create containers within a domain that represent the logical hierarchy of your organization, manage accounts, resource configuration and usage according to your organizational model, and build an administrative model that scales to any size. A user can be granted administrative rights over all organizational units in a domain or over a single organizational unit, and the administrator of one organizational unit need not have administrative rights over any other organizational unit in the domain. An organizational unit is somewhat like a workgroup of the NT era, and its administrative authority can be understood in that way.

7. Domain tree: A domain tree consists of several domains that share the same schema (table structure) and configuration and form a contiguous namespace. The domains in the tree are connected by trust relationships, and Active Directory contains one or more domain trees. The deeper a domain sits in the domain tree, the lower its level; each "." marks one level of hierarchy. For example, the domain child.Microsoft.com is one level lower than Microsoft.com, because it has two hierarchical relationships while Microsoft.com has only one. Likewise the domain Grandchild.Child.Microsoft.com is lower than Child.Microsoft.com.

Domains in a domain tree are connected by two-way transitive trust relationships. Because these trusts are bidirectional and transitive, a newly created domain in a domain tree or forest immediately has a trust relationship with every other domain in the tree or forest. These trusts allow a single sign-on process to authenticate a user to all the domains in the domain tree or forest, but this does not necessarily mean that the authenticated user has the same rights and permissions in every domain of the tree. Because domains are security boundaries, users must be assigned the appropriate rights and permissions on a per-domain basis.

8. Domain forest: A domain forest is made up of one or more domain trees that do not form a contiguous namespace. The most obvious difference from a domain tree is that there is no contiguous namespace between the domain trees, whereas a domain tree is made up of domains whose namespace is contiguous. Nevertheless, all domain trees in a forest share the same schema (table structure), configuration and global catalog. The domain trees in a forest are linked through Kerberos trust relationships, so each domain tree knows of the Kerberos trusts and one domain tree can cross-reference objects in another. The forest has a root domain, which is the first domain created in the forest; the root domain of every domain tree in the forest establishes a transitive trust relationship with the forest root domain.
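The levels, trees and trust chains described under items 7 and 8 (and in the paragraph on transitive trusts between them), as an added example that is not part of the original article: the functions below derive a domain's level from the dots in its DNS name, group a set of domain names into domain trees by contiguous namespace, and trace the chain of trusts an authentication referral crosses between two domains (up to the tree root, through the forest root when the trees differ, then down). The domain names are constructed samples, not from the article.

```python
from collections import defaultdict

def domain_depth(fqdn):
    """One hierarchy level per DNS label: Microsoft.com has depth 2,
    child.Microsoft.com depth 3 (the article's 'one dot, one level')."""
    return len(fqdn.strip(".").split("."))

def parent_domain(fqdn):
    """Immediate parent in the DNS hierarchy, or None for a single label."""
    labels = fqdn.strip(".").lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None

def build_forest(domains):
    """Group domains into domain trees. A domain whose immediate parent is
    also present extends that parent's contiguous namespace; any other
    domain starts a new tree. Returns {tree_root: [domains, shallow first]}."""
    names = {d.strip(".").lower() for d in domains}
    order = lambda d: (domain_depth(d), d)      # parents sort before children
    root_of = {}
    for d in sorted(names, key=order):
        parent = parent_domain(d)
        root_of[d] = root_of[parent] if parent in names else d
    trees = defaultdict(list)
    for d, root in root_of.items():
        trees[root].append(d)
    return {root: sorted(ds, key=order) for root, ds in trees.items()}

def trust_path(domains, forest_root, src, dst):
    """Domains a transitive-trust referral crosses from src to dst: up src's
    tree, across the forest root when the trees differ, then down to dst."""
    names = {d.strip(".").lower() for d in domains}
    def up_chain(d):
        chain = [d]
        while parent_domain(chain[-1]) in names:
            chain.append(parent_domain(chain[-1]))
        return chain
    up, down = up_chain(src.lower()), up_chain(dst.lower())
    if up[-1] == down[-1]:                  # same tree: meet at common ancestor
        common = next(d for d in up if d in down)
        return up[:up.index(common)] + down[down.index(common)::-1]
    forest_root = forest_root.lower()
    bridge = [] if forest_root in (up[-1], down[-1]) else [forest_root]
    return up + bridge + down[::-1]

# Constructed sample forest (not from the article): the example.com tree,
# whose root is also the forest root, plus a second tree rooted at example.net.
SAMPLE_FOREST = ["example.com", "child.example.com", "sales.example.com",
                 "grandchild.child.example.com", "example.net", "lab.example.net"]
```

Calling `build_forest(SAMPLE_FOREST)` yields two trees because example.net does not continue the example.com namespace, while `trust_path` from lab.example.net to child.example.com runs through example.net and the forest root example.com.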

9. Site: A site is a network location that contains an Active Directory domain server, usually one or more subnets connected over TCP/IP. The subnets within a site are connected by a reliable, fast network. Dividing the network into sites lets an administrator configure the complex structure of Active Directory easily and use the characteristics of the physical network to optimize network traffic. When a user logs on to the network, the Active Directory client looks for an Active Directory domain server in its own site; because communication within a site is reliable, fast and efficient, this gives the user the quickest possible logon. And because sites are bound to subnets, Active Directory can easily determine the site the user is in at logon time and then find an Active Directory domain server there to complete the logon.
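The subnet-to-site lookup that the paragraph above describes, as an added example that is not part of the original article: a client address is matched against the subnets bound to each site (the most specific prefix wins when subnets overlap), and the domain controllers of that site are preferred, falling back to all controllers when the address belongs to no known site. Site names, subnets and controller names are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the article): sites, the subnets bound to
# them, and the site each domain controller sits in. HQ owns the broad
# 192.168.0.0/16 range and the branch carves a more specific /24 out of it.
SITE_SUBNETS = {
    "HQ": ["10.1.0.0/16", "10.2.0.0/16", "192.168.0.0/16"],
    "Branch": ["192.168.10.0/24"],
}
DC_SITES = {
    "dc1.example.com": "HQ",
    "dc2.example.com": "HQ",
    "dc3.example.com": "Branch",
}

def site_for_address(ip, site_subnets=SITE_SUBNETS):
    """Return the site whose subnet contains ip, or None if no subnet matches.
    When subnets overlap, the longest (most specific) prefix wins."""
    addr = ipaddress.ip_address(ip)
    best_site, best_len = None, -1
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_site, best_len = site, net.prefixlen
    return best_site

def preferred_domain_controllers(ip, site_subnets=SITE_SUBNETS, dc_sites=DC_SITES):
    """Domain controllers in the client's own site, which the client tries
    first. If the address maps to no site, or the site has no controller,
    fall back to every controller in the domain."""
    site = site_for_address(ip, site_subnets)
    local = sorted(dc for dc, s in dc_sites.items() if s == site)
    return local if local else sorted(dc_sites)

if __name__ == "__main__":
    for client in ("10.1.5.9", "192.168.10.7", "192.168.20.7", "172.16.0.1"):
        print(client, site_for_address(client), preferred_domain_controllers(client))
```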

10. Domain controller: A domain controller is a computer running WIN2K Server that has been configured with the Active Directory Installation Wizard. The wizard installs and configures the components that provide Active Directory services to the network's users and computers. The domain controller stores the directory data and manages the interaction between users and the domain, including the logon process, authentication and directory searches. A domain can have one or more domain controllers. For high availability and fault tolerance, a small organization on a single local area network (LAN) may need only one domain with two domain controllers, while a large company with several network locations needs one or more domain controllers at each location.

WIN2K Server domain controllers extend the capabilities and features of WINNT Server 4.0 domain controllers. WIN2K Server uses multi-master replication to synchronize the directory data on every domain controller, so that the information stays consistent over time; this dynamic behaviour is exactly what Active Directory provides. Multi-master replication is a development of the primary domain controller and backup domain controller model used in WINNT Server 4.0, where only one server, the primary domain controller, held a readable and writable copy of the directory.

Copyright © Windows knowledge All Rights Reserved