ä¸ãActive Directory Domain Services(AD DS)
in the Windows Server 2008 network enviroment ,Active Directory Domain Services(AD DS),provide with organizingãmanagingãcontrolling network resources.
1-1 active directory domain services overview
directory :telephone directory;file directory
å¦æè¿äºdirectoryå
çæ°æ®è½å¤ç³»ç»çå 以æ´ççè¯ï¼ç¨æ·å°±è½å¤å®¹æä¸è¿
éçæ¥æ¾å°æéæ件ã
Active Directoryçç»ææ¯directoryï¼åå
çdirectoryæ¯ç¨æ¥åå¨ç¨æ·å¸æ·ã计ç®æºå¸æ·ãæå°æºä¸å
±äº«æ件夹ç对象ï¼æ们æè¿äºå¯¹è±¡çåå¨å°ç¹ç§°ä¸ºç®å½æ°æ®åºï¼directory databaseï¼ã
Active Directory åå
è´è´£æä¾ç®å½æå¡çç»ä»¶å°±æ¯active directoryåæå¡ï¼active directory domain services
å®è´è´£ç®å½æ°æ®åºçåå¨ãæ·»å ãå é¤ãä¿®æ¹ä¸æ¥è¯¢æä½ã
1-1-1 active directory domain service scope
active directory domain service å¯ä»¥ç¨å¨ä¸å°è®¡ç®æºãLANæè
æ°ä¸ªWANçèåï¼å®å
å«æ¤èå´ææç对象ï¼ä¾å¦æ件ãæå°æºãåºç¨ç¨åºãæå¡å¨ãåæ§å¶å¨ä¸ç¨æ·å¸æ·çã
1-1-2nameSpace
bounded area ,ä¸åçå®å¥½çåºåï¼å¨æ¤åºåå
ï¼æ们å¯ä»¥å©ç¨æ个å称æ¥æ¾å°ä¸è¿ä¸ªå称æå
³çä¿¡æ¯ã
active directory åæå¡å
ï¼active directoryå°±æ¯ä¸ä¸ªå称空é´ï¼å¨active directoryå
æ们å¯ä»¥éè¿å¯¹è±¡åæ¥æ¾å°ä¸è¿ä¸ªå¯¹è±¡ç¸å
³çææçä¿¡æ¯ã
active directory domain services ä¸DNSç´§å¯éæå¨ä¸èµ·ï¼å
¶åçå称空é´ä¹æ¯éç¨DNSæ¶æï¼å æ¤ååéç¨DNSæ ¼å¼æ¥å½å
1-1-3 object and attribute
ad dså
çèµæºé½æ¯ä»¥å¯¹è±¡çå½¢å¼åå¨çï¼ä¾å¦ç¨æ·ã计ç®æºãæå°æºï¼å¯¹è±¡éè¿å±æ§æ¥æè¿°å
¶ç¹å¾ã对象æ¬èº«æ¯å±æ§çéåï¼å¯¹è±¡ç±»çæ¦å¿µ-object class
1-1-4容å¨ï¼containerï¼åç»ç»åä½ï¼organization unitsï¼
ä¸å¯¹è±¡ä¸åçæ¯å®¹å¨å
å¯ä»¥å
å«å
¶ä»å¯¹è±¡ï¼ä¹å¯ä»¥å
å«å
¶ä»ç容å¨ãèç»ç»åä½æ¯ä¸ä¸ªæ¯è¾ç¹æ®ç容å¨ï¼é¤äºå¯ä»¥å
æ¬å
¶ä»å¯¹è±¡ä¸ç»ç»åä½å¤ï¼è¿æç»çç¥çåè½ã
AD DSæ¯å±æ¬¡åçç»æï¼hierarchicalï¼å°å¯¹è±¡ã容å¨ä¸ç»ç»åä½çç»åå¨ä¸èµ·ï¼å¹¶å°å
¶åå¨å°active directoryæ°æ®åºä¸ã
1-1-5åæ ç®å½
æ ¹åï¼root domainï¼
subdomainåå
åå空é´æ¯è¿ç»æ§çï¼continuousï¼ï¼ååçååå
å«çå
¶ç¶åçååã
åæ ç®å½å
çææåå
±äº«ä¸ä¸ªactive directoryæ°æ®åºï¼ä¹å°±æ¯å¨è¿ä¸ªåæ ç®å½ä¹ä¸åªæä¸ä¸ªactive directoryæ°æ®åºï¼ä¸è¿è¿ä¸ªactive directoryæ°æ®åºå
çæ°æ®åæ£å°å个åå
ï¼æ¯ä¸ªååªåå¨å±äºè¯¥åçæ°æ®ã
1-1-6ä¿¡ä»»ï¼trustï¼
两个åï¼trust relationshipï¼ï¼ç¶åæå¯ä»¥è®¿é®å¯¹æ¹åå
çèµæºã
ä»»ä½ä¸ä¸ªæ°AD DSå被å å
¥å°åç®å½åï¼è¿ä¸ªåä¼èªå¨ä¿¡ä»»å
¶åä¸å±çç¶åï¼åæ¶ç¶åä¹ä¼èªå¨ä¿¡ä»»è¿ä¸ªæ°å å
¥çååï¼èä¸è¿ç§ä¿¡ä»»å
³ç³»å
·æååä¼ éæ§ï¼Two-way transitiveï¼,kerberosä¿¡ä»»ã
å ä¸ºä¼ éæ§å¾å°çä¿¡ä»»å
³ç³»ï¼å¯ç§°ä¸ºéæ§çä¿¡ä»»å
³ç³»ï¼impicit trustï¼ã
æ以å½ä»»ä½ä¸ä¸ªAD DSåå å
¥å°åæ ç®å½åï¼å®ä¼èªå¨ååä¿¡ä»»è¿ä¸ªåæ ç®å½å
çææåï¼å æ¤åªè¦æ¥æéå½æéï¼è¿ä¸ªæ°åå
çç¨æ·ä¾¿å¯ä»¥è®¿é®å
¶ä»åçèµæºï¼åçï¼å
¶ä»åå
çç¨æ·ä¹å¯ä»¥è®¿é®è¿ä¸ªæ°åå
çèµæºã
1-1-7 forest
ææ¯ç±ä¸ä¸ªæå¤ä¸ªåæ ç®å½ç»æï¼æ¯ä¸ä¸ªåæ ç®å½é½æèªå·±å¯ä¸çå称空é´ã
æ¨æå建ç第ä¸ä¸ªåæ ç®å½çæ ¹åï¼å°±æ¯æ´ä¸ªæçæ ¹åï¼åæ¶å
¶ååå°±æ¯æçæåã
ä¾å¦sayms.com æ¯æ´ä¸ªæçæ ¹åï¼æ´ä¸ªæçååæ¯sayms.com
å½å建ææ¶ï¼æ¯ä¸ä¸ªåæ ç®å½å
çæ ¹åï¼root domainï¼ä¹é´ååçãä¼ éæ§çä¿¡ä»»å
³ç³»é½ä¼è¢«èªå¨å建ãå æ¤æ¯ä¸ªåæ ç®å½ä¸çæ¯ä¸ªåå
çç¨æ·ï¼åªè¦æ¥ææéï¼é½å¯ä»¥è®¿é®å
¶ä»ä»»ä½ä¸ä¸ªåæ ç®å½å
çèµæºï¼ä¹å¯ä»¥å°å
¶ä»ä»»ä½ä¸ä¸ªåæ ç®å½å
ç计ç®æºç»å½ã
1-1-8æ¶æï¼schemaï¼
AD DSå
ç书é¦ç±»åä¸å±æ§æ°æ®æ¯å®ä¹å¨schemaå
çãæ¯å¦schemaå®ä¹äºå¯¹è±¡ç±»åå
å
å«äºåªäºå±æ§ã没ä¸ä¸ªå±æ§çæ°æ®ç±»åçä¿¡æ¯ã
åºç¨ç¨åºå¯ä»¥å¨schemaå
æ·»å å
¶æéè¦ç对象类åæå±æ§ï¼ç³»ç»ç®¡çåï¼æschema admins ç»å
çç¨æ·ï¼å¯ä»¥ä¿®æ¹æ¶æå
çæ°æ®ãå¨ä¸ä¸ªforestå
çall domain treeå
±äº«ç¸åçschemaã
1-1-9åæ§å¶å¨
AD DSçç®å½æ°æ®æ¯åå¨å¨åæ§å¶å¨å
çãä¸ä¸ªåå
å¯ä»¥æå¤å°åæ§å¶å¨ï¼æ¯ä¸å°åæ§å¶å¨çå°ä½ï¼å ä¹ï¼æ¯å¹³ççãä»ä»¬åèªåå¨çä¸ä»½å ä¹å®å
¨ç¸åçvactive directoryæ°æ®åºãæ¯å¦å½å¨ä»»ä½ä¸å°åæ§å¶å¨å
æ·»å ä¸ä¸ªç¨æ·å¸æ·åï¼è¿ä¸ªå¸æ·é»è®¤æ¯è¢«å建å¨æ¤åæ§å¶å¨çactive directoryæ°æ®åºå
ï¼ä¹åè¿ä»½æ°æ®ä¼èªå¨è¢«replicateå°å
¶ä»åæ§å¶å¨çactive directoryæ°æ®åºå
ï¼ä»¥ä¾¿è®©ææåæ§å¶å¨å
çAD DSæ°æ®é½è½å¤åæ¥ï¼synchronizeï¼ã
å¤å°åæ§å¶å¨å¯ä»¥æé«ç³»ç»çå¯é æ§ï¼æä¾å®¹éåè½ï¼åæ¶å¯ä»¥æ¹åç»å½æçã
åæ§å¶å¨ä¸è¬æ¯ä¸å°æå¡å¨çº§å«ç计ç®æºï¼å¨windows server 2008家æä¸ï¼é¤äº windows web server 2008ä¹å¤ï¼å
¶ä»é½å¯ä»¥æ®æ¼åæ§å¶å¨çè§è²ã
1-1-10active directoryçå¤å¶æ¨¡å¼
åæ§å¶å¨ä¹é´å¨å¤å¶active directoryæ°æ®åºæ¶ï¼å
¶å¤å¶æ¹å¼å¯ä»¥ä¸ºä»¥ä¸ä¸¤ç§æ¨¡å¼ï¼
å¤ä¸»æºå¤å¶æ¨¡å¼ï¼multi-master replication modelï¼
å½å¨ä»»ä½ä¸å°åæ§å¶å¨çactive directoryæ°æ®åºå
æ·»å ä¸ä¸ªç¨æ·å¸æ·åï¼è¿ä¸ªå¸æ·ä¼èªå¨è¢«å¤å¶å°åå
çå
¶ä»åæ§å¶å¨ãactive directoryæ°æ®åºå
ç大é¨åçæ°æ®æ¯å©ç¨è¿ç§æ¨¡å¼å¨å¤å¶ã
å主æºå¤å¶æ¨¡å¼ï¼single-master replication modelï¼
å½æåºæ´æ¹å¯¹è±¡æ°æ®ç请æ±çæ¶åï¼ä¼ç±å
¶ä¸ä¸å°åæ§å¶å¨ï¼æä½ä¸»æºï¼è´è´£æ¥æ¶ä¸å¤çæ¤è¯·æ±ï¼ä¹å°±æ¯è¯´è¯¥å¯¹è±¡æ¯å
被æ´æ°å¨æä½ä¸»æºï¼åç±è¿å°æä½ä¸»æºå°å®å¤å¶å°å
¶ä»çåæ§å¶å¨ã
1-1-11åä¸çå
¶ä»æå计ç®æº
è¦å
å管ç计ç®æºï¼éè¦å°è¿äºè®¡ç®æºå å
¥å°åå
ï¼å¦æç¨æ·è¦ä½¿ç¨active directoryæ°æ®åºå
çåç¨æ·å¸æ·æ¥ç»å½ï¼è¿äºè®¡ç®æºä¹å¿
é¡»å å
¥åã没æå å
¥åç计ç®æºåªè½å¤ä½¿ç¨æ¬å°ç¨æ·å¸æ·ç»å½ã
åä¸çæå计ç®æºå
æ¬ï¼
æåæå¡å¨ï¼member serverï¼
æå¡å¨çº§å«ç计ç®æºå å
¥åå被称为æåæå¡å¨ï¼member serverï¼ï¼æåæå¡å¨çåºå«ä¸æ¯ç¡¬ä»¶ï¼èæ¯æä½ç³»ç»ãæåæå¡å¨å¯ä»¥æ¯ï¼
windows server 2008
windows server 2003
windows 2000 server
windows NT server 4.0
è¥ä¸è¿°æå¡å¨æ²¡æå å
¥å°åï¼åä»ä»¬è¢«ç§°ä¸ºç¬ç«æå¡å¨ï¼stand-alone serverï¼æå·¥ä½ç»æå¡å¨ï¼workgroup server ï¼,æ 论æ¯member serverè¿æ¯stand-alone serverï¼ä»ä»¬é½ææ¬å°çSAMï¼security accounts managerï¼ï¼ç³»ç»å¯ä»¥ç¨SAMæ¥å®¡æ ¸æ¬å°çç¨æ·ç身份ã
å
¶ä»å®¢æ·ç«¯è®¡ç®æº
windows vista Ultimate ãwindows vista enterprise ãwindows vista bussiness
windows XP professional
windows 2000 professional
windows NT workstation
PS:postscript
注æ:ista home premiumãvista home basic ãvista starterãXP home editionç计ç®æºå¨ç»å½çªå£ä¸æ æ³éæ©åç¨æ·æ¥ç»å½ï¼åªè½å©ç¨æ¬å°ç¨æ·å¸æ·æ¥ç»å½ã
å¨windowsç½ç»ç¯å¢ä¸ï¼å¯ä»¥å°ç¬ç«æå¡å¨ææåæå¡å¨å级æ为åæ§å¶å¨ï¼ä¹å¯ä»¥å°åæ§å¶å¨é级为ç¬ç«æå¡å¨ææåæå¡å¨ã
1-1-12 DNSæå¡å¨
åæ§å¶å¨éè¦å°èªå·±æ³¨åå°DNSæå¡å¨å
ï¼ä»¥ä¾¿è®©å
¶ä»è®¡ç®æºéè¿DNSæå¡å¨æ¥æ¾å°è¿å°åæ§å¶å¨ãå æ¤æ建åç¯å¢éè¦æå¯æ¯æAD DSçDNSæå¡å¨ãåæ¶è¿å°DNSæå¡å¨æ好æ¯æå¨ææ´æ°ï¼dynamic updateï¼ï¼ä»¥ä¾¿å½åæ§å¶å¨çè§è²æåå¨æåæå计ç®æºçIPå°åçæ°æ®æ´æ¹æ¶ï¼å¯ä»¥èªå¨æ´æ°DNSæå¡å¨çè®°å½ã
1-1-13è½»åç®å½è®¿é®åè®®ï¼LDAPï¼
LDAP(lightweight directory access protocol)è½»åç®å½è®¿é®åè®®æ¯ç¨æ¥è®¿é®active directoryæ°æ®åºçç®å½æå¡åè®®ãAD DSæ¯å©ç¨LDAPå称路å¾ï¼LDAP naming pathï¼æ¥è¡¨ç¤ºå¯¹è±¡å¨active directoryæ°æ®åºä¸çä½ç½®ï¼ä»¥ä¾¿ç¨å®æ¥è®¿é®active directoryæ°æ®åºå
ç对象ãLDAPå称路å¾å
æ¬ï¼
distinguished Nameï¼DNï¼
DNæ¯å¯¹è±¡å¨active directoryæ°æ®åºå
çå®æ´è·¯å¾
å
¶ä¸çDCï¼domain componentï¼è¡¨ç¤ºDNSååä¸çç»ä»¶ï¼OU为ç»ç»åä½ï¼organization unitï¼ï¼CN为common name
relative distinguished nameï¼RDNï¼
RDNæ¯å¨DNçå®æ´è·¯å¾ä¸ï¼ç¨æ¥ä»£è¡¨æ个对象çé¨åè·¯å¾
GUIDï¼global unique identifierï¼
GUIDæ¯ä¸ª128ä½çæ°å¼ï¼æ¨æå建çä»»ä½ä¸ä¸ªå¯¹è±¡ï¼ç³»ç»é½ä¼èªå¨ä¸ºå
¶æå®ä¸ä¸ªå¯ä¸çGUIDãè½ç¶å¯ä»¥æ¹å对象çå称ï¼ä½æ¯å
¶GUIDæ°¸è¿ä¸åã
User Principal Name
æ¯ä¸ä¸ªç¨æ·è¿å¯ä»¥æå 个æ¯DNæ´çãæ´å®¹æè®°å¿çUPNå½¢å¼ä¸º
[email protected]ï¼ç¨æ·å¨ç»å½çæ¶åæ好æ¯ç¨UPN
详ç»è§
http://www.360doc.com/content/11/0512/22/265705_116313614.shtml