Understanding the Active Directory Logical Model

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Designing your logical structure for Active Directory Domain Services (AD DS) involves defining the relationships between the containers in your directory. These relationships might be based on administrative requirements, such as delegation of authority, or they might be defined by operational requirements, such as the need to control replication.

Before you design your Active Directory logical structure, it is important to understand the Active Directory logical model. AD DS is a distributed database that stores and manages information about network resources as well as application-specific data from directory-enabled applications. AD DS allows administrators to organize elements of a network (such as users, computers, and devices) into a hierarchical containment structure. The top-level container is the forest. Within forests are domains, and within domains are organizational units (OUs). This is called the logical model because it is independent of the physical aspects of the deployment, such as the number of domain controllers required within each domain and the network topology.

Active Directory forest

A forest is a collection of one or more Active Directory domains that share a common logical structure, directory schema (class and attribute definitions), directory configuration (site and replication information), and global catalog (forest-wide search capabilities). Domains in the same forest are automatically linked with two-way, transitive trust relationships.

Active Directory domain

A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. In addition, the domain supports a number of other core functions related to administration, including:

  • Network-wide user identity. Domains allow user identities to be created once and referenced on any computer joined to the forest in which the domain is located. Domain controllers that make up a domain are used to store user accounts and user credentials (such as passwords or certificates) securely.

  • Authentication. Domain controllers provide authentication services for users and supply additional authorization data, such as user group memberships, which can be used to control access to resources on the network.

  • Trust relationships. Domains can extend authentication services to users in domains outside their own forest by means of trusts.

  • Replication. The domain defines a partition of the directory that contains sufficient data to provide domain services and then replicates it between the domain controllers. In this way, all domain controllers are peers in a domain and are managed as a unit.

Active Directory organizational units

OUs can be used to form a hierarchy of containers within a domain. OUs are used to group objects for administrative purposes, such as the application of Group Policy or delegation of authority. Control over an OU and the objects within it is determined by the access control lists (ACLs) on the OU and on the objects in the OU. To facilitate the management of large numbers of objects, AD DS supports the concept of delegation of authority. By means of delegation, owners can transfer full or limited administrative control over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects across a number of people who are trusted to perform management tasks.
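Because control over an OU is determined by the ACL on that OU, a practical way to see where authority has been delegated is to walk the OU hierarchy and list the access control entries set directly on each OU rather than inherited from its parent. The following PowerShell is an added example, not part of the original page; it assumes the RSAT ActiveDirectory module is installed and the session runs as a domain user with read access to the directory.

```powershell
# Added example (not from the original page): list delegated control on each OU
# of the current domain by reading the ACEs set explicitly on the OU object.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, authenticated session.
Import-Module ActiveDirectory

# Well-known trustees that are expected to hold rights by default; anything else
# listed explicitly on an OU is a candidate delegation worth reviewing (heuristic list).
$expectedTrustees = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
$domainNetbios    = (Get-ADDomain).NetBIOSName
$expectedTrustees += "$domainNetbios\Domain Admins", "$domainNetbios\Enterprise Admins"

# Enumerate the OU hierarchy; sorting by canonical name lists parents before children.
$ous = Get-ADOrganizationalUnit -Filter * -Properties CanonicalName |
       Sort-Object CanonicalName

$report = foreach ($ou in $ous) {
    # The AD: PSDrive exposes each directory object's security descriptor to Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)

    # Keep only Allow ACEs written on this OU itself; inherited ACEs were delegated higher up.
    $explicit = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $expectedTrustees -notcontains $_.IdentityReference.Value
    }

    foreach ($ace in $explicit) {
        [pscustomobject]@{
            OU         = $ou.CanonicalName
            Trustee    = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            AppliesTo  = $ace.InheritanceType          # None = this OU only; All/Descendents = child objects
            ObjectType = $ace.ObjectType               # GUID of the scoped attribute/class; all zeros = all
        }
    }
}

# One row per (OU, trustee, right); export instead if the domain has many OUs.
$report | Sort-Object OU, Trustee | Format-Table -AutoSize
```

Rights that appear with a non-default trustee and an InheritanceType other than None are delegations that also flow down to every object created under that OU, which is where a review of "full or limited administrative control" should focus.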