Autonomy vs. Isolation

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

You can design your Active Directory logical structure to achieve either of the following:

  • Autonomy. Involves independent but not exclusive control of a resource. When you achieve autonomy, administrators have the authority to manage resources independently; however, administrators with greater authority exist who also have control over those resources and can take control away if necessary. You can design your Active Directory logical structure to achieve the following types of autonomy:

    • Service autonomy. This type of autonomy involves control over all or part of service management.

    • Data autonomy. This type of autonomy involves control over all or part of the data stored in the directory or on member computers joined to the directory.

  • Isolation. Involves independent and exclusive control of a resource. When you achieve isolation, administrators have the authority to manage a resource independently, and no other administrator can take away control of the resource. You can design your Active Directory logical structure to achieve the following types of isolation:

    • Service isolation. Prevents administrators (other than those administrators who are specifically designated to control service management) from controlling or interfering with service management.

    • Data isolation. Prevents administrators (other than those administrators who are specifically designated to control or view the data) from controlling or viewing a subset of data in the directory or on member computers joined to the directory.

Administrators who require only autonomy accept that other administrators who have equal or greater administrative authority have equal or greater control over service or data management. Administrators who require isolation have exclusive control over service or data management. Creating a design to achieve autonomy is generally less expensive than creating a design to achieve isolation.

In Active Directory Domain Services (AD DS), administrators can delegate both service administration and data administration to achieve either autonomy or isolation between organizations. The combination of service management, data management, autonomy, and isolation requirements of an organization determines which Active Directory containers are used to delegate administration.

Isolation and autonomy requirements

The number of forests that you need to deploy is based on the autonomy and isolation requirements of each group within your organization. To identify your forest design requirements, you must identify the autonomy and isolation requirements for all groups in your organization. Specifically, you must identify the need for data isolation, data autonomy, service isolation, and service autonomy. You must also identify areas of limited connectivity in your organization.

Data isolation

Data isolation involves exclusive control over data by the group or organization that owns the data. It is important to note that service administrators can take control of a resource away from data administrators, and data administrators cannot prevent service administrators from accessing the resources that they control. Therefore, you cannot achieve data isolation when another group within the organization is responsible for service administration. If a group requires data isolation, that group must also assume responsibility for service administration.

Because data stored in AD DS and on computers joined to AD DS cannot be isolated from service administrators, the only way for a group within an organization to achieve complete data isolation is to create a separate forest for that data. Organizations for which the consequences of an attack by malicious software or by a coerced service administrator are substantial might choose to create a separate forest to achieve data isolation. Legal requirements typically create a need for this type of data isolation. For example:

  • A financial institution is required by law to limit access to data that belongs to clients in a particular jurisdiction to users, computers, and administrators located in that jurisdiction. Although the institution trusts the service administrators who work outside the protected area, if the access limitation is violated, the institution will no longer be able to do business in that jurisdiction. Therefore, the financial institution must isolate the data from service administrators outside that jurisdiction. Note that encryption is not always an alternative to this solution; encryption might not protect data from service administrators.

  • A defense contractor is required by law to limit access to project data to a specified set of users. Although the contractor trusts the service administrators who control computer systems related to other projects, a violation of this access limitation will cause the contractor to lose business.

    Note

    If you have a data isolation requirement, you must decide whether you need to isolate your data from service administrators or only from data administrators and ordinary users. If your isolation requirement is based on isolation from data administrators and ordinary users, you can use access control lists (ACLs) to isolate the data. For the purposes of this design process, isolation from data administrators and ordinary users is not considered a data isolation requirement.

Data autonomy

Data autonomy involves the ability of a group or organization to manage its own data, including making administrative decisions about the data and performing any required administrative tasks, without the need for approval from another authority.

Data autonomy does not prevent service administrators in the forest from accessing the data. For example, a research group within a large organization might want to be able to manage its project-specific data itself but not need to secure the data from other administrators in the forest.
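As an added example that is not part of this design guide, the following PowerShell ties together the note on ACLs above and the data autonomy case: it delegates a hypothetical OU to a hypothetical data-admin group, then lists the other principals whose existing ACEs still let them rewrite the DACL or take ownership, which is why an ACL yields autonomy from other data administrators but not isolation from service administrators. It assumes the ActiveDirectory module and its AD: drive are available, and that the OU and group names are placeholders.

```powershell
# Added example (not from the design guide). All names are hypothetical.
Import-Module ActiveDirectory

$ouDn  = 'OU=Research,DC=corp,DC=example'            # hypothetical OU owned by the research group
$group = Get-ADGroup -Identity 'Research-DataAdmins'  # hypothetical delegated data-admin group
$path  = "AD:\$ouDn"

# 1. Data autonomy: grant the group full control over the OU and everything in it.
$acl  = Get-Acl -Path $path
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 2. Why this is autonomy rather than isolation: enumerate every other principal
#    that can rewrite the DACL, take ownership, or hold full control of the OU.
#    Domain and enterprise service administrators normally appear here through
#    the default inherited ACEs, and even if their ACE were removed, anyone who
#    administers the domain controllers could restore it.
$override = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
            [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$current = Get-Acl -Path $path
"Current owner of the OU: $($current.Owner)"

$current.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $override) -ne 0 -and
        $_.IdentityReference -notlike "*\$($group.Name)"
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Run the second half on its own against any OU to see which accounts a delegated group has autonomy from and which it does not.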

Service isolation

Service isolation involves exclusive control of the Active Directory infrastructure. Groups that require service isolation require that no administrator outside the group can interfere with the operation of the directory service.

Operational or legal requirements typically create a need for service isolation. For example:

  • A manufacturing company has a critical application that controls equipment on the factory floor. Service interruptions on other parts of the organization's network cannot be allowed to interfere with the operation of the factory floor.

  • A hosting company provides service to multiple clients. Each client requires service isolation so that any service interruption that affects one client does not affect the other clients.

Service autonomy

Service autonomy involves the ability to manage the infrastructure without a requirement for exclusive control; for example, when a group wants to make changes to the infrastructure (such as adding or removing domains, modifying the Domain Name System (DNS) namespace, or modifying the schema) without the approval of the forest owner.

Service autonomy might be required within an organization for a group that wants to be able to control the service level of AD DS (by adding and removing domain controllers as needed), or for a group that needs to be able to install directory-enabled applications that require schema extensions.

Limited connectivity

If a group within your organization owns networks that are separated by devices that restrict or limit connectivity between networks (such as firewalls and Network Address Translation (NAT) devices), this can impact your forest design. When you identify your forest design requirements, be sure to note the locations where you have limited network connectivity. This information is required to enable you to make decisions regarding the forest design.