Determining the Number of Forests Required

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

To determine the number of forests that you must deploy, you need to carefully identify and evaluate the isolation and autonomy requirements for each group in your organization and map those requirements to the appropriate forest design models.

When determining the number of forests to deploy for your organization, consider the following:

  • Isolation requirements limit your design choices. Therefore, if you identify isolation requirements, make sure that the groups actually require data isolation and that data autonomy is not sufficient for their needs. Ensure that the various groups in your organization clearly understand the concepts of isolation and autonomy.

  • Negotiating the design can be a lengthy process. It can be difficult for groups to come to an agreement about ownership and uses for available resources. Make sure that you allow enough time for the groups in your organization to conduct adequate research to identify their needs. Set firm deadlines for design decisions and get consensus from all parties on the established deadlines.

  • Determining the number of forests to deploy involves balancing costs against benefits. A single-forest model is the most cost-effective option and requires the least amount of administrative overhead. Although a group in the organization might prefer autonomous service operations, it might be more cost-effective for the organization to subscribe to service delivery from a centralized and trusted information technology (IT) group. This allows the group to own data management without creating the added costs of service management. Balancing costs against benefits might require input from the executive sponsor.

    A single forest is the easiest configuration to manage. It allows for maximum collaboration within the environment because:

    • All objects in a single forest are listed in the global catalog. Therefore, no synchronization across forests is required.

    • Management of a duplicate infrastructure is not required.

  • We do not recommend co-ownership of a single forest by two separate and autonomous IT organizations. In the future, the goals of the two IT groups might change, so that they can no longer accept shared control.

  • We do not recommend outsourcing service administration to more than one outside partner. Multinational organizations that have groups in different countries or regions might choose to outsource service administration to a different outside partner for each country or region. Because multiple outside partners cannot be isolated from one another, the actions of one partner can affect the service of the other, which makes it difficult to hold the partners accountable to their service level agreements.

  • Only one instance of an Active Directory domain should exist at any time. Microsoft does not support cloning, splitting, or copying domain controllers from one domain in an attempt to establish a second instance of the same domain. For more information about this limitation, see the following section.

Restructuring limitations

When a company acquires another company, business unit, or product line, the purchasing company might also want to acquire the corresponding IT assets from the seller. Specifically, the buyer might want to acquire some or all of the domain controllers that host the user accounts, computer accounts, and security groups that correspond to the business assets that are to be acquired. The only supported methods for the buyer to acquire the IT assets that are stored in the seller's Active Directory forest are as follows:

  1. Acquire the only instance of the forest, including all domain controllers and directory data in the seller's entire forest.

  2. Migrate the needed directory data from the seller's forest or domains to one or more of the buyer's domains. The target for such a migration might be an entirely new forest or one or more existing domains that are already deployed in the buyer's forest.

This support limitation exists because:

  • Each domain in an Active Directory forest is assigned a unique identity during the creation of the forest. Copying domain controllers from an original domain to a cloned domain compromises the security of both the domains and the forest. Threats to the original domain and the cloned domain include the following:

    • Sharing of passwords that can be used to gain access to resources

    • Insight regarding privileged user accounts and groups

    • Mapping of IP addresses to computer names

    • Additions, deletions, and modifications of directory information if domain controllers in a cloned domain ever establish network connectivity with domain controllers from the original domain

  • Cloned domains share a common security identity; therefore, trust relationships cannot be established between them, even if one or both of the domains have been renamed.
