Forest Design Models

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

You can apply one of the following three forest design models in your Active Directory environment:

  • Organizational forest model

  • Resource forest model

  • Restricted access forest model

It is likely that you will need to use a combination of these models to meet the needs of all the different groups in your organization.

Organizational forest model

In the organizational forest model, user accounts and resources are contained in the forest and managed independently. The organizational forest can be used to provide service autonomy, service isolation, or data isolation, if the forest is configured to prevent access by anyone outside the forest.

If users in an organizational forest need to access resources in other forests (or the reverse), trust relationships can be established between the organizational forest and the other forests. This makes it possible for administrators to grant access to resources in the other forest. The following illustration shows the organizational forest model.

[Illustration: Forest design models (organizational forest model)]

Every Active Directory design includes at least one organizational forest.

Resource forest model

In the resource forest model, a separate forest is used to manage resources. Resource forests do not contain user accounts other than those required for service administration and those required to provide alternate access to the resources in that forest if the user accounts in the organizational forest become unavailable. Forest trusts are established so that users from other forests can access the resources contained in the resource forest. The following illustration shows the resource forest model.

[Illustration: Forest design models (resource forest model)]

Resource forests provide service isolation, which is used to protect areas of the network that need to maintain a state of high availability. For example, if your company includes a manufacturing facility that needs to continue to operate when there are problems on the rest of the network, you can create a separate resource forest for the manufacturing group.

Restricted access forest model

In the restricted access forest model, a separate forest is created to contain user accounts and data that must be isolated from the rest of the organization. Restricted access forests provide data isolation in situations where the consequences of compromising project data are severe. The following illustration shows a restricted access forest model.

[Illustration: Forest design models (restricted access forest model)]

Users from other forests cannot be granted access to the restricted data because no trust exists. In this model, users have an account in an organizational forest for access to general organizational resources and a separate user account in the restricted access forest for access to the classified data. These users must have two separate workstations, one connected to the organizational forest and the other connected to the restricted access forest. This protects against the possibility that a service administrator from one forest can gain access to a workstation in the restricted forest.

In extreme cases, the restricted access forest might be maintained on a separate physical network. Organizations that work on classified government projects sometimes maintain restricted access forests on separate networks to meet security requirements.
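Each of the three models above implies a particular trust posture (a restricted access forest has no trusts; a resource forest trusts the account forests so their users can reach its resources; an organizational forest may hold trusts to other forests). The following PowerShell function, added here as an example and not part of the Microsoft page, audits the current forest's trust objects against the model it is meant to implement. It assumes the ActiveDirectory RSAT module (Get-ADTrust, Get-ADForest) and that, as in the TrustDirection enumeration, an Outbound trust means "this forest trusts the target forest"; the -Model names and the rules applied are this example's own.

```powershell
# Added example (not from the Microsoft page): audit a forest's trust
# relationships against the forest design model it is supposed to follow.
# Requires the ActiveDirectory RSAT module. Model names and rules are
# this example's assumptions, derived from the three models described above.
function Test-ForestDesignModel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Organizational', 'Resource', 'RestrictedAccess')]
        [string]$Model,
        # Trust objects to evaluate; defaults to the trusts of the current domain.
        [object[]]$Trusts = @(Get-ADTrust -Filter *)
    )

    $findings = New-Object System.Collections.Generic.List[string]

    switch ($Model) {
        'RestrictedAccess' {
            # Data isolation relies on no trust existing in either direction.
            foreach ($t in $Trusts) {
                $findings.Add("Trust with '$($t.Target)' ($($t.Direction)) breaks isolation; remove it.")
            }
        }
        'Resource' {
            foreach ($t in $Trusts) {
                # The resource forest should trust the account forests (Outbound),
                # not be trusted by them; an Inbound or Bidirectional trust lets
                # this forest's service accounts authenticate elsewhere.
                if ($t.Direction -ne 'Outbound') {
                    $findings.Add("Trust with '$($t.Target)' is $($t.Direction); a resource forest normally needs only an Outbound trust.")
                }
                # Selective authentication limits which foreign users may
                # authenticate to resources in this forest.
                if (-not $t.SelectiveAuthentication) {
                    $findings.Add("Trust with '$($t.Target)' does not use selective authentication.")
                }
            }
        }
        'Organizational' {
            # Trusts to other forests are permitted here; they are only listed.
        }
    }

    [pscustomobject]@{
        Forest     = (Get-ADForest).Name
        Model      = $Model
        Trusts     = @($Trusts | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication)
        Findings   = $findings
        Compliant  = ($findings.Count -eq 0)
    }
}
```

Run it on a domain controller or a host with RSAT, for example `Test-ForestDesignModel -Model RestrictedAccess`; a non-empty Findings list means the live trust configuration does not match the intended model.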