Planning Regional Domain Controller Placement

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

To ensure cost efficiency, plan to place as few regional domain controllers as possible. First, review the "Geographic Locations and Communication Links" (DSSTOPO_1.doc) worksheet used in Collecting Network Information to determine whether a location is a hub.

Plan to place regional domain controllers for each domain that is represented in each hub location. After you place regional domain controllers in all hub locations, evaluate the need for placing regional domain controllers at satellite locations. Eliminating unnecessary regional domain controllers from satellite locations reduces the support costs required to maintain a remote server infrastructure.

In addition, ensure the physical security of domain controllers in hub and satellite locations so that unauthorized personnel cannot access them. Do not place writable domain controllers in hub and satellite locations in which you cannot guarantee the physical security of the domain controller. A person who has physical access to a writable domain controller can attack the system by:

  • Accessing physical disks by starting an alternate operating system on a domain controller.

  • Removing (and possibly replacing) physical disks on a domain controller.

  • Obtaining and manipulating a copy of a domain controller system state backup.

Add writable regional domain controllers only to locations in which you can guarantee their physical security.

In locations with inadequate physical security, deploying a read-only domain controller (RODC) is the recommended solution. Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.

To authenticate client logons and access to local file servers, most organizations place regional domain controllers for all regional domains that are represented in a given location. However, you must consider many variables when evaluating whether a business location requires its clients to have local authentication or whether the clients can rely on authentication and queries over a wide area network (WAN) link. The following illustration shows how to determine whether to place domain controllers at satellite locations.


Onsite technical expertise availability

Domain controllers need to be managed continuously for various reasons. Place a regional domain controller only in locations that include personnel who can administer the domain controller, or be sure that the domain controller can be managed remotely.

In branch office environments with typically poor physical security and personnel with little information technology knowledge, deploying an RODC is often the recommended solution. Local administrative permissions for an RODC can be delegated to any domain user without granting that user any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way, the branch user can be delegated the ability to effectively manage the RODC in the branch office without compromising the security of the rest of the domain or the forest.

WAN links that experience frequent outages can cause significant productivity loss to users if the location does not include a domain controller that can authenticate the users. If your WAN link availability is not 100 percent and your remote sites cannot tolerate a service outage, place a regional domain controller in locations where the users require the ability to log on or to access Exchange servers when the WAN link is down.

Authentication availability

Certain organizations, such as banks, require that users be authenticated at all times. Place a regional domain controller in a location where the WAN link availability is not 100 percent but users require authentication at all times.

If your WAN link availability is highly reliable, placing a domain controller at the location depends on the logon performance requirements over the WAN link. Factors that influence logon performance over the WAN include link speed and available bandwidth, number of users and usage profiles, and the amount of logon network traffic versus replication traffic.

The activities of a single user can congest a slow WAN link. Place a domain controller at a location if logon performance over the WAN link is unacceptable.

The average percentage of bandwidth utilization indicates how congested a network link is. If a network link has average bandwidth utilization that is greater than an acceptable value, place a domain controller at that location.

Number of users and usage profiles

The number of users and their usage profiles at a given location can help determine whether you need to place regional domain controllers at that location. To avoid productivity loss if a WAN link fails, place a regional domain controller at a location that has 100 or more users.

The usage profiles indicate how the users use the network resources. You do not need to place a domain controller in a location that contains only a few users who do not frequently access network resources.

Logon network traffic vs. replication traffic

If a domain controller is not available within the same location as the Active Directory client, the client creates logon traffic on the network. The amount of logon network traffic that is created on the physical network is influenced by several factors, including group memberships; the number and size of Group Policy objects (GPOs); logon scripts; and features such as offline folders, folder redirection, and roaming profiles.

On the other hand, a domain controller that is placed at a given location generates replication traffic on the network. The frequency and amount of updates made on the partitions hosted on the domain controllers influence the amount of replication traffic that is created on the network. The different types of updates that can be made on the partitions hosted on the domain controllers include adding or changing users and user attributes, changing passwords, and adding or changing global groups, printers, or volumes.

To determine whether you need to place a regional domain controller at a location, compare the cost of the logon traffic created by a location without a domain controller against the cost of the replication traffic created by placing a domain controller at the location.

For example, consider a network that has branch offices connected through slow links to the headquarters, and in which domain controllers can easily be added. If the daily logon and directory lookup traffic of a few remote site users causes more network traffic than replicating all company data to the branch, consider adding a domain controller to the branch.

If reducing the cost of maintaining domain controllers is more important than network traffic, either centralize the domain controllers for that domain and do not place any regional domain controllers at the location, or consider placing RODCs at the location.
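The placement criteria above (hub status, physical security, onsite or remote administration, WAN availability, authentication requirements, logon performance, link utilization, user count, and logon versus replication traffic) can be captured as a small decision routine. The following is an added example written for this page, not Microsoft's tooling; the 70 percent utilization threshold and the per-site numbers are constructed assumptions, since the guide leaves the "acceptable value" to the planner.

```python
from dataclasses import dataclass

# Assumed threshold for "acceptable" average link utilization; the guide does not fix one.
MAX_ACCEPTABLE_UTILIZATION = 0.70


@dataclass
class Location:
    name: str
    is_hub: bool
    users: int
    physically_secure: bool      # can the DC be kept away from unauthorized personnel?
    onsite_admin: bool           # personnel on site who can administer the DC
    remote_manageable: bool      # DC can instead be managed remotely
    wan_always_up: bool          # WAN availability is effectively 100 percent
    auth_required_always: bool   # e.g. a bank: users must authenticate at all times
    logon_perf_ok: bool          # logon over the WAN performs acceptably
    link_utilization: float      # average bandwidth utilization, 0.0 to 1.0
    daily_logon_mb: float        # logon/lookup traffic the site would send over the WAN
    daily_replication_mb: float  # replication traffic a local DC would pull instead


def reasons_for_local_dc(loc: Location) -> list[str]:
    """Collect every criterion from the guide that argues for a DC at this site."""
    r = []
    if loc.is_hub:
        r.append("hub: one regional DC per domain represented here")
    if not loc.wan_always_up and loc.auth_required_always:
        r.append("WAN not 100% available and users must authenticate at all times")
    if loc.users >= 100:
        r.append("100 or more users: avoid productivity loss on WAN failure")
    if not loc.logon_perf_ok:
        r.append("logon performance over the WAN is unacceptable")
    if loc.link_utilization > MAX_ACCEPTABLE_UTILIZATION:
        r.append("average link utilization above the acceptable value")
    if loc.daily_logon_mb > loc.daily_replication_mb:
        r.append("logon traffic would exceed the replication traffic of a local DC")
    return r


def recommend(loc: Location) -> tuple[str, list[str]]:
    """Return ('writable' | 'rodc' | 'none', reasons) for one location."""
    r = reasons_for_local_dc(loc)
    if not r:
        return "none", ["few users / reliable WAN: rely on hub DCs over the WAN"]
    if not (loc.onsite_admin or loc.remote_manageable):
        return "none", r + ["no way to administer a DC here: centralize instead"]
    if not loc.physically_secure:
        # A writable DC is never placed where physical access cannot be controlled.
        return "rodc", r + ["physical security cannot be guaranteed"]
    return "writable", r
```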

For a worksheet to assist you in documenting the placement of regional domain controllers and the number of users for each domain that is represented in each location, see Job Aids for Windows Server 2003 Deployment Kit (https://go.microsoft.com/fwlink/?LinkID=102558), download Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip, and open "Domain Controller Placement" (DSSTOPO_4.doc).

You will need to refer to the information about the locations in which you need to place regional domain controllers when you deploy regional domains. For more information about deploying regional domains, see Deploying Windows Server 2008 Regional Domains.