Reviewing the Domain Models

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The following factors impact the domain design model that you select:

  • Amount of available capacity on your network that you are willing to allocate to Active Directory Domain Services (AD DS). The goal is to select a model that provides efficient replication of information with minimal impact on available network bandwidth.

  • Number of users in your organization. If your organization includes a large number of users, deploying more than one domain enables you to partition your data and gives you more control over the amount of replication traffic that will pass through a given network connection. This makes it possible for you to control where data is replicated and reduce the load created by replication traffic on slow links in your network.

The simplest domain design is a single domain. In a single domain design, all information is replicated to all of the domain controllers. If necessary, however, you can deploy additional regional domains. This might occur if portions of the network infrastructure are connected by slow links, and the forest owner wants to be sure that replication traffic does not exceed the capacity that has been allocated to AD DS.

It is best to minimize the number of domains that you deploy in your forest. This reduces the overall complexity of the deployment and, as a result, reduces total cost of ownership. The following table lists the administrative costs associated with adding regional domains.

Cost: Management of multiple service administrator groups
Implications: Each domain has its own service administrator groups that need to be managed independently. The membership of these service administrator groups must be carefully controlled.

Cost: Maintaining consistency among Group Policy settings that are common to multiple domains
Implications: Group Policy settings that need to be applied forest-wide must be applied separately to each individual domain in the forest.

Cost: Maintaining consistency among access control and auditing settings that are common to multiple domains
Implications: Access control and auditing settings that need to be applied across the forest must be applied separately to each individual domain in the forest.

Cost: Increased likelihood of objects moving between domains
Implications: The greater the number of domains, the greater the likelihood that users will need to move from one domain to another. This move can potentially impact end users.


Windows Server 2008 fine-grained password and account lockout policies can also impact the domain design model that you select. Before Windows Server 2008, you could apply only one password and account lockout policy, specified in the Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains. You can now use fine-grained password policies to specify multiple password policies and to apply different password restrictions and account lockout policies to different sets of users within a single domain. For more information about fine-grained password and account lockout policies, see the Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration (https://go.microsoft.com/fwlink/?LinkID=91477).
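The following PowerShell is an added example, not part of the original page or of the Step-by-Step Guide it cites. It shows the single-domain alternative to "deploy another domain for a stricter password policy": a Password Settings Object (PSO) is created with the ActiveDirectory module, bound to a global security group, and the resultant policy is then checked for each member so that precedence mistakes are caught. The names PSO-ServiceAdmins and Tier0-Service-Admins are assumed placeholders; the policy values are illustrative, not a recommendation from the page.

```powershell
# Added example (not from the original page): one stricter password and lockout
# policy for service administrators inside a single domain, without a second domain.
# "PSO-ServiceAdmins" and "Tier0-Service-Admins" are assumed names; adjust to your forest.
Import-Module ActiveDirectory

$psoName = 'PSO-ServiceAdmins'
$subject = 'Tier0-Service-Admins'   # assumed global security group that holds service admins

# Lower Precedence wins when a user is covered by more than one PSO, so keep a
# documented numbering scheme rather than picking values ad hoc.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stricter password and lockout policy for service administrators'

# PSOs apply only to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subject

# Verify what actually applies to each member: if no PSO wins, the user falls back
# to the Default Domain Policy, which is exactly the case this PSO is meant to replace.
$defaultPolicy = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity $subject |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User            = $_.SamAccountName
            EffectivePolicy = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
            MinLength       = if ($effective) { $effective.MinPasswordLength } else { $defaultPolicy.MinPasswordLength }
            LockoutThreshold = if ($effective) { $effective.LockoutThreshold } else { $defaultPolicy.LockoutThreshold }
        }
    } | Format-Table -AutoSize
```

Run it from a session that holds Domain Admins rights in the target domain, and re-run only the verification part after any change to group membership: nested or cross-domain members that are not global security groups are not covered by the PSO and will show the Default Domain Policy in the output.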

Single domain model

A single domain model is the easiest to administer and the least expensive to maintain. It consists of a forest that contains a single domain. This domain is the forest root domain, and it contains all of the user and group accounts in the forest.

A single domain forest model reduces administrative complexity by providing the following advantages:

  • Any domain controller can authenticate any user in the forest.

  • All domain controllers can be global catalogs, so you do not need to plan for global catalog server placement.

In a single domain forest, all directory data is replicated to all geographic locations that host domain controllers. While this model is the easiest to manage, it also creates the most replication traffic of the two domain models. Partitioning the directory into multiple domains limits the replication of objects to specific geographic regions but results in more administrative overhead.

Regional domain model

All object data within a domain is replicated to all domain controllers in that domain. For this reason, if your forest includes a large number of users that are distributed across different geographic locations connected by a wide area network (WAN), you might need to deploy regional domains to reduce replication traffic over the WAN links. Geographically based regional domains can be organized according to network WAN connectivity.
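Before deciding between the single domain model and regional domains, it helps to see what the forest currently replicates and over which links. The following PowerShell is an added example, not from the original page: it enumerates the domains in the forest, the domain controllers (and global catalogs) each site hosts, the site links with their cost and replication interval, and any outstanding replication failures. It assumes the ActiveDirectory module and a domain-joined, forest-wide readable session; no names in it refer to a real forest.

```powershell
# Added example (not from the original page): inventory what the forest replicates
# today so the regional-domain decision is based on the actual site/link layout.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root: $($forest.RootDomain)"
"Domains:     $($forest.Domains -join ', ')"

# One line per domain controller: which domain partition it holds, which site it
# sits in, and whether it is also a global catalog (relevant to the single-domain
# advantage that every DC can be a GC).
$forest.Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
} | Select-Object Domain, Site, HostName, IsGlobalCatalog, IsReadOnly |
    Sort-Object Domain, Site |
    Format-Table -AutoSize

# Site links are where WAN replication traffic is shaped: Cost is a relative
# weight used for route selection, ReplicationFrequencyInMinutes is the interval.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ Name = 'Sites'; Expression = {
            ($_.SitesIncluded | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=' }) -join ', '
        } } |
    Format-Table -AutoSize

# Replication failures mean a site is serving stale directory data; surface them
# before attributing slowness to domain design alone.
Get-ADReplicationFailure -Target $forest.Name -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime |
    Format-Table -AutoSize
```

Read the output against the two factors listed at the top of the page: the site-link table shows how much WAN capacity replication is allowed to consume, and the domain controller table shows how many locations receive a full copy of each domain partition today.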

The regional domain model enables you to maintain a stable environment over time. Base the regions used to define domains in your model on stable elements, such as continental boundaries. Domains based on other factors, such as groups within the organization, can change frequently and might require you to restructure your environment.

The regional domain model consists of a forest root domain and one or more regional domains. Creating a regional domain model design involves identifying which domain is the forest root domain and determining the number of additional domains that are required to meet your replication requirements. If your organization includes groups that require data isolation or service isolation from other groups in the organization, create a separate forest for these groups. Domains do not provide data isolation or service isolation.