Understanding the Active Directory Logical Model

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Designing your logical structure for Active Directory Domain Services (AD DS) involves defining the relationships between the containers in your directory. These relationships might be based on administrative requirements, such as delegation of authority, or they might be defined by operational requirements, such as the need to control replication.

Before you design your Active Directory logical structure, it is important to understand the Active Directory logical model. AD DS is a distributed database that stores and manages information about network resources as well as application-specific data from directory-enabled applications. AD DS allows administrators to organize elements of a network (such as users, computers, and devices) into a hierarchical containment structure. The top-level container is the forest. Within forests are domains, and within domains are organizational units (OUs). This is called the logical model because it is independent of the physical aspects of the deployment, such as the number of domain controllers required within each domain and the network topology.

Active Directory forest

A forest is a collection of one or more Active Directory domains that share a common logical structure, directory schema (class and attribute definitions), directory configuration (site and replication information), and global catalog (forest-wide search capabilities). Domains in the same forest are automatically linked with two-way, transitive trust relationships.

Active Directory domain

A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. In addition, the domain supports a number of other core functions related to administration, including:

  • Network-wide user identity. Domains allow user identities to be created once and referenced on any computer joined to the forest in which the domain is located. The domain controllers that make up a domain are used to store user accounts and user credentials (such as passwords or certificates) securely.

  • Authentication. Domain controllers provide authentication services for users and supply additional authorization data, such as user group memberships, which can be used to control access to resources on the network.

  • Trust relationships. Domains can extend authentication services to users in domains outside their own forest by means of trusts.

  • Replication. The domain defines a partition of the directory that contains sufficient data to provide domain services and then replicates it between the domain controllers. In this way, all domain controllers in a domain are peers and are managed as a unit.

Active Directory organizational units

OUs can be used to form a hierarchy of containers within a domain. OUs are used to group objects for administrative purposes, such as the application of Group Policy or delegation of authority. Control over an OU and the objects within it is determined by the access control lists (ACLs) on the OU and on the objects in the OU. To facilitate the management of large numbers of objects, AD DS supports the concept of delegation of authority. By means of delegation, owners can transfer full or limited administrative control over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects across a number of people who are trusted to perform management tasks.
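Because control over an OU is determined by its ACL, the practical security check is to review which principals have been granted broad rights on each OU. The following PowerShell script is an added example, not part of the original page or of Microsoft's documentation. It assumes the ActiveDirectory RSAT module (which provides the AD: drive used by Get-Acl) and a domain-joined session with read access to the directory; the baseline principal list is an assumption to be adjusted to your own environment.

```powershell
# Added example: list explicit (non-inherited) delegations on every OU that grant
# broad control to principals outside an expected baseline.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Principals that are expected to hold broad rights on OUs (assumption; extend to
# match the delegation model you have actually designed).
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\SELF',
    'BUILTIN\Administrators',
    'BUILTIN\Account Operators',
    "$($domain.NetBIOSName)\Domain Admins"
)

# Rights that amount to full control of the OU, or the ability to take it.
$BroadRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    # Get-Acl on the AD: drive returns the directory object's security descriptor.
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)

    foreach ($ace in $acl.Access) {
        # Only Allow ACEs grant access; inherited ACEs were set on a parent, so the
        # explicit ones are the delegations configured on this particular OU.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IsInherited) { continue }

        $who = $ace.IdentityReference.Value
        if ($ExpectedPrincipals -contains $who) { continue }
        # Enterprise Admins is shown under the forest root's NetBIOS name.
        if ($who -like '*\Enterprise Admins') { continue }

        # ActiveDirectoryRights is a flags enum; ToString() yields "A, B, C".
        $rights  = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $matched = $rights | Where-Object { $BroadRights -contains $_ }
        if (-not $matched) { continue }

        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Principal   = $who
            Rights      = ($matched -join ',')
            Inheritance = $ace.InheritanceType
            # GUID of the class or attribute the ACE is scoped to; the all-zero
            # GUID means the right applies to the whole object.
            ObjectType  = $ace.ObjectType
        }
    }
}

$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Each row is a delegation that goes beyond the baseline and should be traceable to a documented decision; rows whose Rights column contains GenericAll, WriteDacl or WriteOwner are effectively full control of that OU and everything under it, regardless of what the delegation was originally intended to allow. Inherited ACEs are skipped deliberately: they are reviewed once, on the OU where they were set, rather than once per child.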