Using the Organizational Domain Forest Model

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In the organizational domain forest model, several autonomous groups each own a domain within a forest. Each group controls domain-level service administration, which enables it to manage certain aspects of service management autonomously, while the forest owner controls forest-level service management.

The following illustration shows an organizational domain forest model.

[Illustration: using the organizational domain forest model]

Domain-level service autonomy

The organizational domain forest model enables the delegation of authority for domain-level service management. The following table lists the types of service management that can be controlled at the domain level.

Type of service management: Management of domain controller operations
Associated tasks:
- Creating and removing domain controllers
- Monitoring the functioning of domain controllers
- Managing services that are running on domain controllers
- Backing up and restoring the directory

Type of service management: Configuration of domain-wide settings
Associated tasks:
- Creating domain and domain user account policies, such as password, Kerberos, and account lockout policies
- Creating and applying domain-wide Group Policy

Type of service management: Delegation of data-level administration
Associated tasks:
- Creating organizational units (OUs) and delegating administration
- Repairing problems in the OU structure that OU owners do not have sufficient access rights to fix

Type of service management: Management of external trusts
Associated tasks:
- Establishing trust relationships with domains outside the forest

Other types of service management, such as schema or replication topology management, are the responsibility of the forest owner.
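As an added example (not part of the original page), the following PowerShell script reads the current state of each domain-level item in the table above so that a domain owner can review what is under their control; it assumes the ActiveDirectory RSAT module on a domain-joined host, and the domain name contoso.com is a placeholder.

```powershell
# Added example: read-only audit of the domain-level service-management areas listed above.
# Assumes the ActiveDirectory module is installed; the domain name is a placeholder.
Import-Module ActiveDirectory
$domain = 'contoso.com'   # placeholder, replace with your own domain

# Domain controller operations: which DCs exist, their site, and whether any is an RODC.
Get-ADDomainController -Filter * -Server $domain |
    Select-Object Name, Site, IsReadOnly, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# Domain-wide settings: the default domain password and account lockout policy.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Format-List

# Data-level delegation: every OU and the principal recorded as its manager, if any.
Get-ADOrganizationalUnit -Filter * -Server $domain -Properties ManagedBy |
    Select-Object DistinguishedName, ManagedBy |
    Format-Table -AutoSize

# External trusts: any trust that is not intra-forest was established by the domain owner.
Get-ADTrust -Filter * -Server $domain |
    Where-Object { -not $_.IntraForest } |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication |
    Format-Table -AutoSize
```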

Domain owner

In an organizational domain forest model, domain owners are responsible for domain-level service management tasks. Domain owners have authority over the entire domain as well as access to all other domains in the forest. For this reason, domain owners must be trusted individuals selected by the forest owner.

Delegate domain-level service management to a domain owner only if the following conditions are met:

  • All groups participating in the forest trust the new domain owner and the service management practices of the new domain.

  • The new domain owner trusts the forest owner and all the other domain owners.

  • All domain owners in the forest agree that the new domain owner has service administrator management and selection policies and practices that are equal to or more strict than their own.

  • All domain owners in the forest agree that the domain controllers managed by the new domain owner in the new domain are physically secure.

Note that if a forest owner delegates domain-level service management to a domain owner, other groups might choose not to join that forest if they do not trust that domain owner.

All domain owners must be aware that if any of these conditions change in the future, it might become necessary to move the organizational domains into a multiple forest deployment.

Note

Another way to minimize security risks to a Windows Server 2008 Active Directory domain is to employ administrator role separation, which requires the deployment of a read-only domain controller (RODC) in your Active Directory infrastructure. An RODC is a new type of domain controller in the Windows Server 2008 operating system that hosts read-only partitions of the Active Directory database. Before the release of Windows Server 2008, any server maintenance work on a domain controller had to be performed by a domain administrator. In Windows Server 2008, you can delegate local administrative permissions for an RODC to any domain user without granting that user any administrative rights for the domain or other domain controllers. This permits the delegated user to log on to an RODC and perform maintenance work, such as upgrading a driver, on the server. However, this delegated user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way, any trusted user can be delegated the ability to manage the RODC effectively without compromising the security of the rest of the domain. For more information about RODCs, see AD DS: Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=106616).
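As an added illustration (not from the original page) of the administrator role separation described above, the following PowerShell pre-stages an RODC account with a delegated administrator group and then checks that the group holds no domain-level administrative membership; it assumes the ActiveDirectory and ADDSDeployment modules, and every domain, site, computer and group name is a placeholder.

```powershell
# Added example: delegate RODC administration to a non-privileged group, then verify
# that the delegate is not, directly or through nesting, a domain-level administrator.
# All names below are placeholders for this example.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domain   = 'contoso.com'                 # placeholder domain
$rodcName = 'BRANCH-RODC01'               # placeholder RODC computer name
$site     = 'Branch-Site'                 # placeholder AD site for the RODC
$delegate = 'CONTOSO\Branch-RODC-Admins'  # placeholder group that will administer the RODC

# Pre-stage the RODC account (run by a domain administrator). The delegated administrator
# is recorded in the RODC computer object's managedBy attribute and receives local
# administrative rights on that RODC only.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName $rodcName `
    -DomainName $domain -SiteName $site -DelegatedAdministratorAccountName $delegate

# For an RODC that already exists, the same delegation is the ManagedBy attribute:
# Set-ADComputer -Identity $rodcName -ManagedBy (Get-ADGroup 'Branch-RODC-Admins')

# Verification: the delegate must not be nested anywhere under a domain-level admin group.
$delegateGroup = Get-ADGroup -Identity ($delegate.Split('\')[1]) -Server $domain
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Server Operators'

# LDAP_MATCHING_RULE_IN_CHAIN returns every group the delegate belongs to, transitively.
$chainFilter = "(member:1.2.840.113556.1.4.1941:=$($delegateGroup.DistinguishedName))"
$overlap = Get-ADGroup -Server $domain -LDAPFilter $chainFilter |
    Where-Object { $privileged -contains $_.Name }

if ($overlap) {
    Write-Warning ("Delegated RODC administrator is also a domain-level administrator via: " +
                   ($overlap.Name -join ', '))
} else {
    "OK: $delegate has administrative rights on $rodcName only."
}
```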