Why do we need a domain?

For many people who are just starting to learn Microsoft technologies, the domain is a topic that gives them a headache. The importance of domains is beyond doubt: most of Microsoft's heavyweight products need domain services to support them, and many companies explicitly require engineering candidates to be familiar with or proficient in Active Directory. To a beginner, though, domains look complicated, with a lot of technical terms such as Active Directory, site, group policy, replication topology, operations master roles, global catalog, and so on. Many beginners get lost in these technical details and never get a grasp of the whole picture. Starting today, we are launching a series of blog posts on Active Directory, which we hope will help those who are learning AD.

The first question for today is why we need the domain management model at all. As we all know, Microsoft computers can be managed under two models, domain and workgroup, and a computer belongs to a workgroup by default after the operating system is installed. Many books describe the characteristics of workgroups: for example, a workgroup is managed in a decentralized way and is suited to small networks. So the question to consider is why a workgroup is not suited to medium and large networks. Isn't it just a matter of managing each computer separately? Let's discuss this with an example.

Suppose there are two computers in a workgroup: a server, Florence, and a client, Perth. As we all know, the function of a server is to provide resources and allocate them. The resources a server provides take many forms: a shared folder, a shared printer, e-mail, a database, and so on. Florence now provides a simple shared folder as its service resource, and our task is to grant access to this shared folder to an employee of the company, Zhang Jianguo. Note that only Zhang Jianguo may access this folder! So how do we accomplish this task? The administrator's usual approach is to create a user account for Zhang Jianguo on the server; if a visitor can supply the user name and password of Zhang Jianguo's account, we accept that the visitor is Zhang Jianguo. Let's carry out this simple server-based approach in practice.

First, we create a user account for Zhang Jianguo on the server.

Then we assign permissions on the shared folder: we grant read access to the shared folder to the user Zhang Jianguo only.

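Next, on the client Perth, Zhang Jianguo gets ready to access the shared folder on the server. He tries to access the resource //Florence/人事档案 (Personnel Files), and the server issues an authentication request to the visitor; Zhang Jianguo enters his user name and password.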

Zhang Jianguo passes authentication successfully and reaches the target resource.
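The two server-side steps above (a local account on Florence, then read-only access to the share for that account alone), written as PowerShell. This is an added example, not part of the original post; the account name `zhangjianguo` and the folder path `C:\Shares\HR` are assumptions, and the script is meant for an elevated session on the server.

```powershell
# Added example: run in an elevated PowerShell session on the workgroup server Florence.
$account   = 'zhangjianguo'   # assumed local account name (not given in the article)
$folder    = 'C:\Shares\HR'   # assumed folder path (not given in the article)
$shareName = '人事档案'        # share name from the article's //Florence/人事档案
$identity  = "$env:COMPUTERNAME\$account"

# 1. Create the local account. It is stored only in this server's local
#    account database, so no other workgroup machine knows about it.
$password = Read-Host -Prompt "Password for $account" -AsSecureString
New-LocalUser -Name $account -FullName 'Zhang Jianguo' -Password $password | Out-Null

# 2. Create the folder and replace the inherited NTFS permissions, so that
#    only administrators, SYSTEM and this one account can reach the files.
New-Item -Path $folder -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited entries
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $identity;                Rights = 'ReadAndExecute' }
)
foreach ($entry in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, $none, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# 3. Publish the share. Naming the account in -ReadAccess makes it the only
#    entry in the share permissions; effective access is the intersection of
#    the share permissions and the NTFS permissions set above.
New-SmbShare -Name $shareName -Path $folder -ReadAccess $identity | Out-Null

# 4. Review both permission layers.
Get-SmbShareAccess -Name $shareName
(Get-Acl -Path $folder).Access | Select-Object IdentityReference, FileSystemRights
```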

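After seeing this example, many readers may think that the workgroup model solved the problem nicely: we achieved exactly the goal we set out to achieve! That's right, in this small network the workgroup model really shows no problems. But let's scale the problem up! Suppose the company has not one server but 500, which is roughly the size of a medium-sized company; now our trouble begins. If all 500 servers have resources to allocate to Zhang Jianguo, what are the consequences? Because a workgroup is managed in a decentralized way, every server has to create a user account for Zhang Jianguo! Zhang Jianguo then has the misery of remembering his user name and password on every server. The server administrators are no better off: every user account has to be created 500 times over! And what if the company has 1,000 people? It is hard to imagine the consequences of managing network resources this way, and the root of it all is the decentralized management of the workgroup! Now you can see why workgroups are not suited to large network environments: the loose management style of a workgroup runs counter to the efficiency a large network demands.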

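Since the workgroup does not meet the management requirements of a large network, we need to look at other management models. The domain model is designed for the management needs of large networks: a domain is a collection of computers that share user accounts, computer accounts, and security policies. From this basic definition we can see that the domain model was designed with the sharing of resources such as user accounts in mind, so as long as one computer in the domain has created a user account for an employee, the other computers can share that account. This neatly solves the problem of repeated account creation mentioned above. The computer in the domain that centrally stores user accounts is the domain controller, and user accounts, computer accounts, and security policies are stored on the domain controller in a database named Active Directory.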

The simple example above shows only the tip of the iceberg of what a domain can do; in fact, domains offer far more than this. Starting with the next post, we will introduce how to deploy and manage domains. We hope that, as you build up hands-on familiarity along the way, you will gain a deeper and more comprehensive understanding of domains and master Active Directory, an important piece of knowledge required of Microsoft engineers.


Origin www.cnblogs.com/chenshc/p/12293840.html