Shulou(Shulou.com)06/03 Report--

What is an AD domain

The real meaning of "domain" refers to the combination of computers in which the server controls whether computers on the network can join.

When it comes to combination, it is bound to be strictly controlled. Therefore, the implementation of strict management is very necessary for network security. In peer-to-peer mode, as long as any computer is connected to the network, other machines can access shared resources, such as shared Internet access. Although the shared file on the peer-to-peer network can be added with an access password, it is very easy to crack. The transmission of data is very unsafe. However, in "domain" mode, at least one server is responsible for the authentication of each computer and user connected to the network, which is equivalent to a unit's doorman, called a "domain controller".

The domain controller contains a database of information such as accounts, passwords, computers belonging to the domain, and so on. When a computer is connected to the network, the domain controller first needs to identify whether the computer belongs to the domain, whether the login account used by the user exists, and whether the password is correct. If one of the above information is incorrect, the domain controller will refuse the user to log in from this computer. Without login, the user cannot access the resources protected by permissions on the server, and he can only access the resources shared by Windows in the way of peer-to-peer users, which protects the resources on the network to a certain extent. In order to join a computer to a domain, it is far from enough to make it and the server "see" each other in the online neighborhood. it must be set up by the network administrator to join the domain. Only in this way can we achieve file sharing.

2. Why do you need AD domain

Microsoft management computers can use both domain and workgroup models, and by default the computer belongs to the workgroup after installing the operating system. We can see the description of the characteristics of the working group from many books, for example, the working group is decentralized, suitable for small networks, and so on.

Example:

Suppose there are now two computers in the workgroup, one is a server and the other is a client. As we all know, the function of the server is nothing more than providing and allocating resources. The resources provided by the server can be in many forms, such as shared folders, shared printers, e-mail boxes, databases, and so on. Now the server provides a simple shared folder as a service resource. Our task is to grant access to this shared folder to Zhang San, an employee in the company. Note that only Zhang San can access this folder! Then we have to consider how to achieve this task. in general, the administrator's idea is to create a user account for the user Zhang San on the server. if the visitor can answer the user name and password of the Zhang San account, we recognize that the visitor is Zhang San.

After watching this example, many friends may think that this problem has been solved very well in the working group mode, and we have successfully achieved the desired goal. Yes, it is true that there is nothing wrong with the workgroup model in this small network. But we need to expand the problem! Now suppose the company is not a server, but 500 servers, which is roughly the size of a medium-sized company, then our trouble comes. If there are resources to be allocated to Zhang San on these 500 servers, what will be the consequences? As the workgroup is characterized by decentralized management, it means that each server has to create a user account for Zhang San! Zhang San, a user, has to remember his user name and password on each server painfully. And the server administrator is not much better, each user account is re-created 500 times! What if there are 1000 people in the company? It is hard for us to imagine the consequences of managing network resources in this way, all of which are rooted in the decentralized management of the working group! Now you can see why the working group is not suitable to work in a large network environment. The sloppy management of the working group runs counter to the high efficiency required by the large network.

2.1. Centralized authority management and reduced management cost

In the domain environment, all network resources, including users, are maintained on the domain controller for centralized management. As long as all users log in to the domain, they can authenticate in the domain, managers can better manage computer resources, and the cost of managing the network is greatly reduced. Preventing employees from installing software at will on the client side can enhance client security, reduce client failures, and reduce maintenance costs. Through domain management, software and patches can be effectively distributed and assigned, which can be installed together in the network and ensure the unity of the software in the network. Restrict the Internet environment of employees and prohibit access to websites other than work.

2.2. Enhanced security performance and clearer permissions

It is beneficial to the management of some confidential information of the company, for example, a disk allows one person to read and write, but another person cannot read and write; which file is only for that person to read; or for some people to read, but not delete / change / move, and so on. The USB port of the client can be blocked to prevent the leakage of the company's confidential information. Security is fully integrated with active Directory.

Access controls can be defined not only on each object in the directory, but also on the properties of each object.

Active Directory provides the scope of storage and application of security policies.

Security policies can contain account information, such as domain-wide password restrictions or access to specific domain resources, and issuing and enforcing security policies through group policy settings.

2.3, account roaming and folder redirection

The working files and data of the personal account can be stored on the server for unified backup and management, and the user's data is more secure and secure. When the client fails, you only need to use another client to install the appropriate software to log in with the user account, and the user will find that his file is still in the "original location" (for example, my document) and is not lost. as a result, the fault can be fixed more quickly. When the server is offline (failure or otherwise), the offline folder technology automatically allows the user to continue to work with the local cached version of the file and synchronizes with the file on the server when logging out or logging in to the system, ensuring that the user's work will not be interrupted.

2.4. It is convenient for users to use all kinds of shared resources

The login script can be assigned by the administrator to map the distributed file system root directory and manage it uniformly. After logging in, the user can use the resources on the network just like using the local drive letter, and there is no need to enter the password again, and the user only needs to remember a pair of username / password. The access, read and modify permissions of various resources can be set, and different accounts can have different access rights. Even if the location of the resource changes, the user does not need to do anything, just need the administrator to change the link and set the relevant permissions, and the user will not even be aware of the change in the location of the resource. You have to remember which resources are on which server.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.