1. Workgroup

A workgroup is the simplest and most common resource management mode: computers are grouped according to their function so that they are easier to manage.

For example, a network may contain hundreds of thousands of computers; if they were not grouped and all appeared in “Network Neighborhood”, imagine the chaos.

To solve this problem, Windows 9X/NT/2000 introduced the concept of the “workgroup”. For example, a university might be divided into departments such as mathematics and Chinese; all the computers of the mathematics department are placed in the mathematics workgroup, all the computers of the Chinese department in the Chinese workgroup, and so on. To access resources in a particular department, find that department’s workgroup name in “Network Neighborhood” and double-click it to see the computers in that department.

All computers in a workgroup are equal; there is no distinction between managing and managed computers, which is why a workgroup network is also called a peer-to-peer network.

As a result, workgroups can be difficult for administrators to manage, and this is where the concept of a domain comes in.

2. Domain

Domain

A domain can be understood simply as an upgraded version of a workgroup: if a workgroup is a “free hotel”, a domain is a “star-rated hotel”. Members of a workgroup can come and go at will, whereas a domain is tightly controlled.

In “domain” mode, at least one server is responsible for authenticating every computer and user that connects to the network, like the gatekeeper of an organization. This server is called the domain controller.

Domain Controller

A domain controller (DC for short) holds a database of the accounts, passwords and computers that belong to the domain, along with other information.

When a computer connects to the network, the domain controller first checks whether the computer belongs to the domain, whether the login account the user supplied exists, and whether the password is correct. If any of these checks fails, the domain controller refuses the login from that computer, and a user who cannot log in cannot reach the protected resources on the server. In this way the resources on the network are protected to a certain extent.

Because the domain controller performs authentication, taking down the domain controller is critical from a penetration-testing standpoint: whoever controls the domain controller has access to the accounts and passwords of every computer in the domain.

To build a domain environment you must install Active Directory on a computer; once Active Directory is installed on a computer on the intranet, that computer becomes a domain controller. Besides domain controllers, a domain contains member servers, clients and standalone servers.

Parent domain and subdomain

As the name implies, a new domain created within an existing domain is called a subdomain. Figuratively, a department has its own domain; if the department has branches, each branch can be a subdomain and the department as a whole is the parent domain. Each domain has its own security policy.

Domain tree

A domain tree consists of multiple domains that share the same schema and configuration and form a contiguous namespace.

The domains in a tree are connected by trust relationships, and an Active Directory contains one or more domain trees. The deeper a domain sits in the tree, the lower its level, with each “.” representing one level. A domain such as child.Microsoft.com is lower than Microsoft.com because it has two levels while Microsoft.com has only one.

The domain Grandchild.Child.Microsoft.com is in turn lower than Child.Microsoft.com. They all belong to the same domain tree, and Child.Microsoft.com is a subdomain of Microsoft.com.

Multiple domain trees can form a domain forest.

Domain forest

A domain forest is composed of one or more domain trees that do not form a contiguous namespace. The most obvious difference between a forest and a tree is exactly this: the trees in a forest do not share a contiguous namespace, whereas a domain tree is made up of domains that do.

All domain trees in a forest nevertheless share the same schema, configuration and global catalog. The trees in a forest are linked by Kerberos trust relationships, so each tree knows about the others’ trusts and objects in one tree can be referenced from another. The forest root domain is the first domain created in the forest, and the root domain of every domain tree in the forest has a transitive trust relationship with the forest root domain.

For example, if benet.com.cn creates accp.com.cn as a member of the same forest, the two domains are in one domain forest.

When the first domain controller is created, the first domain (also known as the forest root domain) and the first forest are created.

Forests consist of one or more domains that share a common schema and global catalog; each domain has its own security policy and trust relationships with the other domains. An organization can have more than one forest.
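To make the tree/forest distinction concrete, here is an added example (my own code, not from the original post) that groups a constructed set of domain names into trees by contiguous namespace and walks the transitive trust chain between any two domains in the forest. The forest root microsoft.com and the other domain names are constructed for illustration.

```python
from collections import deque

def parent(domain):
    # DNS parent name, or None for a single-label name such as "com"
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None

def build_forest(domains, forest_root):
    """Group domains into trees (contiguous namespaces) and record direct trusts:
    parent<->child inside a tree, and every tree root<->the forest root domain."""
    forest_root = forest_root.lower()
    domains = {d.lower() for d in domains} | {forest_root}
    trust = {d: set() for d in domains}
    tree_root = {}
    for d in sorted(domains, key=lambda d: d.count(".")):  # each '.' is one level: parents first
        p = parent(d)
        while p and p not in domains:           # skip DNS names that are not AD domains
            p = parent(p)
        if p:                                   # same contiguous namespace: same tree
            tree_root[d] = tree_root[p]
        else:                                   # no parent in the forest: a new tree root
            tree_root[d] = d
            p = forest_root if d != forest_root else None
        if p:                                   # trusts are two-way and transitive
            trust[d].add(p)
            trust[p].add(d)
    return trust, tree_root

def trust_path(trust, src, dst):
    # Breadth-first search: shortest chain of trusts from src to dst, None if unreachable
    src, dst = src.lower(), dst.lower()
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(trust.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None

# Constructed forest: the page's microsoft.com tree plus two single-domain trees
FOREST = ["microsoft.com", "child.microsoft.com", "grandchild.child.microsoft.com",
          "benet.com.cn", "accp.com.cn"]
TRUST, TREE_ROOT = build_forest(FOREST, forest_root="microsoft.com")
```

benet.com.cn and accp.com.cn end up as separate trees of one forest, and a request from grandchild.child.microsoft.com to accp.com.cn has to climb to the forest root before crossing into the other tree.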

3. Active Directory

Active Directory (AD for short) is the centralized directory management service for large-scale network environments in Windows Server; it has been built into the Windows Server product line since Windows 2000 Server.

The directory contains information about various objects such as users, user groups, computers, domains, organizational units (OUs) and security policies. It is stored on domain controllers and can be accessed by network applications or services.

Active Directory is thus a directory of the various resources on the intranet, through which users can quickly locate those resources.

4. DMZ

DMZ is short for demilitarized zone. It was introduced to solve the problem that, once a firewall is installed, users on the external network can no longer reach the internal network’s servers; it does so by placing a buffer zone between the insecure system and the secure system.

The DMZ is a special network zone distinct from both the Internet and the intranet. It hosts public-facing servers that hold no confidential information, such as web, e-mail and FTP servers. Visitors from the Internet can only reach services in the DMZ and cannot reach information stored on the intranet, so even if a server in the DMZ is compromised, the information on the intranet is unaffected.

5. Various permissions within the domain

First of all, you need to understand the concept of a group. A group contains many users; when an administrator wants to assign rights to a user, he or she only needs to add the user to a group that already holds the corresponding rights, which makes management more efficient.

Domain local group

Member scope: all domains; Scope of use: its own domain

Global group

Member scope: its own domain; Scope of use: all domains

Universal group

Member scope: all domains; Scope of use: all domains

A-G-DL-P strategy

The A-G-DL-P policy adds user accounts to global groups, adds the global groups to domain local groups, and then assigns resource permissions to the domain local groups.

  • A indicates a user account
  • G indicates a global group
  • U indicates a universal group
  • DL indicates a domain local group
  • P indicates a resource permission
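The following added example (written for this edit, not part of the original post) models the three group scopes and the A-G-DL-P chain in Python: a global group rejects members from another domain, a domain local group can only be granted permissions on resources in its own domain, and a user’s effective permissions are resolved through A -> G -> DL -> P. The domains corp.example and branch.corp.example, the users and the group names are constructed.

```python
class Principal:
    def __init__(self, name, domain):
        self.name, self.domain = name, domain.lower()

class Group(Principal):
    # scope is "global", "domain_local" or "universal"; these two rules encode the table above
    MEMBERS_OWN_DOMAIN_ONLY = {"global"}        # G: members only from its own domain
    USABLE_OWN_DOMAIN_ONLY = {"domain_local"}   # DL: usable only in its own domain
    def __init__(self, name, domain, scope):
        super().__init__(name, domain)
        self.scope, self.members = scope, []
    def add_member(self, member):
        if self.scope in self.MEMBERS_OWN_DOMAIN_ONLY and member.domain != self.domain:
            raise ValueError(f"{self.name}: {self.scope} groups accept members of {self.domain} only")
        self.members.append(member)

class Resource:
    def __init__(self, name, domain):
        self.name, self.domain, self.acl = name, domain.lower(), {}
    def grant(self, group, *perms):
        # P: permissions go on a group, never on individual accounts
        if group.scope in Group.USABLE_OWN_DOMAIN_ONLY and group.domain != self.domain:
            raise ValueError(f"{group.name}: {group.scope} groups are usable in {group.domain} only")
        self.acl.setdefault(group, set()).update(perms)

def groups_of(principal, all_groups):
    # Transitive membership: A -> G -> DL (nested groups are followed)
    found, todo = [], [principal]
    while todo:
        p = todo.pop()
        for g in all_groups:
            if p in g.members and g not in found:
                found.append(g)
                todo.append(g)
    return found

def effective_permissions(user, resource, all_groups):
    return {perm for g in groups_of(user, all_groups) for perm in resource.acl.get(g, ())}

def demo():
    # Constructed two-domain example: corp.example and its child domain branch.corp.example
    alice, bob = Principal("alice", "corp.example"), Principal("bob", "branch.corp.example")
    g_hq, g_br = Group("G_Finance", "corp.example", "global"), Group("G_Finance", "branch.corp.example", "global")
    dl_read = Group("DL_FinanceShare_Read", "corp.example", "domain_local")
    g_hq.add_member(alice); g_br.add_member(bob)            # A -> G: each user in its own domain's G
    dl_read.add_member(g_hq); dl_read.add_member(g_br)     # G -> DL: a DL accepts groups from any domain
    share = Resource("FinanceShare", "corp.example")
    share.grant(dl_read, "read")                            # DL -> P: the DL is in the share's domain
    groups = [g_hq, g_br, dl_read]
    return effective_permissions(alice, share, groups), effective_permissions(bob, share, groups)
```

Both users end up with read access to the share even though bob lives in another domain, because his domain’s global group was nested into the domain local group that actually carries the permission.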


The original link: www.teamssix.com/year/210203…
