Security principal
Security principals include the following:
- Any entity that can be authenticated by the system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.
- Security groups of these accounts.
Every security principal is automatically assigned a security identifier (SID) when it is created.
http://technet.microsoft.com/en-us/library/cc780957(WS.10).aspx
Organizational units
http://technet.microsoft.com/en-us/library/cc758565(WS.10).aspx
Trusts
A trust is a relationship established between domains that enables users in one domain to be authenticated by a domain controller in the other domain. Trust 是域与域之间的关系,两个有trust关系的域允许在一个域中的用户被另一个域的DC所认证。
Communication between domains occurs through trusts. Trusts are authentication pipelines that must be present in order for users in one domain to access resources in another domain. 现在有如下几种Trust:
- Parent and child :
- Tree-root :
- External : provide access to resources located on a Windows NT 4.0 domain or a domain located in a separate forest that is not joined by a forest trust
- Realm : form a trust relationship between a non-Windows Kerberos realm and a Windows Server domain
- Forest : share resources between forests
- Shortcut : improve user logon times between two domains within a Windows Server forest
http://technet.microsoft.com/en-us/library/cc736874(WS.10).aspx
Groups
A group is a collection of user and computer accounts, contacts and other groups that can be managed as a single unit. Users and computers that belong to a particular group are referred to as group members.
Sites
Sites in Active Directory® represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology. You use Active Directory Sites and Services to define sites and site links. A site is a set of well-connected subnets. Sites differ from domains; sites represent the physical structure of your network, while domains represent the logical structure of your organization.
Sites help facilitate several activities within Active Directory, including:
- Replication. Active Directory balances the need for up-to-date directory information with the need for bandwidth optimization by replicating information within a site more frequently than between sites. You can also configure the relative cost of connectivity between sites to further optimize replication. For more information, see Replication between sites and Managing replication.
- Authentication. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first searches its local site for a domain controller to authenticate against. By establishing multiple sites, you can ensure that clients authenticate against domain controllers nearest to them, reducing authentication latency and keeping traffic off WAN connections.
- Active Directory-enabled services. Active Directory-enabled services can leverage site and subnet information to enable clients to locate the nearest server providers more easily. For information about services, see Services.
Schema
The Active Directory schema contains the definitions for all objects in the directory. Every new directory object you create is validated against the appropriate object definition in the schema before being written to the directory. The schema is made up of object classes and attributes. The base (or default) schema contains a rich set of object classes and attributes to meet the needs of most organizations, and is modeled after the International Standards Organization (ISO) X.500 standard for directory services. Because it is extensible, you can modify and add classes and attributes to the base schema. However, you should carefully consider each change you make, because extending the schema affects the entire network. For more information, see Extending the schema.
DNS integration
Active Directory is integrated with DNS in the following ways:
- Active Directory and Domain Name System (DNS) have the same hierarchical structure.
Although separate and implemented differently for different purposes, an organization's namespace for DNS and Active Directory have an identical structure. For example, microsoft.com is a DNS domain and an Active Directory domain. For more information, see Namespace planning for DNS. - DNS zones can be stored in Active Directory.
If you are using the Windows Server 2003 DNS Server service, primary zone files can be stored in Active Directory for replication to other Active Directory domain controllers. For more information, see Active Directory integration. - Active Directory uses DNS as a locator service, resolving Active Directory domain, site, and service names to an IP address.
To log on to an Active Directory domain, an Active Directory client queries their configured DNS server for the IP address of the LDAP service running on a domain controller for a specified domain. For more information about how Active Directory clients rely on DNS, see Locating a domain controller.
While Active Directory is integrated with DNS and shares the same namespace structure, it is important to distinguish the difference between them:
- DNS is a name resolution service.
DNS clients send DNS name queries to their configured DNS server. The DNS server receives the name query and either resolves the name query through locally stored files or consults another DNS server for resolution. DNS does not require Active Directory to function. - Active Directory is a directory service
Active Directory provides an information repository and services to make information available to users and applications. Active Directory clients send queries to domain controllers using the Lightweight Directory Access Protocol (LDAP). In order to locate a domain controller, an Active Directory client queries DNS. Active Directory requires DNS to function.
Kerberos
http://www.cnblogs.com/artech/archive/2007/07/05/807492.html