Working group and domain analysis of Intranet
2022-07-04 16:02:00 【Cloud guest technology】
1 Intranet Foundation
An intranet, or local area network (Local Area Network, LAN), is a group of computers formed by interconnecting multiple computers within a certain area; the networking range is usually within a few thousand meters. A LAN can provide file management, application software sharing, printer sharing, workgroup scheduling, e-mail and fax communication services, and so on. The intranet is closed: it can consist of two computers in an office or of a large number of computers in a company.
1.1 Basic knowledge of Intranet penetration
1.1.1 Working group
The concept of the **workgroup (Work Group)** was introduced to resolve the management confusion of a local area network made up of thousands of connected computers.
For example:
If there is a technology department and an administration department, to access the resources of a department you just click that workgroup's name on the network.

How to join a workgroup:

If the workgroup does not exist on the network, a new one is created (it takes effect after a restart). To leave a workgroup, just change the workgroup name.
Once this is done, others can access the shared resources.
A workgroup has no centralized management; all the computers in it are peers (there is no distinction between server and client).
1.1.2 Domain
Application scenario: changing the passwords of many computers in bulk.
A **domain (Domain)** is a collection of computers with a security boundary (a security boundary means that users in one domain cannot access resources in another domain). It can be seen as an upgraded workgroup: you must log in with a legitimate identity (permissions on resources can also be assigned to users).
A **domain controller (Domain Controller, DC)** is a computer in the domain that acts like a management server. When computers in the domain access each other, the access must be verified by the domain controller.
The domain controller holds a database of this domain's accounts, passwords, the computers belonging to the domain, and other such information.
A domain environment generally takes one of the following forms:
1. Single domain
Application scenario: generally used by small companies with a fixed geographical location.
A domain has at least two servers: one acting as the DC and another as a backup DC.
The Active Directory database (including users' account information) is stored on the DC. If there is no backup DC, once the DC goes down, other users in the domain cannot log in to the domain.
2. Parent domain and child domain
The first domain is called the parent domain, and the domain of each branch is called a child domain of that domain.
For example: branch offices establish child domains to exchange information internally.
3. Domain tree (Tree)
A domain tree is a collection of domains joined by trust relationships.

4. Domain forest (Forest)
A domain forest (Forest) is a set of multiple domain trees joined by trust relationships.

5. Domain name server
A domain name server (Domain Name Server, DNS) is a server that converts between a domain name (Domain Name) and its corresponding IP address (IP Address).
As the introduction to the domain tree shows, the names of domains in a domain tree are very similar to DNS domain names.
1.1.3 Active directory
Active Directory (AD) is the component that provides directory services in a domain environment.
In other words, it provides unified management.
It has the following functions:
1. Centralized account management
2. Centralized software management
3. Centralized management of the environment
4. Enhanced security
5. Greater reliability
Active Directory is the basic platform for unified management provided by Microsoft; ISA, Exchange, and SMS all rely on this platform.
1.1.5 Division of security domain
The purpose of dividing security domains is to place a group of computers with the same security level in the same network segment. When an attack occurs, the threat can be isolated as much as possible, which reduces the impact on computers in the domain.
The dotted box indicates a security domain (it is also the boundary of the internal network, generally divided into the DMZ and the Internet). Isolation is implemented through different ports of a hardware firewall.

The DMZ is called the isolation zone. It exists to solve the problem that the external network cannot access internal network servers once a firewall is installed.
Server facilities that must be exposed can be placed in the DMZ: Web servers, FTP servers, etc.
1.1.6 Classification of computers in the domain
1 Domain controller
Used to manage all network access, including logging in to servers and accessing shared directories and resources.
It stores all account and policy information in the domain, including security policies, user authentication information, and account information.
2 Member server
A computer that has a server operating system installed and has joined the domain, but does not have Active Directory installed.
It mainly provides network resources.
Types:
File server, application server, database server, Web server, mail server, firewall, remote access server, print server
3 Client
A computer in the domain that has another operating system installed.
It can log in to the domain with a domain account.
4 Standalone server
It has nothing to do with the domain: it neither joins the domain nor has Active Directory installed.
1.1.7 Interpretation of domain permissions
A group (Group) is a collection of user accounts. By assigning permissions to a group of users, you don't have to assign permissions to each user individually.
1 Domain local group
It is mainly used to grant access to resources in the local domain.
2 Global group
Used when users of a single domain access resources in multiple domains (the members must be users in the same domain). Users and global groups can be added only from the domain of this global group, and permissions can be assigned in any domain in the domain forest. Global groups can be nested in other groups.
3 Universal group
Members of a universal group come from the user accounts, security groups, and other universal groups of any domain in the domain forest. Permissions can be assigned in any domain in the domain forest, and the group can be nested in other groups, which makes it very suitable for cross-domain access in a domain forest.
Its membership is stored in the global catalog (GC).
4 A-G-DL-P strategy
Add user accounts to a global group, add the global group to a domain local group, then assign resource permissions to the domain local group.
A: User account (Account)
G: Global group (Global Group)
U: Universal group (Universal Group)
DL: Domain local group (Domain Local Group)
P: Resource permissions (Permission)
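The global-group membership rule and the A-G-DL-P strategy above can be checked mechanically when auditing a domain. The following Python code is an added example, not part of the original article: it models groups and a resource ACL, reports grants that bypass domain local groups, and expands nested membership to the accounts that actually receive access. All account, group, domain, and share names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    domain: str
    kind: str  # "user", "global", "universal" or "domain_local"
    members: list = field(default_factory=list)  # names of direct members

def nesting_violations(directory):
    """Global groups may hold only users and global groups of their own domain."""
    problems = []
    for g in directory.values():
        if g.kind != "global":
            continue  # universal groups take members from any domain in the forest
        for m in (directory[n] for n in g.members):
            if m.domain != g.domain or m.kind not in ("user", "global"):
                problems.append(f"{g.name}: {m.name} not allowed in a global group")
    return problems

def acl_violations(directory, acl):
    """A-G-DL-P: grant only to a domain local group of the resource's own domain."""
    problems = []
    for resource, res_domain, grantee in acl:
        p = directory[grantee]
        if p.kind != "domain_local" or p.domain != res_domain:
            problems.append(f"{resource}: granted directly to {p.kind} {p.name}")
    return problems

def effective_users(directory, name, seen=None):
    """Expand nested membership (DL <- G <- A) down to user accounts."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()  # already expanded; also stops circular nesting
    seen.add(name)
    p = directory[name]
    if p.kind == "user":
        return {p.name}
    return set().union(*(effective_users(directory, m, seen) for m in p.members))

# Constructed sample data (hypothetical names, not a real directory export).
DIRECTORY = {p.name: p for p in [
    Principal("alice", "corp.example", "user"),
    Principal("bob", "branch.corp.example", "user"),
    Principal("G_Tech", "corp.example", "global", ["alice", "bob"]),
    Principal("DL_TechShare_Read", "corp.example", "domain_local", ["G_Tech"]),
]}
ACL = [("tech-share", "corp.example", "DL_TechShare_Read"),
       ("admin-share", "corp.example", "alice")]
```

On this sample data the audit flags `bob` (an account from another domain placed in a global group) and the direct grant to `alice` on `admin-share`, while `effective_users` shows who actually reaches `tech-share` through the nesting.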