Domains provide a centralized method of administering groups of workstations and servers, thus simplifying the administrator's management tasks. But if an environment requires multiple domains, a user needing access to a broad range of resources would require a separate user account in each domain. This would also force the user to log on separately into each domain where the required resources existed. All of these additional user accounts would greatly add to the complexity of the administrator's job of maintaining appropriate user access and privileges. Windows NT Server has resolved this problem with "trust relationships."
Trust relationships are an administration and communications link between two domains. A trust relationship between two domains enables user accounts and global groups to be used in a domain other than the domain where these accounts are actually defined. Domains use established trust relationships to share account information and validate the rights and permissions of users and global groups residing in the trusted domain. Trusts therefore simplify administration by combining two or more domains into a single administrative unit.
The design of the trust relationships between domains should be planned before the deployment of Microsoft Windows NT Server to ensure that it is done correctly the first time. There are four domain models that can be implemented as is or modified to suit specific needs. The first is the single domain model; here, there is only one domain with no other domains and so no trust relationships. The size of such a domain should be kept relatively small, in hundreds of workstations, for example.
The next deployment strategy is called the master domain model. Here, a single domain is trusted by all other domains in the enterprise. Users and groups are created on the master domain and permissions are granted in the smaller domains. This strategy works best in an environment with a strong centralized security or operations group. It should, however, be limited to about 15,000 users and groups in the enterprise for performance and capacity reasons.
For more than 15,000 users, the multiple master domain model can be created. With this model, there are multiple master domains trusting each other. Departmental domains have a trusting relationship with each of the master domains.
The final strategy is the complete trust model. Here there are no centralized master domains, and each departmental domain has a two-way trust relationship with each of the other domains. This works well when no centralized authority exists in the enterprise. The number of relationships can grow very quickly, however—20 domains requires 380 trust relationships.
The correct strategy for your environment greatly depends on the number of computers and users, geographic layout of the computers, and the internal infrastructure available to support it. The key is to plan your strategy.