Windows NT Server Directory Services and the Windows NT Server multiple domain structure provide the capability and scalability to accommodate any organization. This capability is provided with the Windows NT Server product; no special add-on products are needed.
The three domain models — single domain, single master domain, and multiple master domain — combined with trust relationships, allow for the flexibility needed for different organizations. Specifically, you can accommodate:
In addition, expansion is easy. Offices can start out with separate domains and can link to each other later or can be added to existing domains.
There are many ways to implement your domain model. The following examples illustrate just some of the flexibility of domains.
Consider a corporation with fairly independent lines of business, perhaps a consulting business, a real estate business, and a retail sales business. Each division has its own marketing, sales, and data processing groups. However, at the center of the firm is a small group focused on functional services, such as accounting, finance, and human resources. For the most part, users in a division only need access to resources in that division (very much like a master domain scenario). However, there are instances, particularly in the central division, in which an employee will need access to resources in another division. This creates the need to link the master domains together.
Multiple Master Domain: Multiple Independent Lines of Business
A multiple master domain was selected over a single master domain model because of the lack of a data processing staff in the central division. The domain model, then, can be constructed to acknowledge the data processing autonomy of divisions as it exists.
This example is of a very large firm with approximately 100,000 employees in multiple locations. By using master domains, the number of users per master domain can go up to at least 26,000. To accommodate this scenario, the company can create a minimum of four master domains with approximately 25,000 user accounts and machine accounts each. If there are significantly fewer machine accounts, three master domains with a maximum of 40,000 user accounts each can be created.
Multiple Master Domain for a 100,000-User Organization
The domain a user is defined in could be based on any grouping or sequencing such as alphabetical, divisional, departmental, or physical location. Which domain a user is defined in is unimportant since a trust relationship exists between each resource domain and each of the master domains.
In a branch office scenario, a single domain or single master domain can be employed in most situations. Assuming that the branch office is linked to the PDC by means of a communications link or modem, a BDC would be the onsite server. The BDC handles local authentication as well as local file and print services. A second BDC can be added for fault tolerance.
Branch Office: A single domain provides connectivity; one on-site BDC per branch is required.
In the multiple master domain model, all master domains are linked to each other by trust relationships so that users in all domains can access resources in any domain. However, in many organizations some departments have confidential information, such as financial records or human resources files. In this case, most of the organization can be served by a single master domain. Finance and HR have their own domains. These domains are trusted by the master MIS domain, but they do not themselves trust any other domain. This means that Finance and HR users can access MIS resources, but the Finance and HR resources remain secure from users in other domains.
Secure Domains: Finance and HR domains can access resources in the rest of the organization, but other users cannot access their resources.
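The secure-domain layout above can be checked mechanically by treating each trust as a one-way (trusting, trusted) pair. The following is an added example, not part of the original documentation; the domain names MIS, FINANCE and HR come from the text, while SALES and all function names are hypothetical.

```python
# Constructed trust table for the secure-domain layout described above.
# Each pair is (trusting_domain, trusted_domain): accounts defined in the
# trusted domain can be granted access to resources in the trusting domain.
# SALES is a hypothetical resource domain added for illustration.
TRUSTS = {
    ("MIS", "FINANCE"),   # MIS trusts Finance
    ("MIS", "HR"),        # MIS trusts HR
    ("SALES", "MIS"),     # resource domain trusts the master domain
}
SECURE_DOMAINS = {"FINANCE", "HR"}


def reachable_resources(account_domain, trusts):
    """Domains whose resources an account from account_domain can be granted.

    Windows NT trusts are one-way and non-transitive, so only direct
    trusting -> trusted pairs count; no path following is done.
    """
    reachable = {account_domain}  # a domain always honours its own accounts
    reachable |= {trusting for trusting, trusted in trusts
                  if trusted == account_domain}
    return reachable


def isolation_violations(trusts, secure_domains):
    """Return trusts in which a secure domain trusts any other domain."""
    return sorted((trusting, trusted) for trusting, trusted in trusts
                  if trusting in secure_domains and trusting != trusted)


def access_matrix(trusts):
    """Map every domain's accounts to the resource domains they can reach."""
    domains = {d for pair in trusts for d in pair}
    return {d: sorted(reachable_resources(d, trusts)) for d in sorted(domains)}


if __name__ == "__main__":
    for domain, resources in access_matrix(TRUSTS).items():
        print(f"{domain:8} accounts -> resources in {', '.join(resources)}")
    print("violations:", isolation_violations(TRUSTS, SECURE_DOMAINS))
    # A misconfiguration: HR is made to trust MIS, exposing HR resources.
    bad = TRUSTS | {("HR", "MIS")}
    print("violations:", isolation_violations(bad, SECURE_DOMAINS))
```

Running the same check against an exported list of real trust relationships flags any trust that would let outside accounts be granted access to Finance or HR resources.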