Master user-account domains contain all user accounts for the worldwide domain structure. Master-account-domain names represent the users' geographic location, which helps in placing BDCs near the users they authenticate.
Figure 2.12 Microsoft worldwide domain model
The Microsoft network acknowledges two categories of administration. ITG is solely responsible for administration of some domains. Other domains are jointly administered by ITG and specific user groups, such as developers, sites, and others. Domain-administration permissions can be given to a group of users within their second-tier domain. ITG retains the option of allowing any of the departmental-server domains to have both their own domain administrators and ITG administration.
ITG provides master-account domains (first-tier), each of which is used by a specific set of sites. The name and size of these master-account domains are determined by geographic limitations, network topology, and the number of accounts to be supported. The PDCs for the Redmond, NorthAmerica, and SouthAmerica master-account domains are located in Redmond. The others are located near their constituent users, where local data centers provide administrator resources. A BDC for the master-account domain is located at each remote site, for authentication of accounts at that site.
The European master account domain PDCs are in England, with a BDC for each European master account domain at each respective site.
Worldwide, a BDC for the global master account domain is also located at each network hub site.
Microsoft maintains two domains that, for security, have restricted access to and from the other domains. The groups using these special domains are the Microsoft Human Resources group and vendors who do business with Microsoft.
The Human Resources department maintains a secure network because of the confidential nature of its information. The HR master domain is isolated from the other domains on the network and is separately wired, so that it is not physically connected to the other network.
Vendors use the servers in the second restricted domain as a drop-off point. Microsoft employees can access the domain through a one-way trust relationship, but vendors are restricted to the vendor domain.
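The two restricted domains above rely on the direction of NT trusts: a trusting domain accepts accounts from the domain it trusts, and trusts are not transitive. The following Python is an added example, not code from the original guide, that models that rule and checks a trust list against the stated policy (HR has no trusts at all; the vendor domain trusts the corporate master domains one way, and no corporate domain trusts the vendor domain). The domain names VENDOR and HR and the trust list itself are constructed for the example; the guide does not name those domains.

```python
"""Trust-direction model for the restricted domains in the Microsoft
worldwide domain model (added example; trust list is constructed)."""
from collections import defaultdict

# (trusting_domain, trusted_domain): the trusting domain accepts accounts
# from the trusted domain, so trusted-domain users can be granted access
# to trusting-domain resources. Constructed to match the text's description.
CONSTRUCTED_TRUSTS = [
    ("APPS-WORD", "REDMOND"),       # resource domain trusts its master account domain
    ("ITG-NETWORKS", "REDMOND"),
    ("USA-ATLANTA", "NORTHAMERICA"),
    ("VENDOR", "REDMOND"),          # one-way: employees reach the drop-off point
    # HR appears in no trust at all: it is isolated (and separately wired).
]

CORPORATE_DOMAINS = {"REDMOND", "NORTHAMERICA", "APPS-WORD", "ITG-NETWORKS", "USA-ATLANTA"}


def build_access_map(trusts):
    """Map each account domain to the set of resource domains its users can reach
    through a direct trust. NT trusts are one hop only (non-transitive), so no
    closure is computed."""
    reach = defaultdict(set)
    for trusting, trusted in trusts:
        reach[trusted].add(trusting)
    return reach


def can_access(trusts, account_domain, resource_domain):
    """True if accounts from account_domain may be granted access to resources
    in resource_domain: either the same domain, or resource_domain trusts it."""
    if account_domain == resource_domain:
        return True
    return resource_domain in build_access_map(trusts)[account_domain]


def policy_violations(trusts, corporate_domains, vendor_domain, hr_domain):
    """Return human-readable violations of the restricted-domain policy."""
    problems = []
    for trusting, trusted in trusts:
        if hr_domain in (trusting, trusted):
            problems.append(f"HR domain {hr_domain} must not take part in trust {trusting} -> {trusted}")
        if trusted == vendor_domain and trusting in corporate_domains:
            problems.append(f"vendor accounts would reach corporate domain {trusting}")
    return problems


if __name__ == "__main__":
    print("employee -> vendor drop-off:", can_access(CONSTRUCTED_TRUSTS, "REDMOND", "VENDOR"))
    print("vendor -> REDMOND:", can_access(CONSTRUCTED_TRUSTS, "VENDOR", "REDMOND"))
    print("violations:", policy_violations(CONSTRUCTED_TRUSTS, CORPORATE_DOMAINS, "VENDOR", "HR"))
```

Because the access map is built from direct trusts only, adding a second hop (for example a corporate domain that in turn trusts VENDOR) shows up as a policy violation rather than as silent transitive reach, which is the behaviour an NT administrator reviewing trust relationships would want flagged.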
On the Microsoft corporate network, TCP/IP is used by Windows NT Server to forward authentication requests between domain controllers across a WAN. Every server in the master account domain can process logon requests from the domain user accounts.
Every server in the corporate domain runs TCP/IP. Adding Dynamic Host Configuration Protocol (DHCP) to the Microsoft network has significantly reduced administrative overhead for WAN management because individual machine TCP/IP addresses are configured automatically by DHCP.
Microsoft devised a naming convention for the corporate-domain structure to provide a consistent, worldwide interface to its users. The naming convention for second-tier domains is based on geographic location (USA-Atlanta), business (ITG-Networks), or development group (Apps-Word).
The following table shows some of the current domains. The rule is to use {division}-{department}. Another factor in establishing the domain name is to encompass the largest practical group.
Site domains are determined by {country code}-{city name}. Every site is permitted one resource domain in the corporate domain model.
Table 2.11 Microsoft first-tier and second-tier domain names

| Master Account Domains (First-tier) | | | |
|---|---|---|---|
| REDMOND | FAREAST | NORTHERNEUROPE | SOUTHPACIFIC |
| AFRICA | MIDDLEEAST | SOUTHAMERICA | |
| CENTRALEUROPE | NORTHAMERICA | SOUTHERNEUROPE | |

| Departmental and Site Resource Domains (Second-tier) | | | |
|---|---|---|---|
| APPS-EXCEL | FRA-PARISEHQ | OPS-FACILITIES | SYS-BUSINESS |
| APPS-MULTIMEDIA | GER-BERLIN | OPS-MSPRESS | SYS-HARDWARE |
| APPS-POWERPOINT | GER-MUNICH | POL-WARSAW | SYS-MARKETING |
| APPS-WORD | ITG-APPS | PSS-BP | SYS-MSDOS-WIN |
| AT-RESEARCH | ITG-DEVELOPMENT | PSS-LP | SYS-WINNT |
| AUT-VIENNA | ITG-NETWORKS | PSS-RWG | USA-ATLANTA |
| FIN-ACCTSVRS | ITG-SQL | SWI-NYON | USA-DENVER |
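A naming convention is only useful if it is checked. The following Python is an added example, not code from the original guide, that classifies domain names against the convention described above ({division}-{department} for departmental domains, {country code}-{city name} for site domains, single geographic names for master account domains) and reports any name in an inventory that fits none of them. The set of master domains and divisions is taken from Table 2.11; the assumption that a country code is two or three uppercase letters is this example's, not a rule stated in the text, and the division check runs first so that AT-RESEARCH and FIN-ACCTSVRS are read as departments rather than as Austrian or Finnish sites.

```python
"""Classify NT domain names against the corporate naming convention
(added example; regex rules are this example's reading of the text)."""
import re

# First-tier master account domains, as listed in Table 2.11.
FIRST_TIER = {
    "REDMOND", "FAREAST", "NORTHERNEUROPE", "SOUTHPACIFIC", "AFRICA",
    "MIDDLEEAST", "SOUTHAMERICA", "CENTRALEUROPE", "NORTHAMERICA", "SOUTHERNEUROPE",
}
# Divisions that appear as the {division} prefix in Table 2.11.
DIVISIONS = {"APPS", "AT", "FIN", "ITG", "OPS", "PSS", "SYS"}

# {division}-{department}; the department part may itself contain hyphens (SYS-MSDOS-WIN).
DEPT_RE = re.compile(r"^([A-Z]+)-([A-Z0-9-]+)$")
# {country code}-{city name}; 2-3 letter country code is an assumption of this example.
SITE_RE = re.compile(r"^([A-Z]{2,3})-([A-Z]+)$")


def classify(name):
    """Return a tuple describing the tier a domain name belongs to:
    ('master', name), ('department', division, dept), ('site', cc, city)
    or ('unknown', name) when the name fits no rule of the convention."""
    n = name.upper()
    if n in FIRST_TIER:
        return ("master", n)
    m = DEPT_RE.match(n)
    if m and m.group(1) in DIVISIONS:
        return ("department", m.group(1), m.group(2))
    m = SITE_RE.match(n)
    if m:
        return ("site", m.group(1), m.group(2))
    return ("unknown", n)


def audit(names):
    """Group an inventory of domain names by tier. Names under 'unknown'
    deserve a closer look: they were not created under the convention."""
    report = {"master": [], "department": [], "site": [], "unknown": []}
    for name in names:
        report[classify(name)[0]].append(name.upper())
    return report


# Constructed inventory: every name from Table 2.11 plus two that break the rules.
TABLE_2_11 = [
    "REDMOND", "FAREAST", "NORTHERNEUROPE", "SOUTHPACIFIC", "AFRICA", "MIDDLEEAST",
    "SOUTHAMERICA", "CENTRALEUROPE", "NORTHAMERICA", "SOUTHERNEUROPE",
    "APPS-EXCEL", "FRA-PARISEHQ", "OPS-FACILITIES", "SYS-BUSINESS",
    "APPS-MULTIMEDIA", "GER-BERLIN", "OPS-MSPRESS", "SYS-HARDWARE",
    "APPS-POWERPOINT", "GER-MUNICH", "POL-WARSAW", "SYS-MARKETING",
    "APPS-WORD", "ITG-APPS", "PSS-BP", "SYS-MSDOS-WIN",
    "AT-RESEARCH", "ITG-DEVELOPMENT", "PSS-LP", "SYS-WINNT",
    "AUT-VIENNA", "ITG-NETWORKS", "PSS-RWG", "USA-ATLANTA",
    "FIN-ACCTSVRS", "ITG-SQL", "SWI-NYON", "USA-DENVER",
]
CONSTRUCTED_STRAYS = ["TESTLAB", "BOB_SERVER"]  # constructed names outside the convention

if __name__ == "__main__":
    for tier, members in audit(TABLE_2_11 + CONSTRUCTED_STRAYS).items():
        print(f"{tier:10} {len(members):2} {members if tier == 'unknown' else ''}")
```

Run as a script, the audit prints ten master domains, twenty departmental domains, eight site domains, and lists the two constructed stray names under unknown; feeding it a domain inventory exported from the real network would surface domains created outside the convention in the same way.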