Windows NT Server includes directory services that provide single network logon, single point of administration, and replication functions. These services simplify the management and use of a Windows NT Server-based network.
Windows NT Server Directory Services are based upon the configuration and use of Windows NT Server domains. Domains are logical groupings of multiple Windows NT Server-based computers that allow them to be managed and used as a single unit. They are the building blocks of Windows NT Server's Directory Services. Using domains, administrators create one user account for each user. That account includes user information, group memberships, and security policy information and is the central point of user administration. Users then log on once to the domain, not to the individual servers in the domain.
A domain model is a grouping of one or more domains, with administration and communications links between the domains (called trust relationships), arranged for the purpose of user and resource management.
Once logged on, users can access all the resources they have rights to access including files, directories, servers, applications, and printers. Windows NT Server Directory Services allow the administrator to maintain one user account for each user regardless of the number of servers in the distributed system. Users log on only once to gain access to all the different files, printers, and other network resources they need to use.
As the name implies, this configuration consists of one domain. There is one primary domain controller with potentially multiple backup domain controllers.
Single Domain Model
In a single domain network, network administrators can always administer all network servers, because the ability to administer servers is at the domain level.
The single domain model is an appropriate choice for organizations that require both centralized management of user accounts and the simplest domain model for ease of administration.
Windows NT Server domain models are extensible and flexible. The single domain model is the building block; trust relationships between domains allow network designers to implement the most appropriate design for their enterprise.
A trust relationship is an administration and communications link between two Windows NT Server domains. Domains use established trust relationships to share account information and validate the rights and permissions of users and global groups residing in the trusted domain. A user has only one user account in one domain yet can access all servers on the network.
Trust relationships are simple to initiate and administer with Windows NT Server User Manager for Domains. Windows NT Server domain models make use of trust relationships to facilitate:
A One-way Trust Relationship: Production trusts Sales. Sales can access resources and accounts in the Production domain.
The "trusting" domain allows the remote user accounts and global groups in the "trusted" domain to use the resources of the trusting domain. Consider, for example, giving your neighbor a house key: you are "trusting" of your neighbor; your neighbor is the "trusted" one.
In a two domain example, where one is an account domain and the other is a resource domain, the only way that a one-way trust relationship makes sense is that the account domain is the trusted domain, and its users can use the resources in the resource domain (which is the trusting domain).
A two-way trust is two one-way trusts; both domains trust each other equally. This allows users to log on from either domain to the domain that contains their account. Using this implementation, each domain can have both accounts and resources, and remote user accounts and global groups may be used from either domain to grant rights and permissions to resources in either domain. In other words, both domains are trusted domains.
Two-way Trust Relationships
Depending on the goals of a domain model, one-way and two-way trust relationships can be used.
A domain can make use of up to 128 incoming trust relationships and an unlimited number of outgoing trust relationships.
Trust relationships are easily established and maintained with the User Manager for Domains administrative tool. Trust relationships are not transitive. If Domain A trusts Domain B, and Domain B trusts Domain C, Domain A does not automatically trust Domain C. This is so that administrators can explicitly control access to each domain.
The single master domain model is comprised of several domains, one of which acts as the central administrative unit for user accounts. All user and machine accounts are defined in this "master" domain and all users log on to their accounts in the master domain. Resources, such as printers and file servers, are located in the other domains. Each resource domain establishes a one-way trust with the master (account) domain, enabling users with accounts in the master domain to use resources in all the other domains. The network administrator can manage the entire multi-domain network, as well as its users and resources, by managing only a single domain.
The master account domain is also referred to as a first-tier domain; resource domains are also referred to as second-tier domains.
Single Master Domain Model
The benefit of the single master domain model is in its flexibility of administration. For example, in a network requiring four domains, it might at first seem most obvious to create four separate user account databases, one for each domain. By putting all user accounts in a single database on one of the domains and then implementing one-way trust relationships between these domains, you can consolidate administration of user and machine accounts. You can also administer all resources or delegate these to local administrators. And users have only one logon name and one password to get access to resources in any of the domains.
This model balances the requirements for account security with the need for readily available resources on the network, because users are given permission to resources based on their master domain logon identity.
The single master domain model is particularly suited for:
With the multiple master domain model, there are two or more single master domains. Like the single master domain model, the master domains serve as account domains, with every user and machine account created and maintained on one of these master domains. A company's MIS groups can centrally manage these master domains. As with the single master domain model, the other domains on the network are called resource domains; they don't store or manage user accounts but do provide resources such as shared file servers and printers to the network.
In this model, every master domain is connected to every other master domain by a two-way trust relationship. Each resource domain trusts every master domain with a one-way trust relationship. The resource domains can trust other resource domains, but are not required to do so. Because every user account exists in one of the master domains, and since each resource domain trusts every master domain, every user account can be used on any of the master domains.
In this example, there is one machine account for each user account. Therefore, each master domain can contain as many as 26,000 user accounts. Users log on to the domain that contains their account. Each master domain contains one PDC and at least one BDC per 2000 user accounts to validate user logons and provide fault tolerance. The multiple master domain model incorporates all the features of a single master domain, and in addition accommodates: