Implementation

Because every user and global group account in the company exists in one of the master-account domains, and because all domains trust every master-account domain in the company, every user and global group account in the company is functional in all domains.

In all cases, ITG has full administrative permissions on all the domains in the model. All domain controllers can be backed up, restored, and updated with current builds and new system-configuration files.

There are some disadvantages to the multiple master-domain model. The most challenging issue is administration of individualized global groups. Managing global groups becomes impractical unless membership is based on a database against which it can be compared, so that a group is automatically updated when an individual no longer requires membership in that group. ITG provides global groups (based on department accounts) and updates membership (based on HR records). Other global groups are reviewed case by case.

Users are added to a master-account domain based on their current geographic location. If a user moves to a different site within Microsoft (such as from Redmond to Northern Europe), the user's account is removed from the old master-account domain and added to the appropriate new one. When the user account is recreated in another domain, the account SID changes, so account permissions must be reapplied.
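Permissions must be reapplied after such a move because access control lists store SIDs, not account names. As an added example (not ITG's tooling), the Python function below plans that re-application over a simplified ACL model and reports entries whose SID no longer resolves; the SIDs, server paths, migration record and function name are all constructed for illustration.

```python
# Added example: plan ACL re-application after an account is recreated in
# another master-account domain. All SIDs and paths are constructed.
OLD = "S-1-5-21-1111-1111-1111-1005"   # user's account before the move
NEW = "S-1-5-21-2222-2222-2222-2310"   # recreated account, new domain
BOB = "S-1-5-21-1111-1111-1111-1010"   # unaffected account
GONE = "S-1-5-21-1111-1111-1111-1099"  # SID with no surviving account

MOVED = {OLD: NEW}        # old SID -> new SID (assumed migration record)
LIVE_SIDS = {NEW, BOB}    # SIDs that still resolve to an account

# Simplified ACL model: resource -> list of (SID, set of rights).
ACLS = {
    r"\\SRV1\specs": [(OLD, {"read", "write"}), (BOB, {"read"})],
    r"\\SRV2\builds": [(OLD, {"read"}), (NEW, {"write"})],
    r"\\SRV3\archive": [(GONE, {"read"})],
}


def plan_reapply(acls, moved, live_sids):
    """Return (new_acls, changes, orphans) without touching the input."""
    new_acls, changes, orphans = {}, [], []
    for resource, aces in acls.items():
        merged = {}
        for sid, rights in aces:
            target = sid
            if sid in moved:
                # Entry names the deleted account: grant to the new SID.
                target = moved[sid]
                changes.append((resource, sid, target))
            elif sid not in live_sids:
                # Unresolvable SID: keep as is, but report for review.
                orphans.append((resource, sid))
            # Merge in case the new SID already has an entry here.
            merged.setdefault(target, set()).update(rights)
        new_acls[resource] = merged
    return new_acls, changes, orphans


if __name__ == "__main__":
    new_acls, changes, orphans = plan_reapply(ACLS, MOVED, LIVE_SIDS)
    for resource, old, new in changes:
        print(f"{resource}: reapply {old} -> {new}")
    for resource, sid in orphans:
        print(f"{resource}: orphaned entry {sid}")
```

Orphaned entries are left in place rather than dropped, so that a reviewer decides whether each one is a stale grant or an account missing from the migration record.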

Windows for Workgroups systems belong to a second-tier domain to ensure that they have full access to the domain model. They use their accounts in the master-account domain and use the second-tier domain as their workgroup. This allows access to domain servers that are using Windows NT security.

All Windows NT Server-based systems running RAS are located in a second-tier domain. Because there is a trust relationship between all domains in the corporate model, a user can dial into a RAS server anywhere in the model without additional administration.