Tutorial: Windows NT
Managing NT Domains
Once your user base exceeds 40,000, your system will be unable to exist in one domain and you'll face a choice of how to structure your domains. Until the forthcoming release of Microsoft's ADS the only viable alternative to NT domains is to use NDS for NT, which actually works rather well.
By Simon Pride
The word "domain" in Windows NT is used in a particular and specialised way. The term is more familiar than it used to be, as it is often used these days to refer to a particular location on the Internet. For instance, a commercial organisation called BigCorp might register and own the Internet domain bigcorp.com.

The use of "domain" in Windows NT administration in versions 4.0 and below has almost nothing to do with the meaning above, although in Windows 2000 (formerly Windows NT5) the two meanings are very closely related.

In NT4 and below it is instead used to refer to a collection of networked computers that share a common security database and security model. Security defines a domain; it has no other important attributes. For example, the range of TCP/IP addresses of computers in an NT domain is irrelevant, whereas in an Internet domain they are highly relevant.

In practice, when a user logs on to a networked NT computer they will usually be doing so in an NT domain. When the user presses the Secure Attention Sequence (Control-Alt-Delete) and enters their credentials, the dialog where they enter their user identifier and password will contain a third field, Logon From. This field will normally contain the name of the NT domain which the workstation belongs to.

When the user enters a user identifier and password, the information is sent (encrypted) over the network to a computer running Windows NT Server which is working as a Domain Controller. The Domain Controller validates the user credentials against its security database and, should the credentials be valid, allows the user to log on and use the computer and any authorised network resources in the domain.

A domain is therefore nothing more than a set of networked computers which look to one or more Domain Controllers to grant access to shared resources.

Within the domain, the security database (often called the SAM, for Security Accounts Manager, named after the Windows NT process which administers security) keeps track of which users and groups are permitted to do what with which resources in the domain. Every time a user wishes to use a resource, the user's permissions and rights (actually the contents of the user's Access Token, created at the time they last logged on) are compared with the resource's Access Control List as defined in the SAM on each Domain Controller. If the user has the correct permissions the operation proceeds; if not, it is refused.

Within the domain there is a separation of roles between the servers which maintain the domain, which might not be obvious to readers familiar with similar shared security environments such as Novell's NDS (NetWare Directory Services) or Sun's NIS+.

In a Windows NT domain, one single computer in the domain is designated the Primary Domain Controller (PDC), and is the ultimate authority for all security information in the domain. It is assisted by Backup Domain Controllers (BDC), which may or may not exist in the domain. The crucial distinction between a PDC and a BDC is that changes to the domain's security model can only be made on a PDC. This fact underlies much of the accepted practice in designing NT networks and will be referred to later in the section on domain planning.

The role of a BDC is to cache the security model disseminated by the PDC and to validate logons and resource usage requests when the BDC is logically "nearer" to the requestor than the PDC. Needless to say, PDCs replicate the current security model to BDCs on a regular basis, but unlike NetWare's NDS there is no bilateral replication as there is between servers holding replicas of the NDS tree. A BDC in NT is similar to a read-only replica of an NDS partition.

"At several points in the lifetime of an enterprise you may need to rename a domain, perhaps to fit in with a departmental name change arising from a split, merger or change of focus."
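The logon and access-check flow described in the body of the article, as an added example that is not from the original text or from Microsoft: a small Python model, constructed for this page, of a PDC holding the writable SAM, a BDC holding a read-only replica that is pushed one way from the PDC, a logon that yields an access token, and that token being compared with a resource's Access Control List. It goes slightly beyond the article in the ACE walk, which applies NT's rule that entries are evaluated in order and a matching deny refuses any requested right not yet granted. The access-mask bits, account names, group names and the SHA-256 stand-in for NT's own password hashing are all assumptions of the toy, not details from the article.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed access-mask bits for the toy; NT's real generic/specific masks differ.
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    """One access control entry: allow or deny `mask` to principal `sid`."""
    allow: bool
    sid: str
    mask: int


@dataclass
class Sam:
    """Toy SAM: account name -> (password hash, frozenset of group names)."""
    users: dict = field(default_factory=dict)
    serial: int = 0                      # bumps on every change made at the PDC


def _hash(password):
    # Stand-in for NT's own password hashing (constructed for the toy).
    return hashlib.sha256(password.encode()).hexdigest()


class DomainController:
    def __init__(self, name, is_pdc):
        self.name, self.is_pdc, self.sam = name, is_pdc, Sam()

    def add_user(self, name, password, groups):
        """Changes to the security model are only accepted on the PDC."""
        if not self.is_pdc:
            raise PermissionError(f"{self.name} is a BDC; its SAM is read-only")
        self.sam.users[name] = (_hash(password), frozenset(groups))
        self.sam.serial += 1

    def replicate_to(self, bdc):
        """One-way PDC -> BDC push of the current security model (no bilateral sync)."""
        if not self.is_pdc or bdc.is_pdc:
            raise ValueError("replication flows from the PDC to a BDC only")
        bdc.sam = Sam(dict(self.sam.users), self.sam.serial)

    def logon(self, name, password):
        """Validate credentials against this DC's SAM; return an access token or None."""
        entry = self.sam.users.get(name)
        if entry is None or entry[0] != _hash(password):
            return None
        return {"user": name, "groups": entry[1], "issued_by": self.name}


def access_check(token, acl, requested):
    """Walk the ACL in order: a matching deny on an outstanding right refuses
    access; matching allows accumulate until every requested right is granted."""
    principals = {token["user"]} | set(token["groups"])
    granted = 0
    for ace in acl:
        if ace.sid not in principals:
            continue
        outstanding = requested & ~granted
        if not ace.allow:
            if ace.mask & outstanding:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


def demo():
    """Constructed scenario: accounts, one-way replication and an ACL on a share."""
    pdc = DomainController("PDC1", is_pdc=True)
    bdc = DomainController("BDC1", is_pdc=False)
    pdc.add_user("alice", "s3cret", ["Domain Users", "Finance"])
    pdc.add_user("tom", "temp123", ["Domain Users", "Finance", "Finance Temps"])
    pdc.replicate_to(bdc)
    pdc.add_user("bob", "hunter2", ["Domain Users"])   # created after the last push

    payroll_acl = [                                      # deny ACEs are listed first
        Ace(allow=False, sid="Finance Temps", mask=WRITE),
        Ace(allow=True, sid="Finance", mask=READ | WRITE),
        Ace(allow=True, sid="Domain Users", mask=READ),
    ]
    alice = bdc.logon("alice", "s3cret")                 # validated at the nearer BDC
    tom = bdc.logon("tom", "temp123")
    results = {
        "alice_logon_at_bdc": alice is not None,
        "bad_password_rejected": bdc.logon("alice", "wrong") is None,
        "bob_unknown_at_bdc_before_replication": bdc.logon("bob", "hunter2") is None,
        "bob_known_at_pdc": pdc.logon("bob", "hunter2") is not None,
        "alice_read_write": access_check(alice, payroll_acl, READ | WRITE),
        "tom_read": access_check(tom, payroll_acl, READ),
        "tom_write": access_check(tom, payroll_acl, WRITE),
        "alice_delete": access_check(alice, payroll_acl, DELETE),
    }
    try:
        bdc.add_user("eve", "x", ["Domain Users"])
        results["bdc_write_rejected"] = False
    except PermissionError:
        results["bdc_write_rejected"] = True
    pdc.replicate_to(bdc)
    results["bob_known_at_bdc_after_replication"] = bdc.logon("bob", "hunter2") is not None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scenario shows the two points the article makes about controllers: an account created at the PDC is unknown at the BDC until the next one-way push, and an attempt to change the SAM at the BDC is refused outright. The deny entry for "Finance Temps" placed ahead of the allows is what stops tom writing even though he is also in "Finance".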
PC Network Advisor, Issue 109 (July/August 1999), page 3. File: T1712.1