Windows NT Domain Models

Posted by arlene

The single logon principle that is so important in Microsoft networking is extended across domains by trust relationships, which allow one domain to accept the user base of another. In a network that contains a large number of domains, however, it is important to decide on a model for establishing trust relationships so that they remain easy to manage for the particular needs of your environment. Although it would be very easy to create trust relationships among all domains in a large network, that is not the way it is usually done. Instead, four basic models are commonly used, each described in the sections that follow.

Deciding on which domain model to use depends on many factors, but the basic things to consider are the size of the network (in users) and the organization of the business, along with management and geographical factors.

The Single Domain Model

For a small organization that has a centralized management team for its network, a single domain might be sufficient. In this model, all the user accounts are created in a single domain, along with all the network resources, such as file and print services. There are no interdomain trust relationships to worry about because there is only one domain.

In this model there is only one PDC, but one or more BDCs are typically created for fault-tolerance purposes. If users are located at different sites geographically, you can use this model and put a BDC at each site to reduce network traffic associated with logons, allowing users to be validated by the local BDC. Having a BDC at each site also enables users to continue working if the network link between them and the site that has the PDC goes down.


The Master Domain Model

In a large enterprise it might be desirable to have one central database that contains all the user accounts, while maintaining other departmentalized databases that hold security information about resources in the network. In the master domain model one domain is designated to be the master domain, and all user accounts are created in this domain. Additional resource domains are then created, which do not have to contain any user accounts other than those used for the local administrators to manage resources. Because of the concept of trust relationships, you don’t even have to create accounts for these administrators in their own domains. By using global and local groups, it is possible to give a user account from the master domain the capability to administer another domain by placing that user account in a special Domain Admins user group.

In the resource domains, file and print shares are created and can be managed locally in the resource domain by the domain’s administrators. User accounts can be managed from a central location—by administrators in the master domain. In this model each resource domain has a one-way trust relationship with the master domain whereby it trusts the users in the master domain.

This type of domain model is ideal if you need a central place to manage user accounts but want to let local administrators take responsibility for managing resources in their area of the network. In a large company you might want the personnel or human resources department to be responsible for creating accounts for new employees and deleting accounts when users leave the company. The accounting department then can take charge of managing printers and other resources in their own domain, while those in charge of the warehouse can similarly be responsible for granting access to resources in their domain.

The Multiple Master Domain Model

The multiple master domain model is similar to the master domain model, but in this case there can be more than one master domain. Resource management is still decentralized by allowing resource domain administrators to control local resources, but instead of one master domain to hold all user accounts, there are several.

This model is the most scalable domain model because you can simply add another master domain when the existing master domains become highly populated, or when a new geographical area is brought into the company. In fact, if you have a large network that already has more than 40,000 user accounts and you want some degree of centralized user administration, the multiple master domain model is the best method to use. It provides for local administration of resources but also allows you to separate users into large administrative groups for management purposes.

In an enterprise that has a global network, this model can be used to allow large divisions of a company to control users located in their area. User account management is still centralized, but into several large groups that each division manages. If trust relationships are set up correctly, a user still needs only one logon to be granted access to resources that exist anywhere throughout a worldwide global network.

Another reason you might choose the multiple master domain model over the master domain model is to minimize network replication traffic. Remember that updates to the SAM are made to the database residing on the PDC, and are then sent to BDCs during the replication process. If you have a user base that experiences frequent changes, replication traffic on a global scale can consume valuable network bandwidth. By having several master domains, one for each location, you reduce the bandwidth consumption because replication occurs only within each domain.

The Complete Trust Model

This domain model provides for decentralized user account management and decentralized resource management. Each domain in the network has a two-way trust relationship with every other domain in the network. Administrators can still manage their own local resources but also can manage their own user database. This method requires good communication skills among domain administrators to make sure that users are properly granted access to the resources in other domains.

Although this model has the greatest chance of causing confusion when one is trying to troubleshoot logon or resource access problems, it can be a good method to choose under some circumstances. For example, in the highly competitive business environment of the past decade, in which growth is achieved by acquisition, this model can be used to quickly join networks when companies merge. This assumes, of course, that both business entities are using a Microsoft Windows NT network.
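To make the four models concrete, here is an added example (my own, not code from the original post) that represents each model as a graph of one-way trusts and answers the question an administrator or troubleshooter actually needs answered: can an account from domain X be validated by domain Y? It encodes the Windows NT rule that a trust is one-way and non-transitive, which is why every resource domain in the multiple master model must trust every master domain directly rather than relying on the masters trusting each other. The domain names (CORP, ACCT, WHSE, US, EU, A-D) are constructed for illustration.

```python
# Added example, not from the original post: the four NT domain models as
# graphs of one-way trusts, plus an access check that honours the NT rule
# that trusts are one-way and non-transitive. Domain names are constructed.
from itertools import combinations


class TrustMap:
    """A set of one-way trust relationships between NT domains."""

    def __init__(self, domains):
        self.domains = set(domains)
        # Each entry is (trusting_domain, trusted_domain): the trusting domain
        # accepts logons from accounts held in the trusted domain's SAM.
        self.trusts = set()

    def one_way(self, trusting, trusted):
        self.trusts.add((trusting, trusted))

    def two_way(self, a, b):
        self.one_way(a, b)
        self.one_way(b, a)

    def one_way_count(self):
        """Number of one-way trusts an administrator must create and maintain."""
        return len(self.trusts)

    def can_authenticate(self, account_domain, resource_domain):
        """True if an account from account_domain is accepted by resource_domain.

        Only a local account or a direct trust counts: NT does not chain
        trusts, so A trusting B and B trusting C does not let C's users into A.
        """
        if account_domain == resource_domain:
            return True
        return (resource_domain, account_domain) in self.trusts

    def reachable_from(self, account_domain):
        """Sorted list of domains whose resources this account domain can reach."""
        return sorted(d for d in self.domains
                      if self.can_authenticate(account_domain, d))


def single_domain(name):
    # One domain, one PDC (plus BDCs): nothing to trust.
    return TrustMap([name])


def master_domain(master, resource_domains):
    tm = TrustMap([master, *resource_domains])
    for res in resource_domains:
        tm.one_way(res, master)        # each resource domain trusts the master
    return tm


def multiple_master_domain(masters, resource_domains):
    tm = TrustMap([*masters, *resource_domains])
    for a, b in combinations(masters, 2):
        tm.two_way(a, b)               # master domains trust each other
    for res in resource_domains:
        for m in masters:
            tm.one_way(res, m)         # every resource domain trusts every master
    return tm


def complete_trust(domains):
    tm = TrustMap(domains)
    for a, b in combinations(domains, 2):
        tm.two_way(a, b)               # every pair of domains trusts both ways
    return tm


if __name__ == "__main__":
    models = {
        "single": single_domain("CORP"),
        "master": master_domain("CORP", ["ACCT", "WHSE"]),
        "multiple master": multiple_master_domain(["US", "EU"], ["ACCT", "WHSE"]),
        "complete trust": complete_trust(["A", "B", "C", "D"]),
    }
    for name, tm in models.items():
        print(f"{name:16s} one-way trusts to manage: {tm.one_way_count()}")
```

Building the maps shows the management cost the post alludes to: a master domain with r resource domains needs r one-way trusts, a multiple master layout with m masters and r resource domains needs m(m-1) + r*m, and the complete trust model with n domains needs n(n-1), which is why it is the hardest to troubleshoot. The non-transitivity rule is also the most common reason a logon that "should" work across a master's peer does not.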
