Domains, Trust Relationships, and Groups

Windows NT Server provides several ways to perform basic administrative tasks that can help simplify network administration. Although domains, trust relationships, and group functions can be useful tools for NT network administration, they can also be hard to understand and implement. To get you started, let's discuss the concepts underlying these tools. (For more information on these topics, see "Domains and Workgroups," Windows NT Magazine, April 1996.)

In Windows NT Server, domains let you centralize administration of accounts, resources, and security. Instead of each workstation managing its own accounts and resources, domain controllers let you have these administrative functions in one place. A domain can consist of a Primary Domain Controller (PDC), Backup Domain Controllers (BDCs), servers, and workstations.

A PDC is an NT server that stores administrative information for user accounts, server resources, and security in an accounts database. With the right password, administrators can manage this accounts database from anywhere on the network. To keep the accounts database from becoming a single point of failure, the PDC replicates its accounts database to other servers in the domain known as BDCs. The PDC authenticates users who log in to the domain. If the PDC fails, users can still log on through one of the BDCs.

Some servers in a domain are neither PDCs nor BDCs. They don't authenticate users to the network. Instead, they run large, complex applications, such as SQL Server or Remote Access Service (RAS), and provide file and print service.

Workstations are the last component of a domain. Typically, they belong to a local workgroup or they participate in the domain environment.

Trust Relationships
If you have more than one domain, you can centralize administrative tasks by forming a trust relationship among domains. Trust relationships (or trusts) link two or more domains into one administrative unit. One domain, called the trusted domain, controls accounts while another domain, called the trusting domain, accesses account information from the trusted domain. For example, Domain A and Domain B form a trust to function as one administrative unit. As long as Domain B trusts Domain A, users with accounts in Domain A can access resources in Domain B without requiring additional user accounts in Domain B.

Groups
An administrator can create a group, assign user accounts to that group, and then assign specific access and security rights for that group, instead of performing these assignments for each user account. For example, if the sales department needs to access a specific directory on an NT 3.51 server, the administrator can create a sales group and assign that group the proper access and security rights. Although you don't have to create and use groups, they can simplify an administrator's life, particularly in large, complex organizations.

The two types of groups NT allows are local and global. Local groups operate only within their original domain. Global groups go beyond their home domains and require trust relationships among domains to operate. When you create a global group, it's best to precede the group name with the word "domain" so you can easily spot global groups.

NT includes built-in groups for certain administrative and operational tasks on a network. Administrators can use such a built-in group to assign tasks to individuals without giving them complete administrator-level access to the system. For example, NT includes a built-in Server Operators group that can lock a server, override a server lock, back up and restore a server, or shut it down. However, that same group can't add user accounts; that function belongs to the Account Operators group.

Here's a list of NT Server's built-in local groups and some of their functions:

Administrators: Members of this group have the most rights. Users in this group can add, delete, or modify user accounts, local groups, and global groups; share resources; and install system files. Administrators need to be selective when adding members to this group.

Backup Operators: Members of this group can back up and restore files.

Server Operators: Members of this group can lock a server, override a server lock, back up and restore files, and shut down a server.

Account Operators: Members of this group can manage the server's group and user accounts. For example, they can add, delete, and modify user accounts and do the same for global and local groups. However, this group can't modify built-in operator accounts or the administrator account (this function is reserved for members of the Administrators group).

Print Operators: Members of this group can start and stop shared printer resources.

Users: Most network users are in this category. Members of this group can access resources through the network.

Guests: This group typically provides limited access to network visitors.

Replicator: Members of this group can replicate files on the network.

For a more detailed explanation of these groups, refer to Chapter 3 of Microsoft's Concept and Planning Guide, which you get with the NT 3.51 documentation set.

In addition to using these built-in groups, administrators can create groups. Because group membership determines most of a user's capabilities, creating new groups can greatly reduce the number of individual definitions and the amount of tweaking you need when you set up new user accounts.

NT automatically creates three built-in global groups: domain administrators, domain users, and domain guests. Global groups have the same rights as built-in local groups, except on a domain basis.

Let's look at an example of the power of global groups. Suppose you have several domains and you hire a person named Kate to back up all servers in all domains. You can go to each server in each domain and assign Kate's user account as a member of each Backup Operators local group. Then she has the proper rights to back up all the servers.

However, if you promote Kate and another individual takes on that task, you'd have to go back to each server, delete Kate's user account from the Backup Operators group, and then add the new user's account information.

Instead, you can create a global group called Domain Backup and assign Kate to that group. Then, for each local Backup Operators group, you assign the Domain Backup group as a member. When you need to change the user who has this task, you need to make that change only once in the global group.

Because the global group relies on the trusts among domains, you need to make sure you've set up the proper trusts. Use global groups carefully and cautiously and test them thoroughly before you add them to your network.
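The Kate scenario from the preceding paragraphs, as an added Python model that is not part of the article: it encodes the two rules the text describes (a global group nested in a server's local group only counts if the server's domain trusts the group's domain, and the global group is the single place to change the assignee). The domain names, server name, the successor "ravi", and the rights table are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    name: str
    global_groups: dict = field(default_factory=dict)  # global group name -> set of user names
    trusted: set = field(default_factory=set)  # names of domains this (trusting) domain trusts

@dataclass
class Server:
    name: str
    domain: Domain
    # local group name -> members: a user name, or ("DOMAIN", "Global Group") for a nested global group
    local_groups: dict = field(default_factory=dict)

# rights granted by the built-in local groups used in this example (constructed subset)
RIGHTS = {"Backup Operators": {"backup", "restore"},
          "Server Operators": {"lock", "shutdown", "backup", "restore"}}

def in_local_group(server, group, user_domain, user, domains):
    """True if user (an account in user_domain) is in the server's local group,
    either directly or through a global group that the server's domain trusts."""
    for member in server.local_groups.get(group, set()):
        if isinstance(member, tuple):
            gdom, gname = member
            # a global group from another domain counts only if this server's domain trusts it
            if gdom != server.domain.name and gdom not in server.domain.trusted:
                continue
            if gdom == user_domain and user in domains[gdom].global_groups.get(gname, set()):
                return True
        elif member == user and user_domain == server.domain.name:
            return True
    return False

def rights_on(server, user_domain, user, domains):
    """Effective rights of user@user_domain on server, derived from local-group membership."""
    return {r for g, rs in RIGHTS.items() if in_local_group(server, g, user_domain, user, domains) for r in rs}

def backup_handover(b_trusts_a=True):
    """The article's scenario: Kate backs up servers in Domain B via the Domain Backup global group."""
    a = Domain("A", global_groups={"Domain Backup": {"kate"}})
    b = Domain("B", trusted={"A"} if b_trusts_a else set())
    srv = Server("SRV-B1", b, local_groups={"Backup Operators": {("A", "Domain Backup")}})
    domains = {"A": a, "B": b}
    kate_before = rights_on(srv, "A", "kate", domains)
    a.global_groups["Domain Backup"] = {"ravi"}  # hand the task over: one change, in the global group only
    return kate_before, rights_on(srv, "A", "kate", domains), rights_on(srv, "A", "ravi", domains)
```

Running `backup_handover(b_trusts_a=False)` shows the caution above in action: with no trust from B to A, the nested global group grants nothing on the Domain B server.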

Domain Models
The NT environment supports four domain models: single domain, master domain, multiple-master domain, and complete trust domain. Most organizations use the single domain model. However, as more organizations connect their networks to the Internet, some separate their LAN and WAN into one domain and their Internet connections into another. See the sidebar, "Selecting the Domain Model for You," for a summary of domain models and why (or when) to select a particular domain model for your organization.

For a well-run NT Server network, understanding domains and the trust relationships they can support is essential. For more information on domains, trusts, and groups, see the Microsoft Windows NT Training: The Domain Environment video that ships with the Windows NT Server 3.51 training kit.
