Introducing Domains

General Information

NT Domains are not the same thing as Internet Domains. An NT domain is an organizational grouping containing NT resources and is established for the security of these resources. This can be contrasted with an Internet Domain, which is basically just a naming convention.

An NT domain gives administrators a single point to manage a large number of computer resources.

Computers running Microsoft Windows NT Workstation as their operating system can join an existing domain. Other clients running Windows 95, Windows for Workgroups, Windows 3.x, and MS-DOS also can participate in an existing domain.

Server Role

The servers that participate in Microsoft NT domains can be configured as domain controllers or as servers. The difference is that a domain controller has the capability to authenticate logons and can participate in other tasks that involve security, whereas a server is there purely to offer resources.

When implementing a domain structure with NT 4.0, one server must be configured as the primary domain controller (PDC). This server will be the central repository of administrative information. Other domain controllers, known as backup domain controllers (BDCs), also will handle logon authentication and replicate administrative information between themselves and the primary domain controller.

Microsoft Windows NT Server gives you three choices for the role of the server:

When you are creating a new Microsoft Windows NT Server network, the first server you install should be the primary domain controller. You cannot create a backup domain controller without already establishing a PDC. You can create a server without having a PDC, but this scenario will not establish a Windows NT domain.

Trust Relationships

A Microsoft Windows NT Server network can include multiple domains that may or may not have a relationship with each other.

To allow one domain to access resources on another domain, you must establish a trust relationship. Trust relationships also can allow for centralized administration of networks that go beyond a single domain.

A trust is a one-way relationship, although you can create two trusts so that two domains trust each other.

Trust relationships cannot be daisy-chained from one server to a second and then from the second to the third.
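The two rules above (trusts are one-way, and they do not chain) can be checked against a trust inventory. The following is an added example, not part of the original page. The domain names are constructed sample data, and each trust is written as (trusting domain, trusted domain), where the trusting domain holds the resources and the trusted domain holds the accounts.

```python
# Added example: models trusts as one-way and non-transitive.
# Domain names below are constructed sample data.

# Each trust is (trusting_domain, trusted_domain): accounts from the trusted
# domain can be granted access to resources in the trusting domain.
TRUSTS = {
    ("SALES", "CORP"),   # SALES trusts CORP
    ("CORP", "SALES"),   # CORP trusts SALES: with the line above, a two-way pair
    ("LAB", "SALES"),    # LAB trusts SALES (one-way only)
}

def can_access(account_domain, resource_domain, trusts):
    """True if accounts in account_domain can be granted access in resource_domain."""
    if account_domain == resource_domain:
        return True
    # Only a direct trust counts; a chain through a third domain is ignored.
    return (resource_domain, account_domain) in trusts

def two_way_pairs(trusts):
    """Domain pairs joined by two opposite one-way trusts."""
    return sorted({tuple(sorted(t)) for t in trusts if (t[1], t[0]) in trusts})

def assumed_transitive(trusts):
    """Chains 'A trusts B, B trusts C' that have no direct 'A trusts C' trust.

    Each result is (account_domain, resource_domain, via): access that a reader
    of the trust list might expect from the chain but that does not exist.
    """
    gaps = set()
    for trusting, middle in trusts:
        for mid2, trusted in trusts:
            if (mid2 == middle and trusted != trusting
                    and (trusting, trusted) not in trusts):
                gaps.add((trusted, trusting, middle))
    return sorted(gaps)

if __name__ == "__main__":
    print("two-way pairs:", two_way_pairs(TRUSTS))
    for acct, res, via in assumed_transitive(TRUSTS):
        print(f"{acct} accounts cannot be used in {res}: "
              f"the chain via {via} is not a trust")
```

Any pair reported by `assumed_transitive` needs its own explicit trust before accounts from the first domain can be granted access in the second.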

Domains Versus Workgroups

An alternative to defining a domain is using a function of Microsoft networking known as workgroups.

Any computer that is running the Microsoft networking client software, but is not defined as part of a domain, is automatically part of a workgroup. If you implement an NT server as a Stand-Alone Server, it is then part of a workgroup.

A workgroup can include one or more computers. Computers that do not participate in a domain, and are therefore part of a workgroup, are responsible for their own security and administration.

Workgroup computing is a good alternative for a small number of computers that do not want to utilize centralized administration, but do want to include a computer running Microsoft Windows NT Server because of some of the services that an NT server can offer, such as Dynamic Host Configuration Protocol (DHCP) or Remote Access Services (RAS).