Domains, Trust Relationships, and Groups

Windows NT Server provides several ways to perform basic administrativetasks that can help simplify network administration. Although domains, trustrelationships, and group functions can be useful tools for NT networkadministration, they can also be hard to understand and implement. To get youstarted, let's discuss the concepts underlying these tools. (For moreinformation on these topics, see "Domains and Workgroups," WindowsNT Magazine, April 1996.)

Domains
In Windows NT Server, domains let you centralize administration of accounts,resources, and security. Instead of each workstation managing its own accountsand resources, domain controllers let you have these administrative functions inone place. A domain can consist of a Primary Domain Controller (PDC), BackupDomain Controllers (BDCs), servers, and workstations.

A PDC is an NT server that stores administrative information for useraccounts, server resources, and security in an accounts database. With the rightpassword, administrators can manage this accounts database from anywhere on thenetwork. To keep the accounts database from becoming a single point of failure,the PDC replicates its accounts database to other servers in the domain known asBDCs. The PDC authenticates users who log in to the domain. If the PDC fails,users can still log on through one of the BDCs.

Some servers in a domain are neither PDCs or BDCs. They don't authenticateusers to the network. Instead, they run large, complex applications, such as SQLServer or Remote Access Service (RAS), and provide file and print service.

Workstations are the last component of a domain. Typically, they belong toa local workgroup or they participate in the domain environment.

Trust Relationships
If you have more than one domain, you can centralize administrative tasks byforming a trust relationship among domains. Trust relationships (or trusts) linktwo or more domains into one administrative unit. One domain, called the trusteddomain, controls accounts while another domain, called the trusting domain,accesses account information from the trusted domain. For example, Domain A andDomain B form a trust to function as one administrative unit. As long as DomainB trusts Domain A, users with accounts in Domain A can access resources inDomain B without requiring additional user accounts in Domain B.

Groups
An administrator can create a group, assign user accounts to that group, andthen assign specific access and security rights for that group, instead ofperforming these assignments for each user account. For example, if the salesdepartment needs to access a specific directory on an NT 3.51 server, theadministrator can create a sales group and assign that group the proper accessand security rights. Although you don't have to create and use groups, they cansimplify an administrator's life, particularly in large, complex organizations.

The two types of groups NT allows are local and global. Local groupsoperate only within their original domain. Global groups go beyond their homedomains and require trust relationships among domains to operate. When youcreate a global group, it's best to precede the group name with the word "domain"so you can easily spot global groups.

NT includes built-in groups for certain administrative and operationaltasks on a network. Administrators can use such a built-in group to assign tasksto individuals without giving them complete administrator-level access to thesystem. For example, NT includes a built-in Server Operator group that can locka server, override a server lock, back up a server, or shut down and restore aserver. However, that same group can't add user accounts; that function is builtinto the Account Operators group.

Here's a list of NT Server's built-in local groups and some of theirfunctions:

Administrators: Members of this group have the most rights. Users inthis group can add, delete, or modify user accounts, local groups, and globalgroups; share resources; and install system files. Administrators need to beselective when adding members to this group.

Backup Operators: Members of this group can back up and restorefiles.

Server Operators: Members of this group can lock a server, overridea server lock, back up and restore files, and shut down a server.

Account Operators: Members of this group can manage the server'sgroup and user accounts. For example, they can add, delete, and modify useraccounts and do the same for global and local groups. However, this group can'tmodify built-in operator accounts or the administrator account (this function isreserved for members of the administrator's group).

Print Operators: Members of this group can start and stop sharedprinter resources.

Users: Most network users are in this category. Members of thisgroup can access resources through the network.

Guests: This group typically provides limited access to networkvisitors.

Replicator: Members of this group can replicate files on thenetwork.

For a more detailed explanation of these groups, refer to Chapter 3 ofMicrosoft's Concept and Planning Guide, which you get with the NT 3.51documentation set.

In addition to using these built-in groups, administrators can creategroups. Because the group that users belong to will determine most users'capabilities, creating new groups can greatly reduce the number of individualdefinitions and the amount of tweaking you need when you set up new useraccounts.

NT automatically creates three built-in global groups: domainadministrators, domain users, and domain guests. Global groups have the samerights as built-in local groups, except on a domain basis.

Let's look at an example of the power of global groups. Suppose you haveseveral domains and you hire a person named Kate to back up all servers in alldomains. You can go to each server in each domain and assign Kate's user accountas a member of each Backup Operators local group. Then she has the proper rightsto back up all the servers.

However, if you promote Kate and another individual takes on that task,you'd have to go back to each server, delete Kate's user account from the BackupOperators group, and then add the new user's account information.

Instead, you can create a global group called Domain Backup and assign Kateto that group. Then, for each local Backup Operators group, you assign theDomain Backup group as a member. When you need to change the user who has thistask, you need to make that change only once in the global group.

Because the global group relies on the trusts among domains, you need tomake sure you've set up the proper trusts. Use global domains carefully andcautiously and test them thoroughly before you add them to your network.

Domain Models
The NT environment supports four domain models: single domain, masterdomain, multiple-master domain, and complete trust domain. Most organizationsuse the single domain model. However, as more organizations connect theirnetworks to the Internet, some separate their LAN and WAN into one domain andtheir Internet connections into another. See the sidebar, "Selecting theDomain Model for You," for a summary of domain models and why (or when) toselect a particular domain model for your organization.

For a well-run NT Server network, understanding domains and the trustrelationships they can support is essential. For more information on domains,trusts, and groups, see the Microsoft Windows NT Training: The DomainEnvironment video that ships with the Windows NT Server 3.51 training kit.