Domains and Workgroups

What's the Difference?

When I'm helping someone set up a new Windows NT network, one question Ihear often is: "What exactly is the difference between a workgroupand a domain?" To build a workgroup, you need only PCs running Windows forWorkgroups (WFW), Windows 95, Windows NT Workstation, or a combination. Incontrast, a domain requires that at least one machine run Windows NT Server. Youcan't get around it. (Back in the old days, you could use a LAN Manager server,but that's another story.)

I'm over-simplifying when I say this, but a domain is basically a workgroupwith an extra function--security--added. This definition implies something of anodd marriage, because the workgroup function and the security function aren'tthat closely related. A workgroup's main job is to keep a directory of availableservers on a network. A domain performs that function but adds a database ofsecurity information: Who's allowed to do what on the network. (Again, that's avery simplified explanation.)

Browse Masters
To understand what a workgroup does, consider what a user does whenever heor she logs on to your network. On my network, just about everybody connects toa share called public on a server named orion01. Let's assume for argument'ssake that all the users in my office agreed to map their P (P for public) driveto that share. The mapping command looks like this: netusep:\orion01public.That's a command-line command that you can insert into a login batch script, anAUTOEXEC.BAT file, or the like.

If you've been a network administrator for any time at all, you probablyknow that command, but stay with me for a minute while I pick the command apart.The netusep: says that you want to map P to something, and \orion01public iswhat you want. The name \orion01public is Microsoft's way of saying, "theshare named public on the server named orion01." That string is a UniversalNaming Convention (UNC) address.

The syntax of the command isn't that bizarre, but a real problem ariseswith the \orion01public name. How did I know that the server's name wasorion01, and how did I know what shares were available on it?

Back in 1985, Microsoft started selling its MS-NET product, the great-greatgrandmother of NT Server. Even then, networked PCs needed netusecommands, double backslashes and all. Again, the commands were--and are--crypticbut necessary: To get to a server, you had to know the server and sharenames. At the time, I said to a manager of the MS-NET group that the networkneeded a netscan command or something to make finding the names of servers andshares easy. He replied that this lack of a netscan command wasn't a shortcomingof the network, but rather a positive feature--how many times have we heard thatone? He claimed that this lack assisted in network security: If you don't knowwhat something's called, you probably don't have a right to access it. (Yeah,sure, it's a feature!)

Nowadays, however, you don't need to know server names and share names touse network resources. To find a network resource, you type netview if you're ata DOS workstation, click on Disk/Connect Network Drive... from an NT Workstationor WFW workstation, or open up the Network Neighborhood from a Windows 95workstation. No matter how you do it, you'll see a list of available servers andshares. Where that list comes from explains workgroups.

Microsoft needed some way for a user to quickly get a list of the serverson the network and their shares, something to automatically take a census of theservers and shares. This is clearly a computable kind of problem. Microsoft'sanswer was a kind of name server, or directory server, that the company calls amaster browser, or browse master. (Microsoft uses both terms in its literature.)

Every time a server comes up, it announces itself to a particular machinedesignated as the browse master for the network. (Selecting the browse master isan automatic process.) The browse master keeps a list--the browse list--ofall the servers it's heard from and provides that list to any workstation thatasks for it. Think of the browse master as a client/server tool: It runs theBrowser service, which is the server application, and the workstations runnetview, Network Neighborhood, or whatever, which are the client applications.

Thus, Microsoft networks can easily provide a list of available servers.But just providing a list of active servers wouldn't be of value toorganizations of any appreciable size. Why? Because virtually every WFW, Windows95, and NT Workstation is a server in the sense that it can share data over thenetwork. So every one of those workstations would end up on the browse list. Inother words, sheer size would soon make the browse list for a large companyunmanageable, difficult to browse, and slow to retrieve. That's where workgroupscome in.

A workgroup is a subset of your company's servers, a way to present asmaller number of servers to a workstation. So, for example, salespeople mightbe part of a workgroup called SALES. If they request a browse list, they getonly the servers that are part of the SALES workgroup. Note, however, that it isthe salesperson's PC that is a member of the SALES workgroup. Workgroups have nonotion of a user account, so your machine receives the browse list for theworkgroup it belongs to. The list doesn't care who you are or whatgroups you belong to.

You don't really have to do anything special to create a workgroup. Justput a server in a workgroup, and the workgroup exists. The workgroup will selectits browse master automatically. Then any workstation or server that you putinto the workgroup will get--and perhaps contribute to--the browse list for thatworkgroup.

Domains and PDCs
NT networks expand on the notion of a workgroup by adding security. Groupsof servers recognize a set of users because those users have user accounts. Theaccounts are really just a simple database containing a user's name, password,what groups the user belongs to, what shares he or she is allowed to access, andthe like.

The database resides on an NT server machine. Again, it must be aserver; a workstation can't do this. Just as a master browser heads up aworkgroup, a domain has a boss, a database-holding machine that heads a domainand is called a Primary Domain Controller (PDC). Other NT Servers andWorkstations can choose to join the domain. If they do, the PDC willcreate accounts for them, too, increasing its database to include both machinesand people.

The machine accounts not only include machine names, but also shareinformation--the shares that each machine offers on the network. When anyworkstation attempts to access a share on any server in the domain, the serverwill stop and check with the PDC first before releasing any data. In effect, theserver says, "Hey, PDC, do you know this guy who's requesting my data? Isit safe to give it to him?" Because the PDC holds the database ofpermissions, it can then give the yea or nay to the access request. If thesimple workgroup function provides server and share names, making it a nameserver, the domain function adds a central machine as clearinghouse for securityinformation, making it a security server.

In a few places, this situation becomes confusing. First, logging on toa domain is different from joining a domain. Users log on to domainsfrom any kind of workstation. They can explicitly log on to a domain, in whichcase, their login script runs. Or they implicitly log on to a domain the firsttime they try to access a resource whose access the domain controls. Either way,the PDC checks them out before they get to any domain resources.

Second, only machines may join a domain, and only NT machines--NTWorkstations and NT Servers--at that. By joining a domain, a machine says to itsPDC, "I'll let you determine whether particular users can access my sharedresources." But every domain is also a workgroup, and domain controllersalso act as browse masters.

This situation leads to another source of confusion. A browse master keepsa list of every kind of server, including the Windows 95 and WFW machines thataren't members of the domain but are members of the workgroup. Sosuppose you have a domain named FOLKS. All the NT machines have joined the FOLKSdomain, and the Windows 95 and WFW machines are part of the workgroup namedFOLKS. (Remember, because Windows 95 and WFW don't know what a domain is, theysee FOLKS as a workgroup, even though an NT domain controller is the browsemaster.) The PDC of FOLKS keeps track of the names of all the servers whoseworkgroup name is FOLKS but acts only as a security guard for the NT machines inthe domain named FOLKS.

Separate Functions
Personally, I wish Microsoft had kept the name-service function separatefrom the security-service function. But since it didn't, you need to understandthe difference between workgroups and domains. Maybe Microsoft will separate thetwo in Cairo. Maybe? I can hope.