As we have established, traditional peer-to-peer networks are not appropriate for more than a small number (perhaps 10) of hosts. In addition, it is mandatory in a business environment to maintain centralized control of the network: imagine how annoyed corporate users would become if they had to spend an hour a day typing different usernames and passwords just to do their job. To address this, the domain design was created. When the term domain is used, most people automatically think of Microsoft Windows Networking domains, discussed in this section. Windows domains should not be confused with DNS domains, which will be covered shortly. Microsoft were also not the inventors of the domain principle: UNIX has employed Kerberos realms for many years to achieve the same result.
To resolve the issue of centralized control in peer-to-peer networks, Microsoft created the Windows Domain model. To create a domain, a minimum of one machine running one of Microsoft's server operating systems configured as a domain controller is required. A domain controller is responsible for the centralized management of security and access control within a Windows network. The exact detail of how this operates differs massively between Windows NT and Windows 2000/2003 [207]. Under Windows NT, one server would be designated the Primary Domain Controller, or PDC. This machine would be solely responsible for maintaining and updating the security database (user account details) for the domain it controlled. Other domain controllers could be deployed in a mode known as Backup Domain Controller, or BDC. Servers in this mode are allowed to authenticate users, but are not allowed to make modifications to the security database. This meant that whilst a domain could be made resilient to the loss of the PDC (in other words, still able to provide user authentication services), there would be a period during which no updates to the domain security database could be made.
In contrast, Windows 2000 and 2003 employ a multimaster configuration for domains. This model has removed the distinction between a PDC and a BDC, as all domain controllers, now simply called DCs, can read and write to the domain security database at any time. It is now possible to lose one domain controller from the domain without affecting normal operations, providing your capacity planning has been done correctly!
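The difference between the two designs is easiest to see by modelling what happens when a domain controller is lost. The following toy model is an added illustration, not code from CertiGuide or from Windows itself; the hostnames (PDC1, BDC1, DC1, ...) and the user name are made up.

```python
# Added illustration of the NT single-master and 2000/2003 multimaster models.
# Hostnames and the user "alice" are constructed for the example.

class DomainController:
    def __init__(self, name, writable):
        self.name = name
        self.writable = writable   # NT: only the PDC; 2000/2003: every DC
        self.online = True


class Domain:
    """Routes logon (read) and account-update (write) requests to the DCs."""

    def __init__(self, controllers):
        self.controllers = controllers

    def _available(self, need_write):
        return [dc for dc in self.controllers
                if dc.online and (dc.writable or not need_write)]

    def authenticate(self, user):
        # Any online DC holds a copy of the security database and can answer a logon.
        dcs = self._available(need_write=False)
        return dcs[0].name if dcs else None

    def update_account(self, user):
        # Needs a DC that is allowed to modify the security database.
        dcs = self._available(need_write=True)
        return dcs[0].name if dcs else None


def nt_domain():
    # Windows NT: one PDC owns the writable copy; BDCs are read-only replicas.
    return Domain([DomainController("PDC1", writable=True),
                   DomainController("BDC1", writable=False),
                   DomainController("BDC2", writable=False)])


def multimaster_domain():
    # Windows 2000/2003: every DC can read and write the security database.
    return Domain([DomainController("DC1", writable=True),
                   DomainController("DC2", writable=True),
                   DomainController("DC3", writable=True)])


def lose_first_dc(domain):
    """Take the first DC offline (the PDC in the NT model) and report what still works."""
    domain.controllers[0].online = False
    return {"authenticate": domain.authenticate("alice"),
            "update_account": domain.update_account("alice")}
```

With the NT layout, losing PDC1 leaves logons working through a BDC but no DC able to accept an account change; with the multimaster layout, both logons and changes continue on the surviving DCs.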
The benefit of a Windows domain is immediately apparent to anyone who has used one. Instead of requiring multiple usernames and passwords for different resources, as in a peer-to-peer configuration, a single username and password is all that is required to gain access to every service available. A domain can be thought of as a security boundary, as everything within it can be centrally controlled and accessed with one set of credentials [4].
207. There are many differences between the operational modes of Windows NT and Windows 2000/2003; however, these are beyond the scope of this book and the CompTIA objectives.
CertiGuide to A+ (A+ 4 Real) (http://www.CertiGuide.com/apfr/) on CertiGuide.com
Version 1.0 - Version Date: March 29, 2005
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.