MS Domain Models

By Joshua Erdman
Digital Foundation, inc.

Microsoft's domain models have come a long way. They follow the usual Microsoft pattern: simple at first, then complex and flexible, then simplified again.

Let's first get a few definitions:

Domain - "A container object in which computers and users are members, making security access universal to all objects within the domain." In other words, a single domain account's security identity is recognized on all the computers and resources within the domain.  This does not necessarily mean the account has access to those resources; that still requires the correct permissions to be applied.

Schema - "The template of attributes of an object."  For example, a user account's schema could be made up of username, password, department, and e-mail address.

Microsoft NT Domain

The original Microsoft domain was simple and straightforward. These domains contained only user accounts and computers, and the schema for these two objects was fixed.  As a matter of fact, the word schema was not even used.  The computer and user objects had few description fields, and there was no way to filter users and computers. Group membership was limited to the domain itself; groups could not span other trusted domains universally.

Domain Controllers (DCs) kept all the account and computer membership information and replicated periodically between each other.  For companies with remote offices it made sense to locate a domain controller at each site.  Unfortunately there was no way to specify when DCs could replicate, and a typical remote office's connection to the main office was slow to begin with.

Another problem was name resolution for each computer.  Recall that computers communicate using addresses, not computer names, so there must be a method to resolve a computer name to its address (similar to a phone book).  Microsoft's implementation was WINS (Windows Internet Name Service).  This was poorly implemented and really had nothing to do with the Internet at all.  The typical company now had to manage two separate name services: WINS servers so the computers could communicate throughout the domain, and DNS for Internet access.

Microsoft Active Directory

Then came Microsoft Active Directory in Windows 2000 Server.  It was first introduced with a lot of hype and very little factual information about what Active Directory actually was.  Only once I got the chance to build a test environment (and read several books) did the full flexibility and capability of Active Directory become clear to me. It is by far a superior method of managing and administering objects, despite its added complexity.

Active Directory uses a real schema for each object.  This allows attributes to be appended to the template of each object as the network and its capabilities grow.  For example, when an Exchange 2000 Server is added to a domain, the user schema is extended with attributes for mailbox size restrictions and assigned e-mail addresses.
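The schema extension just described can be verified directly against the schema partition. The following is an added example, not code from the article; it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined machine, and the Exchange attribute names it checks (mDBStorageQuota, mDBOverQuotaLimit) are only present if the Exchange schema extension has been applied to that forest.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module
# is installed and the session can reach a domain controller.
Import-Module ActiveDirectory

function Test-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # Every attribute definition is stored as an attributeSchema object
    # in the schema partition, keyed by its lDAPDisplayName.
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties attributeID, attributeSyntax, isSingleValued
    if ($null -eq $attr) { return $null }
    [pscustomobject]@{
        Name        = $LdapDisplayName
        OID         = $attr.attributeID
        Syntax      = $attr.attributeSyntax
        SingleValue = $attr.isSingleValued
    }
}

# Forest schema version from objectVersion on the schema head:
# 13 = Windows 2000, 30 = Windows Server 2003.
$schemaHead = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
"Schema objectVersion: $($schemaHead.objectVersion)"

# Attributes that the Exchange schema extension adds for mailbox quotas.
"mDBStorageQuota", "mDBOverQuotaLimit" | ForEach-Object {
    $result = Test-SchemaAttribute -LdapDisplayName $_
    if ($result) { $result } else { "$_ : not in schema (extension not applied)" }
}
```

Because schema changes are forest-wide and irreversible, a check like this before and after a product install is the cheapest way to confirm exactly which attributes were added.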

AD allows more flexibility and granularity in applying policies to users and computers via Group Policy.  Departments can be declared, making it much easier to prevent users from logging on to other departments' computers.  Administration is also easier in that a department administrator can be declared who can create users and add computers to the domain within their department without having administrative access to the whole domain.

A geographical topology can be created within Active Directory as well. This lets administrators create a 'site' for each remote office and declare AD replication schedules and bandwidth costs for the links between sites.
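This is the fix for the NT-era problem of DCs replicating over a slow WAN link whenever they pleased. The following added example (not the article's code) builds that site topology with the ActiveDirectory PowerShell module; the site name, subnet, cost, interval and the 18:00-06:00 replication window are made-up values for illustration, and Default-First-Site-Name is assumed to be the existing HQ site.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module
# and Enterprise Admin rights; names and numbers below are illustrative.
Import-Module ActiveDirectory

# A site for the remote office, plus the subnet that maps its clients to it
New-ADReplicationSite -Name "Branch-Office"
New-ADReplicationSubnet -Name "10.20.0.0/16" -Site "Branch-Office"

# Link the branch to HQ over the slow WAN: high cost so the KCC prefers
# other paths if any exist, and replicate at most every 3 hours.
$link = New-ADReplicationSiteLink -Name "HQ-Branch" `
    -SitesIncluded "Default-First-Site-Name", "Branch-Office" `
    -Cost 200 -ReplicationFrequencyInMinutes 180 `
    -InterSiteTransportProtocol IP -PassThru

# Build a schedule that only allows replication outside business hours.
# RawSchedule is a bool[day 0-6, hour 0-23, 15-minute slot 0-3].
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$raw = New-Object 'bool[,,]' 7, 24, 4
for ($day = 0; $day -lt 7; $day++) {
    for ($hour = 0; $hour -lt 24; $hour++) {
        $allowed = ($hour -ge 18) -or ($hour -lt 6)   # 18:00 through 05:59
        for ($slot = 0; $slot -lt 4; $slot++) { $raw[$day, $hour, $slot] = $allowed }
    }
}
$schedule.RawSchedule = $raw
Set-ADReplicationSiteLink -Identity $link -ReplicationSchedule $schedule

# Verify what the directory actually holds for every site link
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Without the subnet mapping, branch clients are not associated with the new site and will authenticate against whichever DC they find first, so the verification step is worth keeping.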

Finally, it did away with the reliance on WINS: Windows 2000 Professional and Windows XP Professional clients use DNS instead when participating in an Active Directory network.

AD Changes in Windows 2003

Windows 2003 adds new tools that make it easier to manage directory replication across multiple sites and Group Policy.  It also changes several default settings to enhance security and includes all the security fixes discovered in Windows 2000 during the Microsoft Security Initiative.

References:
For those of you who read this article, here is a sneak peek at my next article: Windows 2000/2003 Server. It goes over all the features and benefits and is the opening to a series of very technical articles to help us administer Active Directory networks.

Article last reviewed: 12/30/2005

Copyright © 2002-2005 Digital Foundation, inc.   www.networkclue.com