MS Domain Models
By Joshua Erdman
Microsoft's domain models have come a long way, and they follow the usual Microsoft pattern: a simple design first, then a far more flexible and complex one, and then a round of re-simplification.
Let's first get a few definitions:
Domain - "A container object of which computers and users are members, making security access universal to all objects within the domain." In other words, a single domain account is recognized by every computer and resource in the domain: one account, one password, one place to disable it. That does not by itself grant the account access to those resources; the correct permissions still have to be applied on each one.
Schema - "The template of attributes for an object." For example, a user account's schema could consist of attributes such as username, password, department and e-mail address.
Microsoft NT Domain
The original Microsoft domain, the Windows NT domain, was simple and straightforward. It held user accounts, computer accounts and groups, and the set of attributes for each of these was fixed; the word schema was not even used. User and computer objects carried only a handful of description fields, and there was no practical way to filter or search users and computers by attribute. Groups were bound to their own domain: a global group could only contain accounts from the domain it was created in and had to be placed into a local group in every trusting domain where it was needed, so nothing like the later universal group existed.
Domain Controllers (DCs) kept all the account and computer information. One Primary Domain Controller (PDC) held the only writable copy of the account database and pushed changes out to the Backup Domain Controllers (BDCs) periodically. It made sense to put a DC in each site for companies with remote offices. Unfortunately NT had no notion of sites, so there was no way to tell DCs when they were allowed to replicate, and a typical remote office's connection to the main office was slow to begin with.
Another problem was name resolution. Computers talk to each other by address, not by name, so something has to resolve a computer name to its address (the equivalent of a phone book). Microsoft's implementation was WINS (Windows Internet Name Service), which maps NetBIOS computer names to IP addresses. It was poorly implemented and, despite the name, had nothing to do with the Internet. A typical company therefore had to run two separate name services: WINS so that computers could find each other within the domain, and DNS for Internet access.
Microsoft Active Directory
Then came Active Directory with Windows 2000 Server. It was introduced with a lot of hype and very little factual information about what Active Directory actually was. Only after building a test environment (and reading several books) did its full flexibility and capability become clear. Despite its added complexity it is by far a superior way of managing and administering objects.
Active Directory uses a real schema for each object class, and the schema can be extended, so attributes can be added to an object's template as the network and its capabilities grow. For example, when Exchange Server 2000 is added to a forest, the user class is extended with attributes for mailbox size limits and assigned e-mail addresses. Such extensions are forest-wide and effectively permanent (an attribute can be deactivated but never removed), so a schema change deserves the same review as any other irreversible change to the directory.
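To see what a schema extension actually adds, the following PowerShell (an added example, not part of the original article) lists the attribute definitions Exchange created and reads the resulting mailbox attributes on one user. It uses the ActiveDirectory module that ships with the Remote Server Administration Tools, which post-dates this article; the user name jdoe and the attribute names mDBStorageQuota and mDBOverQuotaLimit are assumptions for the illustration. On Windows 2003 the same schema search can be done with ldifde against the schema naming context.

```powershell
# Added example, not code from the original article. Lists what the Exchange
# schema extension added to the forest and reads the resulting attributes on
# one user. Assumes the ActiveDirectory module, a domain-joined session, and a
# user named jdoe; the attribute names are the Exchange ones, stated here as an
# assumption about the installed version.
Import-Module ActiveDirectory

# The schema is a separate naming context, one copy per forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Attribute definitions created by Exchange are named ms-Exch-*. Listing them
# shows exactly what the extension added; isDefunct marks deactivated ones,
# which are still present because schema objects cannot be deleted.
$exchAttrs = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(name=ms-Exch-*))' `
    -Properties lDAPDisplayName, isDefunct |
    Select-Object Name, lDAPDisplayName, isDefunct
"{0} Exchange attribute definitions in the schema" -f @($exchAttrs).Count
$exchAttrs | Where-Object { $_.isDefunct } | Format-Table -AutoSize

# Exchange attaches its attributes to the user class through auxiliary
# classes, so the user class definition shows which ones are now linked in.
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties auxiliaryClass, mayContain
"Auxiliary classes on user: " + ($userClass.auxiliaryClass -join ', ')
$userClass.mayContain | Where-Object { $_ -like 'msExch*' -or $_ -like 'mDB*' }

# Read the mailbox-related values on one account. mDBStorageQuota and
# mDBOverQuotaLimit are the per-user mailbox limits in KB; proxyAddresses
# holds the assigned e-mail addresses.
Get-ADUser -Identity 'jdoe' -Properties mDBStorageQuota, mDBOverQuotaLimit, proxyAddresses |
    Select-Object SamAccountName, mDBStorageQuota, mDBOverQuotaLimit,
        @{ n = 'Addresses'; e = { $_.proxyAddresses -join '; ' } }
```

The first query is the one worth keeping around: run it before and after any product installation that says it "prepares the forest", and diff the two lists, because that is the only record of what the installer changed in a place where nothing can be rolled back.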
AD gives more flexibility and granularity in applying policy to users and computers through Group Policy. A department can be represented as an organizational unit (OU), which makes it much easier to keep users from logging on to another department's computers. Administration is easier too: control over an OU can be delegated to a departmental administrator, who can then create users and add computers to the domain within that OU without having administrative access to the whole domain.
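As an added example (not code from the article), the following PowerShell builds that department model: an OU, a delegated admin group whose rights are granted on the OU and not on the domain, and a GPO linked to the OU. The domain corp.example, the OU Sales and the group names are assumed; the cmdlets come from the ActiveDirectory and GroupPolicy modules, and dsacls is the command-line directory ACL tool that ships with the AD administration tools.

```powershell
# Added example, not code from the original article. Models a department as an
# OU, delegates user/computer management in it to a departmental admin group,
# and links a GPO that applies only to that OU. Domain corp.example, OU Sales
# and the group names are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=corp,DC=example'
$ou       = "OU=Sales,$domainDN"
$admins   = 'CORP\Sales-Admins'

New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name 'Sales-Admins' -GroupScope Global -Path $ou
New-ADGroup -Name 'Sales-Users'  -GroupScope Global -Path $ou

# Delegate: Sales-Admins may create and delete user and computer objects in
# this OU and everything under it (CC = create child, DC = delete child,
# /I:T = this object and all sub-objects). These are ACEs on the OU itself;
# nothing is written to the domain root.
dsacls $ou /I:T /G "${admins}:CCDC;user"
dsacls $ou /I:T /G "${admins}:CCDC;computer"
# Full control over the user and computer objects below the OU (/I:S = inherit
# to sub-objects only), still scoped to this OU.
dsacls $ou /I:S /G "${admins}:GA;;user"
dsacls $ou /I:S /G "${admins}:GA;;computer"

# A GPO linked to the OU applies only to the computers and users placed in it.
# The "Allow log on locally" user right (Computer Configuration > Windows
# Settings > Security Settings > User Rights Assignment) is edited in the GPO
# to list Sales-Users and Administrators; user rights have no cmdlet, so that
# part is done in the Group Policy editor, and the link is created here.
$gpo = New-GPO -Name 'Sales-Workstation-Logon' -Comment 'Restricts interactive logon on Sales machines'
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes

# Verify the delegation landed where intended: the group should appear in the
# OU's ACL and not at the domain root.
dsacls $ou | Select-String 'Sales-Admins'
dsacls $domainDN | Select-String 'Sales-Admins'   # expect no output
```

The last two dsacls calls are the check a practitioner wants after any delegation: the new ACEs should appear on the OU and nowhere higher. Delegated rights are ordinary ACEs in the directory, so they should be reviewed periodically; an over-broad entry (for example full control on the OU object itself rather than on the user objects under it) quietly becomes a privilege-escalation path.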
A geographical topology can be modelled in Active Directory as well. Administrators create a site for each remote office, associate the office's IP subnets with it, and set a replication schedule and a bandwidth cost on the site link that connects it to the other sites.
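The following PowerShell is an added example, not code from the article, of defining that topology for one branch office: a site, the subnet that maps clients to it, and a site link to headquarters with a cost and a night-time replication window. The site, subnet and link names are assumed, and the *-ADReplication* cmdlets require the ActiveDirectory module from Windows Server 2012 or later; on Windows 2000/2003 the same objects are created in the Active Directory Sites and Services console.

```powershell
# Added example, not code from the original article. Defines a branch-office
# site, ties its subnet to it, and costs and schedules the link to HQ.
# Site, subnet and link names are assumed; the headquarters site is the
# default one created with the forest.
Import-Module ActiveDirectory

New-ADReplicationSite -Name 'Branch-Denver'

# Clients and DCs map themselves to a site by IP subnet. Without this entry a
# Denver client would pick a DC from the default site and authenticate over
# the WAN, defeating the point of placing a DC in the branch.
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Branch-Denver' -Location 'Denver office'

# Higher cost = less preferred path when more than one exists; the interval
# is how often a replication cycle starts while the schedule allows it.
New-ADReplicationSiteLink -Name 'HQ-Denver' `
    -SitesIncluded 'Default-First-Site-Name', 'Branch-Denver' `
    -Cost 200 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# Replication window: only between 20:00 and 06:00 on every day of the week.
# The schedule is a 7 x 24 x 4 grid of 15-minute slots (day, hour, quarter).
$raw = New-Object 'bool[,,]' 7, 24, 4
foreach ($day in 0..6) {
    foreach ($hour in 0..23) {
        foreach ($q in 0..3) {
            $raw[$day, $hour, $q] = ($hour -ge 20 -or $hour -lt 6)
        }
    }
}
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.RawSchedule = $raw
Set-ADReplicationSiteLink -Identity 'HQ-Denver' -ReplicationSchedule $schedule

# Take the branch out of the default site link so the costed link is the only
# path; otherwise the default link (cost 100) would still be chosen.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = 'Branch-Denver' }

# Check the result: the link table, and a summary of replication failures and
# latency per DC (repadmin ships with the AD tools).
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
repadmin /replsummary
```

The schedule and cost only govern inter-site replication; DCs inside one site replicate to each other within minutes regardless. Keep that in mind when a branch DC is compromised: its changes reach the rest of the forest at the next window, not instantly, which is both a mitigation and a reason to check repadmin output after containment.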
Finally, AD did away with the dependence on WINS: Windows 2000 Professional and Windows XP Professional clients locate domain controllers and services through DNS when they participate in an Active Directory domain. WINS only remains necessary for older applications that still resolve NetBIOS names.
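The switch from WINS to DNS described above (and the two-name-server problem it removed) can be checked from any domain member. The following PowerShell is an added example, not code from the article: it queries the SRV records AD registers for its domain controllers, asks the DC locator which DC it chose and how, and shows whether NetBIOS name resolution is still in play. The domain name corp.example and the site name are assumed; on a Windows 2000/XP client the same DNS query is made with nslookup -type=SRV and the locator check with nltest.

```powershell
# Added example, not code from the original article. Verifies that this client
# finds its domain controllers through DNS, the AD way, rather than through
# WINS/NetBIOS. Domain corp.example and site Branch-Denver are assumed names.
$domain = 'corp.example'
$site   = 'Branch-Denver'

# AD registers an SRV record for every service a DC offers. A client asks for
# these records, not for a flat NetBIOS name, and the _sites entry lets it
# prefer a DC in its own site.
$queries = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$site._sites.dc._msdcs.$domain"
)
foreach ($svc in $queries) {
    try {
        Resolve-DnsName -Name $svc -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object @{ n = 'Query'; e = { $svc } }, NameTarget, Port, Priority, Weight
    } catch {
        # A missing record here means DCs are not registering in DNS and
        # clients will fall back to slower or NetBIOS-based discovery.
        Write-Warning "No SRV record for ${svc}: $($_.Exception.Message)"
    }
}

# Ask the DC locator which DC it selected. In the output, the Flags line shows
# DNS_DC and DNS_DOMAIN when the DC and domain were found by DNS name, and the
# DC name appears as a DNS name rather than a \\NETBIOS name.
nltest /dsgetdc:$domain /force

# Residual NetBIOS dependence: the cached NetBIOS names (a domain<1C> entry is
# the NT-style domain controller lookup) and any WINS servers still configured.
nbtstat -c
ipconfig /all | Select-String 'WINS'
```

If the SRV queries succeed but nltest reports the DC by NetBIOS name only, the client is still discovering the domain the NT way, usually because its DNS client points at a server that does not host the _msdcs zone. That is the check to run before decommissioning the last WINS server.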
AD Changes in Windows 2003
Windows Server 2003 adds new tools that make it easier to manage directory replication across multiple sites and to manage Group Policy (the Group Policy Management Console and Resultant Set of Policy). It also changes several default settings to tighten security, for instance Anonymous Logon is no longer a member of Everyone and IIS is no longer installed by default, and it includes the security fixes found in Windows 2000 during Microsoft's Trustworthy Computing review.
Article last reviewed: 12/30/2005