Windows NT Server stores user accounts and security policies in a flat database, or domain. If you want to centrally manage multiple Windows NT servers, you use one of the following domain models:
SINGLE DOMAIN MODEL
The single domain model, as its name implies, means that only one domain exists on the network. You designate one Windows NT server as the primary domain controller (PDC), which maintains one domain database for all of the servers in the domain. This PDC responds to all login requests and authenticates all users. To provide replication, you can configure other Windows NT servers in the domain as backup domain controllers (BDCs).
The single domain model works well if you need to store fewer than 10,000 users and resources in the domain and if your company has only one office. If the domain includes more users and resources and if this domain spans more than one location, you should use another domain model. You should also use another domain model if you want to set up workgroup administrators with administration rights only to a specific set of resources. With the single domain model, you cannot create multiple domains for different departments in your company. Users with administration rights have access to all user accounts in the domain.
MASTER DOMAIN MODEL
The master domain model also works well for networks that have fewer than 10,000 users and resources. However, this model also has some limitations. With the master domain model, you can create more than one domain, but you must configure one Windows NT server as the master domain controller, which provides central management for all other domains. This master domain controller has absolute control over these domains. In other words, the master domain controller is trusted by all other domains but trusts none of them.
If you use the master domain model, you must define groups for each domain--a task that significantly adds to the amount of time it takes to manage the network. In addition, if this network expands past 10,000 users and resources, performance suffers.
MULTIPLE MASTER DOMAIN MODEL
You can use the multiple master domain model if your company's network contains several domains. You can then designate multiple master domains. These master domains control all user accounts, and because all of the master domains trust each other, only one copy of each user account is needed.
However, managing this model can be difficult. You might have to create local and global groups in several locations, you must manage many trust relationships, and all user accounts reside in the same domain.
With the multiple master domain model, you can configure master domains to provide different functions. For example, one master domain controller could function as a dedicated authentication server. This server would hold all user accounts in a large account domain and authenticate users, allowing these users to access servers in other domains that hold other resources. You could then configure another master domain controller to hold other resources, such as servers and printers.
COMPLETE TRUST RELATIONSHIP MODEL
In the complete trust relationship model, every domain trusts all other domains. Although this model is simple to understand, it is difficult to manage. With the complete trust relationship model, each domain administrator trusts the other domain administrators implicitly and grants them rights to create, delete, and modify accounts in his or her domain.
Trusting other domain administrators is not the biggest hurdle, however: Before you can grant a user rights to access resources in other domains, you must establish a trust relationship between the domain in which the user's account resides and every other domain the user must access to use these resources. In addition, trust relationships are one way: For example, if the Boston domain trusted the New York domain, the New York domain would not automatically trust the Boston domain. To create a two-way trust relationship, you must set up two one-way trust relationships.
Trust relationships are also not transitive. For example, if your company's network contained three domains--the Seattle domain, the Boston domain, and the New York domain--and you wanted to use a complete trust relationship model, you would need to create the following trust relationships:
The more domains you create and the more users and resources you add to these domains, the more trust relationships you must create and manage. You can use the following formula to determine the number of trust relationships required to manage the domains on your company's network:
(number of servers x number of servers) - number of servers = number of trust relationships
For example, if your company had 30 Windows NT servers, you would need to create 870 trust relationships:
(30 x 30) - 30 = 870
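The trust arithmetic above, worked through as an added example that is not part of the original article: it enumerates the one-way trusts the complete trust model needs for the three domains named earlier, contrasts that with the master domain model, and checks the (n x n) - n formula. The domain names come from the article; the function names and the sample trust lists are assumptions made for this example.

```python
from itertools import permutations

# Constructed sample: the three domains the article names.
DOMAINS = ["Seattle", "Boston", "New York"]


def complete_trust(domains):
    """One-way trusts (trusting, trusted) for the complete trust model.

    Every domain must trust every other domain. Trusts are one-way and
    non-transitive, so every ordered pair is a separate relationship;
    a two-way trust is simply two one-way trusts.
    """
    return sorted(permutations(domains, 2))


def master_domain_trust(master, resource_domains):
    """One-way trusts for the master domain model.

    Each resource domain trusts the master (account) domain; the master
    trusts none of them, so only n - 1 relationships are needed.
    """
    return [(domain, master) for domain in resource_domains]


def trust_count(domain_count):
    """The article's formula: (n x n) - n one-way trusts for n domains."""
    return domain_count * domain_count - domain_count


def trusts(trust_list, trusting, trusted):
    """True only if a direct one-way trust exists; nothing is inferred."""
    return (trusting, trusted) in set(trust_list)


if __name__ == "__main__":
    full = complete_trust(DOMAINS)
    print(f"complete trust, {len(DOMAINS)} domains: {len(full)} one-way trusts")
    for trusting, trusted in full:
        print(f"  {trusting} trusts {trusted}")
    master = master_domain_trust("Seattle", ["Boston", "New York"])
    print(f"master domain model: {len(master)} one-way trusts -> {master}")
    # Non-transitivity: Seattle->Boston and Boston->New York do not give
    # Seattle->New York; that trust must be created explicitly.
    chain = [("Seattle", "Boston"), ("Boston", "New York")]
    print("Seattle trusts New York via chain?", trusts(chain, "Seattle", "New York"))
    print("30 domains need", trust_count(30), "trusts")
```

Running it lists the six one-way trusts the article's three-domain example implies and shows that the 30-domain figure of 870 comes straight from the formula.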
LESS IS MORE
Regardless of which domain model you use, domains can be difficult to manage. With NDS for NT, you can eliminate trust relationships and simply manage the domains on your company's network through NDS.