Windows NT Domain Models:

- Single Domain
- Master Domain
- Multimaster Domain
- Complete Trust Domain
 

Single Domain:

- Small organizations
- No Trust relationships
- Centralized Management of users, groups and resources
- Performance can take a hit as the domain grows, i.e. as more and
  more users, groups, servers, etc. are added.


Master Domain:

- Moderate to large networks
- All users and groups are added and managed in the Master
  or Users Domain.
- Dept. control of Resource domains
- Local groups must be defined in each resource domain to add users
  from the Master domain.
- Trust relationships must be set up between the Resource and Master domains.


Multimaster Domain:

- Large to very large organizations
- All users and groups are added and managed in the Master or Users
  Domain.
- Dept. control of Resource domains
- Local groups must be defined in each resource domain to add users
  from the Master domain.
- One-way Trust relationships must be set up between the Resource and
  Master domains, and 2-way trusts must be set up between the Master domains.
- Use the formula T = M(M-1) + RM to calculate the number of trust relationships required,
  where M is the number of Master domains and R is the number of Resource domains.
  In a network with 2 Master domains and 4 Resource domains it would be:
  T = 2(2-1) + 4*2
    = 2 + 8 = 10 Trust relationships


Complete Trust Domain:

- Can be used by organizations of any size
- Decentralized management
- Provides universal access to all resources.
- 2-way Trust relationships must be set up between all domains, which
  can get out of hand very quickly.
- This is not a recommended Domain model because of the hellish Trust relationships
  that are created in a network with numerous domains.
- Use the formula T = N(N-1) to calculate the number of trust relationships required,
  where N is the number of domains.
  In a network with 4 domains it would be:
  T = 4(4-1)
    = 4*3 = 12 Trust relationships
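
Added example (not part of the original notes): a Python sketch that enumerates the one-way trusts the Multimaster and Complete Trust models call for, so the counts above can be checked pair by pair, and then compares the expected set with a list of trusts found on a network. The domain names and the observed list are constructed, and the function names are hypothetical.

```python
from itertools import permutations

# A trust is a one-way pair (trusting, trusted): accounts from the trusted
# domain can be granted access to resources in the trusting domain.

def multimaster_trusts(masters, resources):
    """Expected trusts for the Master (one master) or Multimaster model."""
    between_masters = set(permutations(masters, 2))                     # M(M-1)
    resource_to_master = {(r, m) for r in resources for m in masters}   # R*M
    return between_masters | resource_to_master

def complete_trusts(domains):
    """Expected trusts for the Complete Trust model: N(N-1)."""
    return set(permutations(domains, 2))

def audit(expected, observed):
    """Compare trusts found on the network with what the model calls for."""
    observed = set(observed)
    return {"missing": sorted(expected - observed),
            "unexpected": sorted(observed - expected)}

# Constructed sample: 2 Master and 4 Resource domains, as in the notes above.
MASTERS = ["MASTER1", "MASTER2"]
RESOURCES = ["RES1", "RES2", "RES3", "RES4"]
EXPECTED = multimaster_trusts(MASTERS, RESOURCES)

# Constructed "observed" list: one trust was never created, and one Master
# domain trusts a Resource domain, which the model does not call for.
OBSERVED = (EXPECTED - {("RES3", "MASTER2")}) | {("MASTER1", "RES2")}

if __name__ == "__main__":
    print(len(EXPECTED), "trusts expected for Multimaster")
    print(len(complete_trusts(["A", "B", "C", "D"])), "for Complete Trust")
    for kind, pairs in audit(EXPECTED, OBSERVED).items():
        for trusting, trusted in pairs:
            print(f"{kind}: {trusting} trusts {trusted}")
```

An unexpected pair is the one to look at first: it means accounts from a domain outside the Master domains can be granted access somewhere the model never intended.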


Things to consider:

- A maximum of 10,000 users per domain.

- Local groups can contain Global groups and Users from their own domain
  and trusted domains, but Global groups can only contain users from their own domain.

- If you log in to a Trusting domain instead of your own domain, you will only have
  access to objects that the Domain Guests group from your own domain has access
  to, in both domains. That's why you should always log in to your own domain and
  not a Trusting domain.

- When setting up a Trust, start with the Trusted domain first, then go to the Trusting
   domain and set up the trust from there.


- In the above picture, Domain A trusts Domain B's users.
  Domain A is the Trusting Domain, Domain B is the Trusted Domain.

  Domain B would initiate the Trust relationship, then Domain A
  would set up its Trust in User Manager for Domains, Policies, Trust Relationships.

- Once a Trust Relationship is set up, you have to assign NTFS and Share
  permissions in the Trusting domain for users in the Trusted domain.
  Just because a Trust is set up doesn't mean users automatically have
  access to resources.

- The best way to give users access to resources in the Trusting domain is
  to create a Global group in the Trusted domain, add users to the group,
  then add that Global group to a Local group in the Trusting domain.



b/johnson:01