NT domains. Aka Windows domains. Used by networks administered by a Windows NT Server.

  • In an NT domain, computers are identified by both IP address and NetBIOS name, so two kinds of name resolution server are needed: DNS, which resolves hierarchical host names to IP addresses, and WINS (Windows Internet Name Service), which resolves flat NetBIOS names to IP addresses. WINS does not translate between NetBIOS and DNS names; each service maps its own kind of name to an address.
  • The flat name space of NetBIOS is mapped onto the hierarchical name space of DNS by convention: a computer's NetBIOS name is normally the leftmost label of its DNS name, upper-cased and truncated to 15 characters. The mapping is lossy, so two hosts with different DNS names can end up with the same NetBIOS name.
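As an added example (not from the original article), here is how the flattening in the last bullet works in practice and why it is lossy. It goes a little beyond the article by also showing the 16th "suffix" byte that identifies the NetBIOS service a name was registered for, and the RFC 1001 "first-level" encoding a NetBIOS name is carried in on the wire. The host names are constructed for illustration.

```python
# Added example (not part of the original article): how a hierarchical DNS
# host name is flattened into a NetBIOS name, and why that flattening is lossy.
# Facts used: a NetBIOS name is 16 bytes; Windows uses the first 15 for the
# name (upper-cased, space-padded) and the 16th as a service "suffix" byte.

NETBIOS_NAME_LEN = 15

# Suffix bytes for a few well-known NetBIOS services.
SUFFIXES = {
    0x00: "Workstation Service",
    0x20: "File Server Service",
    0x1C: "Domain Controllers (group name)",
}


def netbios_name(dns_name: str, suffix: int = 0x20) -> bytes:
    """Flatten a DNS host name into its 16-byte NetBIOS name.

    Only the leftmost label is used, case is folded to upper case, the name is
    truncated to 15 characters and space-padded, then the suffix byte appended.
    """
    host = dns_name.split(".")[0].upper()
    if not host:
        raise ValueError("empty host label")
    flat = host[:NETBIOS_NAME_LEN].ljust(NETBIOS_NAME_LEN)
    return flat.encode("ascii") + bytes([suffix])


def first_level_encode(name: bytes) -> str:
    """RFC 1001 'first-level' encoding: each byte becomes two letters A..P,
    one per nibble (nibble + 'A'), so the 16-byte name fits a DNS-style label."""
    out = []
    for b in name:
        out.append(chr(0x41 + (b >> 4)))
        out.append(chr(0x41 + (b & 0x0F)))
    return "".join(out)


def find_collisions(dns_names, suffix=0x20):
    """Group DNS names whose NetBIOS names are identical.

    Returns {netbios_name: [dns_name, ...]} for every NetBIOS name that more
    than one DNS host maps to. Only one owner of each such name can be
    registered in WINS, so the hierarchical -> flat mapping is not reversible.
    """
    groups = {}
    for n in dns_names:
        groups.setdefault(netbios_name(n, suffix), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample hosts (illustrative, not real systems).
    hosts = [
        "fileserver.sales.example.com",
        "FileServer.eng.example.com",
        "accountingworkstation01.example.com",
        "accountingworkstation02.example.com",
        "pdc1.example.com",
    ]
    for h in hosts:
        nb = netbios_name(h)
        print(f"{h:40} -> {nb[:15]!r} suffix=0x{nb[15]:02X} ({SUFFIXES[nb[15]]})")
        print(f"{'':40}    wire label: {first_level_encode(nb)}")
    print()
    for flat, members in find_collisions(hosts).items():
        print(f"collision on {flat[:15]!r}: {members}")
```

Run as a script it lists each host's NetBIOS name and wire encoding, then reports that the two FILESERVER hosts and the two ACCOUNTINGWORKS... workstations collide: on a WINS server only one machine of each pair can own the name, and whichever registers first answers queries for it.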

An NT domain is a logical grouping of networked computers that share a common set of security databases (aka the account database). The accounts (users, groups, and computers) in a domain may be in various physical locations and may be connected in any number of ways.

The purpose of an NT domain is to enable the following:

  • Centralized network administration. This also frees up other servers on the network from having to do network security processing.
  • Single logon. When a user logs in to a domain, that authenticated security information can be reused to allow the user to access multiple resources on the network.
  • Resource owner controlled access. The owner of a resource controls access to the resource.

For my purposes, there are three kinds of computers in a network:

  • Domain controllers, the computers that hold the domain's security databases (domain accounts). EG:
    • An NT Server acting as a DC (Domain Controller). A domain has exactly one PDC (Primary Domain Controller), which holds the only writable copy of the security databases, and possibly one or more BDCs (Backup Domain Controllers). The PDC replicates the databases to the BDCs; a BDC authenticates logons from its read-only copy and can be promoted to PDC if the PDC fails.
  • Non-DC computers with local security databases (aka workstation accounts). EG:
    • An NT Server not acting as a DC (aka a member server if it has joined a domain, or a stand-alone server if it has not).
    • An NT workstation.
  • Non-DC computers without local security databases. EG:
    • A Windows 95 workstation.

A computer in a network is part of one of the following:

  • An NT domain, a client-server environment, where a DC acts as a security server for the "clients" (all the other computers that access resources on the domain).
  • A workgroup, a peer-to-peer environment, where there is no security server: each computer authenticates users against its own local security database (if it has one), so the same user needs a separate account on every machine.

Note: This article pertains to network accounts. A machine that is not part of a domain can still ask you to log on, but that logon applies to that machine only. On Windows 95/98 such a logon is not a security check at all: it only selects a user profile (preferences like Desktop appearance, Desktop contents, etc.), and if you don't care about these preferences you can always just cancel out of it. On Windows NT and 2000 the local logon is a real authentication against the machine's own security database and cannot be cancelled. Here is where each user has his or her own profile folder:

  • In Windows 95/98, in \WINDOWS\Profiles.
  • In Windows NT, in \WINNT\Profiles.
  • In Windows 2000 Professional, in \Documents and Settings.

The security databases are administered with User Manager in NT Workstation and User Manager for Domains in NT Server. Two databases comprise the security databases:

  • A directory database (aka SAM (Security Accounts Manager)), which manages security accounts.
  • A security policy database (aka the LSA (Local Security Authority) policy database), which holds the rest of the security configuration: account policy, user rights (privileges), audit policy and, on DCs, trust relationships with other domains.

Each set of security databases simultaneously services two "domains":

  • Built-in "domain". Its name is BUILTIN, and it exists on every NT machine. It holds the default built-in local groups (eg Administrators, Users, Guests). Accounts here apply only to the local system, so this domain contains local groups but never global groups.
  • Account "domain".
    • For DCs, the name of this domain is the name of the domain, eg DOMAIN1. Accounts here apply to the entire domain, including local and global groups. This has most of the accounts.
    • For non-DCs, the name of this domain is the name of the computer, eg \\COMP1. Accounts here apply to the local system, including local groups but not global groups.
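An added example, not part of the original article, that makes the two "domains" concrete using the SIDs (security identifiers) NT stamps on every account, which the article does not discuss: BUILTIN is always S-1-5-32, while each account domain (a DC's domain, or a non-DC's own computer) has its own S-1-5-21-... identifier, and the same RID (relative ID) in two different account domains names two unrelated accounts. The well-known RID values are standard NT constants; the domain identifiers and sample SIDs are constructed.

```python
# Added example (not part of the original article): the two "domains" each NT
# security database serves are visible in account SIDs. The BUILTIN domain is
# the fixed SID S-1-5-32; an account domain (a DC's domain or a non-DC's own
# computer) is S-1-5-21-<three 32-bit subauthorities>, unique per database.
# The last subauthority of an account SID is its RID within that domain.
# Well-known RIDs below are standard NT constants; sample SIDs are constructed.

import re

SID_RE = re.compile(r"^S-1-(\d+)(?:-(\d+))+$")

# Well-known RIDs inside the BUILTIN domain (local groups, on every NT machine).
BUILTIN_RIDS = {
    544: "Administrators",
    545: "Users",
    546: "Guests",
}

# Well-known RIDs inside an account domain. 512/513 are global groups, so they
# exist only in a DC's database, never in a non-DC's local account domain.
ACCOUNT_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins (global group)",
    513: "Domain Users (global group)",
}


def parse_sid(sid: str):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [subauthorities])."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    parts = sid.split("-")
    return int(parts[2]), [int(p) for p in parts[3:]]


def classify_sid(sid: str) -> dict:
    """Say which 'domain' of a security database a SID belongs to.

    Returns the domain kind ('BUILTIN', 'ACCOUNT' or 'OTHER'), the domain
    identifier, the RID, and the well-known name for that RID if there is one.
    """
    authority, subs = parse_sid(sid)
    if authority == 5 and subs[:1] == [32]:
        rid = subs[1] if len(subs) > 1 else None
        return {"kind": "BUILTIN", "domain": "S-1-5-32", "rid": rid,
                "name": BUILTIN_RIDS.get(rid)}
    if authority == 5 and subs[:1] == [21] and len(subs) == 5:
        domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        rid = subs[4]
        return {"kind": "ACCOUNT", "domain": domain, "rid": rid,
                "name": ACCOUNT_RIDS.get(rid)}
    return {"kind": "OTHER", "domain": None, "rid": None, "name": None}


def same_account_domain(sid_a: str, sid_b: str) -> bool:
    """True when two SIDs come from the same account domain, ie the same
    security database (both from DOMAIN1, or both from COMP1)."""
    a, b = classify_sid(sid_a), classify_sid(sid_b)
    return a["kind"] == b["kind"] == "ACCOUNT" and a["domain"] == b["domain"]


if __name__ == "__main__":
    # Constructed sample identifiers: one "DOMAIN1" database, one "COMP1" database.
    DOMAIN1 = "S-1-5-21-1004336348-1177238915-682003330"
    COMP1 = "S-1-5-21-3623811015-3361044348-30300820"
    samples = [
        "S-1-5-32-544",     # BUILTIN\Administrators, same SID on every machine
        f"{DOMAIN1}-500",   # DOMAIN1\Administrator
        f"{DOMAIN1}-512",   # DOMAIN1\Domain Admins (global group, DC only)
        f"{COMP1}-500",     # COMP1\Administrator (a different account)
        f"{COMP1}-1001",    # COMP1\<first locally created user>
    ]
    for s in samples:
        print(f"{s:50} {classify_sid(s)}")
    # Same RID 500, different account domains: unrelated accounts.
    print(same_account_domain(f"{DOMAIN1}-500", f"{COMP1}-500"))  # False
```

The practical point for reading ACLs and audit logs: a SID starting S-1-5-32 means a BUILTIN local group, so it resolves to the same name on every NT machine even though it refers to a different set of members on each one; an S-1-5-21 SID is only meaningful relative to the database that issued it.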

The local security databases for a particular machine can be accessed remotely (by users who are members of the local Administrators group of that machine) by using User Manager for Domains, User menu, Select Domain option, and selecting the machine instead of the domain, eg choose \\COMP1 instead of DOMAIN1. Note that when a machine joins a domain, the Domain Admins global group is added to its local Administrators group, so domain administrators can manage the local accounts of every member machine this way. When physically at a machine, it is simply a matter of logging onto the machine (choosing the computer name rather than the domain name in the logon dialog) instead of the domain.

GeorgeHernandez.com. Some rights reserved.