Windows NT 4 Domain Models

Admin Tip #307: Windows NT 4 Domain Models

Hits: Failed to execute CGI : Win32 Error Code = 3

Understanding NT domains and trusts are important skills for any NT administrator. Books could be, and have been written on the topic. For starters:

Single Domain model: there is one domain with accounts and resources. The advantages:

Works best for small organizations
Centralized management of users and resources
No trusts involved

The least complex structure. One security boundary with no internal divisions. The disadvanages are performances issues as the domain grows and lack of internal security divisions (for units or departments) to reflect entities in a growing enterprise. The SAM can manage up to about 40,000 accounts. As the number of accounts grows, the power of the domain controllers needs to increase - but with modern inexpensive pentium-based PCs, this is not particulary important. You will see some penalty in browsing as the number of members in the domain increases. The maximum size of the SAM is approximately 40MB and this is a real limitation for this model. User account, group definitions, and PC accounts all add to the cumulative size.

Single Master Domain model : there is one account domain and multiple resource domains with each resource domain trusting the account (user) domain. The advantages of the single master domain are:

Good solution for moderately sized networks
Departmental control of resources based on resource domains (departmental, unit, ...)
Centralized user account management
Global groups are defined centrally in account domain

Basically, the accounts are centralized under one administrative unit and the resources are decentralized. This fits the departmental political model of resource ownership. For the model to work well, the account domain admins must create the appropriate global groups needed to manage the security of resources in the resource domains and the resource admins should manage security by assigning permissions to groups, not individuals. Resource domain admins can assign permissions to global groups once and thats the end of their permissions management task. Its set once and forget it. When permissions need to be added or removed, one does not search through many resources to add or remove that persons access, one simply adds or removes that person's account from the group (or groups) in the account domain. The one change in group membership results in permission changes in many resource permissions. The single master domain model has a single account domain with the 40MB SAM and approximately 40,000 account limitation.

The number of trusts:

 T  =  R

that is, the number of trusts is equal to the number of resource domains, one trust per resource domain where the resource domain trusts the account domain.

Multiple Master Domain model: an extension of the single master domain model. Most appropriate for divisions separated geographically and when one must scale beyond the number of accounts supported in a single account domain. You have multiple single master domains linked together by two way trusts. Each account domain trusts every other account domain. Each resource domain trusts each account domain. The advantages are:

Good solution for very large organizations
Scaleable to accommodate any number of users - just add more account domains
Resources are locally and logically grouped
Departmental-focused management of resources
Any master domain could administer all user accounts or not if wished

The disadvantage of the multiple master domain is complexity: there are multiple account domains, the number of global groups needed multipled by at least the number of account domains and the number of trusts explodes.

The number of trusts :

 T  =  M * (M - 1) + R * M

where M is number of account masters and R is the number of resource domains. Actually this is the maximum number of trusts. You generally can not avoid the

 M * M-1

trusts between account domains. One has the

 R * M

trusts only if all resource domains have users needing access in all account domains.

Complete Trust Domain model: a mesh model is a set of single domains with trusts between each domain. Appropriate for early phase of consolidation between small organizations with existing single domains or politically sensitive departmentally organized enterprises with control issues over accounts and resources. The advantages are:

Useful for organizations with no MIS department
Scaleable for any number of users
Each department (entity with a domain) has Full Control over its users and resources
Users and resources are located within the same domain

The disadvantages reflect the other side of the coin:

No centralized management
Many trust relationships to manage
Administrators must trust each other to properly manage users, groups, and resources

That is there is a lot of trust required in many senses. It is a decentralized, high overhead environment.

The number of trusts :

 T  =  D * ( D - 1)

where D is number of domains.

One sees the term two-way trusts. There are no two way trusts. When domainA trusts domainB

 domainA --> domainB

domainA is the trusting domain and domainB is the trusted domain. The relationship is that users in B may be permitted to access resources in A. The resources are in the trusting domain and the users are in the trusted domain. If one needs it to work both way, you need to create another trust going the other way

 domainA <-- domainB

domainB is the trusting domain and domainA is the trusted domain. To create a "two-way" trust, you have to create the two one-way trusts. I use the memory aid that the accounts include an account for Ed and that resources are thINGs. Thus the trustED domain, the domain with accounts, is the trustED domain and the trustING domain, the domain with thINGs (resources), is the trustING domain. There is no transitivity in trust relationships: if domainA trusts domainB and domainB trusts domainC, this does not mean that domainA also trusts domainC.

To summarize:

Domain Model	Max Users	Account Management	Resource Management	Trusts
Single	40000	Centralized	Centralized	0
Master	40000	Centralized	Decentralized	R
Multiple Master	unlimited	Centralized in Account Domains	Decentralized	M * (M - 1) + R * M
Complete Trust Mesh	unlimited	Decentralized	Decentralized	D * ( D - 1)

User Manager for Domains is the tool used to create/delete trusts. To create a trust between domainA and domainB, where domainA is the account domain:

domain admin of the account domainA starts User Manager for Domains. In the Trust Relationships window, click the Add button next to the display area labeled "Trusting Domains." Type the name of the trusting domain (domainB). User Manager will request a password for the trusting domain.
domain admin of the resource domainB starts User Manager for Domains. In the Trust Relationships window, click the Add button next to the display area labeled "Trusted Domains." Type the name of the trusted domain (domainA). You will be prompted to enter the password required for the trusting domain to communicated to the trusted domain. The domain admin of the trusted domain would need to give you this password. The trusting domain will create an account which uses this password to communicate with the trusted domain.

Chapters 4 and 5 discuss basic domain construction and how trust relationships are used.

Chapters 5, 6, and 7 provide extensive coverage of the Windows NT domain models.

Resource kit contains lots of good information on domain planning.

Good coverage of trust relationships. Originally designed to train NT 3.x admins on topics and concepts needed to upgrade to NT 4. Although old, the training content is still correct.

The Windows NT Server 4 manual, Concepts And Planning Manual, contains useful domain model discussions in Chapter 1.