
Workgroup and Domain - Introduction

Computers connected on a network can be part of a workgroup or a domain so that all the connected computers can communicate with each other. The main difference between the two is how resources are managed. Administrators should know the appropriate grouping of computers when implementing an infrastructure plan in order to effectively set up a working network environment.

1. Workgroup

A workgroup is the logical way to group computers on a network wherein members of the group are considered peers, and each computer maintains its own security policies and resources like printers and shared folders. It is used on home networks or in small businesses that have about 25 computers or fewer.

Advantages of using a workgroup:
- Design and implementation are simple.
- Works well for a small number of computers and does not require a Windows server.
- No computer has control over another computer.
- Each computer has a set of local user accounts.

Disadvantages of using a workgroup:
- Difficult to manage because resource administration is not centralized.
- Administrative tasks are redundant because security policies and user accounts need to be created on each computer.
- No global grouping of resources.
- Computers must be on the same local network in order to communicate with each other.

2. Domain

A domain is a group of networked computers that share a common security policy and database. It is usually used in medium and enterprise businesses that have hundreds or even thousands of computers. A domain is also referred to as a client/server environment, wherein the clients are the workstations that are connected to a server. This server controls the security and permissions for all the clients on the domain.

Advantages of using a domain:
- Centralized account administration, security policies and permissions.
- Users can log on to any computer on the domain without needing an account on that particular computer. With this, access to resources can be done with just a single log-on.
- Computers can be connected to each other on different local networks.

Disadvantages of using a domain:
- Requires at least one Windows server that serves as the domain controller.
- Some applications require a domain environment.
- Requires more planning and configuration.

A workgroup works well for a small number of networked computers because it has no server and needs little planning. With this, the small network can be up and running to share resources among the members of the workgroup. But as the network grows in size, a workgroup setup may no longer be suitable, because it means more administrative workload.

For Example

Suppose a new user is added to the network. A user account must be created on each computer that the new user will access. If the network has 25 computers, with 2 printers and 3 file servers, then each of the 25 users would need at least 5 accounts just to print to the 2 printers and access the 3 file servers. A domain is more suitable for a network that grows in size, because there is at least one server that acts as the domain controller, where user accounts, security policies, permissions and other resources reside. With this, administrators have fewer administrative tasks.

Difference between a Workgroup and a Domain

1. Workgroup: No centralized administration. All computers are peers; no computer has control over another computer.
   Domain: Centralized administration. One or more computers are servers. Network administrators use servers to control the security and permissions for all computers on the domain. This makes it easy to make changes because the changes are automatically made to all computers.

2. Workgroup: No distinction between server and client; each computer acts as a client as well as a server.
   Domain: Server and client based.

3. Workgroup: Each computer has a set of user accounts. To use any computer in the workgroup, you must have an account on that computer.
   Domain: If you have a user account on the domain, you can log on to any computer on the domain without needing an account on that computer.

4. Workgroup: Used when there are only a few computers in the same location that need to be connected.
   Domain: Meant for large-scale deployments where there are dozens of computers connected to the network, as in medium and big businesses.

5. Workgroup: There are typically no more than ten to twenty computers.
   Domain: There can be hundreds or thousands of computers.

6. Workgroup: Computers on home networks are usually part of a workgroup.
   Domain: Computers on workplace networks are usually part of a domain.

7. Workgroup: Workgroups are easy to implement.
   Domain: Domains are harder and take longer to implement.

8. Workgroup: All computers must be on the same local network or subnet.
   Domain: The computers can be on different local networks.

9. Workgroup: Security: not much security for data, users and groups (depends on configuration).
   Domain: Security: security of data, users and groups.

Domain Controller
On Windows Server systems, a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination. Windows NT uses the domain to manage access to a set of network resources such as applications and printers; the user logs on to the domain once and can then reach resources that may be located on different servers in the network. Because the domain controller is central to the security of the network and of every device on it, it must be well protected. PDC and BDC are roles that can be assigned to a server running the Windows NT operating system. A domain controller performs the following tasks.

The domain controller is the custodian of the domain, and the safety of every system in the domain depends on securing the domain controller well. The security of the network relies on physically securing and carefully maintaining the domain controller. Secure the domain controller according to Microsoft's recommendations for domain controllers. The domain controller role does not mix well with other functions such as mail client, FTP server, web server or mail server, which raise the risk of compromise to an unacceptable level. Strictly restrict access to the domain controller from the Internet and from the parts of the network that do not need it.

A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain. It is a server on a Microsoft Windows or Windows NT network that is responsible for allowing host access to Windows domain resources. A domain controller is the centrepiece of the Windows Active Directory service. It authenticates users, stores user account information and enforces security policy for a Windows domain.

Windows NT Primary and Backup Domain Controller

In older versions of Windows such as Windows NT Server, one domain controller per domain was configured as the Primary Domain Controller (PDC); all other domain controllers were Backup Domain Controllers (BDCs).

Primary Domain Controller (PDC)

The PDC holds the read/write copy of the Security Accounts Manager (SAM) database; it is the one that seeds the domain SAM.

In Windows NT and 2000 networking, this machine is the main machine that responds to security authentication requests, such as logging in, within its domain. The PDC may be backed by one or more backup domain controllers that can also handle security authentication.

Backup Domain Controller (BDC)

The BDC holds a read-only replica copy of the SAM; it is the one that obtains a copy of the domain SAM.

A BDC could authenticate the users in a domain, but all updates to the domain (new users, changed passwords, group membership, etc.) could only be made via the PDC, which would then propagate these changes to all BDCs in the domain. If the PDC was unavailable (or unable to communicate with the user requesting the change), the update would fail. If the PDC was permanently unavailable (e.g. if the machine failed), an existing BDC could be promoted to be a PDC. Because of the critical nature of the PDC, best practices dictated that the PDC should be dedicated solely to domain services, and not used for file/print/application services that could slow down or crash the system. Some network administrators took the additional step of having a dedicated BDC online for the express purpose of being available for promotion if the PDC failed.

Basics of Domain Control


Over the years, public perceptions of what domain control really is have taken on an almost mystical nature. Before we branch into a brief overview of domain control, note that there are three basic types of domain controllers.

Domain Controller Types


1. NT4-style Primary Domain Controller
2. NT4-style Backup Domain Controller
3. ADS Domain Controller

The Primary Domain Controller or PDC plays an important role in MS Windows NT4. In Windows 200x domain control architecture, this role is held by domain controllers. Folklore dictates that because of its role in the MS Windows network, the domain controller should be the most powerful and most capable machine in the network. As strange as it may seem to say this here, good overall network performance dictates that the entire infrastructure needs to be balanced. It is advisable to invest more in standalone (domain member) servers than in the domain controllers.

In the case of MS Windows NT4-style domains, it is the PDC that initiates a new domain control database. This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key part in NT4-type domain user authentication and in synchronization of the domain authentication database with BDCs. With MS Windows 200x Server-based Active Directory domains, one domain controller initiates a potential hierarchy of domain controllers, each with its own area of delegated control. The master domain controller has the ability to override any downstream controller, but a downline controller has control only over its downline. With Samba-3, this functionality can be implemented using an LDAP-based user and machine account backend. New to Samba-3 is the ability to use a backend database that holds the same type of data as the NT4-style SAM database (one of the registry files)[1].

The Backup Domain Controller or BDC plays a key role in servicing network authentication requests. The BDC is biased to answer logon requests in preference to the PDC. On a network segment that has a BDC and a PDC, the BDC will most likely service network logon requests. The PDC will answer network logon requests when the BDC is too busy (high load). When a user logs onto a Windows domain member client, the workstation will query the network to locate the nearest network logon server. Where a WINS server is used, this is done via a query to the WINS server. If a netlogon server cannot be found from the WINS query, or in the absence of a WINS server, the workstation will perform a NetBIOS name lookup via a mailslot broadcast over the UDP broadcast protocol. This means that the netlogon server that the Windows client will use is influenced by a number of variables, thus there is no simple determinant of whether a PDC or a BDC will serve a particular logon authentication request.

A Windows NT4 BDC can be promoted to a PDC. If the PDC is online at the time that a BDC is promoted to PDC, the previous PDC is automatically demoted to a BDC. With Samba-3, this is not an automatic operation; the PDC and BDC must be manually configured, and other appropriate changes also need to be made. With MS Windows NT4, a decision is made at installation to determine what type of machine the server will be. It is possible to promote a BDC to a PDC, and vice versa. The only method Microsoft provides to convert a Windows NT4 domain controller to a domain member server or a standalone server is to reinstall it. The install time choices offered are:

Configuring the domain or workgroup settings


Use the Domain/Workgroup page to configure the managed system as a member of a domain or workgroup. If the system is a domain member, you also can use this page to give a user account permission to join the domain. To configure the domain or workgroup settings, complete the following steps:
1. On the Network Configuration page, click the Domain/Workgroup tab.
2. On the Domain/Workgroup page, type the computer name of the affected managed system. Note: Only the Computer name field is valid for managed systems running Linux or IBM i operating systems.
3. Specify whether you want the specified system to be a member of a domain or a workgroup and type the domain name or workgroup name in the associated field.
4. If you selected Domain, specify a user account with permission to join the domain by providing the user name and password of the account.
5. When you are finished editing the settings, click Save. If you are updating the configuration in real time, click Deploy. To discard any changes you have made, click Cancel. To reset the settings to the previously saved values, click Reset and then click Save to save the restored settings.

Windows NT 4.0
To configure Windows NT for domain logons, log in to the computer as Administrator or another user in the Administrators group, open the Control Panel, and double-click the Network icon, click on the Network Identification tab. Click the Change... button, and you should see the dialog box shown in Figure below. In this dialog box, you can choose to have the Windows NT client become a member of the domain by clicking the checkbox marked Domain: in the Member of box. Then type in the name of the domain to which you wish the client to log on; it should be the same as the one you specified using the workgroup parameter in the Samba configuration file. Click the checkbox marked Create a Computer Account in the Domain, and fill in "root" for the text area labelled User Name:. In the Password: text area, fill in the root password you gave smbpasswd for creating computer accounts.

Figure: Configuring a Windows NT client for domain logons
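The domain and workgroup membership steps above (the management page and the Windows NT dialog), as an added PowerShell example for a current Windows client; this is not code from the original notes or from the tools they describe. The domain corp.example.com, its OU path, the workgroup name WORKGROUP and the join account are placeholders, and the script assumes it runs in an elevated session on the client being joined.

```powershell
# Added example, not from the original notes: the scripted counterpart of
# the GUI steps above for a current Windows client. The domain name
# 'corp.example.com', its OU path and the workgroup name 'WORKGROUP' are
# placeholders.
param(
    [ValidateSet('Domain', 'Workgroup')]
    [string]$Mode = 'Domain',
    [string]$DomainName = 'corp.example.com',
    [string]$WorkgroupName = 'WORKGROUP'
)

# How is this machine grouped right now? PartOfDomain = $true means logons
# are validated by a domain controller; $false means the machine relies on
# its own local account database, as every workgroup member does.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Host "$($cs.Name) is a member of the domain $($cs.Domain)"
} else {
    Write-Host "$($cs.Name) is in the workgroup $($cs.Workgroup)"
}

switch ($Mode) {
    'Domain' {
        # The credential is typed on the client being joined, so use an
        # account that has only been delegated the right to create computer
        # accounts in the target OU, not a Domain Admin. The OU path is a
        # placeholder for wherever this site keeps workstation objects.
        $joinCred = Get-Credential -Message "Account permitted to join $DomainName"
        Add-Computer -DomainName $DomainName `
                     -Credential $joinCred `
                     -OUPath 'OU=Workstations,DC=corp,DC=example,DC=com' `
                     -Restart
    }
    'Workgroup' {
        if ($cs.PartOfDomain) {
            # Leaving a domain disables the computer account on the DC and
            # returns the client to its local SAM; domain credentials are
            # needed to unjoin cleanly. Make sure a local administrator
            # account exists first, or nobody can log on after the reboot.
            $unjoinCred = Get-Credential -Message "Account permitted to remove this computer from $($cs.Domain)"
            Remove-Computer -UnjoinDomainCredential $unjoinCred `
                            -WorkgroupName $WorkgroupName -Force -Restart
        } else {
            # Already a workgroup member: only the workgroup name changes.
            Add-Computer -WorkgroupName $WorkgroupName -Restart
        }
    }
}
```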

Built-In Global Groups


Three global groups are built in:

Domain Admins --- The Domain Admins built-in group initially contains the Administrator account. When you create accounts for the administrators of your domain, you should add these accounts to the Domain Admins global group, which is already a member of the Administrators local group.

Domain Users --- The Domain Users built-in group initially contains the Administrator account. Administrators and Account Operators can modify these groups. Every user account you subsequently add to this domain is put automatically in the Domain Users global group.

Domain Guests --- The Domain Guests built-in group initially contains the Guest account. Administrators and Account Operators can modify the Domain Guests built-in group.

Table 4-5 lists the types of built-in global groups, their initial contents, and who can modify them.
Table 4-5 Built-In Global Groups

Global Group     Initial Contents    Who Can Modify
Domain Admins    Administrator       Administrators
Domain Users     Administrator       Administrators, Account Operators
Domain Guests    Guest               Administrators, Account Operators

The following sections further explain the built-in global groups and how to use them.

HP Advanced Server for OpenVMS Concepts and Planning Guide



4.7.1.1 Administrators
The Administrators local group is the most powerful group in the domain. Members of this group have more control over the domain than do any other users. They manage the overall configuration of the domain and the domain's servers. The built-in Administrator user account is a member of the Administrators local group and cannot be removed. By default, the Domain Admins global group is a member of this local group, but it can be removed. In the Advanced Server, the user right "Access this computer from the Network" cannot be revoked from the Administrators local group. Unlike administrators in LAN Manager servers, Advanced Server administrators do not automatically have access to every file in the domain. If a file's permissions do not grant access, the administrator cannot access the file. If needed, an administrator can take ownership of a file and thus have access to it. But if the administrator does so, this event is recorded in the security log (if auditing of files is turned on) and the administrator cannot give ownership back to the original owner. For more information about ownership of files and directories, see Chapter 6, Managing Network Shares, in this guide.

4.7.1.2 Server Operators


Members of the built-in Server Operators local group have many of the same abilities as built-in Administrators; however, they cannot manage security on the server. Specifically, Server Operators can share and stop sharing a server's files and printers, and they can start, stop, pause, and continue selected services.

4.7.1.3 Account Operators


Members of the built-in Account Operators local group can manage the server's user and group accounts. An Account Operator can create, delete, and modify most user accounts, global groups, and local groups. However, the Account Operators cannot modify the user accounts of Administrators, nor can they modify the Administrators, Server Operators, Account Operators, Print Operators, or Backup Operators local groups. They also cannot assign user rights.

4.7.1.4 Print Operators


Members of the built-in Print Operators local group can manage shared printers. If you want a domain's Print Operators to administer printers managed by Windows NT workstation computers in the domain, as well as printers managed by the domain's servers, you must perform the following steps:
1. Create a Domain Print Operators global group in the domain. Make this global group a member of the domain's Print Operators local group.
2. Add the user account of each print operator to the Domain Print Operators group.
3. On each workstation that manages printers, place the Domain Print Operators global group in the workstation's Power Users local group.

4.7.1.5 Backup Operators


Members of the built-in Backup Operators local group have specific rights on any Windows NT Server in the domain, but no specific rights on Advanced Server.

4.7.1.6 Users
Membership in the Users local group provides the abilities most users need to perform normal tasks. By default, the Domain Users global group is a member of the Users built-in local group, but it can be removed.

4.7.1.7 Guests
Differences between the rights granted to the Guests built-in local group and to the Users local group are minimal; both groups have the right to access the server over the network. For information on the built-in Guest account, see Section 3.4.2, Guest Account.

4.7.1.8 Using the Operators Local Groups


As an example of how to use operators local groups, consider a medium-sized department that is deciding how to assign its technical staff to the various administrator and operator groups. At least one user must be an administrator. Members of the Administrators group have several unique abilities. These include taking ownership of files and managing auditing. Because of their unique abilities, members of the Administrators group are responsible for planning and maintaining network security for the department. They also can be allowed to administer Windows NT workstation computers. If there is someone in the group who is responsible for helping new employees get started, it may be wise to make this person a member of the Account Operators group. This account operator then can create domain accounts for new employees and place these accounts in the appropriate groups. If the domain's Administrators group has only a few members, you should assign at least one additional person to the Server Operators group. The basic function of the Server Operators group is to keep the domain servers running. This goal is reflected in their abilities to share directories and printers on servers. If possible, at least one member of either the Administrators or Server Operators group should be present at all hours during which people are using the network. If the ability to print documents quickly is important to your group, you should add several people to the Print Operators group to ensure that printer problems can be addressed quickly.

4.7.1.9 Setting Up a Universal Operators Group


If your network has multiple domains, each containing computers with shared printers, and you have a single group of Print Operators who need the ability to administer printers in all domains, use a universal operators group (a combination of global groups and local groups) to set this up. By doing so, you ensure that your Print Operators group is easy to maintain as your network evolves, as print operators come and go, and as new computers or domains are added.

Follow these steps to establish a universal operators group:


1. In each domain where accounts of Print Operators are located, create a global group called Domain PrintOps and make all of the Print Operators in the domain members of this group.
2. In each domain where printers are to be administered, modify the Print Operators local group by adding the Domain PrintOps global groups to it. Be sure to make this change to the Print Operators local group in every domain.

After you complete these steps, every Print Operator has the ability to administer all printers. If you also need to administer printers on Windows NT workstation computers, you will need to go a step further, because a domain's local groups (such as Print Operators) cannot be used by Windows NT workstation computers --- even Windows NT workstation computers participating in that domain. To each Windows NT workstation computer with printers to administer, add all of the Domain PrintOps global groups to the workstation's Power Users local group.
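The universal operators group procedure above, including the workstation step, scripted as an added example; it is not from the guide, which describes the NT 4.0 / Advanced Server tools, and uses the ActiveDirectory and LocalAccounts PowerShell modules instead. The domain names east.example.com and west.example.com and the workstation names are constructed placeholders; Domain PrintOps, Print Operators and Power Users are the group names used in the text.

```powershell
# Added example (not from the guide): build the "universal operators group"
# described above with the ActiveDirectory and LocalAccounts modules.
# Domain and workstation names are constructed placeholders.
Import-Module ActiveDirectory

$domains      = @('east.example.com', 'west.example.com')   # constructed
$workstations = @('WS-PRINT01', 'WS-PRINT02')               # constructed
$globalName   = 'Domain PrintOps'

# Step 1: one Domain PrintOps global group per domain. Global groups can
# only hold accounts from their own domain, which is why each domain needs
# its own; print operators of that domain are then added to it.
foreach ($d in $domains) {
    if (-not (Get-ADGroup -Server $d -Filter "Name -eq '$globalName'")) {
        New-ADGroup -Server $d -Name $globalName -GroupScope Global `
            -Description 'Print operators of this domain'
    }
}

# Step 2: in every domain, add ALL the Domain PrintOps global groups to the
# built-in Print Operators group. Built-in groups are domain local, so
# global groups from the other domains are valid members.
$globalGroups = foreach ($d in $domains) {
    Get-ADGroup -Server $d -Identity $globalName
}
foreach ($d in $domains) {
    Add-ADGroupMember -Server $d -Identity 'Print Operators' -Members $globalGroups
}

# Workstation step: a domain's local groups are not visible to workstations,
# so the global groups themselves go into each workstation's Power Users
# local group. SIDs are passed because they resolve across domains.
$sids = $globalGroups | ForEach-Object { $_.SID.Value }
Invoke-Command -ComputerName $workstations -ArgumentList (,$sids) -ScriptBlock {
    param($memberSids)
    foreach ($sid in $memberSids) {
        # Silently skip members that are already present on a repeated run.
        Add-LocalGroupMember -Group 'Power Users' -Member $sid -ErrorAction SilentlyContinue
    }
}

# Audit: Print Operators is a privileged built-in group, so record who can
# now administer printers in each domain after the change.
foreach ($d in $domains) {
    Get-ADGroupMember -Server $d -Identity 'Print Operators' |
        Select-Object @{ n = 'Domain'; e = { $d } }, SamAccountName, objectClass
}
```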

built-in local group


A Microsoft Windows NT local group created during installation that has pre-assigned rights and permissions. Built-in local groups are used to simplify the administrative task of assigning users and groups rights to perform system tasks and permissions to access network resources. There are nine different built-in local groups on computers running Windows NT:
1. Users: Contains the Domain Users global group and is used to assign rights and permissions to all ordinary users.
2. Administrators: Contains the Domain Admins global group and the Administrator account created during setup.
3. Guests: Contains the Domain Guests global group.
4. Power Users: Members have the right to share folders and printers.
5. Replicator: This group is used exclusively by the Directory Replicator Service.
6. Backup Operators: Members have the right to back up and restore servers.
7. Account Operators: Members have the right to administer accounts.
8. Server Operators: Members have the right to administer servers.
9. Print Operators: Members have the right to administer printers.

The following table shows which of these groups exist within the domain directory database on Windows NT domain controllers and which exist within the local directory database on Windows NT member servers and workstations:
Built-In Local Groups of Windows NT
Built-In Local Group    Windows NT Domain Controller    Windows NT Member Server    Windows NT Workstation
Users                   Y                               Y                           Y
Administrators          Y                               Y                           Y
Guests                  Y                               Y                           Y
Power Users             N                               Y                           Y
Replicator              Y                               Y                           Y
Backup Operators        Y                               Y                           Y
Account Operators       Y                               N                           N
Server Operators        Y                               N                           N
Print Operators         Y                               N                           N

built-in global group


Global groups in Microsoft Windows NT that are created during installation to organize common groups of users for administrative purposes. These built-in global groups are created within the Security Accounts Manager (SAM) database of the primary domain controller (PDC). Three built-in global groups exist:
1. Domain Admins: Initially, this group contains only the Administrator account that was created during setup. Only people with administrative responsibilities should be assigned to this group.
2. Domain Guests: This group contains the Guest account and is designed for organizing temporary users of network resources and granting them access.
3. Domain Users: When a new user account is created, it is automatically added to this group. The function of this group is to collect all ordinary users for the purpose of assigning them permissions to resources on the network.

