Computers connected on a network can be part of a workgroup or a domain so that all of the connected computers can communicate with each other. The main difference between the two is how resources are managed. Administrators need to know which grouping is appropriate when implementing an infrastructure plan in order to set up a working network environment effectively.
1. Workgroup
A workgroup is the logical way to group computers on a network in which the members are peers: each computer maintains its own security policies and its own resources, such as printers and shared folders. It is used on home networks or in small businesses with roughly 25 computers or fewer.

Advantages of using a workgroup:
- Design and implementation are simple.
- Works well for a small number of computers and does not require a Windows server.
- No computer has control over another computer.
- Each computer has its own set of local user accounts.

Disadvantages of using a workgroup:
- Difficult to manage, because resource administration is not centralized.
- Administrative tasks are redundant, because security policies and user accounts must be created on each computer.
- No global grouping of resources.
- Computers must be on the same local network to communicate with each other.
2. Domain
A domain is a group of networked computers that share a common security policy and account database. It is usually used in medium-sized and enterprise businesses with hundreds or even thousands of computers. A domain is also referred to as a client/server environment: the clients are workstations connected to a server, and that server controls security and permissions for all clients in the domain.

Advantages of using a domain:
- Centralized administration of accounts, security policies and permissions.
- Users can log on to any computer in the domain without needing an account on that particular computer, so all resources are reached with a single log-on.
- Computers on different local networks can be connected to each other.

Disadvantages of using a domain:
- Requires at least one Windows server to act as the domain controller.
- Some applications require a domain environment.
- Requires more planning and configuration.
A workgroup works well for a small number of networked computers because it has no server and needs little planning; the small network can be up and running quickly, sharing resources among the workgroup members. As the network grows in size, however, a workgroup setup becomes unsuitable, because it means more administrative work.
Example
Suppose a new user is added to the network. A user account must be created on each computer that the new user will access. If the network has 25 computers, 2 printers and 3 file servers, each of the 25 users would need at least 5 accounts just to print to the 2 printers and access the 3 file servers. A domain is more suitable for a network that grows in size, because at least one server acts as the domain controller, where user accounts, security policies, permissions and other resources reside; with this, administrators have fewer administrative tasks.
Workgroup and domain compared

Aspect         | Workgroup                                                                                             | Domain
Administration | No server; each computer acts as both client and server.                                              | Server and client based, with centralized administration: one or more computers are servers that administrators use to control security and permissions for all computers in the domain, so a change is made once and applied to all computers automatically.
User accounts  | Each computer has its own set of user accounts; to use a computer in the workgroup you must have an account on that computer. | With a user account on the domain you can log on to any computer in the domain without needing an account on that computer.
Scale          | A few computers in the same location that need to be connected, typically no more than ten to twenty.  | Large-scale deployments of dozens, hundreds or thousands of computers, as in medium and large businesses; computers on workplace networks are usually part of a domain.
Network        | Computers must be on the same local network.                                                          | Computers can be on different local networks.
Implementation | Simple.                                                                                               | Harder and takes longer to implement.
Security       | Each computer keeps its own security for data, users and groups.                                      | Security of data, users and groups is managed centrally.
Domain Controller
On Windows Server systems, a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, and so on) within the Windows Server domain. The domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with a single username and password combination. Windows NT uses the domain to manage access to a set of network resources such as applications and printers; the user logs on to the domain once to reach resources that may be located on different servers in the network. Because it answers every authentication request, the domain controller is central to the security of the whole network, including all of its devices. PDC and BDC are roles that can be assigned to a server on a network running the Windows NT operating system. A domain controller performs the following tasks:
The domain controller is the custodian of the domain, and the security of every system in the domain depends on securing the domain controller well. Network security therefore relies on physically securing and carefully maintaining the domain controller. Secure it according to Microsoft's recommendations for a domain controller. The domain controller role does not mix well with other functions such as mail client, FTP server, web server or mail server, which raise the risk of compromise to an unacceptable level. Strictly restrict access to the domain controller from the Internet and from parts of the network that do not need it.
A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain. It is a server on a Microsoft Windows or Windows NT network that is responsible for allowing host access to Windows domain resources. A domain controller is the centrepiece of the Windows Active Directory service. It authenticates users, stores user account information and enforces security policy for a Windows domain.
Windows NT Primary and Backup Domain Controllers
In older versions of Windows such as Windows NT Server, one domain controller per domain was configured as the Primary Domain Controller (PDC); all other domain controllers were Backup Domain Controllers (BDCs).
Primary Domain Controller (PDC)
Holds the read/write copy of the Security Accounts Manager (SAM); the PDC is the one that seeds the domain SAM. In Windows NT and 2000 networking, this machine is the main machine that responds to security authentication requests, such as logging in, within its domain. The PDC may be backed by one or more backup domain controllers that can also handle security authentication.
Backup Domain Controller (BDC)
Holds a read-only replica copy of the SAM; a BDC is one that obtains a copy of the domain SAM.
A BDC could authenticate the users in a domain, but all updates to the domain (new users, changed passwords, group membership, etc.) could only be made via the PDC, which would then propagate these changes to all BDCs in the domain. If the PDC was unavailable (or unable to communicate with the user requesting the change), the update would fail. If the PDC was permanently unavailable (e.g. if the machine failed), an existing BDC could be promoted to be a PDC. Because of the critical nature of the PDC, best practices dictated that the PDC should be dedicated solely to domain services, and not used for file/print/application services that could slow down or crash the system. Some network administrators took the additional step of having a dedicated BDC online for the express purpose of being available for promotion if the PDC failed.
Domain controller types: NT4-style Primary Domain Controller, NT4-style Backup Domain Controller, ADS Domain Controller
The Primary Domain Controller (PDC) plays an important role in MS Windows NT4. In the Windows 200x domain control architecture, this role is held by domain controllers. Folklore dictates that, because of its role in the MS Windows network, the domain controller should be the most powerful and most capable machine in the network. As strange as it may seem to say this here, good overall network performance dictates that the entire infrastructure needs to be balanced; it is advisable to invest more in standalone (domain member) servers than in the domain controllers.

In the case of MS Windows NT4-style domains, it is the PDC that initiates a new domain control database. This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key part in NT4-type domain user authentication and in synchronization of the domain authentication database with BDCs. With MS Windows 200x Server-based Active Directory domains, one domain controller initiates a potential hierarchy of domain controllers, each with its own area of delegated control. The master domain controller has the ability to override any downstream controller, but a downline controller has control only over its downline. With Samba-3, this functionality can be implemented using an LDAP-based user and machine account backend. New to Samba-3 is the ability to use a backend database that holds the same type of data as the NT4-style SAM database (one of the registry files).[1]

The Backup Domain Controller (BDC) plays a key role in servicing network authentication requests. The BDC is biased to answer logon requests in preference to the PDC. On a network segment that has a BDC and a PDC, the BDC will most likely service network logon requests; the PDC will answer network logon requests when the BDC is too busy (high load). When a user logs on to a Windows domain member client, the workstation queries the network to locate the nearest network logon server. Where a WINS server is used, this is done via a query to the WINS server. If a netlogon server cannot be found from the WINS query, or in the absence of a WINS server, the workstation performs a NetBIOS name lookup via a mailslot broadcast over the UDP broadcast protocol. This means that the netlogon server the Windows client will use is influenced by a number of variables, so there is no simple determinant of whether a PDC or a BDC will serve a particular logon authentication request.

A Windows NT4 BDC can be promoted to a PDC. If the PDC is online at the time that a BDC is promoted to PDC, the previous PDC is automatically demoted to a BDC. With Samba-3, this is not an automatic operation; the PDC and BDC must be manually configured, and other appropriate changes also need to be made. With MS Windows NT4, a decision is made at installation to determine what type of machine the server will be. It is possible to promote a BDC to a PDC, and vice versa. The only method Microsoft provides to convert a Windows NT4 domain controller to a domain member server or a standalone server is to reinstall it. The install-time choices offered are:
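The WINS query and the broadcast fallback just described both carry an NBNS name query for the domain's <1C> group name, which every domain controller registers (the PDC additionally registers <1B>). The Python below is an added example, not code from the page or from Samba: it builds and parses that 50-byte query offline, with the domain name MYDOMAIN and the transaction id as constructed values.

```python
import secrets
import struct

# Well-known NetBIOS name suffixes (RFC 1001/1002): 0x00 workstation service,
# 0x1B domain master browser (the PDC), 0x1C domain controllers group name,
# 0x1D local master browser, 0x20 server (file) service.
SUFFIX_DOMAIN_CONTROLLERS = 0x1C
FLAGS_BROADCAST_QUERY = 0x0110   # R=0, OPCODE=0, RD (0x0100) and B (0x0010) set
QTYPE_NB = 0x0020                # NetBIOS general name service record
QCLASS_IN = 0x0001


def encode_netbios_name(name, suffix):
    """RFC 1001 first-level encoding: upper-case, pad with spaces to 15 bytes,
    append the suffix byte, then map each nibble of each byte onto 'A'..'P'."""
    raw = name.upper().encode("ascii")
    if not 1 <= len(raw) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    raw = raw.ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes((0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return bytes(out)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("malformed first-level encoded name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(domain, suffix=SUFFIX_DOMAIN_CONTROLLERS, txid=None):
    """The 50-byte NBNS broadcast query a client sends to UDP/137 when it looks
    for DOMAIN<1C>; a unicast WINS lookup differs only in the B flag being clear."""
    if txid is None:
        txid = secrets.randbelow(0x10000)     # unpredictable transaction id
    header = struct.pack("!6H", txid, FLAGS_BROADCAST_QUERY, 1, 0, 0, 0)
    question = (b"\x20" + encode_netbios_name(domain, suffix) + b"\x00"
                + struct.pack("!HH", QTYPE_NB, QCLASS_IN))
    return header + question


def parse_name_query(packet):
    """Parse a single-question NBNS name query into its fields."""
    if len(packet) < 50:
        raise ValueError("packet too short for an NBNS name query")
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", packet[:12])
    if qdcount != 1 or packet[12] != 0x20 or packet[45] != 0x00:
        raise ValueError("not a single-question NBNS name query")
    name, suffix = decode_netbios_name(packet[13:45])
    qtype, qclass = struct.unpack("!HH", packet[46:50])
    return {"txid": txid, "name": name, "suffix": suffix, "qtype": qtype,
            "qclass": qclass, "broadcast": bool(flags & 0x0010)}
```

The same parser applied to a packet capture of UDP/137 shows which suffix a client is resolving, so logon-server discovery can be told apart from ordinary browser or file-share lookups.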
Windows NT 4.0
To configure Windows NT for domain logons, log in to the computer as Administrator or another user in the Administrators group, open the Control Panel, double-click the Network icon, and click the Network Identification tab. Click the Change... button, and you should see the dialog box shown in the figure below. In this dialog box, you can make the Windows NT client a member of the domain by clicking the checkbox marked Domain: in the Member of box. Then type in the name of the domain to which you wish the client to log on; it should be the same as the one you specified with the workgroup parameter in the Samba configuration file. Click the checkbox marked Create a Computer Account in the Domain, and fill in "root" for the text area labelled User Name:. In the Password: text area, fill in the root password you gave smbpasswd for creating computer accounts.
Domain Admins --- The Domain Admins built-in group initially contains the Administrator account. When you create accounts for the administrators of your domain, you should add these accounts to the Domain Admins global group, which is already a member of the Administrators local group.
Domain Users --- The Domain Users built-in group initially contains the Administrator account. Administrators and Account Operators can modify these groups. Every user account you subsequently add to this domain is put automatically in the Domain Users global group.
Domain Guests --- The Domain Guests built-in group initially contains the Guest account. Administrators and Account Operators can modify the Domain Guests built-in group.
Table 4-5 lists the types of built-in global groups, their initial contents, and who can modify them.

Table 4-5 Built-In Global Groups

Global Group  | Initial Contents | Who Can Modify
Domain Admins | Administrator    | Administrators
Domain Users  | Administrator    | Administrators, Account Operators
Domain Guests | Guest            | Administrators, Account Operators
The following sections further explain the built-in global groups and how to use them.
4.7.1.1 Administrators
The Administrators local group is the most powerful group in the domain. Members of this group have more control over the domain than do any other users. They manage the overall configuration of the domain and the domain's servers. The built-in Administrator user account is a member of the Administrators local group and cannot be removed. By default, the Domain Admins global group is a member of this local group, but it can be removed. In the Advanced Server, the user right "Access this computer from the Network" cannot be revoked from the Administrators local group. Unlike administrators in LAN Manager servers, Advanced Server administrators do not automatically have access to every file in the domain. If a file's permissions do not grant access, the administrator cannot access the file. If needed, an administrator can take ownership of a file and thus have access to it. But if the administrator does so, this event is recorded in the security log (if auditing of files is turned on) and the administrator cannot give ownership back to the original owner. For more information about ownership of files and directories, see Chapter 6, Managing Network Shares, in this guide.
3. On each workstation that manages printers, place the Domain Print Operators global group in the workstation's Power Users local group.
4.7.1.6 Users
Membership in the Users local group provides the abilities most users need to perform normal tasks. By default, the Domain Users global group is a member of the Users built-in local group, but it can be removed.
4.7.1.7 Guests
Differences between the rights granted to the Guests built-in local group and to the Users local group are minimal; both groups have the right to access the server over the network. For information on the built-in Guest account, see Section 3.4.2, Guest Account.
After you complete these steps, every Print Operator has the ability to administer all printers. If you also need to administer printers on Windows NT workstation computers, you will need to go a step further, because a domain's local groups (such as Print Operators) cannot be used by Windows NT workstation computers --- even Windows NT workstation computers participating in that domain. To each Windows NT workstation computer with printers to administer, add all of the Domain PrintOps global groups to the workstation's Power Users local group.
1. Users:
Contains the Domain Users global group and is used to assign rights and permissions to all ordinary users.
2. Administrators:
Contains the Domain Admins global group and the Administrator account created during setup.
3. Guests:
The following table shows which of these groups exist within the domain directory database on Windows NT domain controllers and which exist within the local directory database on Windows NT member servers and workstations:
Built-In Local Groups of Windows NT

Built-In Local Group | Windows NT Domain Controller | Windows NT Member Server | Windows NT Workstation
Users                | Y                            | Y                        | Y
Administrators       | Y                            | Y                        | Y
Guests               | Y                            | Y                        | Y
Power Users          | N                            | Y                        | Y
Replicator           | Y                            | Y                        | Y
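As an added illustration of the nesting rules in sections 4.7.1.x above (global groups hold accounts, local groups hold accounts and global groups, and a domain's local groups cannot be used on a Windows NT workstation), the following Python models a domain's accounts and groups and rejects the memberships the text rules out. This is not code from the page or from Windows NT; the domain name EXAMPLE, the account alice and the workstation WS1 are constructed.

```python
# Windows NT group nesting as the text lays it out: global groups hold user
# accounts of their own domain; local groups (in the domain or on a
# workstation) hold users and global groups; local groups are never nested.

class NtDomain:
    def __init__(self, name):
        self.name, self.users = name, set()
        self.global_groups = {}   # global group -> set of user names
        self.local_groups = {}    # local group  -> set of users / global groups
    def add_user(self, user):
        """Every account added to the domain lands in Domain Users automatically."""
        self.users.add(user)
        self.add_to_global("Domain Users", user)
    def add_to_global(self, group, user):
        if user not in self.users:
            raise ValueError(f"{user}: global groups hold only this domain's accounts")
        self.global_groups.setdefault(group, set()).add(user)
    def add_to_local(self, local, member):
        if member in self.local_groups:
            raise ValueError(f"{member}: local groups cannot be nested")
        if member not in self.users and member not in self.global_groups:
            raise ValueError(f"{member}: not an account or a global group")
        self.local_groups.setdefault(local, set()).add(member)
    def local_groups_of(self, user):
        """Local groups a user belongs to directly or through a global group."""
        return {local for local, members in self.local_groups.items()
                if user in members
                or any(user in self.global_groups.get(m, ()) for m in members)}


class NtWorkstation:
    """Workstation local groups take domain users and domain global groups only."""
    def __init__(self, name, domain):
        self.name, self.domain = name, domain
        self.local_groups = {"Power Users": set()}
    def add_to_local(self, local, member):
        if member in self.domain.local_groups:
            raise ValueError(f"{member}: a domain local group cannot be used on {self.name}")
        if member not in self.domain.users and member not in self.domain.global_groups:
            raise ValueError(f"{member}: unknown in domain {self.domain.name}")
        self.local_groups.setdefault(local, set()).add(member)


def built_in_domain(name="EXAMPLE"):
    """Initial memberships from Table 4-5 and 4.7.1.x; the domain name is constructed."""
    d = NtDomain(name)
    d.add_user("Administrator")                         # also lands in Domain Users
    d.users.add("Guest")                                # Guest is not a Domain User
    d.add_to_global("Domain Admins", "Administrator")
    d.add_to_global("Domain Guests", "Guest")
    d.add_to_local("Administrators", "Administrator")   # built-in, cannot be removed
    d.add_to_local("Administrators", "Domain Admins")   # default, but removable
    d.add_to_local("Users", "Domain Users")
    d.add_to_local("Guests", "Domain Guests")
    return d
```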