HP 9000 Networking: Advanced Server/9000 Concepts and Planning Guide > Chapter 2 Managing Advanced Server Domains

Network Building Blocks-An Overview

An understanding of domain components and how they interact is critical to making appropriate decisions when using a domain structure to implement Advanced Server directory services features. The following section provides a brief explanation of the key components and functionality of an Advanced Server domain.

Advanced Server Domains

A domain is a logical grouping of network servers and other computers that share common security and user account information. Within domains, administrators create one user account for each user. Users then log on to a domain, not to individual servers within the domain.

A domain is the administrative unit of Advanced Server directory services. The term domain does not refer to a single location or specific type of network configuration. Computers in a single domain can share physical proximity on a small local area network (LAN) or can be located in different corners of the world, communicating over any number of physical connections, including dial-up lines, ISDN, fiber, Ethernet, Token-Ring, frame relay, satellite, and leased lines.

Directory Database

The directory database stores all security and user account information for a domain. (Other Advanced Server and Windows NT documents may refer to the directory database as the "Security Accounts Manager (SAM) database"). The master copy of the directory database is stored on one server and is replicated to backup servers and then synchronized on a regular basis to maintain centralized security. When a user logs on to a domain, Advanced Server software checks the user name and password against the directory database.

Primary and Backup Domain Controllers

Within a domain, domain controllers manage all aspects of user-domain interactions. Domain controllers are computers running Advanced Server or Windows NT Server that share one directory database to store security and user account information for the entire domain; they comprise a single administrative unit. Domain controllers use the information in the directory database to authenticate users logging on to domain accounts.

There are two types of domain controllers:

  • The primary domain controller (PDC) tracks changes made to domain accounts. Whenever an administrator makes a change to a domain account, the change is recorded in the directory database on the PDC. The PDC is the only domain server that receives these changes directly. A domain can have only one PDC.

  • A backup domain controller (BDC) maintains a copy of the directory database. This copy is synchronized periodically and automatically with the PDC. BDCs also authenticate user logons, and a BDC can be promoted to function as the PDC. Multiple BDCs can exist in a domain.

You create a domain when you install Advanced Server on a computer and designate that computer as the PDC. There can be as many BDCs as needed in a domain to share the load of authenticating network logons. In a small organization, a PDC and a single BDC in one domain may be all that is required.

For information about promoting and demoting domain controllers, see "Promoting and Demoting Domain Controllers" later in this chapter.

Benefits of Domains

Grouping computers into domains provides two main benefits to network administrators and users. The more important one is that the domain controllers form a single administrative unit, sharing security and user account information. In this way, administrators need to manage only one account for each user, and each user needs to use (and remember the password for) only one account. By extending the administrative unit from individual servers to an entire domain, Advanced Server saves administrators and users time and effort.

The second benefit of grouping computers into domains is user convenience. When users browse the network for available resources, they see the network grouped into domains, rather than seeing all of the network servers and printers at once. This benefit is analogous to the benefit of using Microsoft Windows® for Workgroups and the Windows 95 concept of a workgroup.

User Access to Domain Resources

Advanced Server provides you with many ways to control the actions of users while letting them use the resources they need. The basis of Advanced Server security is that all resources and actions are protected by discretionary access control. You can allow some users to connect to a resource or perform an action while preventing others from doing so. For example, you can set different permissions on different files in the same directory.

Together, the user account, user rights, and resource permissions provide resource access and restrictions appropriate for each user.

User Accounts Allow Access to Domain Resources

An individual who participates in a domain must have a user account to log on to the network and to use domain resources such as files, directories, and printers.

An administrator creates a user account by assigning a user name to an account, specifying the user's identification data, and defining the user's rights on the system. Advanced Server then assigns a unique security identifier (SID) to the new account. For information about user accounts and user rights, see Chapter 3, "Working with User and Group Accounts."

For procedural information on how to create user accounts, see "Creating a New User Account" in User Manager for Domains Help.

User Rights Control Actions by the User

User rights are rules that determine the actions a user can perform on domain controllers, workstations, or member servers. In addition, they control whether a user can add users to a workstation or domain group, delete users, and so on. Assigned user rights can apply to all of the domain controllers in a domain, or to a computer running Windows NT Workstation or Windows NT Server as a member server.

Predefined, or built-in, groups have sets of user rights already assigned to them. Administrators usually assign user rights by adding a user account to one of the predefined groups or by creating a new group and assigning specific user rights to that group. Users who subsequently are added to a group automatically gain all of the user rights assigned to the group account. Individual users can be given specific user rights; however, most administrators prefer to control the actions of groups rather than those of individual users.

For information on how to assign rights to groups, see Chapter 3, "Working with User and Group Accounts."

Permissions Control Access to Domain Resources

Permissions are rules that regulate which users can use objects such as directories, files, and printers, and in what manner. The owner of an object sets the permissions on the object. Similar to user rights, permissions on an object apply to each member of a group to which the permissions are granted.

For information on how to set permissions on objects, see Chapter 5, "Managing Shared Resources and Resource Security."

Trust Relationships

Although small organizations can store accounts and resources in a single domain, large organizations typically establish multiple domains. With multiple domains, accounts usually are stored in one domain and resources in another domain or domains.

Advanced Server directory services provide security across multiple domains through trust relationships. A trust relationship is a link that combines two domains into one administrative unit that can authorize access to resources in both domains.

There are two types of trust relationships:

  • In a one-way trust relationship, one domain trusts the users in another domain to use its resources. More specifically, one domain trusts the domain controllers in another domain to validate user accounts to use its resources. The resources that become available are in the trusting domain, and the accounts that can use them are in the trusted domain. However, if user accounts located in the trusting domain need to use resources located in the trusted domain, that situation requires a two-way trust relationship.

  • A two-way trust relationship is composed of two one-way trust relationships in which each domain trusts users in the other domain. Users can log on from computers in either domain to the domain that contains their account. Each domain can have both accounts and resources. Global user accounts and global groups can be used from either domain to grant rights and permissions to resources in either domain. In other words, both domains are trusted domains.

NOTE: Using resources located in any domain, trusting or otherwise, always is subject to permissions associated with the resources.

For information about resource permissions, see Chapter 5, "Managing Shared Resources and Resource Security."

For information on creating trust relationships, see "Administering Trust Relationships" later in this chapter.

For additional information on planning and managing trust relationships, see the Windows NT Server Resource Kit.

For information on how to create a trust relationship, see "Adding a Trusting Domain" and "Adding a Trusted Domain" in User Manager for Domains Help.

Grouping Users With Similar Needs

Administrators typically group users according to the types and degrees of network access their jobs require. For example, most accountants working at a certain level probably will need access to the same servers, directories, and files. By using group accounts, administrators can grant rights and permissions to multiple users at one time. Other users can be added to an existing group account at any time, immediately gaining the rights and permissions granted to the group account.

There are two types of group accounts:

  • A global group consists of several user accounts from one domain that are grouped together under one group account name. A global group can contain user accounts from only one domain — the domain in which the global group was created. "Global" indicates that the group can be granted rights and permissions to use resources in multiple (global) domains. A global group can contain only user accounts and can be created only on a domain, not on a workstation or member server.

  • A local group consists of user accounts and global groups from one or more domains, grouped together under one account name. Users and global groups from outside the local domain can be added to the local group only if they belong to a trusted domain. "Local" indicates that the group can be granted rights and permissions to use resources in only one (local) domain. A local group can contain users and global groups but no other local groups.

When working with groups, keep the following points in mind:

  • Global groups are the most efficient way to add users to local groups.

  • Global groups can be added to local groups in the same domain, in trusting domains, or on computers running Windows NT Workstation or Windows NT Server as a member server in the same domain or in a trusting domain.

  • Although a global group can be granted permissions and rights in its own domain, it is best to grant rights and permissions to local groups and to use global groups to add user accounts from account domains (trusted) to resource domains (trusting).
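The membership rules above (a global group holds accounts from one domain only; a local group holds users and global groups, foreign ones only from a trusted domain, and never another local group) and the recommended layout of accounts in global groups and permissions on local groups can be checked in a small model. The following is an added example, not HP's code; the domain names, users and the one-way trust are constructed.

```python
"""Added example (not HP's code): a model of the global/local group rules above.
The domain names, users and trust relationship are constructed."""
from dataclasses import dataclass

# Constructed one-way trust: the resource domain trusts the account domain.
TRUSTS = {"RESOURCE": {"ACCOUNTS"}, "ACCOUNTS": set(), "UNTRUSTED": set()}

@dataclass(frozen=True)
class User:
    name: str
    domain: str

class GlobalGroup:
    """Holds user accounts from exactly one domain; exists only on a domain."""
    def __init__(self, name, domain):
        self.name, self.domain, self.members = name, domain, set()

    def add(self, user):
        if not isinstance(user, User):
            raise TypeError("a global group can contain only user accounts")
        if user.domain != self.domain:
            raise ValueError(f"{user.domain}\\{user.name} is not from {self.domain}")
        self.members.add(user)

    def users(self):
        return set(self.members)

class LocalGroup:
    """Holds users and global groups; foreign members must come from a trusted domain."""
    def __init__(self, name, domain):
        self.name, self.domain, self.members = name, domain, []

    def add(self, member):
        if isinstance(member, LocalGroup):
            raise TypeError("a local group cannot contain another local group")
        if member.domain != self.domain and member.domain not in TRUSTS[self.domain]:
            raise ValueError(f"{self.domain} does not trust {member.domain}")
        self.members.append(member)

    def users(self):
        """Expand the membership to the set of user accounts it grants access to."""
        out = set()
        for m in self.members:
            out |= m.users() if isinstance(m, GlobalGroup) else {m}
        return out

def can_access(resource_acl, user):
    """resource_acl: the local groups granted permission on a resource."""
    return any(user in g.users() for g in resource_acl)

def demo():
    """Build the recommended layout (accounts in a global group of the trusted domain,
    permission granted to a local group of the trusting domain) and record which
    rule violations the model rejects."""
    alice = User("alice", "ACCOUNTS"); bob = User("bob", "ACCOUNTS")
    carol = User("carol", "UNTRUSTED"); ops = User("ops", "RESOURCE")
    accountants = GlobalGroup("Accountants", "ACCOUNTS")
    accountants.add(alice); accountants.add(bob)
    ledger_readers = LocalGroup("Ledger Readers", "RESOURCE")
    ledger_readers.add(accountants)      # global group from the trusted domain: allowed
    ledger_readers.add(ops)              # user from the local domain: allowed
    rejected = []
    for action in (lambda: accountants.add(ops),                                  # wrong domain
                   lambda: LocalGroup("Outsiders", "RESOURCE").add(carol),        # untrusted domain
                   lambda: ledger_readers.add(LocalGroup("Nested", "RESOURCE")),  # local group in local group
                   lambda: accountants.add(ledger_readers)):                      # group in a global group
        try:
            action()
        except (TypeError, ValueError) as err:
            rejected.append(str(err))
    return {"ledger_readers": sorted(u.name for u in ledger_readers.users()),
            "alice_can_read": can_access([ledger_readers], alice),
            "carol_can_read": can_access([ledger_readers], carol),
            "rejected": rejected}
```

Running `demo()` shows the effective membership of the resource-domain local group resolving through the trust to the account-domain users, and each of the four invalid memberships being refused with the rule it breaks.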

Built-in Local Groups and User Rights

Advanced Server domain controllers contain built-in local groups that determine what users can do on the domain when logged on to domain controllers. Computers running Windows NT Workstation and member servers running Windows NT Server have built-in local groups that determine what users can do on the local computer.

The built-in local groups on domain controllers give administrators a significant head start in managing domain security. Each built-in local group has a predetermined set of rights, which automatically apply to each user account that is added to the group. The rights assigned to the built-in groups on a domain controller provide sets of abilities for domain users, as characterized by the group names: Administrators, Account Operators, Server Operators, Backup Operators, Print Operators, Users, Guests, and Replicator.

The built-in local groups for workstations and member servers are Administrators, Backup Operators, Power Users, Users, Guests, and Replicator.

For information about the abilities of built-in global and local groups, see Chapter 3, "Working With User and Group Accounts."

Computers that Can Participate in Domains

In addition to Advanced Server and Windows NT primary and backup domain controllers, a domain can contain computers running Windows NT Workstation and computers running Windows NT Server as member servers (not as domain controllers). Advanced Server/9000 and LAN Manager 2.2 servers cannot operate in the same domain.

NOTE: If LAN Manager servers reside in the same domain as an Advanced Server or Windows NT Server, the NT format Domain Security Database will overwrite and destroy the LAN Manager User database.

Computers Running Windows NT Workstation

For each computer running Windows NT Workstation on your network, you specify whether to have the workstation participate in a domain or in a workgroup. A workgroup is a collection of computers that can view each other's directories over the network but do not share a common directory database. Workgroup members log on to workstation accounts only and share resources between computers in the workgroup. In most cases, you will want each workstation to participate in a domain.

For information about domain interactions with workgroup computers, see "Computers that Can Interact with Domain Computers" later in this chapter.

Windows NT Server Member Servers

Computers running Windows NT Server can be configured as member servers that do not store copies of the directory database, and therefore do not authenticate accounts or receive synchronized copies of the directory database. These servers are used to run applications dedicated to specific tasks, such as managing print or file servers or high-volume tasks such as running database applications.

For information about running Windows NT Server as a member server, see Windows NT Server Concepts and Planning.

Advanced Server Computer Accounts

Each computer running Advanced Server, Windows NT Server, or Windows NT Workstation that participates in a domain has its own account in the directory database. A computer account is created when the computer first is identified to the domain during network setup at installation. Computer accounts are used to establish secure communications channels.

Secure Communications Channel

A secure communications channel is created when computers at each end of a connection are satisfied that the computer at the other end has identified itself correctly. Computers identify themselves using their computer accounts. When a secure communications channel has been established, a communications session can begin between the two computers.

The Net Logon service on each computer running Advanced Server, Windows NT Server, or Windows NT Workstation creates a secure communications channel when it starts — but only if the computer is participating in a domain. A BDC creates a secure communications channel to its PDC. A Windows NT Workstation or Windows NT Server computer running as a member server in a domain creates a secure communications channel to a domain controller in the domain.

Computer accounts and secure communications channels also are used by interdomain trust relationships. A computer account is associated with each trust relationship. Each domain controller in a trusting domain establishes a secure communications channel with a domain controller in each of its trusted domains.

Effects of Computer Accounts on Domain Administration

Computer accounts and the secure communications channels they provide enable administrators to manage workstations and member servers remotely. They also affect the relationship between workstations and domain servers and between primary and backup domain controllers in the following ways:

  • A computer account is part of an implicit one-way trust relationship between a client computer and the controllers in its domain. Workstations request logon authentication for a user account from a domain server in the same way a server in a trusting domain requests validation from a server in a trusted domain. This trust relationship enables administrators to select a workstation or member server for administration in the same way they select a domain.

  • When a workstation or member server is added to a domain, the Domain Admins global group automatically is added to the computer's Administrators local group. Domain administrators then can use Windows NT Server Tools or Windows NT Administrative Tools to manage the computer's user environment remotely and to manage the computer's user and group accounts, including adding domain global groups to the computer's local groups. Additionally, domain administrators can perform any function on the computer itself that is allowed by the Administrators local group.

  • For Advanced Server and Windows NT Server domain controllers, computer accounts link BDCs with the PDC and pair up trusting and trusted domains. A computer account that is created when a BDC joins a domain allows the BDC to get a copy of the master directory database from its PDC. Interdomain trust computer accounts allow domain controllers in a trusting domain to pass authentication of user accounts through to the trusted domain. For more information, see "How User Logons Work" later in this chapter.

For information on how to add a computer to a domain, see "Adding a Computer to the Domain" in Server Manager Help and "To join a domain" in Control Panel Help.

Computers that Can Interact with Domain Computers

Advanced Server has an open networking architecture that allows flexibility in communicating with other network products. Client computers running operating systems other than Advanced Server, Windows NT Server, or Windows NT Workstation can interact with computers in an Advanced Server domain. However, they do not have domain computer accounts and therefore do not have Windows NT Workstation logon security. Their users can have user accounts stored in the directory database but their computers will not have logon security to protect access to their resources.

Workgroup Computers

A workgroup is an organizational unit of computers (not users) that do not belong to a domain. In a workgroup, each computer tracks its user and group account information and — in contrast to domain controllers — does not share this information with other workgroup computers.

Workgroup members can log on only to workstation accounts and can view only the directories of other workgroup members over the network.

Computers running Windows NT Server, Windows NT Workstation, Windows 95, or Windows for Workgroups can be configured to participate in either a domain or a workgroup. When setting up one of these computers for networking, you can specify a computer name and a workgroup name. If the workgroup name matches a domain name, then the computer name appears in the browse list for that domain. To determine whether the computer participates in a domain or a workgroup, you can specify that the computer log on to either an Advanced Server domain or a workgroup during installation.

Windows 95 Clients

Windows 95 has built-in access to Advanced Server networking. Users who have domain accounts can log on to their accounts in the same way as Windows NT Workstation users. Windows 95 user account logons can be validated by both Advanced Server and LAN Manager, Version 2.2 domain controllers.

MS-DOS Clients

If MS-DOS client computers are running one of the following components, they can share network resources on their respective servers:

  • Microsoft Network Client for MS-DOS, Version 3.0, enables computers running MS-DOS to interact with domain controllers and computers running Windows NT Workstation.

  • Microsoft LAN Manager for MS-DOS, Version 2.2, enables computers running MS-DOS to interact with LAN Manager, Version 2.2 servers and Advanced Server domain controllers.

Because computers running MS-DOS cannot store user accounts, they do not participate in domains in the same way as Windows NT computers. Each computer running MS-DOS usually has a default domain set for browsing. If an MS-DOS user has a domain account, you can set the browsing domain on the user's computer to any domain. It does not have to be the domain containing the user's account.

LAN Manager 2.2 Servers and Clients

MS-DOS and Windows 3.1 computers running LAN Manager workstation software can connect to servers running Advanced Server. LAN Manager 2.2 servers (on HP-UX system computers) cannot reside in a domain that has an Advanced Server/9000 primary domain controller.

NOTE: If LAN Manager servers reside in the same domain as an Advanced Server or Windows NT Server, the NT format Domain Security Database will overwrite and destroy the LAN Manager User database.

For information about LAN Manager domain interoperability, see "How Advanced Server Works With LAN Manager" later in this chapter.

How User Logons Work

Network resources are protected at several levels by different processes. However, access to a domain or a computer is protected by logon security. This security requires users to identify themselves to the domain or the computer. The user name and the password that the user types in the Logon Information dialog box are checked against the computer directory database if the user is logging on to a user account defined on the computer, or against the domain directory database if the user is logging on to a domain user account.

Through directory services, authenticated accounts are available for use with all Advanced Server network services.

Interactive and Remote Logons

Two logon processes can start logon authentication:

  • Interactive logon occurs when the user types information in the Logon Information dialog box displayed by the computer's operating system. In the Domain box, the user selects either the name of a domain or the name of the computer being used for logon, depending on where the user account being logged on to is defined.

  • Remote logon takes place when a user already is logged on to a user account and makes a network connection to another computer. For example, the user connects to another computer using the Map Network Drive dialog box or the net use command.

For information about connecting to computers in a non-trusting domain, see Chapter 3, "Working With User and Group Accounts."

User Authentication

On a computer running Windows NT Workstation or member servers running Windows NT Server, the Net Logon service processes logon requests for the local computer. On a domain controller, the Net Logon service processes logon requests for the entire domain.

The Net Logon service initiates the following processes: discovery, secure communications channel setup, and pass-through authentication.

  • Discovery: When a computer running Windows NT Workstation or a member server running Windows NT Server starts, the Net Logon service attempts to locate a domain controller running Advanced Server or Windows NT Server in its domain. The Net Logon service on PDCs and BDCs likewise attempts discovery with all trusted domains. Once a domain controller has been discovered, it is used for subsequent user account authentication.

  • Secure communications channel: A computer's Net Logon service establishes secure communications channels with the Net Logon services on servers that are located by the discovery process. These secure communications channels are used to exchange user identification data between computers' Net Logon services.

  • Pass-through authentication: When a user logs on, the user specifies credentials that identify the user account. When the user account must be authenticated but the logon computer is not a domain controller in the domain where the user account is defined nor the computer on which the user account is defined, the computer passes the logon information to a domain controller (directly or indirectly) on which the user account is defined.

Pass-Through Authentication

Pass-through authentication occurs in the following cases:

  • At interactive logon when a user logs on to a computer running Windows NT Workstation or a computer running Windows NT Server as a member server and the name in the Domain box in the Logon Information dialog box is not the computer name.

    The logon computer sends the logon request to a domain controller in the domain to which the logon computer belongs. The controller checks the domain name. If the domain name is the domain to which the controller belongs, the controller authenticates the logon credentials against its directory database and passes the account identification information back to the logon computer, allowing the user to connect to resources on both the logon computer and the domain.

    If the domain name is not the one to which the domain controller belongs, the domain controller determines whether the domain is a trusted domain. If it is a trusted domain, then the domain controller passes the logon request through to a domain controller in the trusted domain. That domain controller authenticates the account user name and password against its domain directory database and passes the account identification information back to the initial domain controller which sends it back to the logon computer.

    If the name in the logon credentials is not the computer name, not the name of the domain to which the computer belongs, and not the name of a domain trusted by the computer's domain, then the credentials are assumed to belong to an untrusted domain and the interactive logon fails.

  • At interactive logon when the Windows NT computer being logged on to is a domain controller but the name in the Domain box is not the domain to which the controller belongs.

    The controller checks the domain name to see if it is a trusted domain. (The domain controller does not check for the computer name because its directory database contains only domain accounts.) If the domain is a trusted domain, then the controller passes the logon information to a domain controller in the trusted domain for authentication. If the trusted domain controller authenticates the account, the logon information is passed back to the initial domain controller and the user is logged on. If the account is not authenticated (that is, not defined in the trusted domain directory database), the logon fails.

  • At remote logon (connecting to a computer over the network).

    If the user is logged on to a computer or domain account and then tries to make a network connection to another computer, pass-through authentication proceeds as in interactive logon. The credentials used at interactive logon are used for pass-through authentication unless the user overrides those credentials by typing a different domain or computer name and user name in the Connect As box in the Map Network Drive dialog box.

    If the user tries to make a network connection to a computer in a domain that does not trust the user's domain, then the logon proceeds as if the user were connecting using an account on the remote computer. The computer being connected to authenticates the logon credentials against its directory database. If the account is not defined in the directory database but the Guest account is enabled on the computer being connected to, and if the Guest account has no password set, the user is logged on with Guest privileges. If the Guest account is not enabled, the logon fails. For information about the Guest account, see Chapter 3, "Working With User and Group Accounts."

    If the computer being connected to is a BDC in the domain where the user account is defined, but the BDC fails to authenticate the user's password (for example, the password has changed but the BDC is not synchronized at the time the user logs on), then the BDC passes the logon request through to the PDC in the same domain.
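The cases above form one decision procedure: check the local accounts when the Domain box names the computer itself, otherwise hand the request to a controller of the computer's own domain, which authenticates it, passes it through to a trusted domain, or rejects an untrusted one; a BDC whose copy is unsynchronized passes through to the PDC, and a connection to a server in a non-trusting domain falls back to that server's own accounts or its Guest account. The following simulation is an added example, not HP's code: the domains, computers, accounts, passwords and the one-way trust are constructed, and discovery is assumed to have located a BDC for workstations and member servers.

```python
"""Added example (not HP's code): a simulation of pass-through authentication as
described above.  Domains, computers, accounts and passwords are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory databases.  Each domain has a PDC copy and a BDC copy; the
# ACCOUNTS BDC copy is deliberately stale (alice changed her password on the PDC).
PDC_DB = {"ACCOUNTS": {"alice": "new-pw", "bob": "bob-pw"},
          "RESOURCE": {"ops": "ops-pw"}, "OTHER": {"eve": "eve-pw"}}
BDC_DB = {"ACCOUNTS": {"alice": "old-pw", "bob": "bob-pw"},
          "RESOURCE": {"ops": "ops-pw"}, "OTHER": {"eve": "eve-pw"}}
# One-way trust: RESOURCE trusts ACCOUNTS.  OTHER trusts no one and is trusted by no one.
TRUSTS = {"RESOURCE": {"ACCOUNTS"}, "ACCOUNTS": set(), "OTHER": set()}

@dataclass
class Computer:
    name: str
    domain: Optional[str]                # None for a workgroup computer
    role: str                            # "workstation", "member", "BDC" or "PDC"
    local_accounts: dict = field(default_factory=dict)
    guest_enabled: bool = False
    guest_password: str = ""             # Guest is usable only when enabled with no password

def _matches(db, domain, user, password):
    return db[domain].get(user) == password

def dc_authenticate(dc_domain, dc_role, target, user, password):
    """A controller of dc_domain handles a logon for the account target\\user."""
    if target == dc_domain:
        if dc_role == "BDC" and _matches(BDC_DB, dc_domain, user, password):
            return "authenticated by BDC"
        # The BDC copy may be unsynchronized, so a failed check is passed through to the PDC.
        if _matches(PDC_DB, dc_domain, user, password):
            return "authenticated by PDC"
        return "denied: bad credentials"
    if target in TRUSTS[dc_domain]:
        # Trusted domain: pass the request through to a controller there (its PDC here).
        result = dc_authenticate(target, "PDC", target, user, password)
        return result if result.startswith("denied") else f"{result} via trust {dc_domain}->{target}"
    return "denied: untrusted domain"

def interactive_logon(computer, target, user, password):
    """Logon at `computer`; `target` is the name chosen in the Domain box."""
    if target == computer.name and computer.role in ("workstation", "member"):
        ok = computer.local_accounts.get(user) == password
        return "authenticated locally" if ok else "denied: bad credentials"
    if computer.domain is None:
        return "denied: a workgroup computer has only local accounts"
    if computer.role in ("PDC", "BDC"):
        # A controller does not check its own computer name; it has only domain accounts.
        return dc_authenticate(computer.domain, computer.role, target, user, password)
    # A workstation or member server sends the request to a controller in its own
    # domain; discovery is assumed to have located a BDC.
    return dc_authenticate(computer.domain, "BDC", target, user, password)

def remote_logon(server, user_domain, user, password):
    """Network connection to `server` using the credentials user_domain\\user."""
    if server.domain and (user_domain == server.domain or user_domain in TRUSTS[server.domain]):
        role = server.role if server.role in ("PDC", "BDC") else "BDC"
        return dc_authenticate(server.domain, role, user_domain, user, password)
    # The server's domain does not trust the user's domain: treated as a logon to
    # an account on the server itself, falling back to Guest where that is enabled.
    if user in server.local_accounts:
        ok = server.local_accounts[user] == password
        return "authenticated locally" if ok else "denied: bad credentials"
    if server.guest_enabled and server.guest_password == "":
        return "logged on as Guest"
    return "denied: no account on server and Guest disabled"
```

Tracing a few logons through the model shows the routing: a RESOURCE workstation logging on an ACCOUNTS user succeeds only because RESOURCE trusts ACCOUNTS, an OTHER user is refused as untrusted, the stale ACCOUNTS BDC accepts alice's new password only after passing the request to the PDC, and a connection to a member server in OTHER ends up on Guest, or is refused when Guest is disabled.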

How Administrators Should Log On

Most network administrators have dual roles. They are both administrators and users of the network. For this reason, it is a good idea for each administrator to have two domain user accounts. One of these accounts should be in the Domain Admins global group and should be used to perform network management tasks. The other account should be in the Domain Users global group and should be used at all other times.

A network is more secure if an administrator uses two accounts. While logged on as a regular user, an administrator cannot inadvertently change aspects of the network that only administrators can change. And, if an administrator were to accidentally introduce a virus, the program would not have the rights of an administrator and would not modify the operating system.

Logging On at a Computer Running Windows NT Workstation or a Computer Running Windows NT Server as a Member Server

The Logon Information dialog box prompts the user for a user name, password, and domain or computer name (Domain).

The User name and Password fields are straightforward; however, the content of the Domain list depends on whether the computer participates in a domain.

  • If the computer participates in a domain, the list contains both the computer name and the domain name in which the computer's computer account resides, as well as any domains trusted by that domain. In other words, every domain (including the computer itself) in which user accounts can be authenticated.

  • If the computer is a member of a workgroup, then the user must log on to the local computer.

If a user with a domain account is logging on to an individual computer account, the user selects the computer name — rather than a domain name — in the Domain list. Then the computer checks its directory database for the specified user name and password. If a match occurs, the logon is approved and the user's logon information is obtained from the account on the computer.

To log on to a domain, the user selects the name of the domain in which the user account resides. This is either the domain in which the computer's computer account resides or a domain that is trusted by that domain. When the user clicks OK, the computer sends the domain name, user name, and password to a domain controller. The domain controller checks the domain name and then checks the user name and password against that domain's directory database. It processes the request as follows:

  • If the domain name is correct and the user name and password match a domain account, the server notifies the computer that the logon is approved.

  • If the domain name is different and the domain controller recognizes the domain as a trusted domain, the domain controller passes the information to the appropriate domain which authenticates the logon and sends the information back to the original domain controller.

  • If the domain name is different and the domain controller does not recognize the domain, the controller denies domain access.

Cached Logon Information

The first time a user logs on to a domain account from a given computer, a domain controller downloads validated logon information (from the directory database) to the computer. This downloaded information is cached on the computer. On subsequent logons, if a domain controller is not available, the user can log on to the domain account using the cached logon information.

Computers running Windows NT Server and Windows NT Workstation store the information used to authenticate the last several (the default is 10) users who logged on interactively. The credentials for users who log on to the local computer also are stored in that computer's local directory database.
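The cache behaviour described above (populated by a successful domain logon, consulted only when no controller is reachable, limited to the last several interactive users with a default of 10) can be modelled directly. The following is an added example, not HP's code: the directory database and user names are constructed, and it stores a salted password verifier rather than the password itself; the page does not describe the real format of the cached information, so that choice is this example's assumption.

```python
"""Added example (not HP's code): a model of cached logon information as described
above.  The directory database and user names are constructed; storing a salted
password verifier instead of the password is this example's assumption."""
import hashlib
import hmac
import os
from collections import OrderedDict

CACHE_SIZE = 10    # the default stated above: the last 10 interactive users

# Constructed domain directory database, standing in for the domain controller.
DIRECTORY = {"ACCOUNTS": {"alice": "alice-pw", "bob": "bob-pw"}}

def _verifier(password, salt):
    # Slow salted hash so the cache does not hold a reusable password (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

class LogonCache:
    """Remembers the most recent interactive domain logons on one computer."""
    def __init__(self, size=CACHE_SIZE):
        self.size = size
        self.entries = OrderedDict()       # (DOMAIN, user) -> (salt, verifier)

    def remember(self, domain, user, password):
        key = (domain.upper(), user.lower())
        salt = os.urandom(16)
        self.entries[key] = (salt, _verifier(password, salt))
        self.entries.move_to_end(key)
        while len(self.entries) > self.size:
            self.entries.popitem(last=False)   # drop the least recently used entry

    def check(self, domain, user, password):
        entry = self.entries.get((domain.upper(), user.lower()))
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _verifier(password, salt))

def interactive_logon(cache, domain, user, password, dc_available):
    """Validate with a controller when one is reachable, otherwise fall back to the cache."""
    if dc_available:
        if DIRECTORY.get(domain, {}).get(user) == password:
            cache.remember(domain, user, password)   # a successful logon populates the cache
            return "authenticated by domain controller"
        return "denied: bad credentials"
    if cache.check(domain, user, password):
        return "logged on with cached credentials"
    return "denied: no domain controller and no cached logon"
```

A user who has logged on at the computer while a controller was reachable can log on again with no controller available; a user who has never logged on there, or who presents a different password, cannot, and once the cache is full the least recently used entry is discarded.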

Logging On at a Windows NT Server Domain Controller

Logging on at a computer running Windows NT Server as a domain controller is identical to logging on at a computer running Windows NT Workstation except that servers configured as domain controllers do not maintain a local accounts database separate from the accounts in the directory database. The user must log on to a domain account.

Not everyone with an account in a domain can log on locally at the domain's controller servers. By default, only members of the Administrators, Server Operators, Print Operators, Account Operators, and Backup Operators groups can do so.

For more information about groups and their rights and abilities, see Chapter 3, "Working With User and Group Accounts."

Logging On at Windows 95, Windows for Workgroups, MS-DOS, or LAN Manager, Version 2.2, Client Computers

Logons from client computers other than computers running Windows NT Workstation and computers running Windows NT Server as member servers are validated by a domain controller when the user logs on to the network. The extent of the validation is checking that the domain, user name, and password are typed correctly. The client computers do not receive any account information at the workstation that can be cached and used for access to local resources. If domain controllers are unavailable when a user logs on from one of these client computers, the user cannot use network resources that are protected by domain permissions.

© 1997 Hewlett-Packard Development Company, L.P.