Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 HP 9000 Networking: Advanced Server/9000 Concepts and Planning Guide > Chapter 2 Managing Advanced Server Domains

Deciding on a Domain Model
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

A domain model is a grouping of one or more domains with administration and communications links between them (trust relationships) that are arranged for the purpose of user and resource management.

By properly planning and organizing domains, you can simplify network administration and ensure that users can connect to available resources throughout the network. For example, you can set up your domains so that all user accounts and global groups are valid in all domains.

To decide how many domains your organization needs, take into account the work structure and number of users. Advanced Server domain models provide the flexibility needed for different organizations. These include both small and large organizations, as well as organizations with many small branch offices.

In addition, expansion is easy. Offices can start out with separate domains and can link to each other later or can be added to existing domains.

Your first consideration is the size of your organization because the size of the directory database determines how many domains you need.

Directory Database Size

If you are managing a small or medium organization, you probably do not need to worry about the upper limits of an Advanced Server domain. However, if you are planning for significant growth, you should keep these numbers in mind.

The limiting factor for the size of a domain is the number of user accounts that can be supported by a single directory database.

A domain consists of user accounts, computer accounts, and group accounts, both built-in and those you create. Each of these objects occupies space in the directory database file. The practical limit for the size of the directory database file depends on the type of computer processor and amount of memory available in the machine being used as the primary domain controller.

Different types of objects require different amounts of space in the directory database file, as follows:

Object

Space Used

User account

1.0K

Computer account

0.5K

Global group account

4.0K (average group size = 300 members)

Local group account

0.5K (no members)

Local group member

0.13K

When computing the expected size of the directory database, remember that each user's Windows NT Workstation has a computer account. You also should allow for approximately 0.5 MBytes of control space overhead.

Single Domain Model

In most cases, you can use the single domain model. In this model, the network has only one domain. You create all of the users and global groups in this domain. The single domain has a PDC with one or more BDCs.

The single-domain model is an appropriate choice for organizations that require both centralized management of user accounts and ease of administration. Any member of the Domain Administrators group can administer all network servers and domain accounts on the PDC.

A network can use the single domain model if the number of users and groups does not jeopardize performance. The exact number of users and groups depends on the number of servers in the domain and the server hardware.

Having a single domain also means that all of your network administrators can administer all of the network servers. Dividing a network into domains enables you to create administrators who can administer only some servers, such as those in their own departments.

Single Master Domain Model

When a network does need to be divided into domains for organizational purposes and the network has a small enough number of users and groups, the master domain model may be the best choice. This model offers both centralized administration and the organizational benefits of multiple domains.

With this model, one domain, the master domain, acts as the central administrative unit for user and group accounts. All of the other domains in the network trust this domain. This means that they recognize the users and global groups that are defined in it. If your company has a specialized department that manages your LAN, it is logical to have the this department administer the master domain.

Users log on to their accounts in the master domain. Resources, such as printers and file servers, are located in the other domains. Each resource domain establishes a one-way trust with the master domain, enabling users with accounts in the master domain to use resources in all of the other domains. The network administrator can manage the entire multiple-domain network and its users and resources by managing a single domain.

Single master domain model

The single most important benefit of the single master domain model is its flexibility of administration. For example, in a network requiring four domains, it may at first seem easier to create four separate user account databases, one for each domain. However, by putting all user accounts in a single directory database on one of the domains and then implementing one-way-trust relationships between these domains, you can consolidate administration of user and computer accounts.

The administrator of a master domain can administer all resources or delegate this responsibility to local administrators. Users need only one logon name and one password to use resources in any of the domains.

The single master domain model balances the requirements for account security with the need for readily available resources on the network because users are given permission to use resources based on their master domain logon identity.

The single master domain model is particularly suited for the following:

  • Centralized account management.

  • Decentralized resource management or local system administration capability. Departmental domains can have their own administrators who manage the resources in the department.

  • Resources can be grouped logically, corresponding to local domains.

Multiple Master Domain Model

A multiple master domain model consists of two or more master domains. Like the single master domain model, the master domains serve as account domains, with every user account created and maintained on one of these master domains. A company's LAN management department can manage these master domains centrally. Like the single master domain model, the other domains on the network are called resource domains. Resource domains do not store or manage user accounts. Rather, they provide resources such as shared file servers and printers to the network.

In this model, every master domain is connected to every other master domain by a two-way trust relationship. Each resource domain trusts every master domain with a one-way trust relationship. The resource domains can trust other resource domains, but are not required to do so. Because every user account exists in one of the master domains and because each resource domain trusts every master domain, every user account can be used on any of the resource domains.

Multiple master domain model.

A user logs on to the domain that contains his of her account. Every master domain contains one PDC and at least one BDC.

The multiple master domain model incorporates all of the features of a single master domain model and also accommodates the following features:

  • Is scalable to networks with any number of users.

  • Mobile users. Users can log on from anywhere in the network or the world.

  • Centralized or decentralized administration.

  • Organizational needs. Domains can be configured to mirror specific departments or internal company organizations.

  • BDCs can be distributed between sites to facilitate LAN-WAN interactions.

Dedicated Server in a Master Domain Model

An Advanced Server computer dedicated to a specific task, such as printing or running database applications, is an appropriate choice for organizations wishing to offload some of their high-volume operations. Such a server is configured as a primary domain controller in a domain that contains no other servers or workstations. Trust relationships with other domains then are established so that users from the trusted domains can access its resources.

Because a "dedicated" server is the only computer in its domain, it does not need to replicate the user accounts database nor respond to interactive logon requests. Its sole function is to perform specific tasks. An example follows.

A Marketing department needs a print server. It already has a Marketing domain which contains a primary domain controller, backup domain controllers, and user accounts. Instead of adding another backup domain controller in the Marketing domain for use as a print server, it creates a primary domain controller in a new domain called Marketing Print.

The administrator then creates a one-way trust relationship from the Marketing Print domain to the Marketing domain. This enables users in the Marketing domain to use the dedicated print server.

To allow for simple administration of the dedicated print server by the administrator of the Marketing domain, the administrator adds the Marketing\Domain Admins global group to the Administrators local group in the Marketing Print domain.



Network Building Blocks-An Overview
  		 


Managing Domains  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1997 Hewlett-Packard Development Company, L.P.