Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97
Chapter 2 Windows NT Architecture and Domain Design
by David Schaer, Walter Glenn, and Theresa Hadden
This chapter introduces two concepts very important to Windows NT. Windows NT architecture describes the way in which Windows NT itself runs on a particular machine and the way in which applications interface with the operating system. Domain design concentrates on the way in which computers running Windows NT interact with one another, as well as how entire Windows NT-based networks interact with one another.
2.1. Overview
In order to understand Windows NT thoroughly, you must understand the underlying system architecture. This chapter will present you with a detailed explanation of the Windows product line, including Windows NT Server, Windows NT Workstation, and Windows 95. There are distinct differences in these operating systems, and understanding those differences is essential to understanding how they operate together on a network. You will also learn how applications run on each of these operating systems and how the internal processes of the operating systems themselves function.
After you have developed an understanding of how the operating system works on a single machine, you will be introduced to the concepts behind networking. On a Microsoft-based network, computers are organized into logical groupings called domains. This chapter details the workings and interoperability of domains and provides insight into domain design.
2.1.1. Objectives
The basic Windows NT Server exam tests the concepts of Windows NT architecture, and the enterprise-level exam covers the concepts only tangentially. The Microsoft Preparation Guide for the Windows NT Server exam lists the following objectives concerning Windows NT architecture:
- Managing the operations of 32-bit and 16-bit applications in a Windows environment
- Configuring application priority
The concepts of domain design are tested in the Windows NT enterprise-level exam and are not covered in the scope of the Windows NT Server exam. The Microsoft Preparation Guide for the enterprise-level exam lists the following objectives about domain design:
- Plan the implementation of a directory services architecture, including selecting the appropriate domain model, supporting a single logon account, and letting users access resources in different domains.
- Manage user and group accounts, including managing Windows NT user accounts, managing Windows NT user rights, managing Windows NT groups, and administering account policies.
This list might seem short, but keep in mind that trust relationships also affect how you think about almost every other thing you learn about implementing a Windows NT-based network.
2.1.2. Fast Facts
The following list of facts is a concise picture of the information presented in this chapter. It acts as both an overview for the chapter and as a study aid to help you do any last-minute cramming.
- Windows 95 has excellent backward compatibility because it supports both 32-bit protected mode and older real-mode DOS drivers. It does not provide the same level of operating system protection as NT.
- Both Windows NT and Windows 95 run NetBEUI, TCP/IP, and IPX/SPX protocols.
- The most important service provided by NT Directory Services is the capability to log on to the network from any location with a single user name and password.
- Pass-through authentication occurs when the domain in which you are logging on cannot verify your user account and must pass the verification process on to a trusted domain.
- Trust relationships require a permanent link between two NT servers that are Primary Domain Controllers (PDCs). Trust relationships cannot exist over a RAS dial-up link.
- Trust relationships also require a common protocol between the two PDCs.
- When logging on to a network with trust relationships, user location is irrelevant, but user account location is important.
- Remember the acronym AGLP. Accounts are placed into Global groups, which are placed into Local groups, which are assigned Permissions.
- Global groups are defined in the trusted domain.
- Local groups are defined in the trusting domain.
- Trusts are established with User Manager for Domains. A trust relationship must be defined on both the trusting and trusted PDCs.
- Trusts are non-transitive. Just because Domain A trusts Domain B and Domain B trusts Domain C does not mean that Domain A trusts Domain C.
- The only effective way to repair a trust is to break it on both ends and re-establish the trust.
- The NetLogon service validates logon requests, synchronizes the PDC with the BDCs, and provides pass-through authentication.
- The NetLogon service is dependent on the Workstation and Server services.
- The single domain model contains only one PDC and is the easiest to administer.
- The master domain model consists of a master domain that contains all the user accounts and multiple resource domains that contain all computer accounts and resources. The resource domains trust the master domain.
- The multiple master domain model contains more than one master domain containing user accounts and multiple resource domains, each of which trusts all master domains.
- In the complete trust model, each domain trusts every other domain.
- Each single domain can contain up to approximately 20,000 users. This includes user accounts, groups, and computer accounts.
- Each master domain can contain up to approximately 40,000 users. This includes user and group accounts only.
- The NT Directory Services database size is limited to 40MB. A user account takes up 1KB. Computer accounts take up 0.5KB. Global group accounts take 512 bytes plus 12 bytes per user. Local group accounts take 512 bytes plus 36 bytes per user.
- There should be one backup domain controller for every 2,000 user accounts.
- The following are minimum installation requirements to install various operating systems on Intel-based systems:
|            | NT Server | NT Workstation | Windows 95 |
| ---------- | --------- | -------------- | ---------- |
| Processor  | 486DX/33  | 486DX/33       | 386DX/20   |
| Memory     | 16MB      | 12MB           | 4MB        |
| Disk Space | 130MB     | 120MB          | 40MB       |
- The basic differences in Microsoft's major operating systems are summarized in Table 2.1.
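The trust and AGLP facts in the list above can be checked against a small model. The following Python sketch is an added example, not code from the book: it treats trusts as one-way and non-transitive and walks the Account, Global group, Local group, Permission chain. All domain, account, group and resource names are constructed for illustration.

```python
# Added example: toy model of one-way, non-transitive trusts and AGLP.
# Every domain, account, group and resource name below is constructed.

# TRUSTS[x] = set of domains that x trusts directly (x is the trusting domain).
TRUSTS = {"RES_A": {"MASTER"}, "MASTER": {"PARTNER"}, "PARTNER": set()}

# Global groups live in the account (trusted) domain and hold its own accounts.
GLOBAL_GROUPS = {
    ("MASTER", "Accountants"): {"alice"},
    ("PARTNER", "Auditors"): {"bob"},
}

# Local groups live in the resource (trusting) domain and hold global groups.
# The PARTNER entry is constructed to show it has no effect without a direct trust.
LOCAL_GROUPS = {
    ("RES_A", "LedgerUsers"): {("MASTER", "Accountants"), ("PARTNER", "Auditors")},
}

# Permissions are assigned to local groups only.
PERMISSIONS = {("RES_A", "ledger_share"): {"LedgerUsers"}}


def trusts(trusting, trusted):
    """True only for a direct trust; a chain A -> B -> C gives A nothing on C."""
    return trusted in TRUSTS.get(trusting, set())


def can_authenticate(logon_domain, account_domain):
    """Local validation, or pass-through to a directly trusted domain."""
    return logon_domain == account_domain or trusts(logon_domain, account_domain)


def can_access(resource_domain, resource, account_domain, user):
    """Walk AGLP: Account -> Global group -> Local group -> Permission."""
    if not can_authenticate(resource_domain, account_domain):
        return False
    for local in PERMISSIONS.get((resource_domain, resource), set()):
        for gdom, gname in LOCAL_GROUPS.get((resource_domain, local), set()):
            # A global group holds only accounts from its own domain.
            if gdom != account_domain:
                continue
            if user in GLOBAL_GROUPS.get((gdom, gname), set()):
                return True
    return False
```

In this model RES_A trusts MASTER and MASTER trusts PARTNER, yet a PARTNER account gets nothing in RES_A, which is the non-transitivity rule from the list.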