Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97



2.5. NT Directory Services

NT Directory Services provide a secure, distributed directory database to manage user accounts, resources, and network access on an NT network. The essence of the NT Directory Services is that every user on a network has one user account. This allows for a single logon from anywhere on the network and for centralized administration of users and resources.

2.5.1. Single Logon

With the single logon feature, a user must remember only one password to be able to log on to the network from either the home domain or a trusting domain and still access those resources to which she has been assigned permissions. For example, a worker who is normally based in Chicago logs on to the network while visiting the Fargo office. Assuming that Chicago and Fargo are separate domains in which Fargo trusts Chicago, the domain controller will forward the logon request to the Chicago domain, which then will verify the user. This process is known as pass-through authentication.

Pass-Through Authentication

Pass-through authentication provides two very important features:

  The capability to log on from a domain in which you have no user account (providing that the domain trusts the domain where your user account resides)
  The capability to access resources in a domain other than the one in which your user account resides (also providing that the resource domain trusts the domain where your user account resides)

In either case, the logon request is passed to the primary domain controller (PDC) of the domain in which the resource you are accessing resides, which in turn passes the request to the PDC in the domain in which your user account is defined (see Figure 2.6).


Figure 2.6.  Pass-through authentication.

Whenever a user logs on, the logon dialog box asks to which domain she would like to log on. The user must log on to the domain on which her user account resides in order to be able to access resources. On the exam, pay close attention. The domain to which a user logs on will make a difference in the answer you choose.

The NetLogon Service

The NetLogon service governs authentication interactions within the domain as well as between trusting domains. It is primarily responsible for

  Validating logon requests
  Synchronizing the NT directory database between the PDC and BDCs of a domain
  Pass-through authentication between trusting domains

The NetLogon service must be running on any NT computer acting as a domain controller, or that computer cannot provide the functions just listed. Because the NetLogon service depends on the Workstation and Server services, they also must be running.

You can pause the NetLogon service using the Services Control Panel. When it is paused, no logon requests will be validated, but synchronization can still occur.

2.5.2. Centralized Administration

NT Directory Services also provides for centralized administration. As the administrator of a network, you may log on from any computer in your domain and administer the resources of that domain. You may also log on from a trusting domain to administer your home domain. Centralized administration enables you to administer an entire network no matter where the members of that domain are physically located.

Before you can administer a domain, your account must be a member of the Domain Admins group. When a Windows NT computer joins a domain, the global group Domain Admins is automatically added to the local Administrators group on that computer.

2.6. Domain Design and Implementation

The most basic Windows NT-based network is a single domain with a primary domain controller and one or more backup domain controllers. In some situations, however, you might be forced to consider using more than one domain on your network. Understanding how domains interact with each other is the basis of enterprise-level networking.

A domain is a logical grouping of users, computers, and resources. It is tempting to think of a domain in physical terms, but this is misleading. A domain is not necessarily described by the geography of its users and resources or the architecture on which the network is built. Depending on the situation, however, you might choose to define domains by either the geography or architecture of your network.

Trusts are used to define the relationships between domains. If one domain trusts another domain, it enables the user accounts in the domain it trusts to access its local resources (see Figure 2.7).


Figure 2.7.  Domain A trusts Domain B.

The concept of trusts is a tough one for many people. A good way to think about trusts is that resources trust people. If Domain A trusts Domain B, then Domain A’s resources trust Domain B’s users. User accounts in Domain B can be assigned permissions to the resources in Domain A.
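The pass-through authentication flow described in Section 2.5.1 and the "resources trust people" rule above, written as an added model in Python. This is not code from the book or from NT itself: the Domain class, the Chicago/Fargo/Minot sample data and the passwords are constructed for illustration, and the model goes one step beyond the text by checking only direct trusts, because NT 4 trusts are not transitive.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    """Stand-in for a domain's PDC: its SAM (user -> password) and the set of
    domains whose users it trusts. Constructed model, not the real NetLogon service."""
    name: str
    accounts: dict
    trusts: set = field(default_factory=set)

def pdc_validate(domain, user, password):
    """Validation against this domain's own SAM (the home PDC's job)."""
    return domain.accounts.get(user) == password

def pass_through_logon(domains, logon_domain, account_domain, user, password):
    """A user with an account in account_domain logs on at a computer in logon_domain.
    The local PDC validates its own accounts; otherwise it forwards the request to the
    account domain's PDC, but only if it trusts that domain directly (NT 4 trusts are
    not transitive). Returns (validated, reason)."""
    local = domains[logon_domain]
    if account_domain == logon_domain:
        return pdc_validate(local, user, password), "validated by home PDC"
    if account_domain not in local.trusts:
        return False, f"{logon_domain} does not trust {account_domain}"
    remote = domains[account_domain]
    return pdc_validate(remote, user, password), f"forwarded to {account_domain} PDC"

def can_be_granted_permissions(domains, resource_domain, account_domain):
    """Resources trust people: a user from account_domain can be assigned permissions on
    resources in resource_domain only if resource_domain trusts account_domain."""
    resource = domains[resource_domain]
    return account_domain == resource_domain or account_domain in resource.trusts

def build_sample():
    """Constructed sample network: Fargo trusts Chicago (one-way), Minot trusts Fargo."""
    chicago = Domain("CHICAGO", {"jdoe": "Wint3r!"})
    fargo = Domain("FARGO", {"bsmith": "Spr1ng!"}, trusts={"CHICAGO"})
    minot = Domain("MINOT", {}, trusts={"FARGO"})
    return {d.name: d for d in (chicago, fargo, minot)}

if __name__ == "__main__":
    net = build_sample()
    # The visiting Chicago worker logs on in Fargo: forwarded and validated.
    print(pass_through_logon(net, "FARGO", "CHICAGO", "jdoe", "Wint3r!"))
    # A Fargo user in Chicago: Chicago does not trust Fargo, so no forwarding.
    print(pass_through_logon(net, "CHICAGO", "FARGO", "bsmith", "Spr1ng!"))
    # Minot trusts Fargo, Fargo trusts Chicago, but Minot does not trust Chicago.
    print(can_be_granted_permissions(net, "MINOT", "CHICAGO"))
```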

You will find that a solid understanding of trust relationships, and how they affect other aspects of Windows NT networking, is essential to passing the Windows NT Enterprise exam. Almost every question presents trusts in some way.

2.6.1. Who’s on the Team?

Every team has a captain. Within a domain the primary domain controller (PDC) is the captain. The PDC holds the original copy of the SAM database, which is like a team roster. The SAM database includes the names of all the team members, including users, local groups, global groups, NT workstations, NT Member Servers (stand-alone servers), and NT backup domain controllers (BDC). When deploying NT Server it is important to understand the purpose of each of the server types.

