What you will learn in this module:
- Understand the difference between workgroups and domains
- Differentiate between domains and Organisational Units
- Be able to use the DCPROMO command to promote a server
- Identify trees and forests
- Be able to use Management Console and create a taskpad
- Be able to create an OU, and delegate control to it
Directory Services
Computers on a Microsoft network are grouped logically into either workgroups or domains. Computers in a workgroup are sometimes referred to as standalone computers; computers in a domain are sometimes called member computers.
When you have installed Windows 2000, the computer can be moved from a workgroup into a domain; it can also be moved between domains, and ultimately, removed from a domain and placed back in a workgroup environment.
Workgroups

Workgroups are designed to support small groups of users. There is no centralised management of user accounts or of resources, and each machine requires a separate administrator.
A workgroup may evolve as an organisation starts to network its small number of computers.
However, once a certain number of machines are on the network, the ad-hoc nature of a workgroup no longer suits the organisation, and the domain model should be used to manage the resources.
Domains

In Windows 2000, it is possible to configure domains. These are logical groups of computers on a network, like workgroups, but there the similarity ends.
A domain is the basic administrative building block in Windows 2000. To create a domain, you will need a Windows 2000 server, and the administrator of the system will need to promote the machine to domain controller.
You can define as many domain controllers as you need using this process.
Now that we have our domain, the key benefits are:
- Centralised logon control
- Centralised user and group management
- Better control of resources
- Single group policy for whole domain
In Windows NT 4 the domain was:
- A replication boundary - All domain controllers received updates to their SAM via the PDC at automated intervals
- An administrative boundary - An administrator in the domain can manage all of the domain
However, in Windows 2000, the domain can be broken down into administrative units called OUs (Organisational Units). This allows for the delegation of administration.
In addition, the physical topology of the network can be made separate from the logical topology, through the use of sites. In Windows 2000 a site is the replication boundary, although all computers initially belong to the same site. This means the domain is no longer the replication boundary.
Active Directory Structures
Trees

A Domain Tree is a group of domains that share a contiguous namespace, as shown above. These domains are all connected together, and users in any domain potentially have access to resources in any of the domains within the tree.
The lines between the domains represent automatic two-way, transitive trusts. This means that when you add a domain to a tree there is no need to set up trust relationships between the domains. It also means, as in the illustration above, that a user in admin.glasgow.comsurf.co.uk could potentially access resources in comsurf.co.uk even though there is no direct trust between those two domains.
As a network designer, you should attempt to minimise the number of domains, because fewer domains make the tree simpler to administer.
To create a tree, the installer creates the root domain first by promoting a domain controller in that domain. Then all other domains are promoted in such a way as to define the link between these domains, and the parent-child relationship.
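The following Python model illustrates the two ideas in this section: the parent-child relationship that the contiguous namespace implies, and the way two-way transitive trusts let access flow between domains that have no direct trust. It is an added example written for this module, not code from the original material or from Microsoft; the domain names are constructed sample data, with comsurf.co.uk and admin.glasgow.comsurf.co.uk taken from the illustration and othercorp.com added as a domain outside the tree. It only answers whether a trust path exists; whether a user is actually granted access is still decided by the permissions on the resource.

```python
"""Model of a Windows 2000 domain tree built from DNS-style domain names.

Added illustration for this module, not code from the original material.
The tree is derived purely from the contiguous-namespace rule described in
the text: a domain's parent is the domain whose name is its own name with
the leftmost label removed. Every parent-child link is treated as a two-way
transitive trust, so trust reachability is a path search over those links.
"""
from collections import deque
from typing import Dict, List, Optional

# Constructed sample data: one tree rooted at comsurf.co.uk plus an
# unrelated domain (othercorp.com) that shares no namespace with it.
SAMPLE_DOMAINS = [
    "comsurf.co.uk",
    "glasgow.comsurf.co.uk",
    "admin.glasgow.comsurf.co.uk",
    "edinburgh.comsurf.co.uk",
    "othercorp.com",
]


def parent_of(domain: str) -> Optional[str]:
    """Parent name implied by the namespace, or None for a single-label name."""
    labels = domain.lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def build_tree(domains: List[str]) -> Dict[str, Optional[str]]:
    """Map each domain to its parent within the set (None if it is a root).

    A domain whose implied parent is not part of the set becomes a root of
    its own tree rather than joining an existing one.
    """
    names = {d.lower() for d in domains}
    tree: Dict[str, Optional[str]] = {}
    for name in names:
        parent = parent_of(name)
        tree[name] = parent if parent in names else None
    return tree


def trust_edges(tree: Dict[str, Optional[str]]) -> Dict[str, set]:
    """Undirected adjacency: each parent-child link is a two-way trust."""
    adj: Dict[str, set] = {d: set() for d in tree}
    for child, parent in tree.items():
        if parent is not None:
            adj[child].add(parent)
            adj[parent].add(child)
    return adj


def trust_path(tree: Dict[str, Optional[str]], source: str,
               target: str) -> Optional[List[str]]:
    """Chain of domains an access from `source` to `target` crosses via
    transitive trusts, or None when no trust links the two domains."""
    source, target = source.lower(), target.lower()
    if source not in tree or target not in tree:
        return None
    adj = trust_edges(tree)
    previous: Dict[str, Optional[str]] = {source: None}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        if current == target:
            path: List[str] = []
            node: Optional[str] = current
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for neighbour in adj[current]:
            if neighbour not in previous:
                previous[neighbour] = current
                queue.append(neighbour)
    return None


def can_reach(tree: Dict[str, Optional[str]], user_domain: str,
              resource_domain: str) -> bool:
    """True when some chain of trusts connects the two domains."""
    return trust_path(tree, user_domain, resource_domain) is not None


if __name__ == "__main__":
    tree = build_tree(SAMPLE_DOMAINS)
    for user, resource in [
        ("admin.glasgow.comsurf.co.uk", "comsurf.co.uk"),
        ("admin.glasgow.comsurf.co.uk", "edinburgh.comsurf.co.uk"),
        ("glasgow.comsurf.co.uk", "othercorp.com"),
    ]:
        print(f"{user} -> {resource}: {trust_path(tree, user, resource)}")
```

The two-way, transitive nature of the trusts is what makes the second case work: admin.glasgow.comsurf.co.uk and edinburgh.comsurf.co.uk have no direct trust, yet the path runs up through glasgow.comsurf.co.uk to the root and back down. The third case returns None because othercorp.com shares no namespace with the tree and so has no link into it. This is also why the text advises keeping the number of domains small: every domain added to the tree is reachable from every other one.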