ANS :
In the following section we will introduce the concepts of domains, workgroups and
trust relationships.
Concept of Domains
A Windows 2000 domain is a logical collection of networked computers that share a
centralized directory database, the Active Directory service. In a domain this
centralized directory resides on computers called domain controllers. In Windows 2000
all domain controllers of a domain are peers: any of them can accept a change to the
directory, and there is no primary/backup distinction as there was in Windows NT.
Windows 2000 domains therefore provide the following advantages:
• They let an existing network grow without being redesigned.
• They provide centralized control of all user and security information.
Thus the domain is the basic unit of network growth and security in a Windows 2000
network.
A domain normally has one or more domain controllers. In Windows 2000 Server a
domain controller is a computer that stores a complete copy of the domain's
directory. The Active Directory service divides an organization's network both
logically and physically. The logical structure lets a user find a resource by its
name rather than by its physical location.
Logical structure of a domain comprises:
• Objects
• Organizational Units (OU)
• Domains
• Trees
• Forests
Physical Structure of a domain comprises:
• Domain controllers
• Sites
Objects: A distinct, named network resource is an object. An object carries a set of
related attributes; for a printer object, for example, the attributes include the
printer name, make, and so on. Objects that share the same attribute definitions belong
to the same class.
Organizational Units: An OU is a container object, that is, an object that can hold
other objects. The purpose of an organizational unit is to organize the objects of a
domain into logical administrative groups, so that administration can be delegated
per OU rather than only for the whole domain.
Domains: The basic unit of Active Directory is the domain, which is also a partition
of the directory. A domain contains all the network objects that belong to it and acts
as an administrative and policy boundary for them: security policies and settings such
as administrative rights, ACLs and ACEs (Access Control Entries) do not carry over from
one domain to another. Note, however, that all domains in a forest share the schema,
the configuration partition and the forest-wide Enterprise Admins group, so in practice
the forest, not the domain, is the boundary that separates mutually distrusting
administrators.
Trees: Trees exist to support sharing of resources across domains. In a tree, one or
more Windows 2000 domains are arranged in a hierarchy under a common root, and each
child domain's DNS name is formed by prefixing a label to its parent's name. Joining
multiple domains into such a hierarchy builds a large, contiguous namespace that avoids
name conflicts. All domains in a tree can share information and resources: a user with
the appropriate permissions can use resources in other domains of the tree. A domain
tree forms a single directory, and all its domains share a common schema, the formal
definition of every object class and attribute.
The central repository of information about the objects in a tree or forest is the
global catalog. It is maintained for the whole forest, so all domains of a tree (and of
the forest) share it. Domains in a tree also share a contiguous namespace.
Forest: One or more trees can be grouped into a forest.
A forest comprises:
• One or more trees
• A common schema
• Transitive trust relationships between the trees (and hence between all domains in
the forest)
• Separate, non-contiguous namespaces for the different trees
• A global catalog that lists all objects in the forest
Because the trees of a forest do not share a namespace, users accessing user objects in
another domain must be aware of that domain's name.
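The logical and physical structure described above can be walked from any domain-joined Windows machine. The following script is an added example and not part of the original text; it uses the System.DirectoryServices.ActiveDirectory classes of the .NET Framework (available in Windows PowerShell without the RSAT module) and assumes it is run by an ordinary domain user on a member computer of the forest.

```powershell
# Added example (not from the original text): walk the logical and physical
# structure of the forest the current machine belongs to.
# Assumption: run in Windows PowerShell on a domain-joined machine as a domain user.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

"Forest (root domain):  {0}" -f $forest.Name
"Schema container:      {0}" -f $forest.Schema.Name
"Forest functional mode: {0}" -f $forest.ForestMode

# Each tree in the forest is rooted at a domain with no parent. Child domains
# share the parent's DNS namespace; separate trees do not.
"`nDomains (tree roots have no parent):"
foreach ($d in $forest.Domains) {
    $parent = if ($d.Parent) { $d.Parent.Name } else { "<tree root>" }
    "  {0,-30} parent: {1,-30} mode: {2}" -f $d.Name, $parent, $d.DomainMode
}

# Every domain controller holds a full copy of its own domain partition; the
# ones flagged as global catalogs also hold a partial copy of every object in
# the forest, which is what lets a search span domains.
"`nGlobal catalog servers:"
foreach ($gc in $forest.GlobalCatalogs) {
    "  {0,-35} site: {1}" -f $gc.Name, $gc.SiteName
}

# Physical structure: sites and the IP subnets mapped to each site.
"`nSites and subnets:"
foreach ($site in $forest.Sites) {
    $subnets = ($site.Subnets | ForEach-Object { $_.Name }) -join ", "
    "  {0,-20} subnets: {1}" -f $site.Name, $subnets
}

# Organizational units of the current domain: the container objects that
# administrators create under the domain head to group objects for delegation.
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    $domain.GetDirectoryEntry(), "(objectClass=organizationalUnit)", @("distinguishedName"))
"`nOrganizational units in {0}:" -f $domain.Name
foreach ($ou in $searcher.FindAll()) {
    "  {0}" -f $ou.Properties["distinguishedName"][0]
}
```

The Forest object is built from the configuration partition, which every domain controller replicates, so the listing of domains, sites and subnets is the same no matter which domain the machine belongs to; only the OU listing is per domain.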
Trust Relationships
A trust relationship is a link between two domains, one of which is the trusting
domain and the other the trusted domain. The trusting domain accepts logons from
accounts of the trusted domain.
User accounts and groups defined in the trusted domain can therefore access resources
in the trusting domain, even though those accounts do not exist in the trusting
domain's directory database.
A Kerberos transitive trust (Kerberos is the authentication protocol that Windows 2000
uses between domains) is a relationship in which
Domain I trusts Domain II,
Domain II trusts Domain III, and therefore
Domain I trusts Domain III.
Every Windows 2000 domain joining a tree is automatically linked to its parent by a
two-way transitive trust, so it acquires a trust relationship with every other domain
in the tree. In Windows NT 4.0 and earlier, trusts were one-way and non-transitive: a
two-way trust had to be built from two explicit one-way trusts, and a trust between
Domain I and Domain II implied nothing about Domain III.
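To make the direction and transitivity rules concrete, here is an added example (not from the original text) in PowerShell. It models a constructed set of trusts, mirroring the fields that Get-ADTrust returns on a real domain (Source, Target, Direction, ForestTransitive), and computes which domains' accounts can reach resources in a given domain. The domain names and the function name Get-AccountDomainsWithAccess are placeholders chosen for this example.

```powershell
# Added example (not from the original text): model trust direction and
# transitivity over a constructed set of trusts. On a real domain the same
# records can be built from: Get-ADTrust -Filter * | Select Source, Target,
# Direction, ForestTransitive, IntraForest
# The sample trusts below are constructed for illustration only.
$trusts = @(
    # Trusting = resource side, Trusted = account side. Parent/child trusts in
    # a tree are two-way and transitive, so each appears in both directions.
    @{ Trusting = 'corp.example.com';       Trusted = 'eu.corp.example.com';    Transitive = $true  }
    @{ Trusting = 'eu.corp.example.com';    Trusted = 'corp.example.com';       Transitive = $true  }
    @{ Trusting = 'eu.corp.example.com';    Trusted = 'de.eu.corp.example.com'; Transitive = $true  }
    @{ Trusting = 'de.eu.corp.example.com'; Trusted = 'eu.corp.example.com';    Transitive = $true  }
    # One-way, non-transitive external trust to a Windows NT style domain:
    # its accounts can use corp.example.com resources, nothing else, and
    # corp.example.com accounts get nothing in return.
    @{ Trusting = 'corp.example.com';       Trusted = 'LEGACY';                 Transitive = $false }
)

function Get-AccountDomainsWithAccess {
    # Returns every domain whose accounts can access resources in $ResourceDomain.
    # A direct trust always counts; a multi-hop path counts only when every trust
    # on the path is transitive.
    param(
        [Parameter(Mandatory)] [string] $ResourceDomain,
        [Parameter(Mandatory)] [array]  $Trusts
    )
    $state = @{}   # domain -> $true if reached over an all-transitive path
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Domain = $ResourceDomain; Chain = $true; Hops = 0 })
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        foreach ($t in ($Trusts | Where-Object { $_.Trusting -eq $cur.Domain })) {
            $chain = $cur.Chain -and $t.Transitive
            # Beyond the first hop the whole chain must be transitive to extend it.
            if ($cur.Hops -gt 0 -and -not $chain) { continue }
            if ($t.Trusted -eq $ResourceDomain) { continue }
            # Revisit a domain only if this path is transitive and the earlier one was not.
            if ($state.ContainsKey($t.Trusted) -and ($state[$t.Trusted] -or -not $chain)) { continue }
            $state[$t.Trusted] = $chain
            $queue.Enqueue(@{ Domain = $t.Trusted; Chain = $chain; Hops = $cur.Hops + 1 })
        }
    }
    return $state.Keys | Sort-Object
}

foreach ($resource in 'corp.example.com', 'de.eu.corp.example.com', 'LEGACY') {
    $from = Get-AccountDomainsWithAccess -ResourceDomain $resource -Trusts $trusts
    "Accounts from [{0}] can use resources in {1}" -f ($from -join ', '), $resource
}
```

Running it shows the three rules at once: corp.example.com is reachable from both tree domains and from LEGACY; de.eu.corp.example.com is reachable from the tree domains only, because the non-transitive LEGACY trust does not flow through corp.example.com; and nothing can reach LEGACY's resources, because its trust is one-way.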
The physical structure of Active Directory determines how efficiently the directory
is replicated between domain controllers.
Each domain controller holds a copy of the domain database. Whenever the directory is
updated on one domain controller, Windows 2000 automatically replicates the change to
all other domain controllers in the domain; with several domain controllers in a domain,
the directory information is replicated between them at regular intervals.
Only computers running Windows 2000 Server, Advanced Server, or Datacenter Server can
become domain controllers; Windows 2000 Professional cannot.
A site is a grouping of well-connected IP subnets (address ranges). For example, one
site could contain the subnets 192.168.20.0/24 through 192.168.30.0/24. Replication
between domain controllers in the same site is immediate; replication between sites is
scheduled.
Building Domains
A computer can join a Windows 2000 domain only after a computer account for it has
been created in the domain database. To create that account a user must have the
permission to join computers to the domain.
By default this permission is granted to members of the Administrators, Account
Operators and Domain Admins groups. In addition, the domain attribute
ms-DS-MachineAccountQuota (10 by default) lets any authenticated user create up to
that many computer accounts in the Computers container, so the set of users who can
actually join machines is wider than the groups above unless the quota is set to 0.
The computer account can either be created in advance, or it can be created during
installation by selecting the check box 'Create a Computer Account in the Domain'.
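The join procedure above, with the two checks an administrator should run first, as an added example that is not part of the original text. It assumes the ActiveDirectory module (RSAT) on the administrator's workstation and Windows PowerShell for Add-Computer (which is not included in PowerShell 7); the OU name Workstations and the computer name WS-0042 are placeholders.

```powershell
# Added example (not from the original text): check who may create computer
# accounts, pre-stage the account in a chosen OU, then join the workstation.
# Assumptions: ActiveDirectory module installed; run as a domain administrator;
# the OU and computer names are placeholders.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ouPath = "OU=Workstations,$($domain.DistinguishedName)"   # assumed target OU

# Check 1: the machine account quota. Any authenticated user may create this
# many computer accounts regardless of group membership; 0 restricts joins to
# principals that hold an explicit Create Computer Objects permission.
$domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = {0}" -f $domainObj.'ms-DS-MachineAccountQuota'

# Check 2: who holds Create Child for the computer class (or all classes) on
# the target OU. bf967a86-... is the schemaIDGUID of the computer class.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$acl = Get-Acl -Path "AD:\$ouPath"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'CreateChild' -or $_.ActiveDirectoryRights -match 'GenericAll') -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# Pre-stage the computer account so that the join neither consumes the quota
# nor depends on the joining user's rights over the default Computers container.
New-ADComputer -Name 'WS-0042' -SamAccountName 'WS-0042' -Path $ouPath -Enabled $true

# On the workstation itself, as the same administrator (Windows PowerShell):
# Add-Computer -DomainName $domain.DNSRoot -OUPath $ouPath -Credential (Get-Credential) -Restart
```

Pre-staging into a specific OU also means the new machine receives that OU's delegated administration from its first boot instead of landing in the default Computers container.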