
Get a Handle on Trust Relationships

A Windows NT domain comprises a collection of computers that share a common directory database. A domain administrator maintains the domain, and only users whose accounts are held in that centralized database can log on to the domain. What do these facts mean? Simply that a domain organizes the resources from one or more NT servers into one administrative structure. NT grants logon privileges to the domain, rather than to the individual servers within the domain, and each domain has a unique name that distinguishes it from other domains. Domain administrators grant end users access to a domain's resources. Therefore, when you establish multiple domains in a network, you must create trust relationships between the domains so that you can selectively assign users access to necessary resources. In this article, I explain trust relationships in NT 4.0, and I describe the four domain models. Then, I walk you through the process of establishing trust relationships and show you how NT 4.0 establishes interdomain trust accounts. The sidebar, "Troubleshooting Synchronization Errors," page 107, gives you step-by-step instructions for solving the synchronization problems that can occur in interdomain trusts.

Trust Relationships
In a domain trust relationship, users log on in only one domain. Other domains that trust the user's logon domain (i.e., trusting domains) rely on the logon, or trusted, domain to authenticate the end user's logon and password. When the trusting domain's administrator assigns the appropriate permissions, user accounts in the trusted domain can access resources in the trusting domain. Establishing a trust between domains doesn't automatically grant users rights to resources in the trusting domains; the domain administrator must assign such rights.

Setting up trusts between domains lets administrators manage multiple domains as one administrative unit. The trusted domain contains the user accounts, and its administrator can perform administrative tasks in the trusting domain. The trusting domain trusts the trusted domain to manage users, groups, and resources. The trusting domain contains the resources that validated users need to access. (Validated users are users with assigned permissions to access the resources of a domain. These resources include files, directories, workstations, and printers.) Administrators of trusting domains can still manage their own users, groups, and resources, but they can't manage users in trusted domains unless a two-way trust relationship exists between the trusting and trusted domains.

Trust relationships aren't transitive. In other words, if the Production domain trusts the Engineering domain and the Engineering domain trusts the Administrative domain, the Production domain doesn't necessarily trust the Administrative domain. A domain's administrator must explicitly grant a trust to another domain to establish a trust relationship.

Trusts flow in one direction. For example, if the Production domain trusts the Engineering domain, validated users in the Engineering domain can access resources in the Production domain. However, users in the Production domain can't access resources in the Engineering domain. Arrows in trust-relationship diagrams always point from the resources toward the domain that is trusted to use the resources, as Figure 1 shows.

Even though trusts flow in only one direction, you can establish a reciprocal trust relationship between two domains. As Figure 2 shows, validated users in both the Production and the Engineering domains can access the resources of both domains because each domain trusts the other. Domain administrators use NT 4.0's User Manager for Domains to establish explicit trust relationships and manage trusts.

Four Domain Models
There are several reasons why an organization might need to establish more than one domain. For best performance, Microsoft suggests that an NT 4.0 domain database not exceed 40MB. Obviously, this limitation restricts the number of workstations, users, and groups you can define in a given domain. (For information about how to plan domain capacity, see Michael D. Reilly, "The Accounts Database," February 1997.) Another reason to establish multiple domains is that some departments within an organization might prefer to manage their own resources. When you establish separate domains for such departments, you can grant resource control to them. Finally, because too many servers on one domain can impair performance, keeping domains small to limit the number of necessary domain servers is a sound management practice.

Four NT domain models exist: single domain, master domain, multiple master domain, and complete trust. You can use one model or a combination of models to manage your network. (For in-depth descriptions of each domain model, see Michael D. Reilly, "Domains and Trust Relationships," September 1998.)

The single domain model. The single domain model consists of only one domain and thus is the simplest of the four domain models. Because the single domain model comprises one domain, it doesn't require trust relationships. This model works well for small networks.

The master domain model. Figure 3 illustrates the master domain model. In this model, users belong to one domain—the master, or accounts, domain. Resources (i.e., databases, folders, files, printers) belong to multiple resource domains. The domain administrator establishes trust relationships between the master and the resource domains. Each resource domain trusts the master domain. However, the resource domains don't necessarily trust one another, and the master domain doesn't need to trust the resource domains.

The multiple master domain model. As Figure 4 shows, this model consists of two or more master domains with reciprocal trusts between the master domains. That is, each master domain trusts every other master domain in the model. You need to establish trusts in the multiple master domain model so that each resource domain trusts each master domain. Because this model lets you manage complex relationships, it's useful for large enterprises or when companies merge.

The complete trust model. Figure 5 illustrates the complete trust model. In this model, each domain is a separate entity, and a reciprocal trust exists between all domains. The number of trust relationships rapidly increases as the domains in a complete-trust-model network increase. Microsoft recognizes that this domain model lacks central security control; therefore, the company recommends that, when possible, companies use the multiple master domain model rather than the complete trust model. When you choose the complete trust model, you must be sure that each domain administrator maintains a high level of security.
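The rules above (trusts flow one way, trusts aren't transitive, a trust alone grants no permissions) and the four models are easy to get wrong when you sketch them on paper. The following Python script is an added example, not part of the original article or of any Microsoft tool; it models trusts as directed edges from a trusting (resource) domain to a trusted (account) domain, models permission grants separately, and builds the master, multiple master, and complete trust layouts so you can count the one-way trusts each needs. The domain names (Production, Engineering, Administrative, Corp, M1, R1, and so on) are constructed for illustration, and the model deliberately ignores groups and individual accounts to keep the trust logic visible.

```python
"""Model NT 4.0-style one-way, non-transitive domain trusts.

Added example, not from the original article. Domain names are constructed.
An edge (trusting, trusted) means the trusting domain relies on the trusted
(account) domain to authenticate logons; in the article's diagrams the arrow
points from the resources toward the trusted domain.
"""
from itertools import permutations


class TrustMap:
    """Directed graph of one-way trusts plus explicit per-resource grants."""

    def __init__(self):
        self.trusts = set()   # (trusting_domain, trusted_domain)
        # (resource_domain, resource, account_domain): the resource domain's
        # administrator has given that account domain's users permission.
        # A trust by itself grants nothing.
        self.grants = set()

    def add_trust(self, trusting, trusted):
        if trusting == trusted:
            raise ValueError("a domain never needs to trust itself")
        self.trusts.add((trusting, trusted))

    def add_two_way_trust(self, a, b):
        """Reciprocal trust: two separate one-way trusts."""
        self.add_trust(a, b)
        self.add_trust(b, a)

    def grant(self, resource_domain, resource, account_domain):
        self.grants.add((resource_domain, resource, account_domain))

    def is_validated(self, account_domain, resource_domain):
        """True if a logon from account_domain is accepted in resource_domain.

        Trusts are non-transitive, so only a direct trust (or the same
        domain) counts; a chain A->B->C never lets C's users into A.
        """
        return (account_domain == resource_domain
                or (resource_domain, account_domain) in self.trusts)

    def can_access(self, account_domain, resource_domain, resource):
        """Access needs both a direct trust and an explicit grant."""
        return (self.is_validated(account_domain, resource_domain)
                and (resource_domain, resource, account_domain) in self.grants)

    def trust_count(self):
        return len(self.trusts)


def master_domain(master, resource_domains):
    """Master domain model: every resource domain trusts the one master."""
    m = TrustMap()
    for r in resource_domains:
        m.add_trust(r, master)
    return m


def multiple_master(masters, resource_domains):
    """Multiple master model: masters trust each other both ways, and every
    resource domain trusts every master."""
    m = TrustMap()
    for a, b in permutations(masters, 2):
        m.add_trust(a, b)
    for r in resource_domains:
        for master in masters:
            m.add_trust(r, master)
    return m


def complete_trust(domains):
    """Complete trust model: reciprocal trust between every pair, which
    costs n*(n-1) one-way trusts for n domains."""
    m = TrustMap()
    for a, b in permutations(domains, 2):
        m.add_trust(a, b)
    return m


def chain_example():
    """The article's chain: Production trusts Engineering, and Engineering
    trusts Administrative (constructed names)."""
    m = TrustMap()
    m.add_trust("Production", "Engineering")
    m.add_trust("Engineering", "Administrative")
    return m


if __name__ == "__main__":
    chain = chain_example()
    print("Engineering user validated in Production:",
          chain.is_validated("Engineering", "Production"))     # True
    print("Administrative user validated in Production:",
          chain.is_validated("Administrative", "Production"))  # False: not transitive
    print("Production user validated in Engineering:",
          chain.is_validated("Production", "Engineering"))     # False: one-way
    for n in (3, 5, 10):
        domains = [f"D{i}" for i in range(n)]
        print(n, "domains in complete trust need",
              complete_trust(domains).trust_count(), "one-way trusts")
```

Running the script shows why the complete trust model scales badly: 3 domains need 6 one-way trusts, 5 need 20, and 10 need 90, each of which a separate administrator must set up and keep secure. Compare that with `multiple_master(["M1", "M2"], ["R1", "R2", "R3"])`, which needs only 8 trusts for the same five domains.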
