Understanding NT domains and trusts is an important skill for any NT
administrator. Books could be, and have been, written on the topic. For starters:
Single Domain model: there is one domain with accounts and resources. The
advantages:
- Works best for small organizations
- Centralized management of users and resources
- No trusts involved
A single domain is one boundary with no internal divisions. The disadvantages
are performance issues as the domain grows and the lack of internal security
divisions (for units or departments) to reflect entities in a growing
enterprise. The SAM can manage up to about 40,000 accounts. As the number of
accounts grows, the power of the domain controllers needs to increase, but with
modern inexpensive Pentium-based PCs this is not particularly important. You
will see some penalty in browsing as the number of members in the domain
increases. The maximum size of the SAM is approximately 40MB, and this is a
real limitation for this model: user accounts, group definitions, and PC
(machine) accounts all add to the cumulative size.
Single Master Domain model: there is one account domain and multiple resource
domains, with each resource domain trusting the account (user) domain. The
advantages of the single master domain are:
- Good solution for moderately sized networks
- Departmental control of resources based on resource domains (departmental,
unit, ...)
- Centralized user account management
- Global groups are defined centrally in the account domain
In this model the accounts are centralized under one administrative unit and
the resources are decentralized. This fits the departmental political model of
resource ownership. For the model to work well, the account domain admins must
create the appropriate global groups needed to manage the security of resources
in the resource domains, and the resource admins should manage security by
assigning permissions to groups, not individuals. Resource domain admins can
assign permissions to global groups once, and that is the end of their
permissions management task: set it once and forget it. When access needs to
be added or removed, one does not search through many resources to add or
remove that person's access; one simply adds or removes that person's account
from the group (or groups) in the account domain. The one change in group
membership results in permission changes on many resources. The single master
domain model still has a single account domain, so the 40MB SAM and
approximately 40,000 account limitation applies to it.
The number of trusts:
T = R
that is, the number of trusts is equal to the number of resource domains, one
trust per resource domain, where the resource domain trusts the account domain.
Multiple Master Domain model: an extension of the single master domain model.
Most appropriate for divisions separated geographically and when one must
scale beyond the number of accounts supported in a single account domain. You
have multiple single master domains linked together by two-way trusts (that
is, by pairs of one-way trusts). Each account domain trusts every other
account domain. Each resource domain trusts each account domain. The
advantages are:
- Good solution for very large organizations
- Scalable to accommodate any number of users: just add more account domains
- Resources are locally and logically grouped
- Departmental-focused management of resources
- Any master domain could administer all user accounts, or not, as wished
The disadvantages: since there are multiple account domains, the number of
global groups needed is multiplied by at least the number of account domains,
and the number of trusts explodes.
The number of trusts:
T = M * (M – 1) + R * M
where M is the number of account (master) domains and R is the number of
resource domains. Actually this is the maximum number of trusts. You generally
cannot avoid the M * (M – 1) trusts between account domains. One has the full
R * M trusts only if all resource domains have users needing access from all
account domains.
Complete Trust Domain model: a mesh model, a set of single domains with trusts
between each pair of domains. Appropriate for the early phase of consolidation
between small organizations with existing single domains, or for politically
sensitive, departmentally organized enterprises with control issues over
accounts and resources. The advantages are:
- Useful for organizations with no MIS department
- Scalable for any number of users
- Each department (entity with a domain) has Full Control over its users and
resources
- Users and resources are located within the same domain
The disadvantages reflect the other side of the coin:
- No centralized management
- Many trust relationships to manage
- Administrators must trust each other to properly manage users, groups, and
resources
This is a decentralized, high-overhead environment.
The number of trusts:
T = D * (D – 1)
where D is the number of domains.
One sees the term two-way trust. There are no two-way trusts in NT; every
trust is one-way. When domainA trusts domainB
domainA –> domainB
domainA is the trusting domain and domainB is the trusted domain. The
relationship is that users in B may be permitted to access resources in A. The
resources are in the trusting domain and the users are in the trusted domain.
Note that the trust only makes B's accounts visible to A; it grants nothing by
itself, and resource admins in A must still assign permissions to B's users or
groups. If one needs it to work both ways, one must create another trust going
the other way
domainA <– domainB
where domainB is the trusting domain and domainA is the trusted domain. To
create a "two-way" trust, you have to create the two one-way trusts. I use the
memory aid that the accounts include an account for Ed and that resources are
thINGs. Thus the trustED domain, the domain with accounts, is the trustED
domain, and the trustING domain, the domain with thINGs (resources), is the
trustING domain. There is no transitivity in trust relationships: if domainA
trusts domainB and domainB trusts domainC, this does not mean that domainA
also trusts domainC. Each trust must be created explicitly.
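The following is an added example, not code from the original tips page, that
models the rules above in a small Python program: trusts as directed
(trusting, trusted) pairs, the trust-count formulas for the three multi-domain
models, and an access check that honours the one-way, non-transitive nature of
NT trusts and the "permissions to global groups, membership in the account
domain" practice described under the single master model. The domain, user,
group and share names are constructed for illustration only.

```python
"""Model of NT-style one-way, non-transitive trusts and group-based access.

Added example (not code from the original tips page). The domain, user,
group and share names are constructed for illustration. A trust is recorded
as the pair (trusting, trusted): the trusting domain holds the resources
(thINGs), the trusted domain holds the accounts (Ed).
"""
from itertools import permutations


def single_master_trusts(account, resources):
    """Single master model: each resource domain trusts the one account domain (T = R)."""
    return {(r, account) for r in resources}


def multiple_master_trusts(accounts, resources):
    """Multiple master model, maximum case: account domains trust each other
    both ways (M * (M - 1)) and every resource domain trusts every account
    domain (R * M)."""
    trusts = set(permutations(accounts, 2))
    trusts |= {(r, a) for r in resources for a in accounts}
    return trusts


def complete_trust_trusts(domains):
    """Complete trust mesh: every domain trusts every other domain (D * (D - 1))."""
    return set(permutations(domains, 2))


def can_access(trusts, user, resource, group_members, resource_acl):
    """Decide whether `user` may reach `resource`.

    user, resource : (domain, name) tuples
    group_members  : {(domain, group): set of (domain, user)}
    resource_acl   : {(domain, resource): set of (domain, group)} granted groups

    Two checks: the resource's domain must be the user's own domain or must
    trust it DIRECTLY (trust is not transitive, so chains are not followed),
    and the user must belong to a group granted on the resource.
    """
    user_domain, _ = user
    res_domain, _ = resource
    if user_domain != res_domain and (res_domain, user_domain) not in trusts:
        return False
    granted = resource_acl.get(resource, set())
    return any(user in group_members.get(group, set()) for group in granted)


def demo():
    """Single master model: CORP holds accounts, SALES and ENG hold resources."""
    trusts = single_master_trusts("CORP", ["SALES", "ENG"])
    alice = ("CORP", "alice")
    engineers = ("CORP", "Engineers")          # global group in the account domain
    group_members = {engineers: set()}
    # Resource admins grant the global group once, on each resource.
    resource_acl = {
        ("ENG", r"\\ENGSRV\src"): {engineers},
        ("SALES", r"\\SALESSRV\quota"): {engineers},
    }
    shares = list(resource_acl)
    before = [can_access(trusts, alice, s, group_members, resource_acl) for s in shares]
    # One membership change in the account domain changes access everywhere.
    group_members[engineers].add(alice)
    after = [can_access(trusts, alice, s, group_members, resource_acl) for s in shares]
    return before, after


def chain_is_not_transitive():
    """A trusts B and B trusts C does not let C's users into A's resources."""
    trusts = {("A", "B"), ("B", "C")}
    carol = ("C", "carol")
    group_members = {("C", "Staff"): {carol}}
    resource_acl = {("A", r"\\ASRV\data"): {("C", "Staff")},
                    ("B", r"\\BSRV\data"): {("C", "Staff")}}
    return (can_access(trusts, carol, ("B", r"\\BSRV\data"), group_members, resource_acl),
            can_access(trusts, carol, ("A", r"\\ASRV\data"), group_members, resource_acl))


if __name__ == "__main__":
    print(demo())                      # ([False, False], [True, True])
    print(chain_is_not_transitive())   # (True, False)
```

The access check deliberately looks only for a direct (resource domain,
account domain) pair, which is what makes the A -> B -> C chain fail for
carol in the second function; a real NT ACL evaluation also involves local
groups and deny semantics, which this model leaves out.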
To summarize:
Domain Model        | Max Users | Account Management             | Resource Management | Trusts (one-way)
--------------------|-----------|--------------------------------|---------------------|-----------------------
Single              | 40,000    | Centralized                    | Centralized         | 0
Single Master       | 40,000    | Centralized                    | Decentralized       | R
Multiple Master     | unlimited | Centralized in account domains | Decentralized       | M * (M – 1) + R * M
Complete Trust Mesh | unlimited | Decentralized                  | Decentralized       | D * (D – 1)
User Manager for Domains is the tool used to create/delete trusts. To create a
trust between domainA and domainB, where domainA is the account (trusted)
domain and domainB is the resource (trusting) domain, the trusted side is set
up first:
- The domain admin of the account domain (domainA) starts User Manager for
Domains. In the Trust Relationships window, click the Add button next to the
display area labeled "Trusting Domains." Type the name of the trusting domain
(domainB). User Manager will request a password for the trust. This creates an
interdomain trust account for domainB in domainA's SAM, protected by that
password.
- The domain admin of the resource domain (domainB) starts User Manager for
Domains. In the Trust Relationships window, click the Add button next to the
display area labeled "Trusted Domains." Type the name of the trusted domain
(domainA). You will be prompted to enter the password required for the
trusting domain to communicate with the trusted domain; the domain admin of
the trusted domain must give you this password. domainB's domain controllers
then use this password and the interdomain trust account to establish the
secure channel to domainA. Treat the trust password like any other shared
secret: anyone who learns it before the trust is established can set up a
domain controller that impersonates domainB to domainA.
Related tips:
- Integrity Checking on Secure Channels with Domain Controllers
- Anonymous User Connections
- Interdomain trust account
- Disable Secure Channel Password and Trust Password Changes