Windows NT 4 Domain Models

Understanding NT domains and trusts is an important skill for any NT
administrator. Books could be, and have been, written on the topic. For starters:

Single Domain model: there is one domain with
accounts and resources. The advantages:

  • Works best for small organizations
  • Centralized management of users and resources
  • No trusts involved

This is the least complex structure: one security boundary with no internal
divisions. The disadvantages are performance issues as the domain grows and the
lack of internal security divisions (for units or departments) to reflect
entities in a growing enterprise. The SAM can manage up to about 40,000
accounts. As the number of accounts grows, the power of the domain controllers
needs to increase, but with modern inexpensive Pentium-based PCs this is not
particularly important. You will see some penalty in browsing as the number of
members in the domain increases. The maximum size of the SAM is approximately
40MB, and this is a real limitation for this model. User accounts, group
definitions, and PC accounts all add to the cumulative size.

Single Master Domain model: there is one account
domain and multiple resource domains, with each resource domain trusting the
account (user) domain. The advantages of the single master domain are:

  • Good solution for moderately sized networks
  • Departmental control of resources based on resource domains (departmental,
    unit, …)
  • Centralized user account management
  • Global groups are defined centrally in account domain

The accounts are centralized under one administrative unit and the resources are
decentralized. This fits the departmental political model of resource ownership.
For the model to work well, the account domain admins must create the
appropriate global groups needed to manage the security of resources in the
resource domains, and the resource admins should manage security by assigning
permissions to groups, not individuals. Resource domain admins can assign
permissions to global groups once, and that is the end of their permissions
management task: set it once and forget it. When permissions need to be added
or removed, one does not search through many resources to add or remove that
person's access; one simply adds or removes that person's account from the group
(or groups) in the account domain. The one change in group membership results in
permission changes across many resources. The single master domain model still
has a single account domain with the 40MB SAM and the approximately 40,000
account limit.

The number of trusts:

 T = R
that is, the number of trusts is equal to the number of
resource domains, one trust per resource domain where the resource domain trusts
the account domain.

Multiple Master Domain model: an extension of the
single master domain model. Most appropriate for divisions separated
geographically, and when one must scale beyond the number of accounts supported
in a single account domain. You have multiple single master domains linked
together by pairs of one-way trusts. Each account domain trusts every other
account domain. Each resource domain trusts each account domain. The advantages are:

  • Good solution for very large organizations
  • Scalable to accommodate any number of users: just add more account domains
  • Resources are locally and logically grouped
  • Departmental-focused management of resources
  • Any master domain can administer all user accounts, or not, as desired

The disadvantage of the multiple master domain is complexity: there are
multiple account domains, the number of global groups needed is multiplied by at
least the number of account domains, and the number of trusts explodes.

The number of trusts:

 T = M * (M – 1) + R * M

where M is the number of account (master) domains and R is the number of
resource domains. This is actually the maximum number of trusts. You generally
cannot avoid the

 M * (M – 1)

trusts between account domains. One has the full

 R * M

resource-to-account trusts only if every resource domain has users needing
access from every account domain.

Complete Trust Domain model: a mesh model, a set of single domains with trusts
between every pair of domains. Appropriate for the early phase of consolidation
between small organizations with existing single domains, or for politically
sensitive, departmentally organized enterprises with control issues over
accounts and resources. The advantages are:

  • Useful for organizations with no MIS department
  • Scalable for any number of users
  • Each department (entity with a domain) has Full Control over its users and
  • Users and resources are located within the same domain

The disadvantages reflect the other side of the coin:

  • No centralized management
  • Many trust relationships to manage
  • Administrators must trust each other to properly manage users, groups, and

That is, a lot of trust is required, in more than one sense. It is a
decentralized, high-overhead environment.

The number of trusts:

 T = D * (D – 1)

where D is the number of domains.

One sees the term two-way trust, but there are no two-way trusts in NT. When
domainA trusts domainB,

 domainA --> domainB

domainA is the trusting domain and domainB is the trusted domain. The
relationship is that users in B may be permitted to access resources in A: the
resources are in the trusting domain and the users are in the trusted domain. If
one needs it to work both ways, one must create another trust going the other
way,

 domainA <-- domainB

where domainB is the trusting domain and domainA is the trusted domain. To
create a "two-way" trust, you have to create the two one-way trusts. I use the
memory aid that the accounts include an account for Ed and that resources are
thINGs. Thus the trustED domain is the domain with accounts, and the trustING
domain is the domain with thINGs (resources). There is no transitivity in
trust relationships: if domainA trusts domainB and domainB trusts domainC, this
does not mean that domainA also trusts domainC.
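The trust-count formulas for the three multi-domain models and the direction and non-transitivity rules above, modelled together as an added example that is not from the original page (domain names and trust sets are constructed): each one-way trust is a (trusting, trusted) pair, and the access check consults only direct trusts.

```python
# Added example (not from the original page): NT4 one-way trusts modelled as
# directed edges (trusting_domain, trusted_domain). Domain names are constructed.
from itertools import permutations

def single_master_trusts(account, resources):
    """Every resource domain trusts the one account domain: T = R."""
    return {(r, account) for r in resources}

def multiple_master_trusts(accounts, resources):
    """Every account domain trusts every other account domain (M * (M - 1))
    and every resource domain trusts every account domain (R * M); this is
    the maximum, reached only if every resource domain needs every master."""
    trusts = set(permutations(accounts, 2))
    trusts |= {(r, a) for r in resources for a in accounts}
    return trusts

def complete_trust_trusts(domains):
    """Every domain trusts every other domain: T = D * (D - 1)."""
    return set(permutations(domains, 2))

def can_access(trusts, user_domain, resource_domain):
    """Users from user_domain can be granted permissions in resource_domain
    only if the resource (trusting) domain directly trusts the account
    (trusted) domain. Trusts are one-way and non-transitive, so there is
    deliberately no path search through intermediate domains."""
    if user_domain == resource_domain:
        return True
    return (resource_domain, user_domain) in trusts

def demo():
    # Constructed sample: two account masters and three resource domains.
    accounts, resources = ["ACCT1", "ACCT2"], ["SALES", "ENG", "HR"]
    mm = multiple_master_trusts(accounts, resources)
    m, r = len(accounts), len(resources)
    assert len(mm) == m * (m - 1) + r * m            # 2 + 6 = 8 trusts
    assert len(complete_trust_trusts(accounts + resources)) == 5 * 4
    # A trusts B, B trusts C: users in C still get nothing in A.
    chain = {("A", "B"), ("B", "C")}
    return {
        "B_users_in_A": can_access(chain, "B", "A"),   # True, direct trust
        "A_users_in_B": can_access(chain, "A", "B"),   # False, wrong direction
        "C_users_in_A": can_access(chain, "C", "A"),   # False, no transitivity
    }
```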

To summarize:

  Model             Account management               Max users     Trusts
  Single Domain     One domain, centralized          ~40,000       0
  Single Master     Centralized in the account       ~40,000       R
                    domain
  Multiple Master   Centralized in account domains   Any number    M * (M – 1) + R * M
  Complete Trust    No centralized management        Any number    D * (D – 1)

User Manager for Domains is the tool used to create and delete trusts. To create
a trust between domainA and domainB, where domainA is the account domain:

  • The domain admin of the account domain, domainA, starts User Manager for
    Domains. In the Trust Relationships window, click the Add button next to the
    display area labeled "Trusting Domains." Type the name of the trusting domain
    (domainB). User Manager will request a password for the trusting domain.
  • The domain admin of the resource domain, domainB, starts User Manager for
    Domains. In the Trust Relationships window, click the Add button next to the
    display area labeled "Trusted Domains." Type the name of the trusted domain
    (domainA). You will be prompted to enter the password required for the
    trusting domain to communicate with the trusted domain. The domain admin of
    the trusted domain would need to give you this password. The trusting domain
    will create an account which uses this password to communicate with the
    trusted domain.
