Windows NT4 Workgroup versus Domain

by Johannes Helmig [Published on 16 July 1999 / Last Updated on 16 July 1999]

When installing a Windows NT4 workstation and there is no NT4 server, you have no choice: you have to use a "Workgroup".
But when installing Windows NT4 Server, you have during the installation (and you can ONLY select it during the installation and CANNOT change it later), on whether to setup the system as a "Primary Domain Controller","Backup Domain Controller" or "Stand-Alone Server".


Each system has its own User-Management/User-Database.
Everytime, a user needs to be validated, it is done using the local User Database.
When now needing to access data on other systems, the Users with their passwords must be defined in ALL systems.
( in the above diagram, the user "Jim" can work/access data on Systems #1 and 2, but not on #3, because system#3 has a different password defined for "Jim".
"Mary" and "Susan" are not defined on all systems).


In a domain, there is only ONE User-Management/User-Database,
it is located on the Domain-Server.
If now any of the users like to work/logon or access data on any of the systems, the username and password is validated in the Domain-User-Database.

While Workgroups usually work fine for small network and few users, the central User-Management is an advantage on larger networks with a lot of users.
(less workload to maintain the single Domain User-Database than multiple local User-Databases, trying to keep them synchronized, which can be a substantial workload, especially if periodical changes for passwords are required for security reasons).

In a Domain-network, there MUST be always ONE "Primary Domain Controller", in charge for the User-Database.
In a large network with hundreds of connected systems, the "Primary Domain Controller" needs some help to handle all the security validations, so one or more "Backup Domain Controller" can be installed on the network. A "Backup Domain Controller" stores a copy of the User-Database, which is identical to the User-Database on the "Primary Domain Controller" (and if a change is made on the "Primary Domain Controller" by adding/deleting/modifying a user-information, the copies on the "Backup Domain Controller" are updated automatically).
A "Backup Domain Controller" is entitled to handle security validations (checking Username and password for Logon and for accessing to Shared data), so the workload of security validations is distributed to multiple Domain Controllers.
In addition, the "Backup Domain Controller" is the Backup: in case the "Primary Domain Controller" goes down, a "Backup Domain Controller" can be promoted to become (either temporary or permanent) the "Primary Domain Controller".

What is now a "Stand-Alone Server" ?
It is a Windows NT4 server WITHOUT any Domain Controller responsibility.
For example, it is possible to use NT4 Server as simple Workgroup networking, which maybe a good solution in small networks.
In larger configurations, NT4 Server is often used as a more secure platform to run automated
processes, because it offers a higher Fault-Tolerance by supporting Disk-Mirroring or RAID.

Featured Links