Windows NT 4 Domain Models

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Understanding NT domains and trusts are important skills for any NT administrator. Books could be, and have been written on the topic. For starters:

Single Domain model: there is one domain with accounts and resources. The advantages:

  • Works best for small organizations
  • Centralized management of users and resources
  • No trusts involved
The least complex structure. One security boundary with no internal divisions. The disadvanages are performances issues as the domain grows and lack of internal security divisions (for units or departments) to reflect entities in a growing enterprise. The SAM can manage up to about 40,000 accounts. As the number of accounts grows, the power of the domain controllers needs to increase - but with modern inexpensive pentium-based PCs, this is not particulary important. You will see some penalty in browsing as the number of members in the domain increases. The maximum size of the SAM is approximately 40MB and this is a real limitation for this model. User account, group definitions, and PC accounts all add to the cumulative size.

Single Master Domain model : there is one account domain and multiple resource domains with each resource domain trusting the account (user) domain. The advantages of the single master domain are:

  • Good solution for moderately sized networks
  • Departmental control of resources based on resource domains (departmental, unit, ...)
  • Centralized user account management
  • Global groups are defined centrally in account domain
Basically, the accounts are centralized under one administrative unit and the resources are decentralized. This fits the departmental political model of resource ownership. For the model to work well, the account domain admins must create the appropriate global groups needed to manage the security of resources in the resource domains and the resource admins should manage security by assigning permissions to groups, not individuals. Resource domain admins can assign permissions to global groups once and thats the end of their permissions management task. Its set once and forget it. When permissions need to be added or removed, one does not search through many resources to add or remove that persons access, one simply adds or removes that person's account from the group (or groups) in the account domain. The one change in group membership results in permission changes in many resource permissions. The single master domain model has a single account domain with the 40MB SAM and approximately 40,000 account limitation.

The number of trusts:

 T  =  R 
that is, the number of trusts is equal to the number of resource domains, one trust per resource domain where the resource domain trusts the account domain.

Multiple Master Domain model: an extension of the single master domain model. Most appropriate for divisions separated geographically and when one must scale beyond the number of accounts supported in a single account domain. You have multiple single master domains linked together by two way trusts. Each account domain trusts every other account domain. Each resource domain trusts each account domain. The advantages are:

  • Good solution for very large organizations
  • Scaleable to accommodate any number of users - just add more account domains
  • Resources are locally and logically grouped
  • Departmental-focused management of resources
  • Any master domain could administer all user accounts or not if wished
The disadvantage of the multiple master domain is complexity: there are multiple account domains, the number of global groups needed multipled by at least the number of account domains and the number of trusts explodes.

The number of trusts :

 T  =  M * (M - 1) + R * M 
where M is number of account masters and R is the number of resource domains. Actually this is the maximum number of trusts. You generally can not avoid the
 M * M-1 
trusts between account domains. One has the
 R * M 
trusts only if all resource domains have users needing access in all account domains.

Complete Trust Domain model: a mesh model is a set of single domains with trusts between each domain. Appropriate for early phase of consolidation between small organizations with existing single domains or politically sensitive departmentally organized enterprises with control issues over accounts and resources. The advantages are:

  • Useful for organizations with no MIS department
  • Scaleable for any number of users
  • Each department (entity with a domain) has Full Control over its users and resources
  • Users and resources are located within the same domain
The disadvantages reflect the other side of the coin:
  • No centralized management
  • Many trust relationships to manage
  • Administrators must trust each other to properly manage users, groups, and resources
That is there is a lot of trust required in many senses. It is a decentralized, high overhead environment.

The number of trusts :

 T  =  D * ( D - 1)  
where D is number of domains.

One sees the term two-way trusts. There are no two way trusts. When domainA trusts domainB

 domainA --> domainB 
domainA is the trusting domain and domainB is the trusted domain. The relationship is that users in B may be permitted to access resources in A. The resources are in the trusting domain and the users are in the trusted domain. If one needs it to work both way, you need to create another trust going the other way
 domainA <-- domainB 
domainB is the trusting domain and domainA is the trusted domain. To create a "two-way" trust, you have to create the two one-way trusts. I use the memory aid that the accounts include an account for Ed and that resources are thINGs. Thus the trustED domain, the domain with accounts, is the trustED domain and the trustING domain, the domain with thINGs (resources), is the trustING domain. There is no transitivity in trust relationships: if domainA trusts domainB and domainB trusts domainC, this does not mean that domainA also trusts domainC.

To summarize:

Max Users Account
Single 40000 Centralized Centralized 0
Master 40000 Centralized Decentralized R
Multiple Master unlimited Centralized in
Account Domains
 M * (M - 1) + R * M 
Complete Trust
unlimited Decentralized Decentralized
 D * ( D - 1)  

User Manager for Domains is the tool used to create/delete trusts. To create a trust between domainA and domainB, where domainA is the account domain:

  • domain admin of the account domainA starts User Manager for Domains. In the Trust Relationships window, click the Add button next to the display area labeled "Trusting Domains." Type the name of the trusting domain (domainB). User Manager will request a password for the trusting domain.
  • domain admin of the resource domainB starts User Manager for Domains. In the Trust Relationships window, click the Add button next to the display area labeled "Trusted Domains." Type the name of the trusted domain (domainA). You will be prompted to enter the password required for the trusting domain to communicated to the trusted domain. The domain admin of the trusted domain would need to give you this password. The trusting domain will create an account which uses this password to communicate with the trusted domain.

Related tips:

Integrity Checking on Secure Channels with Domain Controllers
Anonymous User Connections
Interdomain trust account
Disable Secure Channel Password and Trust Password Changes

See Also

See Also

Featured Links