Thursday, April 30, 2009

Windows NT 4 Domain Models

Nice article that I found on the Windows NT domain models.

Single Domain model: there is one domain with accounts and resources. The advantages:

    * Works best for small organizations
    * Centralized management of users and resources
    * No trusts involved

The least complex structure. One security boundary with no internal divisions. The disadvantages are performance issues as the domain grows and lack of internal security divisions (for units or departments) to reflect entities in a growing enterprise. The SAM can manage up to about 40,000 accounts. As the number of accounts grows, the power of the domain controllers needs to increase - but with modern inexpensive Pentium-based PCs, this is not particularly important. You will see some penalty in browsing as the number of members in the domain increases. The maximum size of the SAM is approximately 40MB and this is a real limitation for this model. User accounts, group definitions, and PC accounts all add to the cumulative size.

Single Master Domain model: there is one account domain and multiple resource domains with each resource domain trusting the account (user) domain. The advantages of the single master domain are:

    * Good solution for moderately sized networks
    * Departmental control of resources based on resource domains (departmental, unit, ...)
    * Centralized user account management
    * Global groups are defined centrally in account domain

Basically, the accounts are centralized under one administrative unit and the resources are decentralized. This fits the departmental political model of resource ownership. For the model to work well, the account domain admins must create the appropriate global groups needed to manage the security of resources in the resource domains and the resource admins should manage security by assigning permissions to groups, not individuals. Resource domain admins can assign permissions to global groups once and that's the end of their permissions management task. It's set once and forget it. When permissions need to be added or removed, one does not search through many resources to add or remove that person's access, one simply adds or removes that person's account from the group (or groups) in the account domain. The one change in group membership results in permission changes in many resource permissions. The single master domain model has a single account domain with the 40MB SAM and approximately 40,000 account limitation.

The number of trusts:

 T  =  R

that is, the number of trusts is equal to the number of resource domains, one trust per resource domain where the resource domain trusts the account domain.

Multiple Master Domain model: an extension of the single master domain model. Most appropriate for divisions separated geographically and when one must scale beyond the number of accounts supported in a single account domain. You have multiple single master domains linked together by two-way trusts. Each account domain trusts every other account domain. Each resource domain trusts each account domain. The advantages are:

    * Good solution for very large organizations
    * Scalable to accommodate any number of users - just add more account domains
    * Resources are locally and logically grouped
    * Departmental-focused management of resources
    * Any master domain could administer all user accounts, or not, if wished

The disadvantage of the multiple master domain is complexity: there are multiple account domains, the number of global groups needed is multiplied by at least the number of account domains, and the number of trusts explodes.

The number of trusts:

 T  =  M * (M - 1) + R * M

where M is the number of account masters and R is the number of resource domains. Actually this is the maximum number of trusts. You generally cannot avoid the

 M * (M - 1)

trusts between account domains. One has the

 R * M

trusts only if all resource domains have users needing access in all account domains.

Complete Trust Domain model: a mesh model is a set of single domains with trusts between each pair of domains. Appropriate for the early phase of consolidation between small organizations with existing single domains, or for politically sensitive, departmentally organized enterprises with control issues over accounts and resources. The advantages are:

    * Useful for organizations with no MIS department
    * Scalable for any number of users
    * Each department (entity with a domain) has Full Control over its users and resources
    * Users and resources are located within the same domain

The disadvantages reflect the other side of the coin:

    * No centralized management
    * Many trust relationships to manage
    * Administrators must trust each other to properly manage users, groups, and resources

That is, there is a lot of trust required, in many senses. It is a decentralized, high-overhead environment.

The number of trusts:

 T  =  D * (D - 1)

where D is the number of domains.

One sees the term two-way trusts. There are no two-way trusts. When domainA trusts domainB

 domainA --> domainB

domainA is the trusting domain and domainB is the trusted domain. The relationship is that users in B may be permitted to access resources in A. The resources are in the trusting domain and the users are in the trusted domain. If one needs it to work both ways, you need to create another trust going the other way

 domainA <-- domainB

domainB is the trusting domain and domainA is the trusted domain. To create a "two-way" trust, you have to create the two one-way trusts. I use the memory aid that the accounts include an account for Ed and that resources are thINGs. Thus the domain with accounts is the trustED domain, and the domain with thINGs (resources) is the trustING domain. There is no transitivity in trust relationships: if domainA trusts domainB and domainB trusts domainC, this does not mean that domainA also trusts domainC.
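The trust formulas above (T = R, T = M * (M - 1) + R * M, T = D * (D - 1)) and the trusting/trusted direction are easy to check mechanically once each one-way trust is written as a directed edge from the trusting domain (resources) to the trusted domain (accounts). The following is an added example, not code from the article: it builds the trust set each model requires and compares its size with the formula. The domain names and the "single", "single_master", "multiple_master" and "complete_trust" labels are my own choices.

```python
# Added example (not from the article): model one-way NT4 trusts as directed
# edges (trusting_domain, trusted_domain) and count how many each domain model
# needs, so the trust formulas in the text can be checked mechanically.
# All domain names below are constructed for the illustration.
from itertools import permutations


def build_trusts(model, account_domains, resource_domains):
    """Return the set of one-way trusts (trusting, trusted) a model requires.

    A trust (X, Y) means X trusts Y: resources live in X, accounts live in Y.
    """
    trusts = set()
    if model == "single":
        # One domain holds both accounts and resources: no trusts at all.
        return trusts
    if model == "single_master":
        (master,) = account_domains  # exactly one account domain
        for r in resource_domains:
            trusts.add((r, master))  # each resource domain trusts the master
    elif model == "multiple_master":
        # Every account domain trusts every other account domain (both ways)...
        for a, b in permutations(account_domains, 2):
            trusts.add((a, b))
        # ...and every resource domain trusts every account domain.
        for r in resource_domains:
            for a in account_domains:
                trusts.add((r, a))
    elif model == "complete_trust":
        # Mesh: every domain trusts every other domain.
        for a, b in permutations(account_domains + resource_domains, 2):
            trusts.add((a, b))
    else:
        raise ValueError(f"unknown model {model!r}")
    return trusts


def formula_count(model, m, r):
    """Trust count predicted by the article's formulas (D = M + R for the mesh)."""
    d = m + r
    return {
        "single": 0,
        "single_master": r,
        "multiple_master": m * (m - 1) + r * m,
        "complete_trust": d * (d - 1),
    }[model]


def is_two_way(trusts, a, b):
    """A 'two-way' trust is really two one-way trusts, one in each direction."""
    return (a, b) in trusts and (b, a) in trusts


def describe(trust):
    trusting, trusted = trust
    return (f"{trusting} (trusting, holds resources) --> "
            f"{trusted} (trusted, holds accounts)")


if __name__ == "__main__":
    cases = [
        ("single", ["CORP"], []),
        ("single_master", ["CORP"], ["SALES", "ENG", "OPS"]),
        ("multiple_master", ["CORP-EU", "CORP-US"], ["SALES", "ENG", "OPS"]),
        ("complete_trust", ["CORP", "SALES"], ["ENG", "OPS"]),
    ]
    for model, accounts, resources in cases:
        trusts = build_trusts(model, accounts, resources)
        print(f"{model}: {len(trusts)} trusts "
              f"(formula: {formula_count(model, len(accounts), len(resources))})")
        for t in sorted(trusts):
            print("   ", describe(t))
```

Note that for the multiple master case the resource-to-account edges are the R * M term that the text says can be trimmed when not every resource domain serves users from every account domain; dropping those edges from the set is how you would model that smaller deployment.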

Full article can be found at the following link:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Network/WindowsNT4DomainModels.html

Understanding Windows NT trust relationships

Nice article that I found while searching for trust relationships in Windows NT domains.

What's a trust relationship?
A trust relationship is nothing more than an agreement between two Windows NT domains. This agreement allows users from one domain to use resources in a different domain, as long as the Administrator allows them to do so. For example, a trust relationship might be used to allow users in domain B to use a printer or a mail server that's located in domain A.

Trusting a domain
The domain that has the resource that the other domain wants to use is called the trusting domain. This is the case because in the situation where someone in domain B wants to use a printer in domain A, the Administrator of domain A must agree to trust users from domain B. Therefore, domain A is doing the trusting.

The trusted domain
The domain containing users who need access to the resource in a foreign domain is called the trusted domain. This is the case because they are trusted by the Administrator of the resource domain. If you have trouble remembering the difference, just keep in mind that the trusted domain always contains users. One silly, but effective, way to remember this is that the word trusted ends in the letters ed. Ed could be a username within a trusted domain.

Two-way trusts
If you have a situation in which users in both domains need to access resources in both domains, you can establish a two-way trust. By doing so, users in either domain may access resources in either domain. For example, a user in domain A could access resources in domain A and domain B. Likewise, a user in domain B could access resources in domain B and domain A.

Transitive trusts
Transitive trusts—in which more than two domains are involved—are trust relationships passed between domains. An example of a transitive trust is a situation in which domain A trusts domain B. Domain B trusts domain C. Therefore, through transitive trusts, domain A trusts domain C.

In Windows NT 4, transitive trusts don't exist. It's still possible to create such an arrangement, but domain A would have to establish separate trust relationships with domain B and domain C. In Windows 2000, transitive trusts will finally be supported. Therefore, in Windows 2000 environments, be careful who you trust, because you never know who they trust.

What about security?
The thought of opening your domain up to another domain may sound scary at first, but remember that as an Administrator, you're always in control. Simply establishing a trust relationship doesn't give anyone rights to anything. For anyone from the foreign domain to access a resource on your system, you must grant them rights to do so, in the same way that you would grant rights to a user within your domain.
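The two points made under "Transitive trusts" and "What about security?" (a trust must be direct in NT 4, and a trust by itself grants no rights) can be captured as a small access decision. The following is an added example, not code from the article: `can_access` returns True only when the resource's domain trusts the user's domain and the resource's permissions name the user or a global group containing the user, which also mirrors the group-based permission practice recommended for the single master model. The `transitive` flag is my own addition for contrasting NT 4 with the Windows 2000 behaviour the article warns about; the domains, users, groups and resources in `SAMPLE` are constructed.

```python
# Added example (not from the article): an access decision that follows the
# rules the article states. A trust by itself grants nothing; the resource
# domain must trust the user's domain AND the resource's permissions must name
# the user or a global group the user belongs to. With transitive=False the
# trust must be direct, as in NT 4; transitive=True models the Windows 2000
# behaviour the article warns about. Domains, users, groups and resources
# below are constructed for the illustration.
from dataclasses import dataclass, field


@dataclass
class Directory:
    trusts: set = field(default_factory=set)    # {(trusting, trusted), ...}
    groups: dict = field(default_factory=dict)  # "DOM\\Group" -> {"DOM\\user", ...}
    acls: dict = field(default_factory=dict)    # "DOM\\resource" -> {principal, ...}


def domain_of(principal):
    return principal.split("\\", 1)[0]


def trusts_domain(d, trusting, trusted, transitive=False):
    """Does `trusting` trust `trusted`? Direct edge only unless transitive."""
    if trusting == trusted or (trusting, trusted) in d.trusts:
        return True
    if not transitive:
        return False
    # Follow chains of trusts (A trusts B, B trusts C => A trusts C).
    seen, frontier = {trusting}, [trusting]
    while frontier:
        current = frontier.pop()
        for a, b in d.trusts:
            if a == current and b not in seen:
                if b == trusted:
                    return True
                seen.add(b)
                frontier.append(b)
    return False


def can_access(d, user, resource, transitive=False):
    """True only if the trust exists AND the ACL grants the user or a group."""
    if not trusts_domain(d, domain_of(resource), domain_of(user), transitive):
        return False
    principals = {user} | {g for g, members in d.groups.items() if user in members}
    return bool(principals & d.acls.get(resource, set()))


# Constructed sample: CORP holds accounts, SALES and ENG hold resources.
# SALES trusts CORP directly; ENG trusts only SALES.
SAMPLE = Directory(
    trusts={("SALES", "CORP"), ("ENG", "SALES")},
    groups={"CORP\\SalesStaff": {"CORP\\ed", "CORP\\ann"}},
    acls={
        "SALES\\printer": {"CORP\\SalesStaff"},  # granted to a global group
        "ENG\\share": {"CORP\\ed"},              # granted, but no direct trust
    },
)

if __name__ == "__main__":
    checks = [
        ("CORP\\ed", "SALES\\printer", False),   # trust + group permission -> True
        ("CORP\\bob", "SALES\\printer", False),  # trust but no permission -> False
        ("CORP\\ed", "ENG\\share", False),       # NT4: ENG->SALES->CORP not transitive -> False
        ("CORP\\ed", "ENG\\share", True),        # Win2000-style transitivity -> True
        ("SALES\\sue", "CORP\\payroll", False),  # CORP does not trust SALES -> False
    ]
    for user, resource, transitive in checks:
        print(user, "->", resource, "transitive" if transitive else "direct",
              can_access(SAMPLE, user, resource, transitive))
```

The third and fourth checks are the article's warning in miniature: the same ACL entry on `ENG\share` is useless under NT 4 because ENG never trusted CORP, but becomes effective the moment trusts are allowed to chain.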

Conclusion
In this article, I've tried to simplify the concept of Windows NT trusts. I also explained the various types of trusts and how they work.

Brien M. Posey is an MCSE and works as a freelance technical writer and as a network engineer for the Department of Defense. If you'd like to contact Brien, send him an e-mail. (Because of the large volume of e-mail he receives, it's impossible for him to respond to every message. However, he does read them all.)

Here is the link to the original article on TechRepublic:
http://articles.techrepublic.com.com/5100-10878_11-5027007.html