Microsoft Network Environments


There are two distinct kinds of Microsoft network environments: the peer-to-peer or workgroup (non-server-based) environment and the domain (server-based) environment. Peer-to-peer networking is geared to small groups of users sharing resources on a one-to-one basis. Networks with Novell 3.x servers or standalone Windows NT-based, Windows 2000 based, or Windows Server 2003 based servers fall into the peer-to-peer group. The domain model describes enterprise networks built around a central directory database.

Peer-to-Peer Network Environment

A peer-to-peer network or workgroup is a single-subnet network that is used as a convenient way to connect a small number of users to share resources. Peer-to-peer clients have the identical level of authority on a network, which eliminates the need for domain controllers. User authentication is decentralized by the use of the local account database located on each client. A user must have a user account on each computer to gain access. Figure 20-1 shows an example of a peer-to-peer network.

Figure 20-1: Peer-to-peer network

Peer-to-peer networks are ideal for small office/home office (SOHO) configurations that have from two to 10 computers. They can also be helpful for users who work with more than one computer and share resources (such as files, applications, or printers) with other users. For more information about small office/home office local connections, see Connecting Remote Offices in this book.

Windows XP Professional is compatible with all Microsoft products that use the Server Message Block (SMB) protocol. SMB functionality includes support for peer-to-peer networking with all other Microsoft networking products.

A Windows XP Professional based computer in a peer-to-peer environment performs account authentication locally. Because the Kerberos V5 protocol is only used for domain authentication, Windows XP Professional uses NTLM to authenticate users in the local account database. For more information about account authentication, see Account Authentication later in this chapter.

Windows based computers communicate with each other on peer-to-peer networks by using a common protocol. Due to dominance of the Internet, TCP/IP has become the protocol of choice for peer-to-peer networks. For more information about configuring protocols for peer-to-peer networking, see TCP/IP and Other Network Protocols later in this chapter.

Windows Domain Environment

A domain is a logical grouping of networked computers that share a central directory database that contains user account and security information for resources within the domain.

In a domain, the directory database is stored on computers that are configured as domain controllers. A domain controller manages all security-related aspects of interactions between users and domains. Security and administration are centralized. Figure 20-2 illustrates a domain configuration.

In a domain that has more than one domain controller, the domain accounts database is replicated between domain controllers within the domain for increased scalability and fault tolerance. If a domain controller becomes unavailable, directory information is still available from the other domain controllers. For more information about Windows 2000 Server domain controller placement in a Windows 2000 domain, see Designing the Active Directory Structure in the Deployment Planning Guide of the Microsoft Windows 2000 Server Resource Kit. For more information about Windows Server 2003 domain controller placement, see the Microsoft Windows Server 2003 Deployment Kit.

Windows 2000 and Windows Server 2003 domains improve on Windows NT domains. In Windows 2000 and Windows Server 2003 domains, all domain controllers can receive updates to the directory database. In Windows NT domains, the single-master model allows only one domain controller to be updated, which then replicates the changes to the other domain controllers. In Windows 2000 and Windows Server 2003 domains, the directory is distributed, and it uses a hierarchical namespace based on the Domain Name System (DNS). In Windows NT domains, the directory is centralized, and a flat namespace is used.

Windows XP Professional is fully compatible with Windows NT, Windows 2000, and Windows Server 2003 domains. For more information about whether to migrate an existing Windows NT domain to Windows 2000, see Determining Domain Migration Strategies in the Deployment Planning Guide.

Figure 20-2: Domain-based network

Active Directory

Active Directory is the directory service included with Windows 2000 Server and Windows Server 2003. The service provides a place to store information about network-based entities (such as applications, files, printers, and users) and the means to locate and manage resources. Active Directory provides a consistent way to name, describe, locate, access, manage, and secure information about network resources.

Active Directory is available only in domains with Windows 2000 based or Windows Server 2003 based domain controllers. Active Directory presents domain information in a hierarchical, object-based format and protects network data from unauthorized access. It replicates directory data across a network so that data remains available if one domain controller fails.

Active Directory Clients

Active Directory supports clients running Windows XP Professional, Windows 2000, Windows NT, and Windows 9x. These computers can have access to shared resources within a domain to the extent allowed by the security on the resources. However, a computer that runs Windows 98, Windows 95, or Windows NT 4.0 must have the Active Directory client software installed to search for information in Active Directory about the shared resources.

Active Directory Objects

In Active Directory, network resources such as users, groups, and computers are represented as objects. An object is a unique namespace within the directory with object-specific attributes that represents something concrete, such as a user, a printer, or an application. An Active Directory object is defined by a set of rules, or schema. When you create an Active Directory object, Active Directory generates values for some of the object's attributes, and you provide other values. For example, when creating a new user account, Active Directory automatically assigns a globally unique identifier (GUID) but requires the administrator to provide values, at least for the minimally required attributes such as the user name and the logon identifier.

Organizational Units

An Active Directory domain can contain an organizational unit hierarchy. Organizational units are containers to which you can delegate administrative authority over sets of objects. Organizational units can also be used to apply policies to users and computers. An organizational unit can contain Active Directory objects, such as users, groups, computers, printers, and shared folders, as well as other organizational units. Each domain can have its own hierarchy of organizational units that implements domain-specific administration.

An Active Directory organizational unit can represent a group of users, such as the marketing department, or a collection of related objects, such as printers. You can create a tree structure by nesting organizational units, objects, and containers in the same way that a Windows file system uses folders and files. Storing objects in an organizational unit allows an administrator to use Group Policy to apply restrictions to all users or all computers within that unit. Objects can still be stored in containers other than organizational units when such container-level policies are not required.

Global Catalog

Windows 2000 Server introduced the global catalog, which provides forest-wide Active Directory searches. Ordinarily, a domain controller stores objects for only one domain. A global catalog server is a special domain controller that stores complete objects for one domain and partial objects (every object, but only a limited set of each object's attributes) for every other domain in the forest. The global catalog is also required for user logon. There can be multiple global catalog servers in a forest.

The global catalog makes directory structures within an enterprise transparent to end users seeking information. In an enterprise that contains many domains, the global catalog allows clients to easily perform searches across all domains without having to search each domain separately.

Administration Tools

Administrators who have the required permissions can use the Windows Server 2003 Administration Tools Pack to remotely create Active Directory objects and perform other administration tasks from a Windows XP Professional client that meets the following criteria:

Warning 

You must have administrative permissions on the local computer to install or run Windows Server 2003 Administration Tools Pack. For security reasons, Windows Server 2003 Administration Tools Pack should be uninstalled if the Windows XP Professional computer is to be used by a non-administrator. In addition, you should be aware of specific security requirements for each tool.

The Administration Tools Pack is available as adminpak.msi on the Windows Server 2003 family operating system CDs. For more information about installing the Administration Tools Pack, see the Windows Server 2003 Help and Support Center.

Active Directory Security

A security identifier (SID) is a unique number created by the security subsystem of the Windows XP Professional, Windows 2000, Windows Server 2003 or Windows NT operating system and assigned to security principal objects such as user, group, and computer accounts. Every account on a network is issued a unique SID when that account is first created. For example, when you join a computer to a Windows 2000 or Windows Server 2003 domain, a SID is created for that computer account. Internal processes in the Windows XP Professional, Windows 2000, Windows Server 2003, and Windows NT operating systems refer to an account by its SID instead of its user name or group name.

Each object is protected by an access control list (ACL) that contains access control entries (ACEs) that specify the users or groups who are permitted access to that object and what these access rights are. An ACE is created for an object by assigning permissions. Each ACE contains the SID of a user or group who is allowed (or explicitly denied) access to that object. An ACE also defines the level of access allowed. For example, a user might have read-only access to some objects, read-and-write access to other objects, and no access to the remaining objects.

If you create an account, delete it, and then create a new account that has the same user name, the new account does not have the rights or permissions previously granted to the old account because the accounts have different SIDs. For more information about planning and implementing access permissions, see Authorization and Access Control in this book.
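The following is an added example, not code from the Resource Kit, that models the behaviour described above: a security subsystem that issues a fresh SID for every account it creates, ACEs that carry a SID rather than a name, and an access check that therefore gives a recreated "alice" none of the old account's permissions. The domain identifier, RID counter, and right bits are constructed for illustration; the check treats an explicit deny ACE as overriding any allow, as Windows does for a canonically ordered ACL.

```python
# Added example (not from the Resource Kit): how ACLs refer to accounts by SID.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # constructed access-right bits


@dataclass
class Account:
    name: str
    sid: str


@dataclass
class Ace:
    sid: str          # the SID, never the name, is what the ACE stores
    rights: int
    allow: bool = True  # False = explicit deny


class SecuritySubsystem:
    """Issues SIDs: a fixed domain identifier plus a RID that is never reused."""

    def __init__(self, domain_sid="S-1-5-21-111-222-333"):  # constructed value
        self.domain_sid = domain_sid
        self.next_rid = 1000
        self.accounts = {}

    def create(self, name):
        self.next_rid += 1  # deleted RIDs are not recycled
        acct = Account(name, f"{self.domain_sid}-{self.next_rid}")
        self.accounts[name] = acct
        return acct

    def delete(self, name):
        del self.accounts[name]


def access_check(acl, account, requested):
    """Explicit deny ACEs win; otherwise every allow ACE for this SID contributes rights."""
    granted = 0
    for ace in acl:
        if ace.sid != account.sid:
            continue
        if not ace.allow and ace.rights & requested:
            return False
        if ace.allow:
            granted |= ace.rights
    return granted & requested == requested


def recreated_account_loses_access():
    """Grant alice READ|WRITE, delete her, recreate the name: the ACE no longer matches."""
    lsa = SecuritySubsystem()
    old = lsa.create("alice")
    acl = [Ace(old.sid, READ | WRITE)]   # assigning permissions creates an ACE with the SID
    before = access_check(acl, old, READ)
    lsa.delete("alice")
    new = lsa.create("alice")            # same user name, different SID
    after = access_check(acl, new, READ)
    return before, after, old.sid != new.sid
```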

DNS and Active Directory Domains

Domain Name System (DNS) is required for support of Active Directory for the following reasons:

Active Directory can also benefit DNS. DNS zone information can be copied to Active Directory domain controllers to enhance zone replication and provide security.

To implement Active Directory, one or more DNS servers must be available to the Windows 2000 or Windows Server 2003 domain, and the DNS client service must be configured at each member computer. This can be done automatically through DHCP.

Active Directory domains are named with DNS names. The DNS hierarchical naming structure is an inverted tree structure, or a single-root domain, under which parent and child domains can be nested. For example, a name such as seattle.noam.reskit.com in a Windows 2000 domain identifies a specific computer in a domain named noam, which is a child domain of the domain reskit. The com domain is a top-level domain on the Internet by which reskit.com and any of its child domains might be located.

Each computer in a DNS domain is identified by a unique, fully qualified domain name (FQDN). The FQDN of a computer located in the domain noam.reskit.com is computername.noam.reskit.com. Figure 20-3 illustrates a Windows 2000 domain that uses the DNS hierarchical naming structure.
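As an added example (not from the Resource Kit), the code below builds the inverted tree the text describes from a handful of FQDNs and walks a computer's ancestor domains. The names are the chapter's reskit.com examples plus constructed hosts; a node with children is treated as a domain and a leaf as a computer, which is the distinction the chapter draws between the two kinds of DNS node.

```python
# Added example (not from the Resource Kit): the DNS inverted tree behind AD domain names.

# Constructed sample: two computers in noam.reskit.com and one in reskit.com.
HOSTS = ["seattle.noam.reskit.com", "dc1.noam.reskit.com", "www.reskit.com"]


def ancestors(fqdn):
    """Domains above a name, innermost first.

    'seattle.noam.reskit.com' -> ['noam.reskit.com', 'reskit.com', 'com']
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def build_tree(fqdns):
    """Map every node to the set of its children; '' is the single root above 'com'."""
    tree = {"": set()}
    for fqdn in fqdns:
        chain = [fqdn.lower().rstrip(".")] + ancestors(fqdn)
        for child, parent in zip(chain, chain[1:] + [""]):
            tree.setdefault(parent, set()).add(child)
            tree.setdefault(child, set())
    return tree


def classify(fqdns):
    """Return (domains, computers): nodes with children versus leaf nodes."""
    tree = build_tree(fqdns)
    domains = sorted(n for n, kids in tree.items() if n and kids)
    computers = sorted(n for n, kids in tree.items() if not kids)
    return domains, computers


def in_domain(fqdn, domain):
    """True when the computer's FQDN places it in domain or one of its children."""
    return domain.lower() in ancestors(fqdn)
```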

Figure 20-3: Windows 2000 domain hierarchy

Every Windows 2000 (or Windows Server 2003) domain and every Windows XP Professional based computer has a DNS name. Thus, domains and computers are represented both as Active Directory objects and as DNS nodes (a node in the DNS hierarchy represents a domain or a computer). When you add a computer to a Windows 2000 or Windows Server 2003 domain, you need to specify the FQDN, consisting of the computer name and domain name. This information is provided when you add the computer account to the domain during or after initial Windows XP Professional Setup. For more information about adding Windows XP Professional based clients to a Windows 2000 or Windows Server 2003 domain, see Joining the Network Environment later in this chapter.

Although the two namespaces can share an identical domain structure, it is important to understand that they are not the same namespace. Each stores different data and therefore manages different objects. DNS stores zones and resource records, and Active Directory stores domains and domain objects.

Note 

Not every client needs to be visible to the Internet and not every company that wants to implement Active Directory needs to be on the Internet.

For more information about configuring the DNS client, see Configuring IP Addressing and Name Resolution in this book. For more conceptual information about DNS and the Windows 2000 DNS service, see Introduction to DNS and Windows 2000 DNS in the Microsoft Windows 2000 Server TCP/IP Core Networking Guide.

Windows NT 4.0 Compatibility

In addition to being able to use Active Directory domain controllers, Windows XP Professional based computers can access domain controllers used in Windows NT 4.0 domains. Like Active Directory, the Windows NT 4.0 account database includes the following two types of accounts in its domain environment:

Shared resources defined within the domain are associated with accounts by using ACEs, which determine the permissions to domain resources such as shared files and printers. A Windows XP Professional based computer can access objects stored in a Windows NT account database without modification.

Typically, a Windows XP Professional based computer uses Kerberos V5 authentication to find a Windows 2000 based or Windows Server 2003 based domain controller. A Windows XP Professional based computer that is authenticating against a Windows NT 4.0 domain controller uses NTLM as its security protocol. For information about Kerberos V5 authentication, see Account Authentication later in this chapter.




Microsoft Windows XP Professional Resource Kit 2003