NT Domains - HP NetStorage 6000 Manual

File sharing security

Under User Level security, each computer on the network is responsible for authenticating users before they are
allowed to access the resources on that computer. Once a user is authenticated on a computer, a session is
established with the user, so the user does not need to be authenticated again during that session. This
applies not only to users accessing machines directly (interactive logon), but also to users accessing resources on
remote servers (remote, or network, logon).

Interactive logon is a very common experience for most users. Every time a Windows NT computer boots, a user
must log on to the system before gaining access to any resource. The user is prompted to press Ctrl-Alt-Del and
then enter a name, password and NT Domain name at the console of the local computer. Once the user is
authenticated with these credentials, the user is allowed access to the resources of the computer.

Remote logon is not as obvious to most users. When a user attempts to access files on a remote computer (such
as through Network Neighborhood, or by mapping a network drive to a drive letter), the remote computer must
first authenticate the user before allowing access, even though the user has already logged on to the local system.
Unlike the interactive logon, remote logon usually occurs automatically, without user interaction. The local
computer will offer the account name and password from the interactive logon as credentials to log on to the
remote computer.

3.3.1 NT Domains

NT Domains provide the means of authenticating users on a network, for both interactive logon and
remote logon. In addition, NT Domains are used to group together and manage resources on a network. An
NT Domain is defined by one or more NT servers acting in the role of a Domain Controller. The NT Domain
must have one and only one server configured as the Primary Domain Controller (PDC). All other Domain
Controllers in the domain must be Backup Domain Controllers (BDC). All Domain Controllers store a current copy
of the Security Accounts Manager (SAM) database, and use this database to authenticate users. The domain
administrator manages the SAM database from the Primary Domain Controller. Backup Domain Controllers
maintain a read-only version of the SAM database, replicated from the PDC. The purpose of having multiple
Domain Controllers in a domain is redundancy and load balancing.

One important aspect of NT Domains is the concept of Trust relationships. One NT Domain may be configured
to "Trust" another NT Domain, so that the first domain trusts the members of the other domain. Trust relationships
are one way: Domain A can be configured to trust Domain B, but that does not make Domain B trust Domain A.
When Domain A trusts Domain B, the user accounts on Domain B are given access to resources on Domain A, just as
though the user accounts existed on Domain A.

The concept of the Trust allows the administration of the user accounts and the network resources to be distributed
among multiple NT Domains. One common architecture is to allocate all resources in one or more resource
domains and allocate all user accounts in one or more account domains. There is nothing special about these
domains other than how the administrator has used them to manage user and resource accounts. The domains
are then linked together by having the resource domains Trust the account domains.
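
The one-way trust and the resource/account domain layout described above can be checked mechanically. The following Python example is added here and is not taken from the HP manual; the domain names and the trust list are constructed sample data, and the check considers direct trusts only.

```python
# Added example: audit one-way NT trusts against the resource/account domain layout.
# Each pair is (trusting_domain, trusted_domain): accounts that live in the
# trusted domain are accepted for resources in the trusting domain.
# Constructed sample data; none of these names come from the manual.
TRUSTS = {
    ("RES-ENG", "ACCOUNTS"),
    ("RES-SALES", "ACCOUNTS"),
    ("RES-LAB", "ACCOUNTS"),
    ("ACCOUNTS", "RES-LAB"),    # stray reverse trust
    ("RES-SALES", "RES-ENG"),   # resource domain trusting another resource domain
}


def can_authenticate(account_domain, resource_domain, trusts):
    """True if accounts from account_domain are accepted in resource_domain.

    Assumption of this model: only a direct trust counts, and a trust is
    never read in the reverse direction.
    """
    if account_domain == resource_domain:
        return True
    return (resource_domain, account_domain) in trusts


def audit_master_model(trusts, account_domain, resource_domains):
    """List every way the trust set departs from 'resource domains trust the account domain'."""
    findings = []
    for res in sorted(resource_domains):
        if (res, account_domain) not in trusts:
            findings.append(f"{res} does not trust {account_domain}: "
                            "account-domain users cannot log on to its resources")
    for trusting, trusted in sorted(trusts):
        if trusting == account_domain:
            findings.append(f"{trusting} trusts {trusted}: "
                            f"{trusted} accounts are accepted in the account domain")
        elif trusted != account_domain:
            findings.append(f"{trusting} trusts {trusted}: "
                            f"accounts outside {account_domain} are accepted in {trusting}")
    return findings


if __name__ == "__main__":
    for line in audit_master_model(TRUSTS, "ACCOUNTS", {"RES-ENG", "RES-SALES", "RES-LAB"}):
        print(line)
```
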

A common architecture is to have one or more domains configured as resource domains, and one domain
configured as the account domain. All of the resource domains are then configured to trust the account domain.
In NT literature, this architecture is known as the Master Domain model. Figure 1 shows a diagram of the trust
relationships in the master domain model. Each circle in the diagram represents a different NT domain.
Domains X, Y and Z are configured as resource domains. Domain A is configured as an account domain. The
Copyright © 2000 Hewlett-Packard Company
Page 10 of 28
All Rights Reserved
