MCSE NT Workstation 4.0 Study Guide

Chapter 11
Workgroups and Domains
Joining a Workgroup
Joining a Domain
Windows NT Servers
Domain Models
Browsing Microsoft Networks
Configuring Browsers
Exercise 11-6 Changing the Workstation's Preferred Master Browser Status
Exercise 11-7 Configuring the Workstation's Browser Status
The Browsing Process
Browser Elections
Browser Communications
Certification Summary
Two-Minute Drill
Self Test
In this chapter, we explore workgroup and domain environments in more detail than we covered in Chapter 1. A common mistake when taking the Windows NT Workstation certification exam is to assume you don't need to know much about domains, figuring that they'll be covered in the Windows NT Server exams. But workgroup and domain environments figure prominently in networking and security for Windows NT Workstation as well. To pass the Workstation exam, you must have a good understanding of domains. Related to workgroups and domains is browsing, the process computers use to find each other on the network. The whole purpose of workgroups lies in their ability to browse together, and that feature is no less important in the domain environment.

Workgroups and Domains

Every Windows NT Workstation computer must belong to either a workgroup or a domain; if you're not joining a domain, you must belong to a workgroup. A workgroup is simply a set of one or more computers that specify the same workgroup name in their network identification configuration. The first computer to specify a workgroup name "creates" that workgroup.

In practical terms, workgroups do very little for you. Every Windows NT Workstation computer in your organization could belong to a different workgroup, and your security setup would be the same as if they were all in the same workgroup: workgroup membership grants no rights and shares no accounts. Where workgroups do make a difference is in network browsing, or finding other computers on the network. Computers participating in a workgroup (or a domain) delegate the job of keeping track of the names of other computers on the network to a few systems, reducing the load on systems that don't need to browse. We cover browsing in detail in the last section of this chapter.

Workgroups are typically used in small offices with only a few computers that need only peer-to-peer networking. Someone must be responsible for setting up user accounts and security on each workstation.
If a user must change a password, for example, the change must be made on each workstation. You can see why this arrangement is impractical for larger networks.

A Windows NT domain is like a workgroup that shares a common account database, and it provides other features we'll discuss shortly. Basically, a domain is an area of authority. For Windows NT 4.0, the domain lives in the Windows networking (NetBIOS) namespace. Where Windows NT really shines is in the domain environment. Domains are more formal than workgroups and require planning; for example, a Windows NT Server computer must be installed as a Primary Domain Controller to create a domain. Domains are typically larger than workgroups and offer a much wider range of services.

Now that the Internet is so popular, you may be familiar with another usage of the word domain. An Internet domain like "microsoft.com" is in the Internet (DNS) domain namespace, and tells you that systems within it, like "www.microsoft.com", belong to that domain. The Internet meaning and the Windows NT meaning are entirely different; for Windows NT 4.0 usage, you can ignore the Internet meaning. The two usages will blur once Windows NT 5.0 is released with its DNS-based Active Directory, but we'll have a new book for that.

The same username and password may be used on any system participating in a particular domain. While a user can be restricted to as many as eight named workstations, by default he may log on anywhere in the domain. This is in stark contrast to the separate username and password required on each workstation under the workgroup model. The administrator has the option of setting up a roaming profile for each user, which gives the user the same desktop environment on any workstation he logs on to. In practical terms, a roaming profile is only useful if the computers are similarly configured. What good is a user's desktop shortcut to Microsoft Outlook on a computer that doesn't have it installed, or has it installed in a different location?
The "master copy" of a roaming profile is stored on a server. Each workstation the user logs on to has the profile copied down to it, and the copies are synchronized at every logon and logoff. Since a profile contains a user's personal folders as well as temporary Internet files, it can become quite large.

Another option for user accounts in a domain is a home directory, which gives the user an accessible place to store files from anywhere in the domain. Some applications use the home directory as the default location to open or save files. The home directory is usually bound to a directory under a share on a server. If you wish to use this feature, you'll probably also be in the market for a third-party disk quota package, since neither Windows NT Workstation nor Windows NT Server provides any disk quota management.

A user in one domain can also be authenticated to another domain by establishing trust relationships. When one domain trusts another, the users and groups of the trusted domain become available to the trusting domain. If both domains trust each other, they have a two-way trust relationship. Trusts in Windows NT 4.0 are not transitive: a domain that trusts a second domain does not thereby trust the domains that the second one trusts. We'll go further into trust relationships in the Domain Models section.

A user logging on to his usual workstation can still log on if all the domain controllers are down, because the workstation authenticates him with credentials cached from his last successful logon. Of course, logon scripts, roaming profiles, and any file and printer shares or other services on those servers would be unavailable. Keep in mind that the cached credentials live on the workstation, so a password change or account disablement made at the PDC does not take effect on a disconnected workstation until it can reach a domain controller again.

All account information is kept on the domain controllers, so there is only one place to maintain accounts for all the users in the domain. This is what allows a few administrators to manage a large number of user accounts and workstations: any additions or modifications are made only once. Centralized administration doesn't mean you have to be sitting at a domain controller to perform administration tasks, however.
Any system that has domain administration tools such as Server Manager or User Manager for Domains installed can view or modify (given the appropriate user rights) the same domain information. These client-based network administration tools for Windows NT Workstation and Windows 95 are found on the Windows NT Server CD.

By joining a domain, a computer can view and use domain user accounts and global groups just as if they were in its own local account database. Any computer within a domain can use the domain user accounts and global groups to grant or restrict access to systems and resources. For example, a Windows NT Workstation computer in a domain can allow access to a shared printer on that workstation to members of a global group called Sales defined in the domain. This frees users from having to add local accounts and passwords, or from having to keep track of which users are in the Sales group at a given time.

Centralized Control of Resources

A domain administrator can control resources on any system within the domain. The Domain Admins global group is added automatically to the local Administrators group on every Windows NT system that joins the domain, which gives domain administrators administrative access to every computer in the domain. The same mechanism means that anyone who obtains a Domain Admins account controls every member workstation, so membership in that group deserves careful control. Centralized security also provides centralized access control to the domain resources. Products such as Microsoft Systems Management Server extend the ability of an administrator to manage and troubleshoot the systems and resources within the domain.

Joining a Workgroup

As I mentioned in the workgroup discussion, all that's required to create or join a workgroup is to name it in your network configuration. Just about every site where the setup of computers isn't centralized has several computers that are members of the workgroup called Workgroup, because that's the default in the dialog box at setup time. Most people either don't know what a workgroup is, or can't think of a better name.
At my site, browsing Workgroup currently shows 58 systems! If this were a real workgroup, so many systems would make it unmanageable.

Exercise 11-1 Configuring Your Workstation to Join a Workgroup

Figure 11-1: Joining a Workgroup.

Joining a Domain

In order for a Windows NT Workstation computer to join a domain, a computer account for it must first be created in the domain. While other Windows systems, like Windows 95, may participate at some level in a domain, they can't be full members, and no computer account needs to be created for them in the domain. We often still refer to non-Windows NT systems as domain members, even though their role is more cooperation than integration, and they can't take advantage of all the domain features.

Exercise 11-2 Configuring Your Workstation to Join a Domain

This is similar to Exercise 11-1, except now we need a domain to join.
If your workstation hasn't been added to the domain with Server Manager, you'll need to check the box labeled Create a Computer Account in the Domain, and enter a domain administrator's username and password in the appropriate dialog boxes. Those credentials are used once, to create the computer account; they are not stored on the workstation.

Figure 11-2: Joining a Domain

Exercise 11-3 Creating a Domain User Account from the Primary Domain Controller

Figure 11-3: Naming a new user account.

If you've successfully completed Exercises 11-2 and 11-3, you're ready to log on to the domain from the workstation.
You're now logged on to the workstation as a domain user. If you didn't assign an existing profile when you created the account, you'll get a new default profile. Even if you have the same username on the workstation and in the domain, the domain account is considered a separate user on the workstation, and the workstation keeps a separate profile for it.

Windows NT Servers

Windows NT Server computers may have any one of three roles in a domain: Primary Domain Controller, Backup Domain Controller, and Member Server.

The Primary Domain Controller (PDC) must be installed in order to create a domain. The PDC is the heart (or brain, if you prefer) of a domain. All account creation and maintenance is performed on the PDC, though User Manager for Domains may be run from another system. Logon scripts are typically created and maintained on the PDC as well. In smaller domains, it might also serve most of the resources in the domain, and it could be the only Windows NT Server system present.

One or more Windows NT Servers may be installed as Backup Domain Controllers (BDCs) after a domain has been created. The entire account database is mirrored on each BDC, and the PDC pushes changes to the BDCs within five minutes by default. If your PDC becomes unavailable, you may promote a BDC to be the PDC, which allows you to make account changes while your primary server is down. A BDC isn't automatically promoted to PDC when the PDC becomes unavailable. This is in contrast to the PDC's role as Master Browser, where a new Master Browser is elected automatically, as discussed later. In addition to keeping another copy of critical account information, each BDC acts as another logon server: the account database on a BDC may authenticate user logons in the domain, as well as serve logon scripts. Adding a BDC is useful in spreading the logon load among more domain controllers. Because every BDC holds a full copy of the account database, a BDC needs to be protected as carefully as the PDC. To keep the PDC and BDC logon scripts synchronized, the servers usually have the Directory Replicator service installed.
Typically, a shared export directory holds the updated logon scripts and files, which are then replicated on a regular basis to the import directories of all the domain controllers. Remember that the user accounts database is automatically kept synchronized as part of Windows NT domain handling; only the logon script directory tree requires replication setup.

A Member Server is any Windows NT Server computer in a domain that is not acting as a domain controller. Its participation in the domain is almost identical to that of a system running Windows NT Workstation. Member Servers are typically used as resource-intensive servers, running applications such as Microsoft SQL Server. If a stand-alone server is being set up, it's best to make it part of a workgroup instead of yielding to the temptation to create a domain with it. That's a common mistake, and it makes the process of moving the server later to a specific domain much more painful: while a workgroup server may join a domain at any time and become a member server, a PDC or BDC requires a reinstall of Windows NT Server to join another domain. You may also move a member server from one domain to another if the need arises.

Domain Models

As the number of users and computers in a single domain grows, it may become too complex to be handled as a single domain. Also, you may wish to distribute into smaller groups tasks which it was once advantageous to centralize: administration, security, or control of resources. The four domain models (single domain, complete trust, master domain, and multiple master domain) represent various stages of growth and decentralization. In the Single User Logon section, we briefly described trust relationships. Understanding three of the models requires an understanding of trust relationships. Basically, in a trust relationship one domain trusts the authentication done by another domain.
For example, if a domain called Nashville trusts a domain called Memphis, then a Memphis user could log on to a workstation in the Nashville domain using his Memphis domain authentication. Unless Memphis trusts Nashville as well, the reverse (a Nashville user logging on to a computer in the Memphis domain) is not possible. In representing trust relationships, we typically use arrows. The arrowhead points to the domain being trusted; a two-headed arrow represents a two-way trust relationship. If you always remember that a domain only knows about users in its own account database and those in the domains to which it points, trust relationships won't give you any trouble. Using our Nashville-trusts-Memphis example, the arrow points from Nashville to Memphis, like so:

Nashville -> Memphis

The single domain model is the one we've been describing so far: it has a PDC and zero or more BDCs, along with whatever workstations it contains. It is the basis for the other models, and it is the most centralized domain model.

When two or more domains want to start sharing their accounts and resources with each other, you set up two-way trust relationships between each pair of them. Figure 11-4 illustrates complete trust relationships among four domains. These relationships are set up when, for example, departments of a company have been using separate domains and decide they need to share resources with each other. Each department keeps control of its own accounts and resources, but makes them available, as it wishes, to the other domains. Because each pair of domains needs its own two-way trust, this quickly becomes unwieldy with more than a handful of domains: four domains need six two-way trusts (twelve one-way trusts), and every one of them is a separate relationship to create and audit. Complete trust is the most decentralized domain model.

Figure 11-4: A complete trust relationship among four domains.

The master domain model is most popular in large organizations that wish to keep centralized account maintenance but utilize distributed resources. Figure 11-5 illustrates such a relationship, with Memphis as the master domain.
The master domain contains all of the user accounts for the entire organization. Resource domains are created which trust the master domain, and they offer file, print, or application services to the master domain's users. The PDC in the master domain acts as the central account administration point for the entire organization. There are usually several BDCs in the master domain for an organization of considerable size, while the resource domains may be small or large. Because the trust is one-way, accounts in a resource domain are not usable in the master domain or in the other resource domains.

Figure 11-5: Nashville, Knoxville and Chattanooga trust Memphis.

If an organization using the master domain model becomes so large that it must break up the users into more than one domain, it may use a multiple master domain model. Another good candidate for multiple master domains is a geographically diverse organization with slow network links between sites: the occasional user from one site can authenticate from his own site when visiting. In Figure 11-6, Memphis and Nashville are both master domains; Knoxville and Chattanooga are resource domains. In the multiple master domain model, the master domains establish two-way trust relationships with each other, while each resource domain has a one-way trust with each of the master domains. Now there are multiple account maintenance points, and tasks such as group membership assignments must be duplicated manually on all master domains to keep them consistent.

Figure 11-6: Memphis and Nashville are both master domains.

While the Workstation exam doesn't emphasize domain models, a basic understanding of them adds to your understanding of domains. Let's take a moment for a quick question and answer session on workgroups and domains.

Q: "My home office business uses three Windows NT Workstation computers..."
A: Use a common workgroup.

Q: "I'm setting up a SQL Server on a new Windows NT Server in an existing domain..."
A: Install the Windows NT Server as a member server, then install SQL Server on it.

Q: "I commonly work on two different domains.
How do I set up my Windows NT Workstation for both?"
A: If at all possible, a trust relationship should be set up. If one domain trusts the other, put your workstation in the trusted domain. If you have a two-way trust, add it to the domain you use most. A computer can't be a member of multiple domains.

Q: "I'm in a domain, but would like to share the printer attached to my workstation with others..."
A: Set up a share with permissions for a local group, to which you've added the domain users or global groups you want to allow to print there.

Q: "I want to log on to the domain but still have administrative access to my Windows NT Workstation..."
A: Log on to your workstation as a local administrator and add your domain account to the local Administrators group.

Q: "I don't want my Windows NT Workstation to be in a workgroup or domain..."
A: You have to be in one or the other. You may choose a workgroup name not in use.

Q: "I have trouble with users keeping their Windows 95 and domain passwords synchronized..."
A: If feasible, migrate to Windows NT Workstation. Then you'll only need one password.

Browsing Microsoft Networks

No one would bother to install a network if they didn't need to communicate with other systems, and in order to communicate with other systems, you first have to be able to locate them. A network browser keeps a list of the domains, workgroups, computers, and other shared resources it sees on the network. This list is often called the browse list. When you explore the Network Neighborhood, a browser provides the information you see. Note that the browse list is only a directory of what has announced itself: seeing a resource in it does not mean you have permission to use it, and a resource that is absent from the list can still be reached by name.

It's important at this point to distinguish between a computer such as a Windows 95 or Windows NT Workstation system running a server service, and a system running Windows NT Server. Any system capable of sharing resources like printers or file shares is running a server service, and is part of the browse list. When discussing browsing, we always use the term server to mean the server service, and not a Windows NT Server, unless that is specifically mentioned.
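Before moving on to browsing, here is an added example (not part of the study guide) that puts the trust rule from the Domain Models section into code, using the Memphis, Nashville, Knoxville and Chattanooga domains from the figures. The one-way, non-transitive logon check is the rule Windows NT 4.0 actually applies; the builders for the complete trust, master domain and multiple master domain models, and the function names, are assumptions introduced for this illustration and encode the trust arrows exactly as the figures draw them.

```python
"""Model Windows NT 4.0 trust relationships and the domain models built from them.

An NT 4.0 trust is one-way and non-transitive. A user whose account is in
domain U can log on to a computer that is a member of domain W only when
W is U itself, or when W trusts U directly. The builders below produce the
trust sets for the complete trust, master domain and multiple master domain
models; the city names are the study guide's example domains.
"""
from __future__ import annotations

from itertools import permutations

# A trust is stored as (trusting_domain, trusted_domain). In the arrow
# notation used in the text, the arrow runs from the first to the second.
Trust = tuple[str, str]


def can_log_on(user_domain: str, workstation_domain: str, trusts: set[Trust]) -> bool:
    """True if an account from user_domain may log on in workstation_domain.

    Only a direct trust counts. There is deliberately no search along chains
    of trusts, because NT 4.0 never follows them.
    """
    if user_domain == workstation_domain:
        return True
    return (workstation_domain, user_domain) in trusts


def complete_trust(domains: list[str]) -> set[Trust]:
    """Every domain trusts every other domain (a two-way trust for each pair)."""
    return {(trusting, trusted) for trusting, trusted in permutations(domains, 2)}


def master_domain(master: str, resource_domains: list[str]) -> set[Trust]:
    """Each resource domain trusts the master; the master trusts nobody."""
    return {(resource, master) for resource in resource_domains}


def multiple_master(masters: list[str], resource_domains: list[str]) -> set[Trust]:
    """Masters trust each other both ways; every resource domain trusts every master."""
    trusts = complete_trust(masters)
    for master in masters:
        trusts |= master_domain(master, resource_domains)
    return trusts


def one_way_trust_count(trusts: set[Trust]) -> int:
    """Number of individual trust relationships an administrator must create and audit."""
    return len(trusts)


def logon_matrix(domains: list[str], trusts: set[Trust]) -> dict[tuple[str, str], bool]:
    """Map (user_domain, workstation_domain) to whether that logon can succeed."""
    return {(u, w): can_log_on(u, w, trusts) for u in domains for w in domains}


if __name__ == "__main__":
    cities = ["Memphis", "Nashville", "Knoxville", "Chattanooga"]
    master = master_domain("Memphis", cities[1:])
    # Adding a Memphis -> Nashville trust does not let Nashville accounts into
    # Knoxville: Knoxville trusts Memphis only, and trusts are not transitive.
    chained = master | {("Memphis", "Nashville")}
    print("Nashville user on a Knoxville workstation:",
          can_log_on("Nashville", "Knoxville", chained))
    for label, model in [("complete trust", complete_trust(cities)),
                         ("master domain", master),
                         ("multiple master", multiple_master(cities[:2], cities[2:]))]:
        print(f"{label}: {one_way_trust_count(model)} one-way trusts")
```

The trust count is the number a domain administrator has to keep track of: with four departments, complete trust already means twelve one-way relationships, each of which has to be created, documented and reviewed, while the master domain model needs three. The logon matrix is a quick way to check that a proposed set of trusts really allows only the logons you intend.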
Exercise 11-5 Browsing the Network

If you've done much work with computers on networks, you've probably browsed the network many times without knowing all the work that goes on behind the scenes. This exercise is just a quick tour of the neighborhood for those of you who aren't familiar with the territory.
A computer on the network can have one of several browser roles, and the role it plays can change as nodes come and go. Although it's easier to imagine one role per computer, a single computer may in fact have multiple roles if it is using multiple network protocols: a system may be a Potential Browser with TCP/IP and a Backup Browser with IPX, for example. Browser roles are only meaningful within a particular protocol, so we'll discuss each role as if we were running only one protocol.

The Master Browser keeps the browse list for all the systems in its workgroup or domain. The list it is responsible for includes all the server resources inside its workgroup or domain, and a list of the other workgroups and domains about which it has information. In a domain, the PDC is always the Master Browser on its own subnetwork. If you have a TCP/IP network with routers, there is a Master Browser on each subnetwork for each domain that spans subnetworks. Workgroups cannot browse across subnetworks, because a workgroup has nothing like the Domain Master Browser to combine the per-subnetwork lists.

The Backup Browser is to the Master Browser much as the BDC is to the PDC. It receives the updated browse list from the Master Browser, and can distribute it on request to other systems in the workgroup or domain. It refreshes its copy of the list from the Master Browser every 15 minutes. The number of Backup Browsers you have depends on the number of systems in the workgroup or domain.

Any system that is capable of browsing but isn't currently doing so is a Potential Browser. Computers running Windows NT 3.1 or later, Windows for Workgroups 3.11, or Windows 9x can be browsers. In a later section, we'll cover what determines which computers are actually elected to the position.

I mentioned already that, in a domain that spans subnetworks, there is a Master Browser on each subnetwork. The Domain Master Browser is responsible for keeping track of all the Master Browsers, and keeps a master list of domain resources for them. The PDC is always the Domain Master Browser for its domain.
A system can be designated as a Preferred Master Browser, which gives it preference over similarly configured systems to become a Master Browser. A system that could browse can be designated as a Non-Browser, which totally eliminates it from selection as a Master or Backup Browser.

Configuring Browsers

You can influence some of the factors used to determine browsing status for a computer. We've already mentioned Preferred Master Browser and Non-Browser; now let's discuss how to configure a Windows NT Workstation for one of these roles.

There is a Registry setting, IsDomainMaster, which is false by default. If you wish to give a computer preference to become the Master Browser, change this value to true. It gives the computer a slightly higher vote over others of its class in browser elections. The Preferred Master setting isn't sufficient for a Windows NT Server to be elected over the PDC. See Exercise 11-6 for Registry details.

Exercise 11-6 Changing the Workstation's Preferred Master Browser Status

Both this exercise and Exercise 11-7 require modifying your computer's Registry. There is no user interface for these options other than the Registry editor. You should exercise extreme caution when editing your Registry, as mistakes can be fatal to your system, and Microsoft won't lift a finger to help if you were playing with the Registry. Now that you've been warned, let's go edit the Registry!
Figure 11-7: Changing parameters with the Registry Editor.

Registry entries are typically listed with their full path, just as if they were folders. We just edited HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster and changed its value.

There is another Registry setting in the same key, MaintainServerList, which is "Auto" by default on Windows NT Workstation and "Yes" by default on Windows NT Server. If you change the value to "No", the computer will never be a browser. See Exercise 11-7 for Registry details. The Auto setting lets the Master Browser tell the system whether or not it needs to become a Backup Browser. The Master Browser determines the number of Backup Browsers it needs, based on the size of the workgroup or domain; if there aren't enough existing browsers, one of the systems with the Auto setting is told to become a Backup Browser.

Exercise 11-7 Configuring the Workstation's Browser Status

The Browsing Process

Browsing is somewhat more organized than the name might imply. "Designated listener" would probably be a more descriptive term than Master Browser, but it's called browsing, for better or worse. The basic elements of the browsing process are:
Browser Elections

Browser elections are often viewed as things of great mystery; heads nod knowingly when you speak of browsing trouble and browser elections. Actually, understanding which browser wins an election is not that complicated. But the cause of an election can be difficult to determine if you're having network connectivity problems.

A browser election occurs when a system sends out an election datagram, a broadcast packet that includes that system's election criteria. All browsers receive the datagram. A system whose own criteria beat the criteria it receives sends out its own datagram, and enters an election-in-progress state. It's similar to the bid process at an auction, but you can only bid a predetermined amount. If the bidding has already passed what you can "afford", you keep silent and listen to see who wins. To speed up the election process, each bid is made after a delay, with likely winners having a shorter delay. This usually means that systems unlikely to win the election remain silent during the process. Because the election datagram is an unauthenticated broadcast, any machine on the subnetwork can start an election at will, and a station that asserts better criteria than everyone else can make itself Master Browser, and with it the source of the browse list its neighbors see. A system should send out an election datagram when any one of the following happen:
The major determining factor of who wins a browser election is the operating system: Windows NT Server beats Windows NT Workstation, which beats Windows 95 or Windows for Workgroups. Since Windows NT makes a much better browser than the other Windows systems, you can improve browsing in a workgroup of other Windows operating systems by adding a couple of Windows NT Workstations to the mix; they'll automatically end up as the browsers for the workgroup. Later versions of operating systems get preference over earlier versions. There are certain other "version bonuses" which are given. Here they are in order of importance:
The bonuses are cumulative, so a system using WINS with Preferred Master Browser set and MaintainServerList set to Auto beats a system using WINS without Preferred Master Browser set and with MaintainServerList set to Yes. If all the previous criteria match, the system that has been browsing the longest wins. This is more likely to be the tiebreaker in a workgroup, where all systems have the same operating system and default settings. In the unlikely event that the browsers have also been running the same length of time, the final tiebreaker is the node name: the node that comes first alphabetically wins. At this point one system has no advantage over the other, so an arbitrary choice based on node name is as good as any other method.

Browser Communications

We've seen how the browsing process and browser elections work. There are just a few more items worth mentioning before we conclude our discussion of browsing.

In the section on the browsing process, we briefly described routine browser communications. A server announces itself every 1 to 12 minutes: a newly started server announces at intervals of 1, 2, 4, 8, and 12 minutes, and once 12 minutes is reached that remains the interval between subsequent announcements. The Master Browser listens to these announcements and maintains the list.

If you can see Microsoft Networking workgroups and domains but are having trouble browsing IPX servers, the trouble is often the frame type on the Master Browser. This is a problem especially when you select the default auto-detection of frame types and someone adds a system using a frame type that auto-detection prefers over the one you were using. For example, if you're using Ethernet II as the frame type on your servers, and someone adds a node using 802.2 frames, communications and browsing will be disrupted the next time networking is started on a system and it is elected Master Browser, because auto-detection prefers 802.2.
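The election comparison from the Browser Elections section, as an added example that is not from the study guide. The ordering (operating system class, then version, then the cumulative bonuses, then time spent browsing, then the alphabetically first name) is the one the text gives; the numeric weights, the candidate field names and the computer names are assumptions introduced for this illustration, chosen so that every higher-ranked factor outweighs any combination of the factors below it.

```python
"""Decide a browser election as the Browser Elections section describes it.

Candidates are compared in this order: operating system class, then
operating system (browser) version, then the cumulative per-version
bonuses, then time spent browsing, then the lexically lowest computer
name. The numeric weights are assumptions modelled on the criteria field
Microsoft documents for the election datagram, chosen so that every
higher-ranked factor outweighs any combination of the factors below it.
"""
from __future__ import annotations

from dataclasses import dataclass

# Operating system class is the dominant factor: Windows NT Server beats
# Windows NT Workstation, which beats Windows 95 / Windows for Workgroups.
OS_CLASS = {
    "nt_server": 0x20000000,
    "nt_workstation": 0x10000000,
    "win9x_wfw": 0x01000000,
}

# Per-version bonuses in descending order of importance. They are bit flags,
# so they are cumulative, and a higher flag beats any combination of lower ones.
BONUS = {
    "pdc": 0x80,               # the Primary Domain Controller
    "wins": 0x20,              # system uses WINS
    "preferred_master": 0x08,  # IsDomainMaster = true
    "running_master": 0x04,    # currently the Master Browser
    "maintain_yes": 0x02,      # MaintainServerList = Yes (set from the field below)
    "running_backup": 0x01,    # currently a Backup Browser
}


@dataclass(frozen=True)
class Candidate:
    name: str
    os_class: str
    os_version: int = 0                  # larger means a later release
    bonuses: frozenset[str] = frozenset()
    browsing_seconds: int = 0            # how long it has already been a browser
    maintain_server_list: str = "Auto"   # "Auto", "Yes" or "No"

    def criteria(self) -> int:
        """Pack class, version and bonuses into one number; larger wins."""
        value = OS_CLASS[self.os_class] | ((self.os_version & 0xFFFF) << 8)
        for bonus in self.bonuses:
            value |= BONUS[bonus]
        if self.maintain_server_list == "Yes":
            value |= BONUS["maintain_yes"]
        return value


def beats(a: Candidate, b: Candidate) -> bool:
    """True if a wins against b: criteria, then browsing time, then name."""
    if a.criteria() != b.criteria():
        return a.criteria() > b.criteria()
    if a.browsing_seconds != b.browsing_seconds:
        return a.browsing_seconds > b.browsing_seconds
    return a.name.upper() < b.name.upper()


def elect(candidates: list[Candidate]) -> Candidate:
    """Return the Master Browser; MaintainServerList=No never takes part."""
    eligible = [c for c in candidates if c.maintain_server_list != "No"]
    if not eligible:
        raise ValueError("no eligible browser on this subnetwork")
    winner = eligible[0]
    for candidate in eligible[1:]:
        if beats(candidate, winner):
            winner = candidate
    return winner


if __name__ == "__main__":
    # The text's worked case: WINS + Preferred Master + Auto beats WINS + Yes.
    dallas = Candidate("DALLAS", "nt_workstation", bonuses=frozenset({"wins", "preferred_master"}))
    austin = Candidate("AUSTIN", "nt_workstation", bonuses=frozenset({"wins"}),
                       maintain_server_list="Yes")
    print(elect([austin, dallas]).name)   # DALLAS
    # A plain NT Workstation beats a fully decorated Windows 95 system.
    win95 = Candidate("ALPHA", "win9x_wfw", bonuses=frozenset({"wins", "running_master"}),
                      maintain_server_list="Yes", browsing_seconds=10**6)
    print(elect([win95, Candidate("ZULU", "nt_workstation")]).name)   # ZULU
```

Because the bonuses are bit flags, the comparison reproduces the text's claim that no amount of configuration on a Windows NT Server lets it beat the PDC, and that no Windows 95 system can beat a Windows NT Workstation. It also shows why the name tiebreaker almost never matters in a domain: two candidates have to be identical in every other respect first.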
If you want to tell which systems are your Master and Backup Browsers, there's a diagnostic utility in the Windows NT Server Resource Kit called Browser Monitor (BROWMON.EXE). It shows the Master Browser for each protocol, and double-clicking a Master Browser shows all the Backup Browsers, as well as the list of systems and domains they are maintaining.

If a server makes no announcement for three consecutive announcement intervals, the Master Browser removes the system from the list. If the system that crashes is the Master Browser, we've already seen that the first system to notice it's gone forces a new election. Backup Browsers get an updated list from the Master Browser every 15 minutes, an interval long enough to ensure that a complete announcement cycle has passed and been processed. Since it's the Backup Browsers that serve the lists to clients, there is some lag between the time a system actually disappears and the time it disappears from a client's browse list. The maximum time for a system to be removed from a client's browse list is 36 minutes (3 times 12 minutes) for the Master Browser to drop it, plus up to 15 minutes for the Backup Browser to get the updated list, for a total of 51 minutes. The lag works in the other direction as well: a newly started server is not visible to every client until it has announced itself and the Backup Browsers have refetched the list, which is why a server can be reachable by name before it appears in Network Neighborhood.

The number of Backup Browsers depends on the size of the workgroup or domain. With one computer, there's just a Master Browser and no backups. With 2 to 31 computers, there is one Backup Browser. For each additional 32 computers in the workgroup or domain, another Backup Browser is added. If you're dealing with subnetworks, the rules apply to each subnetwork separately.

Certification Summary

Workgroups and domains are important Windows NT concepts to master. Workgroups do little more than determine the systems that participate in browsing together. Windows NT Workstations and Servers may participate in workgroups, as can Windows 95 and Windows for Workgroups 3.11. The only time a Windows NT Server can't enter and leave workgroups or domains is when it's a domain controller.
Domains are the cornerstone of Windows NT networking, and offer much more than just browsing groups. Single user logon and centralized administration, security, and control of resources are a domain's main features. A Windows NT Server may be a primary domain controller (PDC), a backup domain controller (BDC), or a member server. You must have a PDC to start a new domain.

Browsing allows computers on a network to find each other. A Master Browser listens to all the server announcements and maintains a list. This list is periodically retrieved by Backup Browsers, which in turn serve the information to non-browsers whenever requested. The primary determining factor of who is elected Master Browser is the operating system type. Other factors include the operating system version, certain Registry settings, other roles of the computer, and current browsing status. To pass the certification exam, you should have a thorough knowledge of workgroups and domains, and understand the role of browsing and the fundamentals of how it works.
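As a closing added example (not part of the study guide), the announcement, removal and refresh rules from the Browser Communications section run as a small simulation, so you can see where the 51-minute worst case and the Backup Browser counts come from. The timing constants and the sizing rule are the chapter's own; the event model, in which the first announcement goes out one minute after startup and each announcement carries the interval the server will use next, and the function names, are assumptions made for this illustration.

```python
"""Simulate browse list aging as the Browser Communications section describes it.

A server announces itself after 1, 2, 4, 8 and then every 12 minutes; the
Master Browser drops a server that has missed three announcement intervals;
Backup Browsers refetch the list every 15 minutes, and clients ask Backup
Browsers. The constants are the study guide's. The event model (first
announcement one minute after startup; each announcement carries the interval
the server will use next, so the Master Browser knows what "three intervals"
means) is an assumption made for this illustration.
"""
from __future__ import annotations

ANNOUNCE_SCHEDULE = (1, 2, 4, 8, 12)   # minutes; the last value repeats forever
MISSED_INTERVALS_BEFORE_REMOVAL = 3
BACKUP_REFRESH_MINUTES = 15


def announcement_interval(index: int) -> int:
    """Interval (minutes) preceding the announcement with this 0-based index."""
    return ANNOUNCE_SCHEDULE[min(index, len(ANNOUNCE_SCHEDULE) - 1)]


def announcement_times(count: int) -> list[int]:
    """Minutes after startup at which a server sends its first `count` announcements."""
    times, now = [], 0
    for index in range(count):
        now += announcement_interval(index)
        times.append(now)
    return times


def master_removal_time(last_announcement: int, advertised_interval: int) -> int:
    """When the Master Browser drops a server that went quiet after last_announcement."""
    return last_announcement + MISSED_INTERVALS_BEFORE_REMOVAL * advertised_interval


def client_notices_at(removal_time: float) -> int:
    """First Backup Browser refresh (at 0, 15, 30, ... minutes) on or after removal."""
    refresh = BACKUP_REFRESH_MINUTES
    return int(-(-removal_time // refresh)) * refresh   # ceiling to a multiple of 15


def worst_case_stale_minutes(interval: int = ANNOUNCE_SCHEDULE[-1]) -> int:
    """Upper bound on how long a dead server stays in a client's browse list."""
    return MISSED_INTERVALS_BEFORE_REMOVAL * interval + BACKUP_REFRESH_MINUTES


def backup_browser_count(computers: int) -> int:
    """Backup Browsers the Master Browser wants on one subnetwork of this size."""
    if computers < 2:
        return 0
    return 1 + computers // 32


def simulate_crash(announcements_sent: int) -> dict[str, int]:
    """A server crashes just after its n-th announcement; report when it vanishes."""
    times = announcement_times(announcements_sent)
    last = times[-1]
    # The interval the server advertised for its next announcement.
    interval = announcement_interval(announcements_sent)
    removed = master_removal_time(last, interval)
    noticed = client_notices_at(removed)
    return {"crashed_at": last, "master_removes_at": removed,
            "clients_notice_at": noticed, "stale_for": noticed - last}


if __name__ == "__main__":
    print("announcements at minutes", announcement_times(8))
    print("steady-state crash:", simulate_crash(5))
    print("worst case stale minutes:", worst_case_stale_minutes())
    for size in (1, 2, 31, 32, 64, 100):
        print(f"{size:4d} computers -> {backup_browser_count(size)} backup browser(s)")
```

The simulation makes the asymmetry visible: a server that dies during its short early intervals disappears from the Master Browser's list within minutes, whereas one that has reached the 12-minute interval lingers for over half an hour before the Master Browser gives up on it, and clients only learn about either at the next Backup Browser refresh. When a browse list looks stale during an incident, these timers are the first thing to check before suspecting the network.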