COMTECH JEN2


LABRADOR, JENLYN S.

BSCOEII-2

ENGR. ALLAN VERZO

Domain

A domain is a grouping of computers and users that eases administration of the computers and user accounts. Windows NT Advanced Server is required to create a domain. The Windows NT Advanced Servers (referred to as "servers") all share a common user account and security database, thus enabling each user to have a single account which is recognized on all servers in the domain. Security policies such as how long passwords remain valid are also held in common by all servers in a domain. Windows NT workstations can also be members of a domain; the benefit they derive is the ability to recognize user accounts that are created on the servers in the domain. Security policies on a workstation are always independent of the domain security policies, however.

Domain Controller

There is no single database that is shared by all servers in the domain. Instead, a single computer called the domain controller "owns" the master copy of the user account and security database. This master copy is then replicated (copied) to all other servers in the domain. When the domain controller is unavailable, no changes can be made to the domain's user account and security database. If necessary, any server may be promoted to be the domain controller at any time. This should not be done casually, because the server may not have the most recent changes that were made on the former domain controller. If the domain controller is active when you promote another server to be domain controller, there is less risk of losing changes, because the promoted server is first brought up to date with the current domain controller before taking over its role. Use Server Manager to choose the domain controller.

Domain controllers pull some security settings only from group policy objects linked to the root of the domain. Because domain controllers share the same account database for the domain, certain security settings must be set uniformly on all domain controllers. This ensures that the members of the domain have a consistent experience regardless of which domain controller they use to log on. Windows 2000 accomplishes this by allowing only certain settings in the group policy to be applied to domain controllers at the domain level. This group policy behavior is different for member servers and workstations.

The following settings are applied to domain controllers in Windows 2000 only when the group policy is linked to the Domain container:

All settings in Computer Configuration/Windows Settings/Security Settings/Account Policies (This includes all of the Account Lockout, Password, and Kerberos policies.)

The following three settings in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options:

Automatically log off users when logon time expires

Rename administrator account

Rename guest account

The following settings are applied to Windows Server 2003-based domain controllers only when the group policy is linked to the domain container. (The settings are located in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options.)

Accounts: Administrator account status

Accounts: Guest account status

Accounts: Rename administrator account

Accounts: Rename guest account

Network security: Force logoff when logon hours expire
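
The rule above can be turned into a review check: any of these settings placed in a group policy that is linked somewhere other than the domain container (for example the Domain Controllers OU) will not take effect on a domain controller. The following is an added example, not part of the original notes; the GPO names, the link inventory format, and the function name are assumptions made for illustration.

```python
# Added example: flags settings that a domain controller will not apply
# because the GPO carrying them is not linked to the domain container.
SEC = "Computer Configuration/Windows Settings/Security Settings"
ACCOUNT_POLICIES = SEC + "/Account Policies"
SECURITY_OPTIONS = SEC + "/Local Policies/Security Options"

# Security Options named on this page, keyed by domain controller version.
DOMAIN_ONLY_OPTIONS = {
    "Windows 2000": {
        "Automatically log off users when logon time expires",
        "Rename administrator account",
        "Rename guest account",
    },
    "Windows Server 2003": {
        "Accounts: Administrator account status",
        "Accounts: Guest account status",
        "Accounts: Rename administrator account",
        "Accounts: Rename guest account",
        "Network security: Force logoff when logon hours expire",
    },
}

def ignored_on_dc(gpo_links, dc_os):
    """Return (gpo, linked_to, setting) for each setting a DC will not apply."""
    domain_only = DOMAIN_ONLY_OPTIONS[dc_os]
    findings = []
    for link in gpo_links:
        if link["linked_to"] == "domain":
            continue  # domain-linked GPOs are where these settings take effect
        for path in link["settings"]:
            container, _, name = path.rpartition("/")
            # Account Policies are checked for both versions; the page lists
            # them under Windows 2000, and the same holds on Server 2003.
            if path.startswith(ACCOUNT_POLICIES + "/") or (
                    container == SECURITY_OPTIONS and name in domain_only):
                findings.append((link["gpo"], link["linked_to"], path))
    return findings

# Constructed inventory (hypothetical GPO names and link targets).
SAMPLE_LINKS = [
    {"gpo": "Baseline", "linked_to": "domain", "settings": [
        ACCOUNT_POLICIES + "/Password Policy/Maximum password age",
        SECURITY_OPTIONS + "/Accounts: Rename guest account"]},
    {"gpo": "DC Hardening", "linked_to": "OU=Domain Controllers", "settings": [
        ACCOUNT_POLICIES + "/Account Lockout Policy/Account lockout threshold",
        SECURITY_OPTIONS + "/Rename administrator account",
        SECURITY_OPTIONS + "/Accounts: Guest account status",
        SECURITY_OPTIONS + "/Audit: Shut down system immediately if unable to log security audits"]},
]
```

Each finding is a setting that should be moved to a GPO linked at the domain container if it is meant to govern domain controllers.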


Last updated: Feb 10, 2011
