Chapter 19:
Introducing Domains (excerpt)
As you may
remember from page xx, Windows XP Pro was designed to thrive on two very
different kinds of network worlds: the workgroup
(an informal small or home office network) and the domain (a hard-core, security-conscious corporate network of
dozens, hundreds, or thousands of PCs). Depending on which kind of network your
PC belongs to, the procedures and even dialog boxes you experience are quite a
bit different.
Chapter 18
guides you through the process of setting up a workgroup network, but no single
chapter could describe setting up a corporate domain. That’s a job for Super
Geek, otherwise known as the network administrator—somebody who has studied the
complexities of corporate networking for years.
This chapter is
designed to help you learn to use a
corporate domain. If your PC is connected to a workgroup network or no network
at all, feel free to use these pages as scratch paper.
Note: In the
context of this chapter, the term domain
refers to a group of Windows computers on the same network. It’s not the same
as an Internet domain, which you may
occasionally hear mentioned. An Internet domain is still a
group of computers, but they don’t have to be connected to the same network,
and they don’t have to be running Windows. In addition, the domain name (like amazon.com) must
be registered to ensure that there’s no duplication on the Internet. Because
Windows domains are private, they can be named any way the administrator
chooses.
As you may
remember from Chapter 17, nobody else on a workgroup network can access the
files on your PC unless you’ve created an account
for them on your machine. Whenever somebody new joins the department, you have
to create another new account; when people leave, you have to delete or disable
their accounts. If something goes wrong with your hard drive, you have to
re-create all of the accounts.
You must have an account on each shared PC, too. If you’re
lucky, it’s the same name and password on each machine—but that isn’t always
the case. You might have to remember that you’re pjenkins on the front-desk computer, but JenkinsP on the Administrative machine.
Similarly,
suppose there’s a network printer on one of the computers in your workgroup. If
you want to use it, you have to find out whose computer the printer is
connected to, call him to ask if he’ll create an account for you, and hope that
he knows how to do it. You either have to tell him your username and password,
or find out what user name and password he’s assigned to you. In that case,
every time you want to use that printer, you might have to log on by typing
that user name and password.
If you multiply
all of this hassle by the number of PCs on your small network, it’s easy to see
how you might suddenly find yourself spending more time managing accounts and
permissions than doing the work the PC was supposed to help you with.
The solution to
all of these problems is the domain network. In a domain, you only have a
single name and password, which gets you into every shared PC and printer on
the network. All of the account information for everybody resides on a central
computer called a domain controller.
A domain
controller keeps track of who is allowed to log on, who is logged on, and what each person is allowed to do on the network.
When you log on to the domain, your PC communicates with a domain controller,
which verifies your credentials and permits (or denies) you access.
Most domain
networks have at least two domain controllers with identical information, so
that if one computer dies, the other one can take over. (Some networks have
many more than two, although you might never see them because they’re kept in
locked closets or data centers to which only administrators have the keys.)
This redundancy is a critical safety net; without a healthy domain
controller, nobody can log on to the domain. (A PC you’ve used before will let
you in with the credentials it cached from your last logon, but the shared files
and printers that need a domain controller to vouch for you stay out of reach
until one is back.)
Without budging
from their chairs, network administrators can use a domain controller and its
software to create new accounts, manage existing ones, and assign permissions.
The domain takes the equipment-management and security concerns of the network
out of the hands of individuals, and puts them into the hands of professionals
who are trained to deal with them. (You may sometimes hear this kind of
networking called client/server
networking. Each workstation—that
is, each mere mortal PC like yours—relies on a central server machine for its
network access.)
If you use
Windows XP Professional in a medium- to large-sized company, you probably use a
domain every day. You may not even have been aware of it.
In fact, knowing
what’s been going on right under your nose isn’t especially important to your
ability to get work done. After all, it’s not your job—it’s the network
administrator’s job. But knowing about the domain system can help you take
better advantage of a domain’s features.
You may be aware
that Microsoft sells two versions of Windows XP: Home Edition and Professional.
One key difference is that Windows XP Home Edition computers can’t join a domain.
There are other
versions of Windows, however: the ones that run on the above-mentioned domain
controller computers. To create a domain, at least one computer must be running
the operating systems called Windows .NET Server (the name under which Windows
Server 2003 was previewed) or Windows 2000 Server. (These
are far more expensive operating systems—the price depends on the number of
machines that they connect—and they run only on high-octane PCs. They also
require high-octane expertise to install and maintain.)
One key offering
of these specialized Windows versions is an elaborate application called Active Directory. It’s a single,
centralized database that stores every scrap of information about the hardware,
software, and people on the network. (The older operating system called Windows
NT Server can create domains, but it doesn’t include Active Directory.)
After creating a
domain by installing Active Directory on a server computer, network
administrators can set about filling the directory (database) with information
about the network’s resources. Every computer, printer, and person is
represented by an object in the
database, and attributes (properties)
that describe it. For example, a user
object’s attributes specify that person’s name, location, telephone number,
email address, and other more technical elements.
Active Directory
lets network administrators maintain an enormous hierarchy of computers. A
multinational corporation with tens of thousands of employees in offices all
over the world can all be part of one Active Directory, with servers distributed
in hundreds of locations, all connected by wide-area networking links. (A set
of domains that share a contiguous DNS-style name, such as corp.example.com and
sales.corp.example.com, is known as a tree. Huge
networks might even have more than one tree, called, of course, a forest.)
The objects in
an Active Directory domain are arranged in a hierarchy, something like the
hierarchy of folders within folders on your hard drive. Some companies base
their directory tree designs on the organization of the company, using
departments and divisions as the building blocks. Others use geographic locations
as the basis for the design, or a combination of both.
Unless you’ve
decided to take up the rewarding career of network administration, you’ll never
have to install an Active Directory domain controller, design a directory tree,
or create domain objects. You very well may encounter the Active Directory at
your company, however; you can use it to search for the mailing address of
somebody else on the network, for example, or locate a printer that can print
on both sides of the page at once. Having some idea of the directory’s
structure can help in these cases.
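As an added example (not part of the book), here is how a domain user could run the two lookups just described from a PowerShell prompt on a domain-joined PC, using the [ADSISearcher] accelerator that ships with PowerShell 2.0 and later. The attribute names (sAMAccountName, telephoneNumber, printDuplexSupported and so on) are the standard Active Directory ones; the account name pjenkins and the location prefix are illustrative. Because the name you search for ends up inside an LDAP filter, it is escaped first so that characters like * and ( typed by a user cannot change the meaning of the query.

```powershell
# Added example, not from the book. Assumes a domain-joined PC that can reach a
# domain controller; [ADSISearcher] needs PowerShell 2.0 or later.

# Escape a value for use inside an LDAP filter (RFC 4515). The backslash goes
# first so the escapes added afterwards are not escaped again.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory=$true)][string]$Value)
    $v = $Value -replace '\\', '\5c'
    $v = $v -replace '\*', '\2a'
    $v = $v -replace '\(', '\28'
    $v = $v -replace '\)', '\29'
    $v = $v -replace "`0", '\00'
    return $v
}

# Return one attribute as a string, or '' when the object has no such attribute.
function Get-ResultAttribute($Properties, [string]$Name) {
    if ($Properties.Contains($Name)) { return [string]$Properties[$Name][0] }
    return ''
}

# Look up the directory entry for a logon name and return the contact details
# the text mentions (name, location, phone, email).
function Find-DomainUser {
    param([Parameter(Mandatory=$true)][string]$LogonName)
    $name = ConvertTo-LdapFilterValue $LogonName
    $searcher = [ADSISearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'displayName', 'telephoneNumber', 'mail',
        'physicalDeliveryOfficeName', 'streetAddress', 'l'))
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return $null }
    $p = $hit.Properties      # keys come back in lower case
    New-Object PSObject -Property @{
        Name   = Get-ResultAttribute $p 'displayname'
        Phone  = Get-ResultAttribute $p 'telephonenumber'
        Email  = Get-ResultAttribute $p 'mail'
        Office = Get-ResultAttribute $p 'physicaldeliveryofficename'
        Street = Get-ResultAttribute $p 'streetaddress'
        City   = Get-ResultAttribute $p 'l'
    }
}

# Find published printers that can print on both sides, optionally limited to
# those whose Location attribute starts with the given text.
function Find-DuplexPrinter {
    param([string]$LocationPrefix = '')
    $filter = '(&(objectClass=printQueue)(printDuplexSupported=TRUE)'
    if ($LocationPrefix -ne '') {
        # Escape the user's text, then add the wildcard deliberately.
        $filter += '(location=' + (ConvertTo-LdapFilterValue $LocationPrefix) + '*)'
    }
    $filter += ')'
    $searcher = [ADSISearcher]$filter
    $searcher.PageSize = 500   # paged results, so a big directory is not cut off at 1000 entries
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('printerName', 'serverName', 'printShareName', 'location'))
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        New-Object PSObject -Property @{
            Printer  = Get-ResultAttribute $p 'printername'
            Server   = Get-ResultAttribute $p 'servername'
            Share    = Get-ResultAttribute $p 'printsharename'
            Location = Get-ResultAttribute $p 'location'
        }
    }
}

# Illustrative usage (names are made up):
Find-DomainUser -LogonName 'pjenkins' | Format-List
Find-DuplexPrinter -LocationPrefix 'Floor 3' | Format-Table -AutoSize
```

The escaping function works anywhere, even off the network: ConvertTo-LdapFilterValue 'a*b(c)' returns a\2ab\28c\29, which the directory then matches literally instead of treating * as a wildcard. The two searches need a domain controller to answer, and they return only what your own account is allowed to read from the directory.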
Security is one
of the primary reasons for Active Directory’s existence. First of all, the
account names and password hashes live only in the directory database on the
domain controllers, machines that can easily be locked away, protected, and
backed up; no individual PC has to keep a copy of everybody’s passwords. (Even
when the machines themselves are locked away in a closet, network
administrators can still access the Active Directory database from their own
PCs, which lets them perform account maintenance tasks from any location.) The
multiple domain controllers automatically replicate
the changes to each other, so that every one of them has up to date
information.
Active Directory
is also a vital part of the network’s other security mechanisms. When your
computer is a member of a domain, the first thing you do is log on, just as in
a workgroup. But when you log on to a domain, Windows XP Professional doesn’t
send your password to the domain controller at all. It uses the password to
prove to the domain controller that you know it (by default through Kerberos,
with the older NTLM challenge/response as a fallback), and the domain
controller checks that proof against your account in the directory and grants
or denies you access.
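To see this for yourself, here is an added example (again not from the book) that reports, from a PowerShell prompt, whether the PC is a domain member, which domain controller validated the current logon, and whether the session holds a Kerberos ticket-granting ticket. It relies on the Win32_ComputerSystem WMI class, the LOGONSERVER environment variable and the klist.exe tool; klist is built into Windows Vista and later, and on Windows XP it is assumed to have been installed from the Windows Server 2003 Resource Kit Tools.

```powershell
# Added example, not from the book. Run it in the session whose logon you want to inspect.
function Get-DomainLogonInfo {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $partOfDomain = [bool]$cs.PartOfDomain          # $false means Domain holds a workgroup name
    $logonServer  = $env:LOGONSERVER                # e.g. \\DC01 on a domain logon
    # On a domain member, a LOGONSERVER equal to the PC's own name means no domain
    # controller was reachable and Windows used the credentials it cached earlier.
    $cached = $partOfDomain -and ($logonServer -eq ('\\' + $cs.Name))

    $kerberos = $false
    if (Get-Command klist.exe -ErrorAction SilentlyContinue) {
        # klist lists the Kerberos tickets this logon session holds. A krbtgt/<REALM>
        # entry is the ticket-granting ticket a domain controller issued at logon; its
        # absence on a domain member suggests the older NTLM challenge/response was used.
        $tickets  = & klist.exe 2>$null
        $kerberos = [bool]($tickets | Select-String -Pattern 'krbtgt/' -Quiet)
    }

    New-Object PSObject -Property @{
        Computer      = $cs.Name
        PartOfDomain  = $partOfDomain
        DomainOrGroup = $cs.Domain
        UserDomain    = $env:USERDOMAIN
        UserName      = $env:USERNAME
        LogonServer   = $logonServer
        CachedLogon   = $cached
        KerberosTGT   = $kerberos
    }
}

Get-DomainLogonInfo | Format-List
```

A domain logon normally shows PartOfDomain true, LogonServer naming a domain controller, and KerberosTGT true. CachedLogon true is the situation the redundancy paragraph warns about: you got in on old credentials, but nothing on the network can verify who you are until a domain controller is reachable again.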
In Chapter 20,
you can read about NTFS permissions—a system that, when you share various files
and folders on your hard drive with other network citizens, lets you specify
how much access each person has to each file or folder. This process, too, is
simpler in a domain situation. First of all, you get to use the same name and
password to access any shared file or folder on the network (provided you’ve
been given permission to use it); second, when you share a file or folder on your
own machine, you can choose from a ready-made, accurate list of people on the
network. That list is provided, of course, by the domain controller.
Note: Actually, on
a large company network, you won’t often share files that sit on your own hard
drive. More likely than not, your files aren’t even on your PC—they’re stored
on network servers, where the network administrators control access to them.
You can share your own PC’s files on
an informal basis with somebody else, though.
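As an added example (not from the book), the following PowerShell function grants a domain account read access to a folder on your own PC, the informal kind of sharing the note describes. The domain name CORP and the account pjenkins are illustrative. The account is translated to its security identifier before anything is written, which is where the domain controller’s list of users comes into play: a name the domain does not know fails the translation, so a typo cannot leave a dangling entry in the folder’s permissions.

```powershell
# Added example, not from the book. Needs a domain-joined PC and an NTFS folder you own.
function Grant-DomainReadAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Path,      # folder on the local disk, e.g. C:\Shared
        [Parameter(Mandatory=$true)][string]$Account    # DOMAIN\logon name, e.g. CORP\pjenkins
    )
    # Ask the domain for the account's SID. An unknown name throws
    # IdentityNotMappedException, so nothing is written for a mistyped user.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

    # Read & execute, inherited by files and subfolders, stored under the SID
    # (NTFS always stores SIDs; the name you see in the dialog is resolved on display).
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the entry as NTFS now reports it, with the SID resolved back to DOMAIN\name.
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
}

# Illustrative usage:
Grant-DomainReadAccess -Path 'C:\Shared' -Account 'CORP\pjenkins'
```

NTFS permissions alone do not make the folder reachable from another PC; the folder also has to be shared (the Sharing tab, or net share), and when someone connects over the network the more restrictive of the share permissions and the NTFS permissions wins.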