Single Domain:
- Small organizations
- No Trust relationships
- Centralized Management of users, groups and resources
- As the domain grows (more and more users, groups, servers, etc.), performance can take a hit.
Master Domain:
- Moderate to large networks
- All users and groups are added and managed in the Master or Users Domain.
- Dept. control of Resource domains
- Local groups must be defined in each resource domain to add users from the Master domain.
- Trust relationships must be set up between the Resource and Master domains.
MultiMaster Domain:
- Large to very large organizations
- All users and groups are added and managed in the Master or Users Domain.
- Dept. control of Resource domains
- Local groups must be defined in each resource domain to add users from the Master domain.
- One-way Trust relationships must be set up between the Resource and Master domains, and 2-way trusts must be set up between the Master domains.
- Use the formula T = M(M-1) + RM to calculate the number of trust relationships required, where M is the number of Master domains and R is the number of Resource domains.
  In a network with 2 Master domains and 4 Resource domains it would be:
  T = 2(2-1) + 4*2
  2+8 = 10 Trust relationships
Complete Trust Domain:
- Can be used by organizations of any size
- Decentralized management
- Provides universal access to all resources.
- 2-way Trust relationships must be set up between all domains, which can get out of hand very quickly.
- This is not a recommended Domain model because of the hellish Trust relationships that are created in a network with numerous domains.
- Use the formula T = N(N-1) to calculate the number of trust relationships required.
  In a network with 4 domains it would be:
  T = 4(4-1)
  3*4 = 12 Trust relationships
Things to consider:
- A maximum of 10,000 users per domain.
- Local groups can contain Global groups and Users from their own domain and trusted domains, but Global groups can only contain users from their own domain.
- If you log in to a Trusting domain instead of your own domain, you will only have access to objects that the Domain Guests group from your own domain has access to, in both domains. That's why you should always log in to your own domain and not a Trusting domain.
- When setting up a Trust, start with the Trusted domain first, then go to the Trusting domain and set up the trust from there.
- In the above picture, Domain A trusts Domain B's users.
  Domain A is the Trusting Domain, Domain B is the Trusted Domain.
  Domain B would initiate the Trust relationship, then Domain A would set up its Trust in User Manager for Domains, Policies, Trust Relationships.
- Once a Trust Relationship is set up, you have to assign NTFS and Share permissions in the Trusting domain for users in the Trusted domain.
  Just because a Trust is set up doesn't mean users automatically have Access to resources.
- The best way to give users access to resources in the Trusting domain is to create a Global group in the Trusted domain, add users to the group, then add that Global group to a Local group in the Trusting domain.
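
The trust counts and group rules above, as an added example (not part of the original notes): it models each trust as a (trusting, trusted) pair, checks the counts against both formulas, and flags trusts the chosen model does not call for. Domain names and function names are made up for illustration.

```python
from itertools import permutations

# A trust is a directed pair (trusting, trusted): the trusting domain
# accepts accounts that the trusted domain has authenticated.

def multimaster_trusts(masters, resources):
    """Two-way trusts among Master domains, one-way Resource -> Master."""
    trusts = set(permutations(masters, 2))                   # M(M-1)
    trusts |= {(r, m) for r in resources for m in masters}   # R*M
    return trusts

def complete_trusts(domains):
    """Every domain trusts every other domain: N(N-1)."""
    return set(permutations(domains, 2))

def may_join_local_group(member_domain, group_domain, trusts):
    """Local groups take users and Global groups from their own domain
    or from a domain that the group's domain trusts."""
    return member_domain == group_domain or (group_domain, member_domain) in trusts

def may_join_global_group(user_domain, group_domain):
    """Global groups take users from their own domain only."""
    return user_domain == group_domain

def excess_trusts(actual, required):
    """Trusts that exist but that the chosen model does not call for."""
    return sorted(set(actual) - set(required))

# Constructed sample: 2 Master and 4 Resource domains, as in the notes.
MASTERS = ["MASTER1", "MASTER2"]
RESOURCES = ["RES1", "RES2", "RES3", "RES4"]
REQUIRED = multimaster_trusts(MASTERS, RESOURCES)
# Constructed inventory with one trust pointing the wrong way.
INVENTORY = REQUIRED | {("MASTER1", "RES3")}

if __name__ == "__main__":
    print(len(REQUIRED), "trusts in the MultiMaster model")
    print(len(complete_trusts(MASTERS + RESOURCES[:2])),
          "trusts for 4 domains in the Complete Trust model")
    print("MASTER1 global group -> RES1 local group:",
          may_join_local_group("MASTER1", "RES1", REQUIRED))
    print("RES1 user -> MASTER1 local group:",
          may_join_local_group("RES1", "MASTER1", REQUIRED))
    print("Trusts to review:", excess_trusts(INVENTORY, REQUIRED))
```

A trust from a Master domain to a Resource domain is not part of the MultiMaster model, so it shows up in the review list.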