A network security model for grouping computers together. Computers on a network based on Microsoft Windows NT or Windows 2000 that are in the same domain share a common directory database of security information such as user accounts, passwords, and password policies. Domain-based networks have the following features:
Graphic D-35. This shows a Windows 2000 domain.
Typically, the following computers are members of the domain:
A Windows NT or Windows 2000 network can be installed as either a domain or a workgroup. The domain model is preferable because it allows computers to share a common security policy and a common domain directory database. Computers running Windows 98 and earlier versions of Windows can also participate in domain security on Windows NT and Windows 2000 networks, but they are not considered full members of the domain because they have no computer accounts in the domain directory database.
A Windows NT domain has a single primary domain controller (PDC) and can have a number of backup domain controllers (BDCs). Creating a PDC creates a new domain. Windows NT member servers and workstations can join a domain. Other systems, such as computers running Windows 95 and Windows 98, can participate in a domain but are not considered members of the domain because they have no computer accounts in the domain directory database.
Windows 2000 domains use peer domain controllers, which are all equal in status. In Windows 2000, domains are core entities within Active Directory and act as a boundary for network security and for the replication of directory information over the network. If you establish a security policy in one domain, the settings, rights, and discretionary access control lists (DACLs) of that policy are limited to that domain. Domains are also the fundamental containers for all network objects within them. Domains contain users, groups, computers, and other directory objects. These objects can be grouped together using a hierarchy of organizational units (OUs).
Domains can span geographical boundaries and networks; an enterprise can have branches on several continents with all machines belonging to a single domain. Alternatively, a single network or location can host multiple domains, with or without trust relationships between them.
To change the name of a Windows NT domain, you first change it on the PDC and then on the other machines in the domain. Be aware that renaming the domain can affect other software installed on the servers.