Domain in Windows Server

Domain (in Windows Server) is a network security model for grouping computers together.

What is Domain in Windows Server?

A network security model for grouping computers together. Computers on a network based on Microsoft Windows NT or Windows 2000 that are in the same domain share a common directory database of security information such as user accounts, passwords, and password policies. Domain-based networks have the following features:

  • Centralized administration:
    The entire network can be administered from a single location.


  • Single-user logon:
    Users need only one user account to access any workstation on the network.


  • Universal resource access:
    Users can access any network resource for which they have the appropriate permissions.

    Graphic D-35. This shows a Windows 2000 domain.

How It Works

Typically, the following computers are members of the domain:

  • Domain controllers, which maintain the database of directory information for the domain. On Windows NT servers, this database is called the Security Accounts Manager (SAM) database, while in Windows 2000 domains, this information is stored in Active Directory. Domain controllers periodically exchange directory information using directory replication so that the information in any given domain controller is kept up to date. (If the information stored in a domain controller is out of date, users might have trouble logging on with that particular domain controller or finding recently shared resources on the network.)
  • Member servers, which are stand-alone servers typically used for file and print services, Web services, or running applications such as Microsoft SQL Server. Member servers cannot authenticate users like domain controllers can.
  • Workstations or client computers, which participate in the security policies of the domain and are members of the domain, but are used as desktop machines for users instead of as network servers.

A Windows NT or Windows 2000 network can be installed as either a domain or a workgroup. The domain model is preferable because it allows computers to share a common security policy and a common domain directory database. Machines running Windows 98 and legacy Windows machines can also participate in domain security on Windows NT and Windows 2000 networks but are not considered full members of the domain because they have no computer accounts within the domain directory database.

A Windows NT domain requires only one primary domain controller (PDC) and can have a number of backup domain controllers (BDCs). By creating a PDC, you create a new domain. Windows NT member servers and workstations can join a domain. Other systems, such as computers running Windows 95 and Windows 98, can participate in a domain but are not considered members of the domain because they have no computer accounts in the domain directory database.

Windows 2000 domains use peer domain controllers, which are all equal in status. In Windows 2000, domains are core entities within Active Directory and act as a boundary for network security and for the replication of directory information over the network. If you establish a security policy in one domain, the settings, rights, and discretionary access control lists (DACLs) of that policy are limited to that domain. Domains are also the fundamental containers for all network objects within them. Domains contain users, groups, computers, and other directory objects. These objects can be grouped together using a hierarchy of organizational units (OUs).


Domains can span geographical boundaries and networks; an enterprise can have branches in several continents with all machines belonging to a single domain. Alternatively, a single network or location can have multiple domains installed, with or without trust relationships between them.


To change the name of a domain in Windows NT, you first change it on the PDC and then on the other machines in the domain. However, this can affect other software installed on the servers.