A domain model used in enterprise-level Microsoft Windows NT–based networks. In the single master domain model, all global users and group accounts reside in a single Windows NT domain called the accounts domain. Network resources reside in other domains called resource domains.
Each resource domain must have a trust relationship with the accounts domain. Users who log on to their accounts in the accounts domain can access shared network resources in any resource domain if they have the appropriate permissions. The advantages and disadvantages of using this model are shown in the following table.
Not difficult to implement - one trust per resource domain
Poor performance when the number of accounts is large
Centralized administration of accounts
Local groups must be created in each resource domain
Resource domains manage their own resources
Works for up to 40,000 accounts
Graphic S-14. Single master domain model.
When you upgrade a Windows NT–based network based on the single master domain model to a Microsoft Windows 2000–based network, you usually perform the upgrade from the top down. You first upgrade the master domain to a Windows 2000 domain based on Active Directory. Then you upgrade resource domains to child domains within a directory tree whose root domain is the former master domain. You can move user accounts from the master domain to the domains where users actually work, because two-way transitive trusts enable users in any domain within the domain tree to access resources in any other domain.
Alternatively, companies with a centralized IT department can upgrade both the master domain and the resource domains to a single Windows 2000 domain. Organizational units (OUs) can then be created within Active Directory to mirror the administrative structure of the former master domain model. Administrative rights and permissions can be assigned to users and groups based on the new OUs. Here are the advantages of using this approach: