Windows NT: WHAT ARE THE ADMIN PROBLEMS WITH THE FOUR DOMAIN MODELS? (AND HOW DO I GET FROM NT4 TO W2K?)
from The Sunbelt Team
Single Domain Model Problems:
- Many organizations were or are too large for a Single Domain Model environment.
- Many organizations are too geographically distributed, with line speeds between sites that are too slow, for a Single Domain Model environment to provide acceptable performance and reliability.
- All-or-nothing administrative model for the entire organization.
- Native tools are inadequate for proper administration.
Master Domain Model Problems:
- Many organizations were or are still too large for a Master Domain Model environment.
- Many organizations are still too geographically distributed, with line speeds between sites that are too slow, for a Master Domain Model environment to provide acceptable performance and reliability. This model allows for significant improvements in this area, however.
- All-or-nothing administrative model for the entire organization, except for local resources in resource domains, which can be managed by resource domain Administrators who have no rights to the master account domain.
- Native tools are inadequate for proper administration.
Multiple Master Domain Model Problems:
- In theory, it logically and physically separates administration. In reality, the all-or-nothing administrative model for the entire organization still occurs.
- Native tools are inadequate for proper administration.
- If size is not the reason to create multiple master domains, the urge to consolidate domains for simplicity and Windows 2000 migration concerns come to light. While Microsoft has tools to migrate from a competing NOS (NetWare), they do not provide tools for moving objects and their properties from one NT domain to another.
Complete Trust Model Problems:
The final Microsoft Domain Model is the Complete Trust Model. In their literature Microsoft states that the Complete Trust Model is the most complex to administer and the most costly in terms of network resources. This model is a throwback to the anarchic peer-to-peer reality of LAN Manager.

With the Complete Trust Model, an LSA trust is established between all Windows NT 4.0 domains such that security principal definitions in any of the established Windows NT 4.0 domains can be granted access to any resource defined in any of the existing domains. Microsoft suggests that most companies that employ the Complete Trust Model need to because of the following situations:
- The organization is fractured or disjointed and has not taken the time for adequate planning of a simpler topology.
- The organization has complex internal politics that result in multiple groups of administrators whose responsibilities span many areas and may overlap.
- The organization has grown more quickly than expected and many divisions have performed their own Windows NT-based installations.
- Other problems are the same as for the Multiple Master Domain Model above.
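To make the trust topologies above concrete, here is an added Python model (not part of the original article) that builds the one-way trust set for each domain model and answers the question the text raises for the Complete Trust Model: from which domains can a principal be granted access to which resources. It assumes NT 4.0 trusts are one-way and non-transitive; the domain names are constructed.

```python
"""Constructed model of NT 4.0 one-way trusts for the four domain models.
Added example, not from the original article. It assumes two NT 4.0 facts:
trusts are one-way (the trusting domain accepts principals defined in the
trusted domain) and non-transitive, so a principal from domain A can be
granted access to a resource in B only if B trusts A directly, or A == B.
Domain names are constructed."""
from itertools import permutations

# A trust set holds (trusting, trusted) pairs.
def single_domain(domain):
    return set()                      # one domain, nothing to trust

def master_domain(master, resource_domains):
    # Every resource domain trusts the single master account domain.
    return {(r, master) for r in resource_domains}

def multiple_master(masters, resource_domains):
    # Masters trust each other both ways; each resource domain trusts every master.
    trusts = set(permutations(masters, 2))
    trusts |= {(r, m) for r in resource_domains for m in masters}
    return trusts

def complete_trust(domains):
    # Every domain trusts every other: n*(n-1) one-way trusts to maintain.
    return set(permutations(domains, 2))

def can_be_granted(trusts, principal_domain, resource_domain):
    """Can an ACL in resource_domain reference a principal from principal_domain?"""
    return (principal_domain == resource_domain
            or (resource_domain, principal_domain) in trusts)

def admin_reach(trusts, domains, principal_domain):
    """Domains whose resources can be ACLed to principals of principal_domain."""
    return {d for d in domains if can_be_granted(trusts, principal_domain, d)}

def trust_counts(masters, resource_domains):
    """One-way trusts to maintain per model (master model uses masters[0] only)."""
    everything = list(masters) + list(resource_domains)
    return {
        "master": len(master_domain(masters[0], resource_domains)),
        "multiple_master": len(multiple_master(masters, resource_domains)),
        "complete_trust": len(complete_trust(everything)),
    }

if __name__ == "__main__":
    print(trust_counts(["ACCT1", "ACCT2"], ["RES1", "RES2", "RES3"]))
    # {'master': 3, 'multiple_master': 8, 'complete_trust': 20}
```

The trust count is what grows with the Complete Trust Model, while `admin_reach` shows why a principal defined in any one domain can end up on ACLs everywhere.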
Solution Presented:
There are several serious administrative and architectural problems and limitations with all NT domain models that do not exist on most other commercially viable NOS platforms. Trusted Enterprise Manager (TEM) can help you solve many of these problems and limitations prior to adopting NT 4.0, while preparing your organization for Windows 2000 and beyond.
TEM allows an NT administrator to logically divide the static domain (or domains) into native NT objects called global groups and delegate the appropriate administrative tasks over those global groups to "Workgroup Managers", or what we call Trusted Managers. This will inherently reduce the number of domains that would need to be created for administrative or political reasons and prepare your organization to migrate to W2K's structure.
TEM is very granular and delegates 24 user, group, and system permissions to non-administrators on the network to manage global groups, users, resources, and their properties. All 24 permissions can be delegated singly, in any combination, or by templates called Active Collections to individual user accounts, global groups, and local groups in order to manage specific global groups of users. Active Collections can be thought of as "administrative roles" and are analogous to Group Policy Objects in Windows 2000, but easier to use.
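The two paragraphs above describe delegation as a permission template bound to a manager over specific global groups, in contrast to the all-or-nothing Domain Admins model. The following added Python model (not TEM's code) illustrates that scoping and the reporting view that goes with it; the permission names, template names, groups and accounts are constructed and are not TEM's actual 24 permissions.

```python
"""Constructed model of scoped delegation in the spirit of Trusted Managers and
Active Collections (added example, not TEM's code). Assumptions: an Active
Collection is a named template of permissions; a grant binds a manager to a
template over a set of global groups; a native Domain Admin holds every
permission over every group. All names below are made up."""
ALL_GROUPS = "*"   # wildcard scope, used only for the native Domain Admins grant

class Delegation:
    def __init__(self):
        self.templates = {}   # template name -> frozenset of permissions
        self.grants = []      # (manager, template, frozenset of group names)

    def define_template(self, name, permissions):
        self.templates[name] = frozenset(permissions)

    def grant(self, manager, template, groups):
        if template not in self.templates:
            raise KeyError(f"unknown template {template}")
        self.grants.append((manager, template, frozenset(groups)))

    def allowed(self, manager, permission, group):
        """True if some grant gives manager this permission over this group."""
        for m, template, scope in self.grants:
            if m != manager or permission not in self.templates[template]:
                continue
            if ALL_GROUPS in scope or group in scope:
                return True
        return False

    def who_can(self, permission, group):
        """Reporting view: every manager able to exercise permission on group."""
        return {m for m, _, _ in self.grants if self.allowed(m, permission, group)}

    def effective_permissions(self, manager, group):
        """Union of permissions manager holds over group, for audit."""
        perms = set()
        for m, template, scope in self.grants:
            if m == manager and (ALL_GROUPS in scope or group in scope):
                perms |= self.templates[template]
        return perms

def build_example():
    d = Delegation()
    d.define_template("DomainAdmins", {"AddUser", "DeleteUser", "ResetPassword", "ModifyGroup"})
    d.define_template("HelpDesk", {"ResetPassword"})           # a narrow Active Collection
    d.define_template("GroupOwner", {"ModifyGroup", "AddUser"})
    d.grant("Administrator", "DomainAdmins", {ALL_GROUPS})     # native all-or-nothing
    d.grant("jsmith", "HelpDesk", {"Sales", "Marketing"})
    d.grant("mlee", "GroupOwner", {"Engineering"})
    return d
```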
Some TEM features are not even available in native NT for Domain Admins, like the renaming of global and local groups in place (i.e. retaining the original SID and all group and ACL/ACE memberships) and drag-and-drop migration of users or whole domains(!).

Companies that implement TEM today will have an advantage when they decide to migrate to Win2K because they will have defined their global groups, management of global groups, implemented naming conventions, and started their hierarchical organizational tree structure.

ADS will bring about some significant upgrades to NT user administration, but will still fall down in the delegation and reporting aspects. In addition, since ADS will open up much more information to manage, the ability to delegate management of that information with TEM's new 'Active Collection' technology will make the lives of network administrators much easier.

Today administrators are designing their networks and domain models to cope with the inefficiencies of NT. Using TEM allows you to design your domain models the way you want (and need) them to be securely managed.

You may have heard that there is going to be much more granularity in W2K (like 135 rights or similar). The thing is, you have to set them all ONE BY ONE for each user ;-( But TEM's Active Collections will add templates to this and make it a snap.
CONTACT SUNBELT
Sunbelt offers a hand-held installation and walk-through for TEM downloads: http://www.sunbelt-software.com/tem.htm