The Internet Encyclopedia (Volume 3)



HOW W2K WORKS 793

and so forth, but workgroups are not at all conducive to security because there is no mechanism within W2K to limit workgroup membership. If an attacker discovers the name of a workgroup, that person can add a malicious system to it. Additionally, the lack of centralized control in a workgroup necessitates setting security parameters and adjusting configurations on every machine within the workgroup; in contrast, domains have settings (embedded in “Group Policy Objects” or GPOs) that can be set from a single domain controller (to be defined shortly) within the domain.

The following sections consider various possible relationships between domains and the implications of each.

Trees and Forests
W2K domains can be arranged in a hierarchical fashion starting with a root domain at the top, then domains at the level immediately below the root domain, and then possibly still other domains at the next level(s). One option is to nest domains so that they form a “contiguous namespace.” In simple terms, this means that there is one common root domain; all subordinate (lower) domains’ names are derived from their parent domains. Consider the name of one domain, research.entity.org. Consider also marketing.entity.org. If the domains are nested in a contiguous name space, both of the domains in this example will have the same parent domain, entity.org. If research.entity.org is a parent domain, every one of its children will have a first name followed by research.entity.org (see Figure 1 below). Contiguous name spaces characterize W2K “trees.” In contrast, if the name space is not contiguous, then there is no common namespace. “Forests” (as opposed to “trees”) are characterized by noncontiguous name spaces. In a tree or forest, every domain connected directly to another domain (as are entity.org and research.entity.org) by default has a two-way trust relationship with every other domain. Note that if domains are not directly connected to each other (as in the case of marketing.entity.org and research.entity.org in Figure 1), they nevertheless have transitive trust between them because entity.org has a two-way trust relationship with each of its child domains. Trust is a property that allows users, groups, and other entities from one domain to potentially access resources (files, directories, printers, plotters, and so forth) in another, provided, of course, that the appropriate access mechanisms (e.g., shares) and sufficient permissions are in place. Trust is an essential element in characterizing domains that are linked together to form trees or forests. These domains may be either in “Mixed Mode” or “Native Mode,” as the next section explains.
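As an added illustration (not part of the encyclopedia text) of the namespace and trust rules just described, the Python script below models the domains of Figure 1: it derives each domain's parent by dropping its first label, reports the tree roots (one root means a contiguous namespace and a single tree; several roots mean a forest), and finds the chain of two-way trusts between any two domains, so a chain of more than one hop is transitive trust. The `forest_root_trusts` links and the `partner.com` domains used to show the forest case are assumptions for illustration.

```python
from collections import deque

# Constructed sample: the five domains shown in Figure 1 of the text.
FIGURE_1_DOMAINS = ["entity.org", "research.entity.org", "marketing.entity.org",
                    "staff.research.entity.org", "group.research.entity.org"]

def parent_of(name, domains):
    """Parent of `name`, or None if it is a tree root. In a contiguous
    namespace a child is its own label + the parent's full name, so the
    parent is `name` with its first label removed (if that domain exists)."""
    candidate = name.split(".", 1)[1] if "." in name else ""
    return candidate if candidate in domains else None

def tree_roots(domains):
    """Domains with no parent in the set: one root means a single tree
    (contiguous namespace); several roots mean a forest."""
    return sorted(d for d in domains if parent_of(d, domains) is None)

def trust_edges(domains, forest_root_trusts=()):
    """Undirected trust graph: each parent/child pair has a two-way trust by
    default; `forest_root_trusts` (an assumed extra) links separate tree roots."""
    edges = {d: set() for d in domains}
    pairs = [(d, parent_of(d, domains)) for d in domains] + list(forest_root_trusts)
    for a, b in pairs:
        if b is not None:
            edges[a].add(b)
            edges[b].add(a)
    return edges

def trust_path(src, dst, domains, forest_root_trusts=()):
    """Shortest chain of two-way trusts from src to dst, or None if there is
    none. A chain of more than one hop is transitive trust (e.g. via entity.org)."""
    edges = trust_edges(domains, forest_root_trusts)
    if src not in edges or dst not in edges:
        return None
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(edges[cur] - set(prev)):
            prev[nxt] = cur
            queue.append(nxt)
    return None
```

Running `trust_path("marketing.entity.org", "research.entity.org", FIGURE_1_DOMAINS)` returns the two-hop chain through entity.org, which is exactly the transitive trust the text describes.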

Mixed Mode Versus Native Mode
Domains can be deployed in two modes: “Mixed Mode” and “Native Mode.” In Mixed Mode, a domain contains both W2K and NT DCs, or has all W2K DCs, but nobody has migrated the domain to Native Mode. In Native Mode, a domain contains all W2K DCs and the domain has been migrated to this mode.

Native Mode is better from a security standpoint in that certain security-related functions (such as Kerberos authentication, a very strong type of network authentication, as explained shortly) are available only in this mode. The primary downside of Native Mode is that functionality is much more complex than in Mixed Mode. Complexity normally requires greater time and cost in planning and design; additionally, complexity generally makes security more difficult to achieve.

Domain Controllers
DCs are a special type of server used for controlling settings, policies, changes, and other critical facets of W2K domain functionality. In W2K Mixed Mode, DCs may consist of both W2K and NT servers. One W2K server must serve as a primary domain controller (PDC) in Mixed Mode, however. A PDC receives changes, such as changes to the authentication database, and replicates them to the other DCs within the domain. In W2K Native Mode, however, there is no PDC per se; all DCs are capable of picking up and replicating changes to the other domain controllers. Every DC in a Native Mode deployment holds a copy of Active Directory. In W2K Mixed Mode (or in an NT domain), if the PDC crashes, some degree of disruption invariably occurs. In W2K Native Mode, however, if any DC crashes, there is no particular problem: all DCs more or less function as equals to each other.

Active Directory is so important in understanding how W2K works that it merits further examination. The next section describes Active Directory functionality in greater detail.

Active Directory
Each object in a W2K tree or forest has an X.500 compliant distinguished name (DN), one that uniquely refers to the object in question (e.g., /O=Internet/DC=COM/DC=Example/CN=Users/CN=Jill Cooper). Each object also

Figure 1: Example of how a name space is organized within a tree. (Figure rendered as text: entity.org is the root domain; research.entity.org and marketing.entity.org are its children; staff.research.entity.org and group.research.entity.org are children of research.entity.org.)