Windows XP Pro: The Missing Manual

As you may remember from Chapter 18, nobody else on a workgroup network can access the files on your PC unless you've created an account for them on your machine. Whenever somebody new joins the department, you have to create another new account; when people leave, you have to delete or disable their accounts. If something goes wrong with your hard drive, you have to re-create all of the accounts.

19.1.1 What's Wrong with Workgroups

You must have an account on each shared PC, too. If you're lucky, you have the same name and password on each machine, but that isn't always the case. You might have to remember that you're pjenkins on the front-desk computer, but JenkinsP on the administrative machine.

Similarly, suppose there's a network printer on one of the computers in your workgroup. If you want to use it, you have to find out whose computer the printer is connected to, call him to ask if he'll create an account for you, and hope that he knows how to do it. You either have to tell him your user name and password, or find out what user name and password he's assigned to you. In that case, every time you want to use that printer, you might have to log on by typing that user name and password.

If you multiply all of this hassle by the number of PCs on your small network, it's easy to see how you might suddenly find yourself spending more time managing accounts and permissions than doing the work the PC was supposed to help you with.

19.1.2 The Domain Concept

The solution to all of these problems is the network domain. In a domain, you only have a single name and password, which gets you into every shared PC and printer on the network. Everyone's account information resides on a central computer called a domain controller: a computer so important, it's usually locked away in a closet or a data-center room.

A domain controller keeps track of who is allowed to log on, who is logged on, and what each person is allowed to do on the network. When you log onto the domain, your PC communicates with a domain controller, which verifies your credentials and permits (or denies) you access.

Most domain networks have at least two domain controllers with identical information, so that if one computer dies, the other one can take over. (Some networks have many more than two.) This redundancy is a critical safety net; without a happy, healthy domain controller, the entire network is dead.

Without budging from their chairs, network administrators can use a domain controller to create new accounts, manage existing ones, and assign permissions. The domain takes the equipment-management and security concerns of the network out of the hands of individuals and puts them into the hands of trained professionals. You may sometimes hear this kind of networking called client/server networking. Each workstation (that is, each mere mortal PC like yours) relies on a central server machine for its network access.

If you use Windows XP Professional in a medium- to large-sized company, you probably use a domain every day. You may not even have been aware of it.

In fact, knowing what's been going on right under your nose isn't especially important to your ability to get work done. After all, it's not your job; it's the network administrator's. But understanding the domain system can help you take better advantage of a domain's features.

19.1.3 Active Directory

You may be aware that Microsoft sells two versions of Windows XP: Home Edition and Professional. One key difference is that Windows XP Home Edition computers can't join a domain.

There are other versions of Windows, however: the specialized ones that run on the above-mentioned domain controller computers. To create a domain, at least one computer must be running either Windows .NET Server 2003 or Windows 2000 Server. These are far more expensive operating systems (the price depends on the number of machines that they connect) and they run only on high-octane PCs. They also require high-octane expertise to install and maintain.

One key offering of these specialized Windows versions is an elaborate application called Active Directory. It's a single, centralized database that stores every scrap of information about the hardware, software, and people on the network. (The older operating system called Windows NT Server can create domains, but it doesn't include Active Directory.)

After creating a domain by installing Active Directory on a server computer, network administrators can set about filling the directory (database) with information about the network's resources. Every computer, printer, and person is represented by an object in the database and attributes (properties) that describe it. For example, a user object's attributes specify that person's name, location, telephone number, email address, and other more technical elements.

Active Directory lets network administrators maintain an enormous hierarchy of computers. A multinational corporation with tens of thousands of employees in offices all over the world can be one Active Directory domain, with servers distributed in hundreds of locations, all connected by wide-area networking links. (A group of domains is known as a tree. Huge networks might even have more than one tree and are called, of course, a forest.)

The objects in an Active Directory domain are arranged in a hierarchy, something like the hierarchy of folders within folders on your hard drive. Some companies base their directory-tree designs on the organization of the company, using departments and divisions as the building blocks. Others use geographic locations as the basis for the design, or use a combination of both.

Unless you've decided to take up the rewarding career of network administration, you'll never have to install an Active Directory domain controller, design a directory tree, or create domain objects. You very well may encounter the Active Directory at your company, however; you can use it to search for the mailing address of somebody else on the network, for example, or locate a printer that can print on both sides of the page at once. Having some idea of the directory's structure can help in these cases.
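The object-and-attribute hierarchy described above, modelled as an added Python example (not code from the book): a constructed miniature directory that uses real Active Directory attribute names, plus a subtree search that answers the two questions just mentioned, a colleague's mailing address and a printer that can print on both sides. The domain name, DNs, server names and account names are assumptions.

```python
# Constructed miniature of an Active Directory database (assumption: not the
# book's code, and not how a real domain controller stores data). Each object is
# a distinguishedName plus attributes, using real AD attribute names.
DIRECTORY = [
    {"distinguishedName": "CN=Paula Jenkins,OU=Front Desk,OU=Chicago,DC=example,DC=com",
     "objectClass": "user", "sAMAccountName": "pjenkins", "mail": "pjenkins@example.com",
     "streetAddress": "1 Main St", "l": "Chicago", "telephoneNumber": "555-0100"},
    {"distinguishedName": "CN=Sam Lee,OU=Sales,OU=Boston,DC=example,DC=com",
     "objectClass": "user", "sAMAccountName": "slee", "mail": "slee@example.com",
     "streetAddress": "9 Harbor Rd", "l": "Boston", "telephoneNumber": "555-0199"},
    {"distinguishedName": "CN=SERVER1-Laser3,CN=SERVER1,OU=Printers,OU=Chicago,DC=example,DC=com",
     "objectClass": "printQueue", "printerName": "Laser3", "printDuplexSupported": True},
    {"distinguishedName": "CN=SERVER2-Inkjet,CN=SERVER2,OU=Printers,OU=Boston,DC=example,DC=com",
     "objectClass": "printQueue", "printerName": "Inkjet", "printDuplexSupported": False},
]


def parse_dn(dn):
    """Split a DN into its components, most specific first (CN=..., OU=..., DC=...).
    DN values are case-insensitive in LDAP, so compare them lowercased. Escaped
    commas inside values are not handled by this toy parser."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn, base_dn):
    """True when dn is base_dn itself or lies below it in the hierarchy."""
    parts, base = parse_dn(dn), parse_dn(base_dn)
    return len(parts) >= len(base) and parts[-len(base):] == base


def search(base_dn, **wanted):
    """Subtree search: objects under base_dn whose attributes equal the wanted values
    (the same idea as an LDAP filter such as (&(objectClass=user)(l=Boston)))."""
    return [obj for obj in DIRECTORY
            if in_subtree(obj["distinguishedName"], base_dn)
            and all(obj.get(attr) == value for attr, value in wanted.items())]


def mailing_address(account_name, base_dn="DC=example,DC=com"):
    """Look up a colleague's street address and city by logon name; None if absent."""
    hits = search(base_dn, objectClass="user", sAMAccountName=account_name)
    if not hits:
        return None
    return hits[0]["streetAddress"], hits[0]["l"]


def duplex_printers(base_dn="DC=example,DC=com"):
    """Names of print queues (optionally only in one branch) that can print both sides."""
    return [obj["printerName"]
            for obj in search(base_dn, objectClass="printQueue", printDuplexSupported=True)]
```

Narrowing the base DN to one branch (for example `OU=Boston,DC=example,DC=com`) is how a geographic or departmental tree design pays off when you search.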

19.1.4 Domain Security

Security is one of the primary reasons for Active Directory's existence. First of all, all of the account names and passwords reside on a single machine (the domain controller), which can easily be locked away, protected, and backed up. The multiple domain controllers automatically replicate the changes to one another, so that every one of them has up-to-date information.

Active Directory is also a vital part of the network's other security mechanisms. When your computer is a member of a domain, the first thing you do is log on, just as in a workgroup. But when you log into a domain, Windows XP Professional transmits your name and password (in encrypted form) to the domain controller, which checks your credentials and grants or denies you access.
