June 19th, 2003, 10:54 PM
Creating Domains (Win 2k, 2003)
I decided to write my first tut on the thing I know most about. I hope this is original because I searched the forums.
Windows 2000, 2003 Domains:
Why Use Them?
It's a well known fact that network security should be layered in order to be effective. A domain makes a perfect first layer. In order to communicate with a machine that is on a domain, you must also be a member of the same domain or domain tree. Domain Tree = collection of domains linked through parent/child trust relationships. (i.e. child.antionline.com is the child domain of antionline.com and they are in the same tree.)
Another security measure that domains give you is that all users are authenticated at a central location, the Domain Controller (DC). The DC holds all usernames and passwords and is usually in a secure location (i.e. a locked room). This makes it hard for blackhats because there are no passwords stored on the local workstations. It isn't impossible to crack these passwords but like I said, this is only one layer of your network security.
Basically, without a password from a domain level or enterprise level administrator, your computer cannot communicate on the domain.
Domains make life for network administrators, like myself, infinitely easier. One reason for this is the introduction of Active Directory in Windows 2000 and now in 2003. Active Directory was designed entirely for convenience. Let's say you are controlling a domain with 20,000 users and 20 domain controllers for that domain. You want to create a new username for a new employee. It would be a pain in the ass if you had to create that username on each domain controller. If you create the username in Active Directory on one domain controller, it will begin to replicate out to all DCs within that domain. I believe it uses the LDAP protocol to accomplish this task.
Yet another convenient part of using domains is the ability to "push" software out to your users. Hypothetically, your company has a proprietary piece of software that each user needs on their workstation. Through Active Directory you can assign it to the whole domain, which could be tens of thousands of people, or simply give it to a small group. After assigning the software, the next time a user logs on to their workstation, it will automatically install and be available. I have even "pushed" a full blown copy of Office 2000 over my domain through Active Directory. You could even tell your boss that through this process you can save the company money, because you no longer have to have people employed to go out to the remote locations and install software on each workstation. Bosses love hearing that.
This is a big one. Aside from security, policies could be the most important aspect of domains. Once a computer is joined to a domain, it is subject to the policies in effect for that domain. You could even assign policies to a certain computer or group of computers. Microsoft (Evilsoft) calls them GPOs, or Group Policy Objects. These GPOs can be configured to perform nearly anything you need. Let's say that at your building you have a computer in the lobby that is available to the public. You wouldn't want people to be able to access certain things, like the Control Panel or maybe the My Computer icon. You can set a GPO on that machine that is so anal, it will only allow them to access the internet, period. You can make it so they can't even touch the Internet Options, just surf. Or another example could be your company users. You can require them to change their passwords after a specific amount of time. You can make sure their passwords are complicated enough. Oh and this one is popular, you can make it so that your users can only: log off, use Microsoft Office and use the internet. They can't touch anything else. This accomplishes a few things. The user can't touch important parts of the OS which could lead to problems that you are just going to have to fix. Also they can't sit there and play with screen savers or solitaire on company time. It's a bit of a God complex but heh, we're admins and that's our job.
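Here is an added example, not part of the original post, of checking the "passwords must be complicated enough / changed after a specific amount of time" side of a domain GPO from the admin's chair. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the account running it can read the domain, which is newer tooling than the 2000/2003 servers the post talks about; the baseline numbers are constructed for illustration and are not from the post.

```powershell
# Added example (not from the original post): audit the domain's default
# password policy against a baseline and report anything weaker.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller
# can read the domain. Baseline values below are constructed, not from the post.
Import-Module ActiveDirectory

# Constructed baseline: what we expect the Default Domain Policy to enforce.
$Baseline = @{
    MinPasswordLength    = 12
    MaxPasswordAgeDays   = 90
    PasswordHistoryCount = 24
    ComplexityEnabled    = $true
    LockoutThreshold     = 10
}

function Test-DomainPasswordPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()

    if ($p.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength is $($p.MinPasswordLength), baseline $($Baseline.MinPasswordLength)"
    }
    # MaxPasswordAge is a TimeSpan; zero/negative or an enormous value means
    # passwords never expire, so both directions count as a finding.
    $ageDays = $p.MaxPasswordAge.TotalDays
    if ($ageDays -le 0 -or $ageDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $ageDays days, baseline $($Baseline.MaxPasswordAgeDays)"
    }
    if ($p.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount), baseline $($Baseline.PasswordHistoryCount)"
    }
    if ($Baseline.ComplexityEnabled -and -not $p.ComplexityEnabled) {
        $findings += "Password complexity is disabled"
    }
    # LockoutThreshold 0 means accounts never lock out after bad passwords.
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold is $($p.LockoutThreshold), baseline $($Baseline.LockoutThreshold)"
    }

    [pscustomobject]@{
        Domain    = $Domain
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Run against the current domain and print the result.
Test-DomainPasswordPolicy -Baseline $Baseline | Format-List
```

Run it from any domain-joined machine with RSAT; a non-empty Findings list is the GPO setting you need to go tighten in the Default Domain Policy.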
How Do I Set One Up?
What you need = A computer/server with enough power to suit the needs of a network your size, Win 2000/2003 Server, it must have ethernet (obviously), and must be running a DNS server. That last one is critical. Without DNS, your domain is useless and will not operate. Luckily, you are now reminded of that when you set up your domain.
On your server, you go to a command prompt and type: dcpromo (stands for Domain Controller Promotion)
Your computer will go through a long process of installing and configuring Active Directory. After it's done you will have to reboot and sit through the longest boot cycle your computer has ever gone through. The first one is always the worst but Domain Controllers always take a while to boot.
Next, you can start joining workstations to your domain. For Win 2K Professional = Right Click My Computer > Properties > Network Identification > Where it says domain, enter your domain name.
(I could be slightly off on this click path because I'm on my SuSE box and I'm doing it from memory.)
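As an added example (not from the original post), here is the join step done from a script instead of the click path, with the DNS prerequisite checked first: the workstation looks up the SRV record that domain clients use to find a DC, refuses to continue if it isn't there, and only then joins. It assumes a Windows 8 / Server 2012 or later client (Resolve-DnsName and Add-Computer did not exist on Win 2K Professional) and an account permitted to join machines; "corp.example.com" is a placeholder domain name.

```powershell
# Added example (not from the original post): verify DNS can locate a DC
# for the domain, then join the workstation. Assumes a Windows 8/2012+
# client and an account allowed to join computers. "corp.example.com"
# is a placeholder, not a domain from the post.
param(
    [string] $DomainName = "corp.example.com",
    [switch] $Join   # without -Join the script only runs the DNS check
)

function Test-DomainDns {
    param([Parameter(Mandatory)] [string] $DomainName)
    # Domain clients locate DCs through this SRV record. If it does not
    # resolve, the "DNS is critical" warning applies and the join will fail.
    $srv = "_ldap._tcp.dc._msdcs.$DomainName"
    try {
        $records = @(Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
    } catch {
        return [pscustomobject]@{
            Domain            = $DomainName
            DnsOk             = $false
            DomainControllers = @()
            Error             = $_.Exception.Message
        }
    }
    [pscustomobject]@{
        Domain            = $DomainName
        DnsOk             = ($records.Count -gt 0)
        DomainControllers = @($records | ForEach-Object { "$($_.NameTarget):$($_.Port)" })
        Error             = $null
    }
}

$check = Test-DomainDns -DomainName $DomainName
$check | Format-List
if (-not $check.DnsOk) {
    Write-Error "No DC SRV record for $DomainName; fix DNS before joining."
    exit 1
}

if ($Join) {
    # Prompt for the joining account rather than hard-coding a password.
    $cred = Get-Credential -Message "Account allowed to join $DomainName"
    Add-Computer -DomainName $DomainName -Credential $cred -Restart
    # After the reboot, confirm the machine's secure channel to a DC with:
    #   Test-ComputerSecureChannel -Verbose
}
```

Run it once without -Join on a new workstation to see which DCs DNS hands back; if the list is empty, the workstation's DNS server setting is pointing somewhere other than the server you set up for the domain.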
Domains are very helpful and convenient. They help secure your network but should always be layered with other things, like IPsec, VPNs and Firewalls.
There are a lot of specifics that I didn't go into, like forests and trusts, that you can research on your own. Hope this helped some of you that don't know much about domains.