

Multiple Master Domain Model

Once you have more than 1,000 users or 50 servers, you really need to think about how you can lessen your administrative burden and provide additional fault tolerance capabilities. The multiple master domain model might just fill the bill. Like the master domain model, the multiple master domain model includes resource domains. But, instead of a single domain with all the user accounts defined in it, you have two or more domains that contain the user accounts, as shown in Figure 15.3. Your MIS department can still administer the entire network as long as it has accounts defined in either of the master domains.


Figure 15.3  The multiple master domain model.

In our example, there are two domains that have split the user accounts between them. The master domain on the left includes the user accounts from A through K, while the master domain on the right includes user accounts from L through Z. Each of these master domains trusts the other, which essentially provides you with one user database, much as the master domain model provides.

To extend this concept, each resource domain must trust each master domain so that all users can access all resources in the resource domains. This improves the resilience of logon and user authentication, because a single failure of a primary domain controller (assuming you do not have backup domain controllers) will prevent only half of your network users from logging on to the domain or being authenticated for resource access. If you have a WAN, you can also include a master domain on each side of the wire to give the local users fast access to their local resources, while still providing them the capability to access resources anywhere on the network.

While I have used this example to split user accounts alphabetically, you will find that this model works better for large organizations if you split the user accounts by department or division. Each department could have a master domain with the departmental user accounts. Departmental resource domains could then trust the departmental master domain. This would give you (the administrator) the capability to create a global group that grants users access to a particular resource in only one domain rather than in two or more domains.

For example, suppose you want to create a global group called OFFICE. OFFICE includes the users to be granted access to the MSOFFICE share (which contains the Office installation files). If all your departmental users are included in the departmental domain, it is a simple matter of creating the group and including your users. But if you have multiple master domains splitting user accounts alphabetically, you would have to create an OFFICE global group in each of the master domains. Then, in your resource domain, you would have to create a local group that would contain the global groups defined in the master domains in order to accomplish the same task.

Complete Trust Domain Model

The last domain model for us to look at is the complete trust domain model. In this model, all domains trust each other, as Figure 15.4 demonstrates. As you can see, each domain has its own user database. This particular model is designed for corporations that either do not have a centralized administration group or do not want to have a centralized group dictate who has access to their network resources.


Figure 15.4  The complete trust domain model.

In some cases, corporations wind up with this model from lack of prior planning rather than any specific need. And while it works fine, it is much more difficult to administer. As your network grows, it becomes very time-consuming to create additional trust relationships. You can express the number of trust relationships mathematically as n(n-1) where n is the number of domains on the network. For instance, if you have 5 domains, as the example shows, and decide to add another domain, you will have to create 6 * 5 or 30 trust relationships. If you have 20 domains, adding the 21st will require 420 trust relationships. And you thought your life as an administrator was difficult now.
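The trust layout of the multiple master and complete trust models, as an added example that is not from the book. The domain names are constructed, and the model assumes Windows NT 4.0's one-way, non-transitive trusts. It also separates the n(n-1) total from the number of new trusts that one added domain brings.

```python
from itertools import permutations

# A trust is a pair (trusting_domain, trusted_domain): the trusting domain
# accepts accounts that are defined in the trusted domain.

def complete_trust(domains):
    """Every domain trusts every other domain: n(n-1) one-way trusts."""
    return set(permutations(domains, 2))

def multiple_master(masters, resources):
    """Masters trust each other; each resource domain trusts each master."""
    trusts = set(permutations(masters, 2))
    trusts |= {(r, m) for r in resources for m in masters}
    return trusts

def can_authenticate(trusts, account_domain, resource_domain):
    """Assumes non-transitive trusts: the domain holding the resource must
    directly trust the domain holding the account."""
    return (account_domain == resource_domain
            or (resource_domain, account_domain) in trusts)

def grow_complete_trust(domains, new_domain):
    """Return (total trusts after the addition, trusts newly created)."""
    before = complete_trust(domains)
    after = complete_trust(list(domains) + [new_domain])
    return len(after), len(after - before)

if __name__ == "__main__":
    # Constructed names: two account (master) domains, three resource domains.
    masters = ["MASTER_AK", "MASTER_LZ"]
    resources = ["RES_SALES", "RES_ENG", "RES_HR"]
    mm = multiple_master(masters, resources)
    print("multiple master trusts:", len(mm))
    print("complete trust, same five domains:",
          len(complete_trust(masters + resources)))
    # Accounts in a master domain are accepted by every resource domain,
    # but accounts created in a resource domain are accepted nowhere else.
    print(can_authenticate(mm, "MASTER_AK", "RES_ENG"))
    print(can_authenticate(mm, "RES_ENG", "MASTER_AK"))
    print("5 -> 6 domains (total, new):",
          grow_complete_trust(masters + resources, "NEW_DOMAIN"))
```

For the same five domains, the multiple master layout needs 8 one-way trusts against 20 for complete trust, and it keeps account creation confined to the master domains.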

