Security In A Windows Domain Structure Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

A Windows domain is a group of computers, running the same or different versions of the operating system, that are connected and share a central directory database. The domain is one of the most important concepts in a Windows network. A domain is a collection of user accounts and computers that are grouped together so that they can be managed centrally.

The concept of the domain was first introduced in Microsoft Windows NT Server. Domains are controlled by domain controllers.


A domain controller is a server running a Windows Server operating system with Active Directory Domain Services installed. The domain controller responds to all authentication requests that arrive within that Windows Server domain. Every Windows domain must have at least one domain controller.

Domain controllers are mainly used to handle authentication requests securely; services such as access checking and logging in are monitored by the domain controllers. With a domain, a user only needs to provide a login in order to access resources located on different servers in the network. The domain controller only grants access; it cannot specify which resources are available for access.


A domain relationship is used whenever a relation is to be established between domain classes.

There are two types of domain relationship:

EMBEDDING RELATIONSHIPS: In this type of relationship, the elements of the target domain class are embedded in the elements of the source domain class.

REFERENCE RELATIONSHIPS: Unlike the embedding relationship, in a reference relationship the elements of the source domain class reference the elements of the target domain class.

These domain relationships have two roles: a source role and a target role.

A Windows domain operates in one of several modes. Windows 2000 has two modes:

Mixed Mode: This mode allows all Windows NT backup domain controllers.

Native Mode: In this mode, domain controllers based on Win2k can take part; a Windows NT 4.0 based backup domain controller cannot act as a domain controller. Moving to native mode adds support for universal groups, nested groups, SID history and conversion between security and distribution groups, while it disables the NT domain controllers.

A Windows 2003 domain, unlike Windows 2000, has 4 modes. Two new modes are added to the two that are present in the older version.

Win2k Mixed: The domain can contain both Windows NT 4.0 and later domain controllers (DCs).

Win2k Native: This mode is similar to the one in Windows 2000.

Windows 2003 interim: Only Windows 2003 and NT 4.0 domain controllers are supported in this mode.

Windows 2003: In this mode the domain supports only Windows 2003 domain controllers.

The following figure shows a domain structure and how different systems are connected in a domain. It is a multiple master domain structure, which is found in many organisations.


Multiple Master Domain Structure

Consider our university and, for simplicity, only its students and staff. In the figure above there are 4 domains: the student domain, the staff domain and the resource domains. The student domain holds all the information about student user accounts and the systems in the student workgroup, and it verifies authentication for them. Similarly, the staff domain contains all the information about staff user accounts; whenever a staff member wants to connect, this domain verifies the login details and grants permission. A resource domain holds the information about the different resources in that group.

These resources are accessed by different people from different domains. The user domains, such as staff and student, verify the logins, and the resource domains trust the user domains and provide the resources.


From a security point of view, it is not possible to protect a network that is organised as a workgroup. With a domain structure, a firewall can be implemented to protect against internal attacks in the network. Proxy servers, logon scripts and inner security gateways are also handled with those firewall settings. For an intruder, however, only the password of the system he wants to control is then required.

As mentioned, an intruder who is inside the workgroup knows, because of the domain structure, all the computers in that network group. Hence it is easier than a normal attack.

If an attacker manages to break into the server, then all the systems in that workgroup can be managed. Details can be easily identified, and from a server all the permissions can be amended.


Consider a large organisation. It is not possible for a single systems department to manage all the domains. An organisation has a number of departments, and it is more efficient if each department is given its own domain.

This can be achieved in two ways. One is to create a domain for each department. The other is to divide the network into two parts, a user domain and a resource domain, and to manage them separately.

Consider the first method, creating a domain for each department. A domain created for a department contains the details of all the user accounts from that department and all the resources available to it. For example, in a university, different domains can be created for types of user such as students, staff and admin; the students' domain contains the details of all the students' user accounts and the resources provided to them. This method reduces the workload on the Windows domain and gives efficient results.

Now consider the second method, dividing the entire network into a user account domain and a resource domain. The user account domain contains all the user account details and handles user authentication, while the resource domain deals with all the resources. In this arrangement the resource domain completely trusts the user domain. Whenever resources are required, the admin of the resource domain simply grants access to the user without any verification: because the user domain verifies the login details and the resource domain trusts the user domain, the resource domain simply trusts instead of verifying.


Let us consider Windows 2000 to discuss how to secure the domain structure.

ACTIVE DIRECTORY CREATION: Creating an Active Directory helps an application to identify, manage and use resources in a distributed environment. The Active Directory architecture depends on the security boundaries that are imposed on the organisation. A planned implementation helps in developing a secure Active Directory.


There are different types of boundaries available with Active Directory.

Security Boundaries: These define the liberty of the different groups within an organisation.

Forest as a Security Boundary: Here the forest is considered to be a security boundary.

Administration Boundaries: These specify the level of administration.


In order to secure a domain structure, the domain policy must be reviewed whenever important changes are made, such as modifying permissions on components like the file system or registry objects, or changing registry settings or user rights.
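
One way to carry out the review described above, as an added example that is not part of the original essay: the Python script below compares two security policy exports and reports every user right and registry setting that changed between them. It assumes the exports come from secedit /export; the sample exports, the placeholder SIDs and the names parse_inf, members and diff_policy are constructed for illustration.

```python
# Added example. Both exports are constructed sample data in the INF layout
# written by `secedit /export /cfg <file>`; the SIDs are placeholders.
BASELINE = r"""
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""
CURRENT = r"""
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""
REVIEWED = ("Privilege Rights", "Registry Values")  # user rights, registry settings

def parse_inf(text):
    """Return {section: {key: raw value}} for an INF-style policy export."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def members(section, value):
    """User rights are unordered SID lists; registry values are compared whole."""
    if section == "Privilege Rights":
        return {s.strip() for s in (value or "").split(",") if s.strip()}
    return {value} if value is not None else set()

def diff_policy(old_text, new_text):
    """Yield (section, key, added, removed) for each reviewed setting that changed."""
    old, new = parse_inf(old_text), parse_inf(new_text)
    for section in REVIEWED:
        before, after = old.get(section, {}), new.get(section, {})
        for key in sorted(set(before) | set(after)):
            was = members(section, before.get(key))
            now = members(section, after.get(key))
            if was != now:  # a reordered SID list compares equal and is skipped
                yield (section, key, sorted(now - was), sorted(was - now))

if __name__ == "__main__":
    print(*diff_policy(BASELINE, CURRENT), sep="\n")
```

Run against the sample data, it reports the extra account granted SeDebugPrivilege, the removed SeRemoteShutdownPrivilege assignment and the changed RestrictAnonymous value, while the reordered SeBackupPrivilege line is not flagged.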