[Previous] [Next]

Lesson 3: Windows 2000 Workgroups and Domains

Windows 2000 supports secure network environments in which users are able to share common resources, regardless of network size. The two types of networks that Windows 2000 supports are workgroups and domains.

After this lesson, you will be able to

• Identify the key characteristics of workgroups and domains.

Estimated lesson time: 10 minutes

Windows 2000 Workgroups

A Windows 2000 workgroup is a logical grouping of networked computers that share resources, such as files and printers. A workgroup is referred to as a peer-to-peer network because all computers in the workgroup can share resources as equals, or as peers, without a dedicated server. Each computer in the workgroup, running either Windows 2000 Professional or Windows 2000 Server, maintains a local security database, as shown in Figure 1.1. A local security database is a list of user accounts and resource security information for the computer the database is on. Therefore, the administration of user accounts and resource security in a workgroup is decentralized.

Figure 1.1 An example of a Windows 2000 workgroup

Because workgroups have decentralized administration and security

• A user must have a user account on each computer to which he or she wants to gain access.
• You must make any changes to user accounts, such as changing a user's password or adding a new user account, on each computer in the workgroup. If you forget to add a new user account to one of the computers in your workgroup, the new user won't be able to log on to that computer and will be unable to access resources on it.

A Windows 2000 workgroup provides the following advantages:

• It doesn't require a computer running Windows 2000 Server to hold centralized security information.
• It's simple to design and implement. A workgroup doesn't require the extensive planning and administration that a domain requires.
• It's convenient for a limited number of computers in close proximity. A workgroup becomes impractical in environments with more than 10 computers.

NOTE

---

In a workgroup, a computer running Windows 2000 Server is called a stand-alone server.

Windows 2000 Domains

A Windows 2000 domain is a logical grouping of network computers that share a central directory database. (See Figure 1.2.) A directory database contains user accounts and security information for the domain. This directory database is known as the Directory and is the database portion of Active Directory directory services, which is the Windows 2000 directory service.

In a domain, the Directory resides on computers that are configured as domain controllers. A domain controller is a server that manages all security-related aspects of user/domain interactions. Security and administration are centralized.

NOTE

---

You can designate only a computer running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter as a domain controller. If all computers on the network are running Windows 2000 Professional, the only type of network available is a workgroup.

A domain doesn't refer to a single location or specific type of network configuration. The computers in a domain can share physical proximity on a small local area network (LAN) or can be located in different corners of the world, communicating over any number of physical connections, including dial-up lines, integrated Services Digital Network (ISDN) lines, fiber lines, Ethernet lines, token ring connections, frame relay connections, satellite connections, and leased lines.

Figure 1.2 A Windows 2000 domain

The benefits of a domain are as follows:

• Provides centralized administration because all user information is stored centrally.
• Provides a single logon process for users to gain access to network resources, such as file, print, and application resources for which they have permissions. In other words, a user can log on to one computer and use resources on another computer in the network as long as he or she has appropriate privileges to the resource.
• Provides scalability so that you can create large networks.

A typical Windows 2000 domain has the following types of computers:

• Domain controllers running Windows 2000 Server. Each domain controller stores and maintains a copy of the Directory. In a domain, you create a user account once, which Windows 2000 records in the Directory. When a user logs on to a computer in the domain, a domain controller checks the Directory for the user name, password, and logon restrictions to authenticate the user. When a domain has multiple domain controllers, they periodically replicate their Directory information.
• Member servers running Windows 2000 Server. A member server is a server that isn't configured as a domain controller. A member server doesn't store Directory information and can't authenticate users. Member servers provide shared resources such as shared folders or printers.
• Client computers running Windows 2000 Professional. Client computers run a user's desktop environment and allow the user to gain access to resources in the domain.

In this lesson, you learned about Windows 2000 workgroups and domains. A Windows 2000 workgroup is a logical grouping of networked computers that share resources, such as files and printers. Workgroups are referred to as peer-to-peer networks because all computers in the workgroup can share resources as equals (peers), without a dedicated server. Security and administration aren't centralized in a workgroup because each computer maintains a list of user accounts and resource security information for that computer.

A Windows 2000 domain is a logical grouping of network computers that share a central directory database that contains user accounts and security information for the domain. This directory database is known as the Directory and is the database portion of Active Directory directory services, which is the Windows 2000 directory service. In a domain, security and administration are centralized because the Directory resides on domain controllers, which manage all security-related aspects of user/domain interactions. To create a domain, at least one computer must be running a Windows 2000 server product and must have Active Directory directory services installed on it.