RESET Forums (homeservershow.com)

So exactly what is a domain - and should I be scared of them?


jem101

Ever since it was announced that Windows Home Server was effectively an ex-product and Microsoft was touting Server 2012 Essentials as a possible replacement for this product, there has been a great deal of discussion on various forums regarding domains. I have heard on some podcasts and read considerable amounts on this subject, some of which have been confusing if not downright incorrect.

What I haven't come across is a simple and straightforward explanation of what a domain actually is, so I thought I might take the time to post a brief description of domains and why they need not be as frightening as some would have it.

In a nutshell a domain is simply a set of computers or devices that share a common security context.

There that wasn't so hard was it?

What's that? You think my explanation wasn't quite descriptive enough? OK then, let's go back to first principles; let's call it Logging In - 101.

Suppose I buy or set up a brand new Windows 7 PC. As part of the setup I'm required to name the computer - let's call it LivingRoom (no spaces allowed in the name) - and I'm also asked to give a username (let's say I simply decide to enter John), and optionally a password, which I leave blank - I'm the only one to use the machine. When I restart the PC, it goes straight to the desktop, and why not, there is only one user account with no password set. Actually though, although you don't see it, Windows is logging me into the PC using my username and password. The important thing is that behind the scenes the username which the computer is using is not just 'John', it is actually LivingRoom\John.

The name of the computer is prepended to the username to give the full account details - this is the context of the login credentials, or in other words, where the account details are actually obtained from. In this case everything is local to the machine; this is where the list (if you like) of allowed usernames and passwords is stored.

Now suppose my wife also wants to use the computer - she needs to have her own email setup, desktop background etc. So I, as an administrator, set up a new user account on the computer called 'Emma' and again don't bother with a password. This time when restarting the computer, I'm presented with either a list of allowed user accounts (which is simpler) or maybe a box asking to enter the username and password, which is slightly more secure. I enter either my name or my wife's and our respective desktops are displayed. If I want to increase the security a bit more, then I might decide that I want to enforce the use of passwords, in which case we would need to enter them.

So now we have two separate accounts which are actually:

LivingRoom\John and LivingRoom\Emma on this single PC and everything is ok.

The problems start to arise as soon as you introduce another computer or server or NAS box onto the network. Let's say I get another Windows 7 PC; it has to have a different name - how about 'Kitchen' - and again I set up two user accounts on it for myself and my wife. The new Kitchen PC doesn't know anything about users set up on the LivingRoom PC; I have to do all the setting up again.

Now suppose I want to share some music which is on the LivingRoom PC and play it on the Kitchen PC. I set up the proper folder to share and give it permissions so that both John and Emma can access it. I go to the Kitchen PC, log in as 'John' and find that I don't have rights to access the share. What's happened is that on the Kitchen PC my account is actually called Kitchen\John which has no connection to the LivingRoom\John account on the LivingRoom PC. It doesn't know who I am.

I need to go back to the LivingRoom PC and add my Kitchen\John account to the allowed shares, and I'd also better add Emma's account details as well, otherwise I'll get moaned at. Later on I get a NAS box to store movies and again it won't know anything about users on other devices, so I'll need to add security permissions on it. Oh, and my eldest daughter wants to be able to use both PCs to do homework, so I need to set up an account for her (on both machines) and change the security permissions on all the shares on all the devices. It's not too bad if there are no passwords involved, but if there are and you decide to change your password on one machine, none of the others will know about it; you will need to manually change it on all of them as well as changing the security details in the shares - otherwise you will suddenly find you can no longer connect to the folders.

A few weeks later, I get another machine for the Study and have to go through all the same setups again, and then the PC in the Kitchen dies and I have to replace the Hard drive and set it all up again etc. etc. etc.

This is the problem with the Workgroup model, as it's called - all of the security contexts are local to the device, one PC doesn't know or care about the other, changes are not sent around to other devices - the onus is on the users to keep everything in check.

In a domain model things are different: every user's account name (their login name), password and membership of any groups is kept on one central server called a 'domain controller' or DC.

So let's suppose that I set up a new 2012 Essentials server - it'll ask me for a domain name. Let's say I simply call it 'MyDomain'. It will also want a name for the Administrator account (which can't actually be the word 'administrator') and it really will insist on a password for this. Let's say I call the account 'Chief' and the password is simply 'password' (actually the password must be more complex than this, using uppercase and numbers/symbols etc., but for this discussion we'll keep it simple).

So I set everything up and add me, my wife and my daughter to the list of users on the server. I use the same names and the same passwords (Essentials will insist that everyone has proper passwords now), and set up the connector on the LivingRoom PC. On reboot, it asks me to log in, which I do, logging in as John with my password, and find that all of my stuff has gone. It's just as if I had never logged into the PC before. And indeed, in a way, I haven't.

As part of the process the connector has added the PC to the domain. Now when I log in I need to give it domain-level credentials, and behind the scenes my username has changed and is now MyDomain\John, which as far as the LivingRoom PC is concerned is a new user. The PC is now not looking at itself for account details and passwords but rather to the domain controller's central list. Presumably I would like all my stuff back, and this is where the transfer wizard comes in, but that's another story. So I do this to all of the PCs in my house, and move all of the shared music etc. to the server shares, and all is well. From now on when you enter your account details and password into a PC you are not logging into the PC as such but rather logging into the domain as a whole. Notice that the username now contains the domain name as part of it, not the server name or the local PC name.

The nice part comes when one of us decides to change our password: the change is actually made on the DC, so every other machine knows about it, share permissions don't change and the user can log onto any computer using the new password. Even better, when I want to add another user, say my younger daughter, I do it once on the server, add her account to the proper groups, and she can immediately log into any machine on the network with her own account and password and access any server share which she has permissions to.

At the risk of sounding a bit like an Apple fanboy, 'it just works'.

This is the basis of how domains work. This central management gives a far greater degree of control over the PCs and allows for some quite spectacular tricks. There is a feature called 'Folder Redirection' where the contents of your desktop, My Documents etc. are moved to shares on the server and are made available to you on any machine on the domain. It's as if your My Documents etc. are following you around; what's even better is that they are actually on the server, which is likely to be more secure.

 

Admittedly it can be a bit of a leap to get your head around the ideas behind domain-level authentication, and the fact that a great deal of what you can do with domains really isn't applicable to the home user, but I hope that this very brief description of what a domain actually is and how it works will dispel some of the fears that people have expressed about it. The domain security model is absolutely central to the way that Windows servers work; everything is geared to working with that model and you really do mess around with it at your peril - which is why attempts to force 2012 Essentials to behave more like a Workgroup server generally end in tears.

Best Wishes

John
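The post's two households can be put side by side in a small model. The following is an added example, not part of the original post or anything Microsoft ships: it is a toy simulation in Python of the account stores, qualified principals (AUTHORITY\name) and share permissions the post describes, with constructed computer names, usernames and sample passwords. It shows why Kitchen\John is a stranger to LivingRoom's share in a Workgroup, why a password change on one PC does not reach the others, and how joining both PCs to MyDomain gives one identity everywhere.

```python
"""Toy model of the Workgroup vs. domain logon described in the post (added example)."""


class AccountStore:
    """One authority's list of allowed usernames and passwords.

    In a Workgroup every PC holds its own store (authority = computer name);
    in a domain there is one store on the domain controller (authority =
    domain name).
    """

    def __init__(self, authority):
        self.authority = authority
        self.users = {}  # username -> password

    def add_user(self, name, password=""):
        self.users[name] = password

    def set_password(self, name, new_password):
        self.users[name] = new_password

    def authenticate(self, name, password):
        """Return the fully qualified principal (AUTHORITY\\name), or None."""
        if name in self.users and self.users[name] == password:
            return f"{self.authority}\\{name}"
        return None


class Computer:
    """A PC with a local account store, optionally joined to a domain."""

    def __init__(self, name):
        self.name = name
        self.local = AccountStore(name)
        self.domain = None   # set by join_domain()
        self.shares = {}     # share name -> set of allowed principals

    def join_domain(self, dc):
        # After joining, logons are checked against the DC, not the local list.
        self.domain = dc

    def logon(self, username, password):
        store = self.domain if self.domain is not None else self.local
        return store.authenticate(username, password)

    def share_folder(self, share, principals):
        self.shares[share] = set(principals)

    def can_access(self, share, principal):
        # Permissions compare the *qualified* name, so Kitchen\John and
        # LivingRoom\John are unrelated identities.
        return principal in self.shares.get(share, set())


def workgroup_scenario():
    """Two PCs, each with its own John/Emma accounts; no central authority."""
    living, kitchen = Computer("LivingRoom"), Computer("Kitchen")
    for pc in (living, kitchen):
        pc.local.add_user("John")   # blank passwords, as in the post
        pc.local.add_user("Emma")
    living.share_folder("Music", ["LivingRoom\\John", "LivingRoom\\Emma"])

    me = kitchen.logon("John", "")                # -> "Kitchen\\John"
    denied = not living.can_access("Music", me)   # LivingRoom has never heard of it
    living.share_folder("Music", ["LivingRoom\\John", "LivingRoom\\Emma", me])
    allowed = living.can_access("Music", me)

    # Change the password on one PC: the other never hears about it.
    living.local.set_password("John", "Spring2013!")    # constructed sample value
    stale = kitchen.logon("John", "Spring2013!")        # None: Kitchen still expects ""
    return {"principal": me, "denied_at_first": denied,
            "allowed_after_fixup": allowed,
            "other_pc_knows_new_password": stale is not None}


def domain_scenario():
    """Same household after joining both PCs to MyDomain."""
    dc = AccountStore("MyDomain")
    dc.add_user("John", "Sunny-Day-42")    # constructed sample passwords
    dc.add_user("Emma", "Rainy-Day-17")
    living, kitchen = Computer("LivingRoom"), Computer("Kitchen")
    for pc in (living, kitchen):
        pc.join_domain(dc)
    living.share_folder("Music", ["MyDomain\\John", "MyDomain\\Emma"])

    me = kitchen.logon("John", "Sunny-Day-42")   # -> "MyDomain\\John"
    allowed = living.can_access("Music", me)      # same identity on every machine

    dc.set_password("John", "Cloudy-Day-99")      # changed once, on the DC
    old_rejected = kitchen.logon("John", "Sunny-Day-42") is None
    still_allowed = living.can_access("Music", living.logon("John", "Cloudy-Day-99"))
    return {"principal": me, "allowed": allowed,
            "old_password_rejected_everywhere": old_rejected,
            "share_permissions_unchanged": still_allowed}


if __name__ == "__main__":
    print(workgroup_scenario())
    print(domain_scenario())
```

The model deliberately leaves out SIDs, Kerberos and the machine account that a real domain join creates; the one thing it keeps is that the authority name is part of the identity, which is the whole of the post's argument.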


One of the biggest advantages of using a domain is being able to control the overall health of your network. Machines that do not meet a certain level of healthiness can actually be quarantined from other network resources until that level of health is achieved. These are other resources that need to be deployed but once you see what you can do with the domain as opposed without it, I think the fear factor will go away.

 

I think one of the biggest drawbacks people have is the default password policy of complexity and having to change it every 30-45 days. This is easily enough changed to make those attributes act like your normal Workgroup settings to meet the family acceptance factor.


I smell a Microsoft employee... :huh:

 

For the record, I think the $425 is the scariest part of this whole S2012E to replace WHS2011 thing... it's just not feasible in a home environment, and really is laughable that Microsoft considers it so. Just my .02


I have yet to see any of the blogs or official statements where SBSE has been recommended for the Home Environment. It is a small business product.


I smell a Microsoft employee... :huh:

 

For the record, I think the $425 is the scariest part of this whole S2012E to replace WHS2011 thing... it's just not feasible in a home environment, and really is laughable that Microsoft considers it so. Just my .02

 

Recommended by MS or not, 425.00 is way beyond what I would ever consider paying for software. I feel 2012 Essentials is the logical step for WHS 2011 users to make, but only 2011 users who have TechNet subscriptions.

 

Personally, when my parents' V1 retires next year it will not be replaced with a MS product. Not out of anger, but because they don't offer a product anymore that fits their needs. 2011 is not an option as I would like to get away from a product whose future is over. Instead, I will just pick them up a NAS. When the time comes to replace my ex487 WHS 2011 machine, I too will go the NAS route.

 

Back on topic. Domains are pretty cool in what you can do. I understand now how, when at the software company I used to work for, I could log into any computer and work from that computer. Hmm.


Nice explanation and thanks for taking the time to write that up. Admittedly I have much to learn about DC but I am enjoying the path down that road.


Glad to have been of some help. And no, I'm certainly not a MS employee; personally I prefer using Macs, but I work in the IT industry, which is dominated by Windows PCs and server infrastructure, and with over a decade of experience of working with them, I do know how they all tick - so to speak.

 

But the above posters are right in one respect: MS can't and don't expect the home user to rush out and get a copy of a $425 server OS (it's anyone's guess of course what it'll cost us over here in the UK). What MS want is for everyone to use cloud storage, which naturally they will need to pay for monthly - ideally to Microsoft! I've made the same argument as to why MS seem determined to kill off Media Center; the reason is of course that once Windows is purchased, Microsoft make precisely nothing more from it. On the other hand, using a solution based on the Xbox means Gold memberships and a continuing revenue stream.

 

However, there is a small group of enthusiasts who like to have, and will probably continue to want to have, some kind of centralised home storage. If you happen to also have a TechNet subscription then using Essentials is a distinct possibility - although of dubious legality! It would be a shame if some of those people who were in a position to do so were put off using it solely because of fear of the domain security model; yes, it is a bit hard to get used to, but it really isn't the lurking bogeyman that some seem to assume.

 

So I hope that my post (and the other one where I explained why you really, really shouldn't try to make 2012 Essentials into a Workgroup system, unless of course you have masochistic tendencies, in which case please go ahead!) has at least begun to explain what a domain is and why it behaves the way it does. If I've managed to get even a few people who were prepared to dismiss 2012 Essentials out of hand purely through concern over domains to think again, then I'll be happy.

 

Best wishes

 

John


They are definitely trying to push all of us to a cloud model with monthly charges. My WHS box.....is my cloud.


They are definitely trying to push all of us to a cloud model with monthly charges. My WHS box.....is my cloud.

 

Which I find odd, because the cloud really isn't the future until internet ISPs provide significantly faster service at lower costs. That, and remove the data caps. It's silly to think you would ever stream an HD movie from the cloud. Right now, as we speak, my PS3 is downloading an HD movie from the PSN store. It will take about 4 hours to download. We have Comcast 20/3 internet service. That "HD" movie from the PSN is about 6GB, whereas the Blu-ray movie would have been about 25GB. So not only is the quality of the movie not great, it takes 4 hours to retrieve.

 

If all my documents, music, videos and pictures are stored centrally in the cloud vs. on the WHS, waiting for them to open (download) would just be annoying. I already think it takes too long to open a music file or open pictures stored on the WHS. Besides, no matter what, I can always access my data on the WHS locally if/when I have no internet connection.

 

The cloud may be the future someday, but it is a long ways off.

Edited by jeffla