Chapter - 4 Windows Networking

Uploaded by

tadesse

Chapter-4

Windows Networking Concepts


Windows workgroups and Domains

Contents:
➢ Organizing computers and users over a network
➢ The difference between workgroup and domain
➢ Overview of Active Directory Domain Services (AD)
➢ Overview of Domain Controllers (DC)


Organizing Computers and Users over a Network
Department of Information Technology

➢ Two networking models:
• Workgroup
• Domain
➢ The main difference between them is how the computers and other resources on the network are managed.
Windows Workgroup
➢ A workgroup (in Windows networks) is a logical grouping of networked computers that can share resources with each other.
➢ All computers are peers; no computer has control over another computer, so its network type is peer-to-peer.
➢ Devices in the same workgroup can allow each other access to files, printers, or an Internet connection.
➢ All computers must be on the same local network or subnet.
➢ A user can use their login credentials only on their own system and not on others; this is also known as local login.
➢ A workgroup is not protected by a password.
➢ Decentralized management
– Each device has its own dedicated storage
➢ More suitable for small or home-office networks (i.e. no more than twenty computers).

Advantages and disadvantages of workgroup networks


Windows Domains
➢ A way of organizing computers to share resources from a central location and registering user accounts, security principals, and computers in a central database.
➢ Client/server network with a shared database
➢ Allows administrators to manage large computer networks
➢ A server, called a domain controller, is required
➢ Domain - Group of users, servers, and other resources
• Share centralized account and security information in a database
➢ Active Directory: Contains the domain database with objects, attributes, and schema
• Makes it easier to organize and manage resources and security
Windows Domains…
➢ Any person registered in the server's domain receives a unique user account that is used to access services from the server.
➢ Servers control security and permissions for all computers on the domain using policies.
➢ Domain users must provide a password or other credentials each time they access the domain.
➢ Users can log in to the domain from any computer without having a local account set up on that computer.
➢ The computers can be on different local networks.
➢ Supports thousands of devices across multiple networks

Advantages and disadvantages of windows domain networks


Comparative Analysis
Workgroup | Domain
All computers are peers; no computer is over another. | Once the computers are under a server, every aspect is based on the will of the server.
Each computer should have a user account to log in to or use that computer. | A domain account needs a password every time to access. Once you have a domain user account you can log in from any location.
Not effective for more than 25-30 computers. | It can support more than 1000s of computers.
All computers should be in the same LAN or subnet. | They can be in different Local Area Networks or subnets.
Overview of Active Directory (AD)
➢ Active Directory is a database that stores all organization information and settings of objects to allow administrators to assign policies.
➢ Active Directory, developed by Microsoft for Windows domain networks, provides centralized control for network administration and security.
➢ The AD database is the file NTDS.DIT, which is located at C:\Windows\NTDS\NTDS.DIT
➢ It stores the data in the form of objects.
➢ It uses Kerberos for authentication and LDAP to query and modify items in the Active Directory databases.
Advantages of Active Directory
➢ Active Directory simplifies life for administrators and end users while enhancing security for organizations.
➢ Administrators enjoy centralized user and rights management, as well as centralized control over computer and user configurations through the AD Group Policy feature.
➢ Centralized resources and security administration.
➢ Single logon for access to global resources.
➢ Simplified resource location.
Active Directory Domains
➢ A domain is a container for AD objects (i.e. users, groups, computers…)
➢ Domains represent logical partitions within Active Directory for security and directory replication
➢ Domains are authentication and policy boundaries
➢ Any domain controller can authenticate any logon in the domain.
AD Domain Controllers
➢ Server computers configured with Active Directory are known as domain controllers.
➢ An AD domain must have at least one AD domain controller.
➢ The domain controller is responsible for all authentications, authorizations, additions, deletions, and modifications, and grants or denies users access to system resources via a single username and password inside a domain.
➢ Computers in the domain are not required to be at the same location as the domain controller.
➢ The Kerberos authentication service and KDC services perform authentication.
– Kerberos is a security mechanism built into AD (not invented by Microsoft; it is also used in many other authentication schemes)
– Advantage: it doesn't transfer the actual password over the network
– When a user logs on, it provides a ticket-granting ticket (TGT).
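The "password never crosses the network" point above, as an added example that is not part of the original slides: the client proves it knows a key derived from the password, and the KDC checks that proof against its own stored key. This is a simplified model, not the real Kerberos message format: `ToyKDC`, `client_request`, the HMAC proof, the realm and the account are all assumptions made for illustration.

```python
import hashlib, hmac, os, time

MAX_SKEW = 300  # seconds; Kerberos tolerates five minutes of clock skew by default

def long_term_key(password, realm, user):
    """Derive the user's key from the password (PBKDF2 only; real Kerberos adds more steps)."""
    salt = (realm + user).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, dklen=32)

def make_proof(key, timestamp):
    # Stand-in for Kerberos pre-authentication, which encrypts the timestamp with the key.
    return hmac.new(key, str(timestamp).encode(), hashlib.sha256).digest()

def client_request(user, password, realm, timestamp):
    """Everything the client puts on the wire: name, timestamp, proof. No password."""
    key = long_term_key(password, realm, user)
    return {"user": user, "timestamp": timestamp, "proof": make_proof(key, timestamp)}

class ToyKDC:
    """Hypothetical stand-in for the KDC service on a domain controller."""
    def __init__(self, realm):
        self.realm = realm
        self.keys = {}  # user -> derived key; the KDC never needs the clear password again

    def add_user(self, user, password):
        self.keys[user] = long_term_key(password, self.realm, user)

    def as_request(self, user, timestamp, proof, now=None):
        """Return an opaque ticket (TGT placeholder) if the proof is valid and fresh, else None."""
        now = time.time() if now is None else now
        key = self.keys.get(user)
        if key is None or abs(now - timestamp) > MAX_SKEW:
            return None  # unknown user, or a stale/replayed request
        if not hmac.compare_digest(make_proof(key, timestamp), proof):
            return None  # client does not know the password-derived key
        return os.urandom(16)

if __name__ == "__main__":
    kdc = ToyKDC("CCI.COM")                      # constructed realm and account
    kdc.add_user("abebe", "Correct-Horse-9")
    msg = client_request("abebe", "Correct-Horse-9", "CCI.COM", int(time.time()))
    print("fields sent:", sorted(msg))
    print("ticket issued:", kdc.as_request(**msg) is not None)
    bad = client_request("abebe", "guess", "CCI.COM", int(time.time()))
    print("wrong password accepted:", kdc.as_request(**bad) is not None)
```

The keys the KDC stores are password-equivalent, so the domain controller's database (NTDS.DIT on the earlier slide) needs the strongest protection in the domain.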
AD Domain Controllers…
➢ Best practice suggests having at least two domain controllers in a domain so that access to the domain can still be granted if one controller is down. One domain controller must be the primary domain controller.

[Figure: domain controllers (DC) running Windows Server 2012 R2]
Active Directory Structure
➢ Domain: An administrative boundary for applying policies to groups of objects
➢ Tree: a collection of related domains
➢ Forest: container of all AD objects
➢ Trust: Trusts provide a mechanism for users to gain access to resources in another domain
➢ Federation: allows different domains to access their resources in common (i.e. it is a type of transitive trust by default)
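AD Structure (Domain, Tree)
[Figure: cci.com with child domains IT.cci.com and CS.cci.com; iot.com with child domains EE.iot.com and ME.iot.com. Labels: "IT users & Computers", "Elec. Eng. dep’t users & Computers".]
AD Structure (Forest)
[Figure: cci.com with child domains IT.cci.com and CS.cci.com; iot.com with child domains EE.iot.com and CE.iot.com. Labels: "IT users & Computers", "Elec. Eng. dep’t users & Computers".]
AD Structure (Trust)
[Figure: two forests. cci.com with child domains IT.cci.com and CS.cci.com; iot.com with child domains EE.iot.com and ME.iot.com. Labels: "IT users & Computers", "Elec. Eng. dep’t users & Computers".]
AD Structure (Federation)
[Figure: cci.com with child domains IT.cci.com and CS.cci.com; iot.com with child domains EE.iot.com and ME.iot.com. Labels: "IT users & Computers", "Elec. Eng. dep’t users & Computers".]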

Federation allows different domains to access their resources in common (i.e. it is not domain specific)
Organizational unit (OU)
➢ An OU is a container used to organize objects within a domain into logical administrative groups, such as domain, tree, and forest.
➢ Can be used to denote a specific department, location, team, function, etc.
➢ Contains objects like users, groups, computers, printers, shared folders, etc.
AD Objects
➢ Any physical entities of a network
➢ Objects
– User
– Group
– Computer
– Organizational Unit (OU)
– Site
– Printer
AD Objects (OUs)
What Are OUs?
➢ Containers that can be used to group objects within a domain
➢ Create OUs to:
o Apply Group Policy at OU level
o Delegate administrative permissions
o Contain other OUs (i.e. nested OUs)
Group Policy Management
➢ Group Policy in Active Directory (AD) helps administrators quickly manage AD users, computers, and groups.
➢ Group Policy settings are contained in Group Policy objects (GPOs).
➢ A Group Policy Object (GPO) is a collection of settings that control the working environment of user accounts and computer accounts.
➢ Examples of GPO settings:
– File permissions
– User rights
– Installation of software
– Configuring the desktop background
– Managing which websites users can visit
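How nested OUs and Group Policy applied at OU level combine, as an added example that is not part of the original slides: it parses an object's distinguished name and merges GPO settings from the domain down through each OU, with the GPO linked closest to the object winning on conflict. The OU names, GPO names and settings are constructed; enforced links, block inheritance, site and local policy, security filtering and escaped commas in names are left out.

```python
# Added example: resolve which Group Policy settings reach an AD object.
# All names (OUs, GPO names, settings) are constructed for illustration.

def parse_dn(dn):
    """Split a distinguished name into (domain DNS name, OUs from outermost to innermost)."""
    parts = [p.strip().split("=", 1) for p in dn.split(",")]
    domain = ".".join(v for k, v in parts if k.upper() == "DC")
    ous = [v for k, v in parts if k.upper() == "OU"]
    return domain, list(reversed(ous))  # a DN lists the innermost OU first

def containers_for(dn):
    """Containers whose GPO links apply, in processing order: domain, then each OU level."""
    domain, ous = parse_dn(dn)
    chain = [domain]
    for i in range(len(ous)):
        chain.append("/".join([domain] + ous[: i + 1]))
    return chain

def effective_policy(dn, links, gpos):
    """Merge GPO settings along the chain; later (closer) containers overwrite earlier ones."""
    result, source = {}, {}
    for container in containers_for(dn):
        for gpo_name in links.get(container, []):
            for key, value in gpos[gpo_name].items():
                result[key] = value
                source[key] = gpo_name
    return result, source

# Constructed sample data, reusing the slides' IT.cci.com domain name.
GPOS = {
    "Domain Baseline": {"min_password_length": 12, "desktop_background": "corp.png"},
    "Staff Lockdown": {"desktop_background": "staff.png", "blocked_sites": ["example.test"]},
    "Lab Machines": {"software_install": "allowed"},
}
LINKS = {
    "IT.cci.com": ["Domain Baseline"],
    "IT.cci.com/Staff": ["Staff Lockdown"],
    "IT.cci.com/Staff/Lab": ["Lab Machines"],
}
USER_DN = "CN=Abebe,OU=Lab,OU=Staff,DC=IT,DC=cci,DC=com"

if __name__ == "__main__":
    policy, source = effective_policy(USER_DN, LINKS, GPOS)
    for key in sorted(policy):
        print(f"{key:22} = {policy[key]!r:20} (from {source[key]})")
```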
Windows server GPMS Console