IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
to work on a server running under the Windows NT operating system. The
operation of clients under Windows NT is not absolutely necessary.
The main advantage of this concept is central data storage and management. If
only one server is employed in a network like this, then only this server is
used to configure and hold an account for every user of the network. To be
able to use resources and services on this server via the network, a user simply
needs to log into the server. The employment of this concept can by all means
prove economically feasible in small networks.
However, if the server capacity no longer proves sufficient for fulfilling
requirements concerning processing speed and disk space, a great deal of extra
management is required when one or more servers are subsequently added to
the network. If all users are to receive the right to access all servers via the
network, corresponding user accounts must be configured and maintained on
each of the servers.
3. Domain concept
Under Windows NT, a domain is a group of computers having access to a
common security and user-account database (SAM database). This means that
users only need to log into the domain once. After that, they are able to access
all resources released for them, irrespective of which server these resources
are located on.
One domain server under the Windows NT Server operating system acts as a
primary domain controller (PDC). In addition, the domain can contain one or
more backup domain controllers (BDC), member servers - i.e. those without a
domain control functionality (also refer to the information provided further
below) - and Windows NT workstations. The domain can also contain
workstations running on other operating systems, such as Windows for
Workgroups, Windows 95 and MS-DOS.
A decision as to whether a server is to act as a primary domain controller,
backup domain controller or member server should be made before
installation, as subsequent changes are only possible if a re-installation is
performed. To provide a clearer understanding, the various types of servers
which can be found in a domain are described in more detail below:
a) Primary domain controller (PDC)
One server of a Windows NT domain must always be configured as a primary
domain controller. Use of the Windows NT Server operating system is
absolutely necessary here, as the Workstation version does not provide this
functionality. The central user-account database (SAM database) for the
domains is managed on the PDC. All changes can only be performed on this
database with the help of the user manager for domains. The primary domain
controller also processes user logins.
b) Backup domain controller (BDC)
Other servers of the domain can be configured as backup domain controllers.
Use of the Windows NT Server operating system is also absolutely necessary
here. A read-only copy of the user database of the domain is replicated
automatically on every backup domain controller. Synchronisation is
performed regularly. Backup domain controllers can also process user logins
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000