All About W2K

Well, OK, if you need an in-depth look at Windows 2000, you won’t find it here. But after living like a hermit for several weeks studying this behemoth -- and while it’s still reasonably fresh in my mind -- I want to take a stab at a brief outline of the Microsoft system.

The concept of domains is fundamental. Windows 2000 expands the original concept of Windows NT domains by adding Domain Trees, Forests, Transitive Trusts, OUs, Sites, GPOs, dynamic DNS with Active Directory to keep track of it all, and Microsoft Management Console to manage it all.

Similar to Windows NT, a Windows 2000 Domain is a security boundary. Domains control access to various objects using Access Control Lists (ACLs), and Domain Administrators have absolute control over all this. According to Microsoft, a Windows 2000 domain can handle roughly 10 million objects, but 1 million is more practical.

Objects inside a domain -- such as users, groups, shares, printers, and computers -- can be organized into containers called Organizational Units (OUs). Each organization will have its own OU structure, and domain administrators can then grant or deny permissions to OUs in any way that makes sense. Windows 2000 also provides hundreds of options to completely control the user environment by applying various Group Policy Options (GPOs) to an OU. Using GPOs, an administrator can deploy application software, manage users’ desktop environments, and delegate certain administrative functions.

Users are also organized into security groups and distribution groups. Security groups are similar to Windows NT groups, but with a few added twists. Distribution groups are mainly for future e-mail systems.

Here is where things can get confusing, at least for a skinny bald guy from Minnesota. A user is a member of one or more security groups, and also belongs to an OU, all of which belongs to a domain. Here’s how to keep it straight: Users and groups operate on objects. OUs are logical groupings of objects, and are operated upon. In other words, groups and users do things, while OUs and objects have things done to them.

Now it gets really interesting. Domains can be organized into hierarchical arrangements called trees, and multiple trees form a forest. Domains in a tree are related by transitive trusts. This means that if domain A trusts domain B, and domain B trusts domain C, then domain A also trusts domain C. This all happens automatically. Enterprise administrators can also manually set up non-transitive trusts between domains in separate trees of the same forest.

Each domain has at least one domain controller, and all domain controllers in a domain are now equal partners. Each domain controller keeps a replicated copy of everything it needs to describe all objects in its domain. Each forest also has at least one Global Catalog server that has pieces of all Active Directory objects for all domains in the forest -- that’s how all the domains in a forest know about each other.

Active Directory keeps track of all this, and servers use the LDAP protocol to communicate with each other. The Active Directory is really a database of metadata, describing objects and attributes for each object. Administrators can use Active Directory to publish shares, printers, and any other object that may be of interest to an organization.

Replication starts with a site, which consists of one or more IP subnets connected by a high-bandwidth, reliable network connection. While domains, trees, and forests are logical groupings, sites are physical groupings. A site may contain members of many domains in a forest, and a domain may span several sites. All domain controllers within each domain in a site automatically replicate with each other every few minutes, while the Domain Administrator controls the schedule of replication across sites. The details around replication still give me a headache.

Active Directory, in turn, depends on a completely revamped, dynamic DNS service to keep track of all the domain controllers and other naming issues. Note that Active Directory depends on any DNS service that supports a new -- to me -- SRV record type, and Microsoft strongly recommends that DNS servers handling Windows 2000 domains also support dynamic updates. Naturally, Microsoft’s new dynamic DNS service gladly supports all this. With dynamic DNS, DHCP servers now update DNS servers when they assign new IP address leases. WINS and NETBIOS are still here for compatibility with older systems.

Then there is the Microsoft Management Console (MMC). Instead of discrete programs to perform various management functions, Windows 2000 includes one MMC program and dozens of snap-ins, configurable as the domain administrator sees fit. With MMC and GPOs, the domain administrator can set up custom system administration interfaces for various groups of users and delegate authority over selected objects in whatever manner makes sense.

That’s the whirlwind tour. The next step -- go hands on to make these abstract concepts come alive. --Greg Scott, Microsoft Certified Systems Engineer (MCSE), is Chief Technology Officer of Infrasupport Etc. Inc. (Eagan, Minn.). Contact him at