A Review of Domains
Windows 2000 domains are the core unit of the logical structure of Active Directory; that logical structure (a domain tree or a forest) can be made up of one or more domains. A Windows 2000 domain can also span more than one physical location, since the physical topology is modelled separately as sites.
All network objects exist within a domain, and each domain stores information only about the objects it contains.
By definition, a Windows 2000 domain is an administrator-defined logical grouping of computer systems, servers and other hardware which share a common directory database.
Windows 2000 domains must have a unique name within the Active Directory forest.
Windows 2000 domains hold the domain user accounts, domain security groups and domain distribution groups. These are maintained by the domain administrators, or by other administrators to whom the domain or enterprise administrators have delegated that authority.
A domain is also a security boundary of sorts. It is not a complete security boundary, because the authority of the Enterprise Admins group reaches across every domain in the forest (in practice the forest, not the domain, is the real security boundary), but it is one to a degree when you consider things such as user and computer accounts, security identifiers (SIDs), GUIDs and domain-wide security settings.
You also need to remember that a domain is itself an object in Active Directory, and that it is one of the containers (along with sites and organizational units) to which Group Policy objects can be linked.
Every object in Active Directory has a security descriptor. The security descriptor records the object’s owner and the owner’s primary group, together with two access control lists.
The discretionary access control list (DACL) of the object lists the security principals (users, groups and computers) that are allowed or denied access to the object and the level of access each one has.
The system access control list (SACL) lists the security principals (if any) whose attempts to access the object should generate audit events, and whether successful attempts, failed attempts or both are audited.
The DACL for an object therefore specifies which users and groups are authorized to access the object and what level of access each has. Which kinds of access can be assigned (or denied) depends on the object type; for example, the Manage Documents permission exists only on printers, so it cannot be assigned on a file server.
The DACL consists of a list of access control entries (ACEs). An ACE can apply to the object as a whole, to a single attribute or set of attributes of the object, or, through inheritance, to a class of child objects. Each ACE specifies the security identifier (SID) of the security principal to which it applies, whether it allows or denies access, and the level of access concerned. ACEs are evaluated in order, and a deny that matches any requested right takes precedence over later allows, which is why Windows places explicit deny ACEs before explicit allow ACEs in the same list.
[NOTES FROM THE FIELD] – In plain English this means that your user account (identified by its SID) can read a specific file on a file server or print to a printer (the object) because the permissions set on that object, that is, the access control entries (ACEs) in its discretionary access control list, grant you the right to read the file or print to the printer.
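To make the structure just described concrete, here is an added example (not code from the original article): a small Python parser for a security descriptor written in SDDL, the text form Windows uses for security descriptors, followed by a simplified access check that walks the DACL in the order Windows does. The domain SID, the user RID 1104 and the SDDL string are constructed for illustration; the only real identifier assumed is the GUID that Active Directory assigns to the User-Change-Password extended right, used here to show an ACE scoped to a single right rather than the whole object.

```python
"""Parse an SDDL security descriptor and evaluate its DACL (added example).

Models the structure described above: owner, primary group, a DACL of ACEs
and a SACL of audit ACEs, each ACE naming a trustee SID, a set of rights and
optionally the attribute or extended right it is scoped to.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

WELL_KNOWN = {"BA": "S-1-5-32-544", "SY": "S-1-5-18", "WD": "S-1-1-0", "AU": "S-1-5-11"}
DOMAIN_RELATIVE = {"DA": 512, "DU": 513, "DC": 515, "DD": 516, "EA": 519}  # RID appended to domain SID
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "object allow", "OD": "object deny",
             "AU": "audit", "OU": "object audit"}

_SECTION = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")   # O:owner G:group D:dacl S:sacl
_ACE = re.compile(r"\(([^)]*)\)")                        # (type;flags;rights;obj_guid;inherit_guid;sid)


@dataclass
class Ace:
    kind: str           # see ACE_TYPES
    flags: Set[str]     # CI/OI/IO/ID inheritance flags, SA/FA audit-on-success/failure
    rights: Set[str]    # two-letter right codes, e.g. RP read property, WP write property, CR control access
    object_guid: str    # attribute/property set/extended right this ACE is scoped to; "" = whole object
    inherit_guid: str   # class of child objects that inherit it; "" = all classes
    sid: str            # trustee SID


@dataclass
class SecurityDescriptor:
    owner: str
    group: str                   # owner's primary group
    dacl: Optional[List[Ace]]    # None = NULL DACL (no protection at all); [] = empty DACL (nobody)
    sacl: List[Ace]


def _sid(token: str, domain_sid: str) -> str:
    """Expand an SDDL alias to a SID; literal S-1-... strings pass through unchanged."""
    if token in DOMAIN_RELATIVE:
        return f"{domain_sid}-{DOMAIN_RELATIVE[token]}"
    return WELL_KNOWN.get(token, token)


def _codes(s: str) -> Set[str]:
    return {s} if s.startswith("0x") else {s[i:i + 2] for i in range(0, len(s), 2)}


def _acl(text: str, domain_sid: str) -> List[Ace]:
    aces = []
    for body in _ACE.findall(text):          # leading ACL flags such as P/AI are skipped
        kind, flags, rights, obj, inh, sid = body.split(";")
        aces.append(Ace(kind, _codes(flags), _codes(rights), obj, inh, _sid(sid, domain_sid)))
    return aces


def parse_sddl(sddl: str, domain_sid: str) -> SecurityDescriptor:
    parts = dict(_SECTION.findall(sddl))
    return SecurityDescriptor(owner=_sid(parts.get("O", ""), domain_sid),
                              group=_sid(parts.get("G", ""), domain_sid),
                              dacl=_acl(parts["D"], domain_sid) if "D" in parts else None,
                              sacl=_acl(parts.get("S", ""), domain_sid))


def access_check(sd: SecurityDescriptor, token_sids: Set[str], wanted: Set[str],
                 object_guid: str = "") -> bool:
    """Simplified DACL walk as Windows does it: top to bottom, the first deny that overlaps a
    requested right wins, allows accumulate until every requested right is granted.
    Object-specific ACEs count only when the check names their GUID."""
    if sd.dacl is None:
        return True                                  # NULL DACL: everyone gets everything
    remaining = set(wanted)
    for ace in sd.dacl:
        if "IO" in ace.flags or ace.sid not in token_sids:
            continue                                 # inherit-only, or not one of our SIDs
        if ace.object_guid and ace.object_guid != object_guid:
            continue                                 # scoped to some other attribute or right
        covered = set(wanted) if "GA" in ace.rights else ace.rights   # GA = generic all
        if ace.kind in ("D", "OD") and remaining & covered:
            return False
        if ace.kind in ("A", "OA"):
            remaining -= covered
            if not remaining:
                return True
    return False                                     # empty DACL, or nothing granted everything


# Constructed sample: a domain object owned by Domain Admins, with one user denied Delete.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"      # made-up domain SID
USER_SID = DOMAIN_SID + "-1104"                               # made-up ordinary user
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"      # User-Change-Password extended right
SAMPLE_SDDL = ("O:DAG:DA"
               "D:(D;;SD;;;" + USER_SID + ")"                 # explicit deny listed first
               "(A;;RPWPCCDCLCSWRCWDWOCRSD;;;DA)"             # Domain Admins: full control
               "(A;;RPLCLORC;;;AU)"                           # Authenticated Users: read only
               "(OA;;CR;" + CHANGE_PASSWORD + ";;WD)"         # Everyone: just this one extended right
               "S:(AU;SAFA;WDWO;;;WD)")                       # audit DACL/owner changes, success and failure

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL, DOMAIN_SID)
    for ace in sd.dacl:
        print(ACE_TYPES[ace.kind], ace.sid, sorted(ace.rights), ace.object_guid or "(whole object)")
    print("user may read properties:", access_check(sd, {USER_SID, "S-1-5-11"}, {"RP"}))
    print("user may delete object:  ", access_check(sd, {USER_SID, "S-1-5-11"}, {"SD"}))
```

Two details worth noticing when you read real descriptors: a descriptor with no `D:` section at all (a NULL DACL) protects nothing, whereas a `D:` with no ACEs grants nobody anything, and the deny for user 1104 only blocks the Delete right, so the same user still reads the object through the Authenticated Users allow. The check for the change-password right succeeds only when the caller names that right's GUID, which is what makes object-specific ACEs different from ACEs on the object as a whole.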
In Windows 2000 domains, securable objects include files, folders, shares, printers and the objects stored in Active Directory itself. Security policies and settings do not cross from one domain to another, and a domain administrator has full rights to set permissions and policies only within that specific domain, unless they have been specifically granted administrative control in other domains or are also members of the Enterprise Admins group.
[NOTES FROM THE FIELD] – Much of this information is an exam requirement for both the 70-217 and the 70-219 exams. Some would argue it is more so for 70-217, and I would agree, but if you do not have the underpinnings from the administration pieces of 70-217, you will be hard pressed to pull off the design requirements for 70-219.
Domains are also units of replication. Every domain controller in a domain holds a complete, writable replica of that domain’s directory partition; a change made on any one domain controller is replicated to all the other domain controllers in the same domain (multi-master replication). Only the schema and configuration partitions, and the partial attribute set held by global catalog servers, are replicated across domain boundaries.