There are network structures you can choose from when implementing Windows NT Server.
The workgroup model can best be demonstrated by thinking of each Windows NT Server as an island. Each Windows NT Server has its own security database, resource listings and users. The Windows NT Servers do not share this information among each other nor do they request permission when clients access different servers. You can consider the workgroup model as the peer to peer implementation of Windows NT Server.
Providing centralized security is an important function of a network operating system. Windows NT Server uses a domain model as a directory service to implement security.
The domain model centralizes the security database, resource listing and users. When clients would like to access network functions, they need to be authenticated by the domain. A Primary Domain Controller or a Backup Domain Controller handles authentication and centralization. Users who are not authenticated by either of these servers will not be permitted to access Windows NT Server resources.
Each domain model will have at least one Primary Domain Controller. The main function of the Primary Domain Controller is to store security and user account database. The master copy of these databases for the domain is stored on the
The Backup Domain Controller contains a copy of the security and user database. The Backup Domain Controller’s main function is to authenticate users on a network. Any changes made to the security and user database are first made on the Primary Domain Controller and then the Backup Domain Controllers are updated.
If a Windows NT Server is a member of a domain, but is not a Primary Domain Controller or a Backup Domain, it is called a member server.
You can have multiple Windows NT Server domains on the same network. In order for users from one domain to access resources on another domain, a trust must exist between the domains. A trust can be thought of as a bridge between islands.
Trusts can be unidirectional where the bridge is only one way or they can be bi-directional where the bridge allows two-way traffic. The domain that has granted access to another domain is called the trusting domain. The domain that has been given access is called the trusted domain. On a unidirectional trust only users in the trusted domain can access resources in the trusting domain. In a bi-directional trust users from each domain can access resources in the other domain.