    Multiple domains give added security
    Author: Kevin R. Sharp
    [ 2004-06-17 19:13 ]


     


    Every domain controller (DC) holds all the passwords for all the users in the domain. Think about that before you put a DC in a small branch office with a receptionist, three salespeople and a front door lock you wouldn't trust to protect your DVD collection.


    Most companies will get along just fine with a Win2k network built on a single domain. You can delegate administrative duties by breaking the network into Organizational Units. You can simplify user support through the use of Groups. You can even connect to branch offices via low-bandwidth lines by configuring machines into sites and telling Active Directory which connections between sites need to be used with care.

    The simplest way to support a small branch office is to install a server, promote it to DC status, and use that single local DC to support the small staff. Before you commit to that architecture, though, take off your network administrator's hat and put on your network security hat. Each DC in an AD network contains a replicated copy of the AD that every other DC contains. That means the DC you are about to install in an unsecured storefront in Nowhereville contains every password for every user in the domain. Sure, the passwords are encrypted, but so were the passwords in Windows NT, and it's easy to find programs to download that will read an NT SAM. I'm not sure if there is a widely available "cracker" capable of attacking the AD files and producing clear text, but I sure wouldn't bet my job on it.

    If you've got unsecured offices, consider isolating those offices from the rest of the network by assigning them their own domains. It's a little more work to administer, but it will make sleeping a lot easier.
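    The script below is an added example, not code from the article or from Microsoft: it takes an exported DC inventory and reports how many accounts have their password data sitting on a DC in an unsecured site, first for the single-domain design and then with the storefront in its own domain. The CSV layout, host and domain names, and account counts are all constructed, and the model counts only each DC's own domain replica (it does not model trusts between domains).

```python
import csv
import io

# Constructed inventory (not from the article): one row per domain controller.
SINGLE_DOMAIN = """dc,domain,site,physically_secured
HQ-DC1,corp.example,HQ,yes
HQ-DC2,corp.example,HQ,yes
BR-DC1,corp.example,Storefront,no
"""

# Same offices after the storefront is given its own domain (constructed).
SPLIT_DOMAIN = """dc,domain,site,physically_secured
HQ-DC1,corp.example,HQ,yes
HQ-DC2,corp.example,HQ,yes
BR-DC1,branch.example,Storefront,no
"""

# Constructed account counts per domain for each design.
ACCOUNTS_SINGLE = {"corp.example": 1204}
ACCOUNTS_SPLIT = {"corp.example": 1200, "branch.example": 4}


def exposure_report(inventory_csv, accounts_per_domain):
    """Return {domain: {"accounts": n, "unsecured_dcs": [...]}} for every
    domain with at least one DC in a site not marked physically secured.

    Each DC holds a full replica of its own domain's account database, so a
    single unsecured DC exposes every account in that domain.
    """
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["physically_secured"].strip().lower() == "yes":
            continue
        domain = row["domain"].strip().lower()
        entry = report.setdefault(domain, {"accounts": accounts_per_domain.get(domain, 0), "unsecured_dcs": []})
        entry["unsecured_dcs"].append(row["dc"].strip())
    return report


def total_exposed(report):
    """Total accounts whose password data sits on an unsecured DC."""
    return sum(entry["accounts"] for entry in report.values())


if __name__ == "__main__":
    for label, inv, acct in (("single domain", SINGLE_DOMAIN, ACCOUNTS_SINGLE), ("branch domain", SPLIT_DOMAIN, ACCOUNTS_SPLIT)):
        rep = exposure_report(inv, acct)
        print(label, total_exposed(rep), rep)
```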

    For details on configuring and administering multiple domains, read: http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_SEconceptsDomArch.htm.


    Kevin Sharp is a registered professional engineer, writer, and yoga teacher living in Tucson, Arizona, and gains his expertise from a variety of professional activities. His writing interests have produced books and articles on the economic impact of technology on manufacturing and distribution organizations.
