Domains

Windows NT domains

Windows NT uses a domain model to provide centralized administration in a large network. A domain in Windows NT is a collection of computers that share a common user-account database and security policy across physical and divisional boundaries. You can store user, group, and resource data for an entire organization on one main computer, called a primary domain controller (PDC). Backup domain controllers (BDCs), which contain read-only copies of the security database, provide fault tolerance for the domain. Trusts can be set up among domains so that users can access resources across domain boundaries.

In Windows NT, user, group, and computer accounts are stored in a Security Accounts Manager (SAM) database, which is part of the registry of a domain controller. Within one domain, the SAM is replicated from the PDC to the BDCs and is used to authenticate users. Every Windows NT stand-alone server and workstation also has its own local SAM, which authenticates users when they log on locally. On a stand-alone server or workstation, a local account is therefore distinct from a domain account, even if the two use the same user name.

Domains in Windows NT are different from domains found on intranets and the Internet, which use a hierarchical naming system to identify computers. An example of an Internet domain is widgets.microsoft.com, where widgets points to an individual site, microsoft is a subdomain that identifies a company, and com is a top-level domain. Domain Name System (DNS) servers resolve domain names to the Internet Protocol (IP) addresses of individual hosts.
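A small model of the Windows NT concepts above, added here as an illustration (it is not code from the original page or from Windows): a PDC holding the writable SAM, read-only BDC replicas, a stand-alone machine with its own local SAM, and one-way trusts between domains. All names (CORP, SALES, WS1, alice) and passwords are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Sam:
    """Account database of one security authority: a domain controller or a stand-alone machine."""
    name: str
    read_only: bool = False                    # BDCs hold read-only replicas of the PDC's SAM
    users: dict = field(default_factory=dict)  # user -> password (plaintext only in this toy model)

    def add_user(self, user, password):
        if self.read_only:
            raise PermissionError(f"{self.name} is a read-only replica; write to the PDC")
        self.users[user] = password

    def authenticate(self, user, password):
        return self.users.get(user) == password


class Domain:
    """An NT domain: one writable SAM on the PDC, replicated to BDCs, plus the domains it trusts.
    A stand-alone workstation is modelled the same way: one local SAM, no BDCs, no trusts."""
    def __init__(self, name):
        self.name = name
        self.pdc = Sam(f"{name}\\PDC")
        self.bdcs = []
        self.trusted = set()  # accounts from these domains are accepted here (one-way, not transitive)

    def add_bdc(self):
        bdc = Sam(f"{self.name}\\BDC{len(self.bdcs) + 1}", read_only=True)
        self.bdcs.append(bdc)
        self.replicate()
        return bdc

    def replicate(self):
        for bdc in self.bdcs:  # push the PDC's copy of the SAM to every BDC
            bdc.users = dict(self.pdc.users)

    def trust(self, other):
        self.trusted.add(other.name)  # this domain now trusts accounts from `other`


def authorize(resource_domain, principal, password, authorities):
    """Decide whether 'AUTHORITY\\user' may use a resource in resource_domain.
    The account must belong to resource_domain itself or to a domain it trusts, and the
    credentials are checked by the account's own authority (a BDC if one exists)."""
    account_domain, user = principal.split("\\", 1)
    if account_domain != resource_domain.name and account_domain not in resource_domain.trusted:
        return False  # e.g. WS1\alice is not CORP\alice, and an untrusted domain's accounts are refused
    auth = authorities[account_domain]
    sam = auth.bdcs[0] if auth.bdcs else auth.pdc
    return sam.authenticate(user, password)
```

Because trusts are one-way, making SALES trust CORP lets CORP accounts reach SALES resources but not the reverse.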

Windows 2000 domains

Windows 2000 provides Active Directory for centrally administering accounts and policies. Windows 2000 combines the Windows NT domain model with a hierarchical domain model. In Active Directory, a collection of computers, called a domain, shares a common directory database, which is stored on a domain controller. Because every domain controller holds a writable copy of the account database, you do not have to designate PDCs and BDCs as you do in Windows NT. As in Windows NT, however, each domain has its own security policies and security relationships with other domains and represents a single security boundary.

Active Directory is made up of one or more domains, each of which can span more than one physical location. When using DNS, a domain is any tree or subtree within the DNS name space. Therefore, DNS domains can correspond to Active Directory domains.

For more information on domains, see Windows Help.