How do Windows domains work?


I saw that I can make PC_A (e.g. a Windows Server 2008 machine) a domain controller simply by running dcpromo. After that, I can create a user, e.g. George, which is a user in the domain of the controller, e.g. DOMAIN_ABC.

Now I go to another PC, PC_B, and if I change the DNS server (in the properties) to "see" the domain controller I created, then on that PC I can log in as DOMAIN_ABC/George although no account George was created on that PC.
But I cannot understand how this works.

I mean, when I set the DNS server of PC_B to be PC_A, then PC_A is also the domain controller, i.e. not only acting for the Name <-> IP mapping? And then when I open PC_B, type DOMAIN_ABC/George and the password and press login, what happens?
PC_B contacts PC_A, sees it is a user and accepts the login although there is no account on PC_B?

Could someone please explain the concept of domains on Windows machines?

user65971

Posted 2011-02-03T20:15:39.763

Reputation: 317

Answers


Well, to start, you missed a big step in this whole process: you need to join the PC to the domain in order to log in as a user on the domain. You also missed the DNS role of the domain controller. Generally speaking, a domain controller is also going to be a DNS server (even your backup DC should also act as a backup DNS server); however, these are separate roles.

When you join a PC to the domain, an entry gets added in Active Directory and another entry gets added to the forward lookup zone on the DNS server (which should also be your domain controller).

So, now your DC knows that PC-A is part of domain A and that PC-A can be found at IP x.x.x.x; also, on PC-A the full name will now be PCA.domainA.com. At this point, this computer is authenticated to allow logins from domain accounts. So, when you log in for the first time as a domain user, the DC will tell the PC to add that user to the computer in the particular group that the user resides in in AD.

So, if I have an account in AD that is a Domain Administrator, I will get added to the local Administrators group on PC-A when I log in for the first time. It will actually create a local account on the PC for that authenticated user, complete with app data and all the other permissions and directories a local user would receive.

Keep in mind, this is a very basic explanation, and things like Roaming Profiles and Group Policy can affect how all of this is handled.

Supercereal

Posted 2011-02-03T20:15:39.763

Reputation: 8 643

@Kyle: So the first time a user of the domain logs on to PC_B the DC is contacted. After that, since a local account is created, there is no need to contact the DC. Is this correct? – user65971 – 2011-02-03T20:40:24.053

No, it will still look for the DC every time in case the account changes or group policy was changed. However, if the DC is not available it will log in with cached credentials. – Supercereal – 2011-02-03T20:44:45.760

@user65971 Keep in mind that one of the main reasons domains exist is for centralized management: if an admin wants to change a user's password, the computer will need to talk to the DC to get this information, so it attempts to get hold of a DC every time. But at the same time it allows the creation of a local account that will cache the credentials, so users with laptops or users across a WAN that is prone to bouncing can still log in when a DC is not available. – Supercereal – 2011-02-03T20:51:09.873

@kyle: I go to Control Panel > Manage Accounts of machine PC_B and the only user is the local administrator. No George account! Where do you say the local account is created after first login?? – user65971 – 2011-02-04T06:52:15.330

@kyle: I am not familiar with this. If I log in as George, I indeed see an account George, but how can I see its privileges? If I log in as local administrator, I do not see a George (I am talking about Control Panel > Manage Accounts), only local admin. Could you please help me understand this? Additionally, when would I need to do in the command line create login [ABC\George] from windows, create user George for login [ABC\George] etc.? I think this has been done in PC_B but not sure why – user65971 – 2011-02-04T07:27:19.170

The permissions will be manageable from the Domain Controller since the domain user's groups, credentials, SID etc. are all coming from the DC. Again, this goes back to the centralized management. A good example would be a domain user that logs in at 10-15 different computers. An admin would not want to manage these permissions on each computer. The "user accounts" is only for managing local accounts; even if the user was in the local users group (which you can do), any changes made here would ONLY affect the user on that computer. – Supercereal – 2011-02-04T13:46:36.850

If you want to see the user's profile on that computer, go into Documents and Settings and you will see the domain user's profile there @user65971. You can also go into Users in Control Panel and import them as a local user on the remote computer that can be managed by the local administrator. You may have a domain user that you want to make a local admin just on PC_B: just go to add new user, type in the user name and domain, then the user will also be manageable from the local machine. – Supercereal – 2011-02-04T13:51:24.880

@Kyle: You say a domain user that logs in at 10-15 different computers. What does this mean? If user X logs in to domain ABC on PC_A and saves a file to the desktop and then logs in to domain ABC on PC_B, does he see the file on the desktop of PC_B? Is this also the concept of domain? Have virtually 1 PC? So see the HD from any PC? This part I lost – user65971 – 2011-02-04T16:29:15.337
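The points made in this answer and its comments (the join step and the DC's DNS role, why Control Panel > Manage Accounts shows no domain user, the profile a first domain logon leaves behind, domain groups mapped into local groups, and cached logons when no DC answers) can be checked read-only on a joined client. This is an added example, not code from the answer or from Microsoft; it assumes an elevated PowerShell 5.1 session on Windows 10 / Server 2016 or later, and `George` is an assumed sample account name.

```powershell
# Added example (not from the original answer): read-only checks of domain join,
# DC discovery, local vs. domain accounts and cached-logon policy on a client.
param([string]$CheckUser = 'George')   # assumed sample domain user name

# 1. Is this PC joined to a domain, and what is its DNS name? (the join step)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Joined to domain  : {0} ({1})" -f $cs.PartOfDomain, $cs.Domain
"FQDN              : {0}.{1}" -f $cs.DNSHostName, $cs.Domain

# 2. How does the client find a DC? Not via a plain host record: it queries the
#    _ldap._tcp.dc._msdcs SRV record in the domain's DNS zone (the DC's DNS role).
if ($cs.PartOfDomain) {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($cs.Domain)" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { "DC locator SRV    : {0}:{1}" -f $_.NameTarget, $_.Port }
}

# 3. Local vs. domain accounts: Get-LocalUser (what Manage Accounts shows) lists
#    only the local SAM, so a domain user who has logged on here does NOT appear.
$localHit = Get-LocalUser -ErrorAction SilentlyContinue | Where-Object Name -eq $CheckUser
"Local SAM account '$CheckUser' exists : $([bool]$localHit)"

# 4. What a first domain logon does leave behind: a profile under C:\Users,
#    keyed by the account's domain SID (the "local account" the answer describes).
Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } |
    ForEach-Object {
        try {
            $acct = (New-Object System.Security.Principal.SecurityIdentifier $_.SID).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $acct = '<unresolved SID>' }   # e.g. a deleted or offline-only account
        "Profile           : {0,-30} -> {1}" -f $acct, $_.LocalPath
    }

# 5. Domain groups mapped into local groups (e.g. Domain Admins -> Administrators);
#    PrincipalSource tells local members apart from Active Directory ones.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { "Administrators    : {0} [{1}]" -f $_.Name, $_.PrincipalSource }

# 6. Cached logons: how many domain users can still log on when no DC is reachable.
#    Default is 10; 0 disables caching, a common hardening choice on fixed desktops.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $wl -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
"CachedLogonsCount : $cached"
```

Run it once while on the corporate network and once with the DC unreachable to see which of the checks above (the SRV lookup) fails and which (profile, group membership, cached logons) still hold.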


If the second machine belongs to the domain, then any user on that domain can log into any machine on the domain (notwithstanding certain permissions).

So your domain controller, let's say, is PC_A. Your domain is ABC. So all machines on that domain will be machine.domain, or in your case, PC_A.ABC.

The second machine, PC_B, if it is added to the domain, will then become PC_B.ABC, and then any users registered in the Active Directory list of users will be able to log into PC_A or PC_B, because the domain covers both machines.

Does that make sense?

user3463

Posted 2011-02-03T20:15:39.763


@Randolph: So PC_B has 2 domains? Domain ABC and the domain of the local (or this) PC? – user65971 – 2011-02-03T20:35:18.193

Just a little faster :P – Supercereal – 2011-02-03T20:39:09.103

No, there is only one domain, ABC. But two PCs belong to one domain. Think of it like an umbrella, or a building. Everything below it belongs to one set of security rules, called an "Active Directory". That "AD" is your actual domain. – None – 2011-02-03T20:39:44.047

@Randolph: But on PC_B, if I click switch user, I see I have the options to log in as: ABC/George, ABC/Administrator or WWSIIT0q12/Administrator, where the last part (the obscure name like WWSIIT0q12) seems to be the local PC name (I think this is what I get if I do hostname in cmd). So it seems I can log in as local administrator (domain WWSIIT0q12) or administrator of the domain (ABC) – user65971 – 2011-02-03T20:46:36.197

Yes, nothing is stopping you from logging in to the local machine. The advantage of logging into the domain, though, is that it gives you access to the shared resources of that domain, including files, printers, etc. – None – 2011-02-03T20:47:50.663

@Randolph: So logging in to the local machine is not considered logging in to e.g. a local domain or something. No local domain concept? – user65971 – 2011-02-03T20:48:48.957

Correct. Logging into the local machine is logging in as though there is no domain. – None – 2011-02-03T20:49:33.780