Dr. Dobb's Journal December 1998
Workgroups versus Domains
Windows NT and Windows 95 provide two different ways of logically grouping a network full of computers. These logical groups are the containers that are listed when the Microsoft Windows Network container is enumerated.
Workgroups are purely a naming convention. There is no shared authentication information between computers; each machine maintains its own Security Account Manager (SAM), which contains the account information visible in the User Manager. Think of this like a crowded party where folks from, say, Dallas hang out in one corner and folks from Boston in another. They are all in the same room but have grouped themselves for distinction.
A domain -- not to be confused with the TCP/IP concept of the same name -- is a means of keeping distinct, replicated, and shared authentication information. The computers themselves are still in a flat namespace, but they will attempt to validate user logins based upon the system's domain membership. A domain's authentication information is stored on NT Servers designated as primary or backup domain controllers.
A workstation's SAM does not disappear when that machine is a member of a domain. However, by default, logins attempt to authenticate against the domain controller. Interactive logins can still use only the local SAM by selecting the local computer name from the "Domain" list on the login dialog.
As far as enumerating network containers is concerned, workgroups and domains are, as far as I can tell, indistinguishable. Comments to the contrary are invited since it would sometimes be useful to know when different authentication information is required when connecting via domain-based accounts. Both contain computers as connectable objects.
The information provided during an enumeration of containers is derived from an internal browse info table. The mechanisms that support this table are truly Byzantine. If you are interested in reading up on the arcana of browsing, Chapter 3 of the Windows NT Server 4.0 Resource Kit Windows NT Server Networking Guide has everything that you could ever hope, or fear, to know.
The Universal Naming Convention (UNC) is a useful abstraction for connecting to resources in a Windows network. These names take the familiar form \\MACHINE, though they are most often used in conjunction with a shared resource name from the target machine, for example \\MACHINE\SHARE. As in most network naming conventions, a machine name must be unique, whether using workgroups or domains. In fact, if you are using IP, you can create a valid UNC using an IP address, \\11.22.33.44\SHARE, for example. This is very useful if, for some reason, you can't browse to the intended target host (say it with me: Byzantine).
-- F.L.
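The UNC forms described above, as an added Python example that is not part of the original article: it splits a name into host, share and remaining path, and reports whether the host is an IPv4 address rather than a machine name. The names `UNC` and `parse_unc`, the IPv4-only address check and the rule that rejects empty or space-padded components are assumptions of this example.

```python
import ipaddress
from typing import NamedTuple, Optional


class UNC(NamedTuple):
    host: str             # machine name or IP address
    host_is_ip: bool      # True when the host is a dotted IPv4 address
    share: Optional[str]  # shared resource name, None for a bare \\MACHINE
    path: str             # anything below the share, "" if absent


def parse_unc(text: str) -> UNC:
    """Split a UNC name into host, share and remaining path."""
    if not text.startswith("\\\\"):
        raise ValueError(f"not a UNC name: {text!r}")
    parts = text[2:].split("\\")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()  # tolerate one trailing backslash
    for part in parts:
        # Policy of this example: empty or space-padded components are errors,
        # which catches typos such as a space after the separator.
        if part == "" or part != part.strip():
            raise ValueError(f"bad component {part!r} in {text!r}")
    host = parts[0]
    try:
        ipaddress.IPv4Address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    share = parts[1] if len(parts) > 1 else None
    return UNC(host, host_is_ip, share, "\\".join(parts[2:]))


if __name__ == "__main__":
    # Constructed sample names, not taken from any real network.
    samples = [r"\\MACHINE", r"\\MACHINE\SHARE",
               r"\\11.22.33.44\SHARE\docs\a.txt", r"\\11.22.33.44\ SHARE"]
    for name in samples:
        try:
            print(name, "->", parse_unc(name))
        except ValueError as err:
            print(name, "-> rejected:", err)
```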
Copyright © 1998, Dr. Dobb's Journal