General discussion

Locked

Workgroup vs Domain

By Shanghai Sam ·
We currently have several locations with small W98 peer to peer workgroups. All pc's involved log on to our Windows NT 4.0 server each time they reboot. If a workgroup looses connectivity to our WAN, the pc's can still share resources because the File and Print sharing in W98 is set to "share-level". We are now beginning to install Windows 2000 Professional on the pc's in small "workgroups" . Is it possible to configure W2000 Prof in a similar fashion ?? From the reading I have done, it seemsas though you must choose between joining a domain or a workgroup.....not both. So, if I configure the pc's to join a domain and add a computer account and share resources to domain users........when we loose connectivity the user cannot be validated and therefore cannot see other's resources. What are the disadvantages of creating a workgroup and not joining the domain ?? Can I still log on to the Exchange server ?? Is there a better way ??

This conversation is currently closed to new comments.

5 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Workgroup vs Domain

by shoe4rent In reply to Workgroup vs Domain

You can use a workgroup and a domain from the local 2k computer. Logon to the domain by default, if the domain is not available then you log on locally and you are in the workgroup.

You basically get the same thing as you do now with the 98 workgroup.

Collapse -

Workgroup vs Domain

by Shanghai Sam In reply to Workgroup vs Domain

Answer 1 is okay as far as it goes, BUT (don't you just hate the buts) things are quite as simple as with Win 98.
1. Win2K peer-to-peer networking (using workgroups) is slightly more complicated than with Win 98. In Win 98, you have an option of using either share-level access control (single shared password for each shared resource), or user-level access control (user/group access list for shared resources on each computer). Win2K uses the equivalent of user-level access control only.
2.Changing from domain to workgroup and back: this can be a painful process in Win2K. When you are set to have domain membership, that membership is based on 2 things: your user account and a computer account for the computer trying to access the domain. Without both, there is no access. When Win2k attempts to log-on to the domain, it expects to find a domain controller to authenticate both the computer account (this computer is authorized on this domain), and a user account (this user is authorized to access this domain). If a doamin controller is not found, log-on is not successful.
The only way to access the computer is to have either a user account on the computer or permission to use the computer (vs. domain) administrator account. However all this does is allow you to use the computer. It can't see any workgroup because it is set to have membership in a domain.
If you want to gain access to resources shared in the workgroup, you need to change the membership from domain to workgroup (of course this requires local administrative rights). And of course this must be done on all computers affected by the loss of connectivity. But wait, it gets "better."
When you are able to reconnect to the domain, you have to reverse the process. However, it's not just as simple as changing membership from workgroup back to domain (which of course also requires local admin privileges).
(cont.)

Collapse -

Workgroup vs Domain

by timwalsh In reply to Workgroup vs Domain

Had to repost this because the system timed out.
Answer 1 is okay as far as it goes, BUT (don't you just hate the buts) things are quite as simple as with Win 98.
1. Win2K peer-to-peer networking (using workgroups) is slightly more complicated than with Win 98. In Win 98, you have an option of using either share-level access control (single shared password for each shared resource), or user-level access control (user/group access list for shared resources on each computer). Win2K uses the equivalent of user-level access control only.
2. Changing from domain to workgroup and back: this can be a painful process in Win2K. When you are set to have domain membership, that membership is based on 2 things: your user account and a computer account for the computer trying to access the domain. Without both, there is no access. When Win2k attempts to log-on to the domain, it expects to find a domain controller to authenticate both the computer account (this computer is authorized onthis domain), and a user account (this user is authorized to access this domain). If a doamin controller is not found, log-on is not successful.
The only way to access the computer is to have either a user account on the computer or permission to use the computer (vs. domain) administrator account. However all this does is allow you to use the computer. It can't see any workgroup because it is set to have membership in a domain.
If you want to gain access to resources shared in the workgroup, you need to change the membership from domain to workgroup (of course this requires local administrative rights). And of course this must be done on all computers affected by the loss of connectivity. But wait, it gets "better."
(cont.)

Collapse -

Workgroup vs Domain

by timwalsh In reply to Workgroup vs Domain

(cont.)
When you are able to reconnect to the domain, you have to reverse the process. However, it's not just as simple as changing membership from workgroup back to domain (which of course also requires local admin privileges).
The computer account used for membership in a domain actually has 2 parts: 1 on the domain controller and 1 on the local computer. Normally when you change membership from domain to workgroup both sides of the account computer account are removed. When you lost connectivity and changed membership only the local part was removed. When you re-establish connectivity with the domain and attempt to rejoin the domain with a computer named "George", the domain controller comes back and says "I can't do that, there's already a computer named "George" in the domain (the DC doesn't realize that "George" was ever removed from the domain.
So you have 2 choices at this point: change the name of the computer, or get the domain administrator to delete the old computer account on the DC and wait for this change to be synchronized among all DCs. And of course this has to be done on all computers affected.
(Getting tired yet?!)
(cont.)

Collapse -

Workgroup vs Domain

by timwalsh In reply to Workgroup vs Domain

(cont.)
Now, can you still access domain resources from a workgroup? -- the answer is yes BUT (you knew that was coming didn't you!), you have to present credentials (user ID and password) recognized by the domain. The key here is you still have to have domain accounts for each user as well as user accounts on all computers in the workgroup that share resources (do yourself (and your users) a favor and make the local user accounts match the domain account). The easiest way to present domain-recognized credentials is to map a shared drive from the WAN and set it to reconnect at log-on. BUT (there are always buts), because you cannot browse the network (you aren't part of the domain), you must know the the Fully-Qualified Domain Name (FQDN) for the share. The FQDN takes the format \\servername\sharename or \\serverIPaddress\sharename (going the IP address route usually presents fewer problems).
Exchange is easy to access regardless of whether membership is domain or workgroup. An Exchange mailbox is tied to a domain user account. If you log-on to a domain, the domain credentials have already been authenticated. If you aren't logged on to the domain, Exchange will probably ask for username, domain, and password to establish credentials.
Sorry this is so long winded, but your question needed more thana 2 sentence answer. Hope this helps.

Back to Windows Forum
5 total posts (Page 1 of 1)  

Related Discussions

Related Forums