I'll have a go .... :)
A Windows domain is an authentication-and-authorisation space, defined
by a database of all usernames known within that space, together with
their passwords, group memberships and much more related stuff. The
username database (held as a set of files of course) is managed by one
or more servers dedicated to the task of processing logon attempts,
verifying passwords, authorising filesystem access requests, etc.
This type of server is known as a domain controller (or domain server
if you like).
The domain will also contain, in general, many workstations used by
the end-users, and a number of servers holding files, services and
other objects available for the use of the users. The files and
services have permission settings which define which users can access
them and in which ways. The permission settings reference the
usernames defined in the username database.
Any machine (workstation or server) needing to make use of the
username database must be "joined to the domain" (which means
exchanging keys, so that secure communication can occur); we call such
machines "members of the domain" .... member servers, member
workstations. In a medium to large organisation there are usually
quite a few member servers dedicated to file serving, some to web
serving, some to print serving, and a few to more esoteric tasks (SQL,
DNS, DHCP, WINS [does that still exist ?], etc. etc.).
You could refer to these servers as fileservers, webservers,
printservers, SQLservers, DNS servers, etc. .... you see the pattern
here ? :-)
You /can/ combine some of these server roles (including domain
controller) in one physical server, but you must be careful about
performance, especially in geographically dispersed networks. Note
that all access requests must ultimately effectively be processed and
approved by the domain controllers, which can make them pretty busy
machines - so that job is often done by dedicated servers.
There may also be other Windows servers owned by the organisation,
which are not members or controllers of the domain - these servers are
known as stand-alone servers, and their users will not share the same
username & password database as is used within the domain.
Steve> Are there any guidelines for this sort of stuff?
Yes. In the Microsoft world, typically the sysadmins all go on [gulp]
"MCSE" (Microsoft Certified System Engineer) training programmes,
where all this stuff is taught in some detail - including how to
estimate performance requirements from expected user population &
required data flows, and thus how to arrive at an effective network
and domain design. Usually you discover that you need an unbelievable
number of servers, and that the cost of server licenses and "client
access licenses" (an iniquitous concept) is likely to bankrupt your
employer ;-) .... After your boss has had a heart attack, you think
about Samba ....
I don't know whether or not there are FOSS-world courses which teach
the same (CIFS/SMB/AD) concepts.
You can also find any number of $50 text books on the subject
("Windows Active Directory") in any decent bookstore.
Active Directory Cookbook, 4th Edition
Solutions for Administrators & Developers
(but they will usually be focused on Microsoft products).
BTW: if you don't already know about it, you really should also try to
learn as much of the stuff on this website as you possibly can :
It's more about the protocols, rather than domain design - but still
important for a sysadmin (and it's by one of the Samba team).
[I hope this helped ... maybe you already know all this stuff, and I
didn't understand your question .. it was fun trying anyway :)]