A Windows domain is a collection of security principals that share a central directory database. That database is usually maintained by a proprietary Microsoft product or technology: Active Directory starting with Windows 2000, Active Directory Domain Services in Windows Server 2008 and Server 2008 R2, and, on Windows NT operating systems, NT Directory Services (NTDS). Each person who uses computers within a domain receives a unique account, or user name, which can then be granted access to resources within the domain.
Computers can join a domain easily over a LAN, or over a WAN using a VPN connection. Domain users gain stronger security for their VPN connections because adding a domain to a network brings support for a certification authority, so smart cards and digital certificates can be used to confirm identities and protect stored information.
Domain controllers
In a Windows domain, the directory resides on computers that are configured as "domain controllers." A domain controller is a Windows or Samba server that manages all security-related aspects of interactions between users and the domain, centralizing security and administration. A Windows Server domain is generally suited to businesses and organizations with more than 10 PCs in use. A domain does not refer to a single location or a specific type of network configuration: the computers in a domain can share physical proximity on a small LAN or be located in different parts of the world. As long as they can communicate, their physical position is irrelevant.
Where PCs running a Windows operating system must be integrated into a domain that includes non-Windows PCs, the free Open Source package Samba is a suitable alternative. Whichever package is used to control it, the database contains the user accounts and security information for the resources in that domain.
Active Directory
Computers inside an Active Directory domain can be assigned to organizational units according to location, organizational structure, or other factors. In the original Windows Server Domain system (shipped with Windows NT 3.x/4), the administration tools could show machines in only two states: computers detected on the network, and computers that actually belonged to the domain. Active Directory makes it easier for administrators to manage and deploy network changes and policies (see Group Policy) to all of the machines connected to the domain.
Windows workgroups, by contrast, are the other model that ships with Windows for grouping Windows computers in a networking environment. Workgroup computers are considered 'standalone', i.e. the workgroup imposes no formal membership or authentication process. A workgroup has no servers and clients, and hence represents the peer-to-peer (or client-to-client) networking paradigm rather than the centralized server-client architecture. Workgroups are considered difficult to manage beyond a dozen clients, and lack single sign-on, scalability, resilience/disaster recovery functionality, and many security features. Windows workgroups are more suitable for small or home-office networks.
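As an added example (not from the article), the following PowerShell reports which of the two models described above a machine is in, and, when it is domain-joined, enumerates the domain controllers that hold the directory and checks that each answers on the LDAP port. It assumes Windows PowerShell 5.1 or later on a Windows host; `Test-NetConnection` needs the NetTCPIP module present on supported Windows versions.

```powershell
# Added example, not part of the article: report workgroup vs. domain
# membership and, for a domain-joined machine, list its domain controllers.
function Get-DomainMembershipReport {
    [CmdletBinding()]
    param()

    # Win32_ComputerSystem exposes PartOfDomain, Domain and Workgroup.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $report = [ordered]@{
        ComputerName      = $cs.Name
        PartOfDomain      = $cs.PartOfDomain
        Domain            = if ($cs.PartOfDomain) { $cs.Domain } else { $null }
        Workgroup         = if ($cs.PartOfDomain) { $null } else { $cs.Workgroup }
        DomainControllers = @()
    }

    if ($cs.PartOfDomain) {
        try {
            # Ask the directory itself for the domain controllers. This works
            # against Active Directory and against a Samba AD domain controller.
            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
            $report.DomainControllers = foreach ($dc in $domain.DomainControllers) {
                [pscustomobject]@{
                    Name          = $dc.Name
                    IPAddress     = $dc.IPAddress
                    SiteName      = $dc.SiteName
                    # A DC the client cannot reach over LDAP (TCP 389) cannot
                    # authenticate it; flag such DCs for the administrator.
                    LdapReachable = Test-NetConnection -ComputerName $dc.Name -Port 389 `
                                        -InformationLevel Quiet -WarningAction SilentlyContinue
                }
            }
        } catch {
            # Domain-joined but the directory could not be queried (e.g. DC unreachable).
            Write-Warning "Domain-joined but directory lookup failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]$report
}

Get-DomainMembershipReport | Format-List
```

On a workgroup machine the report shows `PartOfDomain = False` and an empty `DomainControllers` list, which is exactly the absence of central authentication the paragraph above describes.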