Understanding Active Directory

ITworld.com |  Networking

Domains and domain trees

Windows 2000 domains are similar to NT domains; they define administrative boundaries on a network, as well as replication and security boundaries. Note that Windows NT/2000 domains are somewhat different from DNS domains. A Windows NT/2000 domain is a container for objects and resources, whereas a DNS domain is a tree or subtree within the DNS namespace.

Windows 2000 domains, which contain objects and OUs, are named according to DNS naming conventions. (Although DNS domain names do usually correspond to Windows 2000 domain names, the two should not be confused.)

Typically, domain names will correspond to your company's name in some way. For example, if you are the administrator of the Abigco Corporation, which has a DNS domain of Abigco.com, the first domain in Active Directory will most likely be called Abigco.com as well.

Domain trees

Grouping domains together creates a domain tree -- a group of domains that share a common namespace (see Figure 2). By using trees to structure your network, you can logically break your enterprise into separate, manageable entities. The number of domains you'll create depends upon many factors, including politics, administrative delegation, bandwidth between sites, etc.

Refer to our previous example, where we used the domain name Abigco.com. If you added another domain to the Abigco.com tree, its default name would be Newdomain.abigco.com. This creates a parent/child relationship: Abigco.com is the parent of Newdomain.abigco.com, and Newdomain.abigco.com is the child of Abigco.com.

When you add domains to a tree, two-way transitive trusts are automatically established. A trust is a logical relationship between domains that allows one domain to honor the logon authentications of another.

Figure 2. Active Directory trees

Trusts are considered two-way because parent and child domains trust each other automatically -- as soon as you create Newdomain.abigco.com, it trusts Abigco.com, and vice versa, without any further effort on your part. Under NT 4.0, you would have had to create two one-way trusts -- one for each domain.

Trusts are transitive because child domains added to a tree automatically trust their parent's parent. For example, the new domain Test.newdomain.abigco.com (a child of Newdomain.abigco.com) automatically trusts Abigco.com. The definition of transitive applies -- if A trusts B, and B trusts C, then A trusts C.
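The automatic two-way, transitive trusts described above can be modelled as reachability in the tree's parent/child graph, which is derived from the DNS names alone. This is an added example, not code from the article; it uses the article's three domains plus one constructed sibling, sales.abigco.com, to show that domains on different branches also trust each other through the root.

```python
from collections import deque

# The article's tree plus one constructed sibling domain (sales.abigco.com).
TREE_DOMAINS = [
    "abigco.com",
    "newdomain.abigco.com",
    "test.newdomain.abigco.com",
    "sales.abigco.com",  # constructed, not in the article
]

def parent_of(domain):
    """DNS parent of a name: 'newdomain.abigco.com' -> 'abigco.com'."""
    _, sep, tail = domain.lower().partition(".")
    return tail if sep else None

def build_trusts(domains):
    """Derive one tree's automatic trusts from its namespace.

    A child domain is named <label>.<parent>, and creating it sets up a
    two-way trust with its parent, so the trust graph is the tree's
    parent/child edges taken as undirected. Exactly one domain may lack
    a parent inside the tree (the root); a second root means the names
    do not share a namespace, which this single-tree model rejects.
    """
    names = {d.lower() for d in domains}
    roots = [d for d in names if parent_of(d) not in names]
    if len(roots) != 1:
        raise ValueError("a tree has exactly one root domain; got %r" % sorted(roots))
    trusts = {d: set() for d in names}
    for d in names - {roots[0]}:
        trusts[d].add(parent_of(d))
        trusts[parent_of(d)].add(d)  # two-way: parent trusts child as well
    return trusts

def trust_path(trusts, src, dst):
    """Shortest chain of trusts from src to dst (transitivity is just
    reachability). Returns the list of domains on the path, or None."""
    src, dst = src.lower(), dst.lower()
    if src not in trusts or dst not in trusts:
        return None
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(trusts[cur]):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None
```

Calling `trust_path(build_trusts(TREE_DOMAINS), "test.newdomain.abigco.com", "sales.abigco.com")` returns the four-domain chain through Abigco.com; a name outside the tree yields None, and mixing in a second root raises ValueError.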

Next week, we'll move up the AD hierarchy, with an exploration of forests, sites, and replication.
