What Is a Domain Tree? What Is a Forest? continue…
Partitioning the Active Directory into Domains
When you install Windows Server and create a new domain, you are given several choices that decide how the domain will fit into an Active Directory tree. You can create a new forest or become part of an existing forest and create a new tree, making this new domain the first domain in the new tree. Or you can make the new domain a child domain in a domain tree that already exists in the forest.
Each domain in the domain tree is a security boundary in the Active Directory, just as it is in previous versions of Windows NT. However, you no longer have to create one- or two-way trust relationships between domains for users to be granted access rights and privileges in other domains that are in the same domain tree.
When a Windows domain joins a domain tree, a two-way transitive trust relationship, based on the Kerberos security authentication method, is automatically established between the child domain and its parent domain in the tree. Because the trust is both two-way and transitive, there is no need to manually configure additional trust relationships with the other domains in the domain tree. This means that after your domain is created and joined to a domain tree, your users can be granted access rights to resources in any other domain in the tree without your having to build a complicated set of trust relationships with those domains.
Each domain in the tree holds the portion of the Active Directory database that represents the objects found in that domain. However, the namespace is contiguous throughout the tree. Each domain controller in the domain holds a complete replica of the directory for that domain. And, to help reduce network traffic and administrative overhead, you can create additional replicas of the domain's portion of the directory and place them close to users in other domains that frequently access the resources in your domain. You only need to create an additional domain controller. This may seem similar to the primary domain controller/backup domain controller mechanism that Windows NT 4.0 uses. However, you no longer have to promote a backup domain controller (a BDC) to become a primary domain controller should the PDC fail. Instead, any peer domain controller can handle all authentication requests, and other Active Directory requests, within a domain, without operator intervention.
A Domain Is Still a Domain
The domain in Windows Server is still a security boundary, just like it was in Windows NT. Domain administrators can still take command and exert their authority over all users and resources in the domain. From that perspective, nothing has changed.
However, managing your relationships with other domains is now much easier. The two-way transitive trust relationships are set up automatically, so you don't have to coordinate this with other administrators throughout the network. If you upgrade from a previous version of Windows NT, all your groups and users are migrated into the Active Directory under your same domain. You can manage them as you always have, although new tools (using the MMC interface) are used instead.
Active Directory Trees and Forests
As discussed earlier in this section, a domain tree is a collection of domains that have a contiguous namespace, whereas trees in a forest can have a noncontiguous namespace. A contiguous namespace means that every object in a child domain in the tree has the names of its parent domains prefixed to its distinguished name. This also means that the name of each child domain carries the names of its parents as a suffix. Naming in a domain tree flows from the root domain at the top down the tree, rather than from the bottom up.
In the domain tree, the most senior parent in the tree is the acme.com domain. Beneath that are three child domains. This tree could be further expanded by adding additional child domains to any of the domains in the tree. A domain's fully qualified domain name determines its position in the tree structure.
In the best of all possible worlds, each enterprise would have exactly one domain tree and one large contiguous namespace. However, in this rapid-paced business world, nothing remains the same for long, including business organizational units. Corporate mergers and acquisitions, for example, can bring in large numbers of users and resources that must be incorporated quickly into the network structure. In this situation, it might not be easy to fit the acquired assets into the existing naming structure.
However, you can still join two disparate domain trees. You can’t put them into the same tree because the naming for all objects would not be contiguous. You can, however, join domain trees into a structure called a forest.
A forest is like a domain tree, but the namespace does not have to be contiguous throughout the forest. The directory schema is still common for all domains, and you can establish trust relationships between the trees. Users can still use a single logon to access resources in domains that reside in different domain trees.
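To make the two ideas above concrete (the contiguous-namespace rule for joining a tree, and the chain of two-way transitive trusts that lets a user in one domain reach a resource in another), here is a small model written for this page; it is not code from the book this post excerpts, and the domain names (acme.com and its children, widgets.net as a second tree) are constructed. Treating the link between two tree roots in a forest as a single trust hop is an assumption of the model.

```python
# Added example (not from the book this page excerpts): a small model of an
# Active Directory forest. Domain names below are constructed for illustration.
from typing import Dict, List, Optional


def dns_to_dn(fqdn: str) -> str:
    """Distinguished-name form of a domain: acme.com -> DC=acme,DC=com."""
    return ",".join(f"DC={label}" for label in fqdn.lower().split("."))


def is_child_namespace(child: str, parent: str) -> bool:
    """Contiguous namespace: a child's name carries its parent's name as suffix."""
    return child.lower().endswith("." + parent.lower())


class Forest:
    """Domains keyed by FQDN; value is the parent domain, or None for a tree root."""

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}

    def add_tree_root(self, fqdn: str) -> None:
        self.parent[fqdn] = None

    def add_child(self, fqdn: str, parent: str) -> None:
        if parent not in self.parent:
            raise ValueError(f"{parent} is not in this forest")
        if not is_child_namespace(fqdn, parent):
            # A name outside the parent's namespace cannot join this tree;
            # it must become the root of a new tree in the forest instead.
            raise ValueError(f"{fqdn} is not contiguous with {parent}")
        self.parent[fqdn] = parent

    def _chain_to_root(self, fqdn: str) -> List[str]:
        chain: List[str] = []
        node: Optional[str] = fqdn
        while node is not None:
            chain.append(node)
            node = self.parent[node]
        return chain

    def trust_path(self, src: str, dst: str) -> List[str]:
        """Domains crossed via two-way transitive trusts from src to dst.
        Inside one tree the path climbs to the nearest common ancestor; between
        trees it is modeled (assumption) as one hop between the two tree roots."""
        up, down = self._chain_to_root(src), self._chain_to_root(dst)
        common = next((d for d in up if d in down), None)
        if common is None:
            return up + down[::-1]
        return up[: up.index(common) + 1] + down[: down.index(common)][::-1]
```

Build the tree with `add_tree_root("acme.com")` and `add_child("sales.acme.com", "acme.com")`, then call `trust_path` between any two domains to see which domains' trusts are traversed; `add_child` refuses a name that is not contiguous with its parent.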