What Is a Domain Tree? What Is a Forest?
The Active Directory gives you one single enterprise-wide namespace. This namespace is used for accounts, resource objects, application configuration information, and so on. What you decide to store in the directory, beyond the default objects set up by the installation process, is up to you. The namespace can be global, provided you organize your domains into a domain tree.
A domain tree is nothing more than a method of organizing the domains in your enterprise into a structure so that they all share a common directory schema and a contiguous namespace. Although a domain tree is a structure formed by a collection of domains, a forest is a collection of domain trees. The namespace in the forest does not have to be contiguous, as it does in the tree, so a forest can be used to link disparate domain trees in the organization so that trust relationships still can be used to provide a single user logon in the network.
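The difference between a tree and a forest comes down to whether the domain names form one contiguous DNS namespace. The following added example (not from the original text) groups a set of domain DNS names into trees by walking each name up to the longest chain of parent domains that also exist in the set; the domain names are constructed for illustration. Every tree root that the grouping finds is a separate tree, and the set of trees together is the forest.

```python
from typing import Dict, List


def parent_domain(dns_name: str) -> str:
    """Drop the leftmost label: 'sales.corp.example' -> 'corp.example'."""
    labels = dns_name.lower().rstrip(".").split(".")
    return ".".join(labels[1:])


def group_into_trees(domains: List[str]) -> Dict[str, List[str]]:
    """Group domain DNS names into domain trees by contiguous namespace.

    A domain is a child in a tree only if its immediate parent name is also
    a domain in the set (child names extend the parent name by one label);
    it keeps climbing while that holds. The highest such ancestor is the
    tree root. Names with no parent in the set are roots of their own tree.
    """
    names = {d.lower().rstrip(".") for d in domains}
    trees: Dict[str, List[str]] = {}
    for name in names:
        root = name
        while parent_domain(root) in names:
            root = parent_domain(root)
        trees.setdefault(root, []).append(name)
    # Deterministic ordering so results can be compared and reported.
    return {root: sorted(members) for root, members in trees.items()}


def is_single_tree(domains: List[str]) -> bool:
    """True when every domain shares one contiguous namespace (one tree)."""
    return len(group_into_trees(domains)) == 1


if __name__ == "__main__":
    # Constructed sample: three contiguous domains plus one disjoint name,
    # i.e. a forest made of two domain trees.
    sample = ["corp.example", "sales.corp.example",
              "emea.sales.corp.example", "partner.test"]
    for root, members in group_into_trees(sample).items():
        print(f"tree rooted at {root}: {members}")
    print("single tree:", is_single_tree(sample))
```

Running the sample reports two trees, so the four domains could only coexist as a forest; dropping `partner.test` makes `is_single_tree` true.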
To understand what a domain tree or a forest is, you must know what it is replacing in the Windows NT networking scheme.
Domain Models—May They Rest in Peace
In Windows NT, the domain was used to group users and resources with a common security policy to simplify administrative tasks. In large organizations, a single domain was not sufficient to hold all the users and resources, and was not an efficient method of administering user rights and privileges or resource protections. Because of this, multiple domains were created and linked in what is termed a trust relationship. This trust relationship allowed users from one domain to be granted access rights to resources in another trusting domain.
A trust relationship in earlier versions of Windows NT could be a one-way or a two-way relationship. In a one-way trust relationship, one domain would trust the users that had been authenticated by another domain. The administrator in the trusting domain could grant users (or groups of users) from the trusted domain access rights in the local trusting domain. In a two-way trust relationship, the relationship existed in both directions. The trust relationship is not transitive. That is, if domain A has a trust relationship that allows its users to be assigned rights in domain B, and if domain B has a trust relationship that allows its users to be assigned rights to resources in domain C, a user in domain A cannot be granted rights in domain C by use of these trust relationships. That would require that domain A establish a separate trust relationship with domain C.
The way domains were organized into user or resource domains, and how the trust relationships were set up, led to the development of several domain models that could be used, depending on the size of your enterprise and the methods used to administer them. These were the single domain, multiple domain, master domain, and multiple-master domain models.
Because the domain essentially was the boundary for the security accounts manager (SAM) database, you had two basic choices. You could put all your user accounts into a single master domain, and then grant them access rights to objects in resource domains, or you could put users into separate domains, depending on your organization, and maintain a complicated set of trust relationships and administrative policies.
The headache associated with managing multiple trust relationships—and moving users to and fro when reorganizations occurred—is one of the major drawbacks of the SAM-based domain models.
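The non-transitive rule described above (A's users can be granted rights in B, B's users in C, yet A's users cannot be granted rights in C) and the resulting burden of hand-maintained trusts are easy to see in a small model. The following example is added here and is not part of the original text: it models domains as nodes, one-way trusts as directed edges from the trusting domain to the trusted domain, and evaluates the same trust graph under the Windows NT non-transitive rule and under the transitive rule used between domains in an Active Directory tree or forest. The domain names are constructed for illustration.

```python
from collections import deque
from typing import Dict, Set, Tuple


class TrustGraph:
    """Directed model of inter-domain trust.

    An edge trusting -> trusted means the trusting domain accepts users that
    the trusted domain authenticated, so the trusting domain's administrator
    can grant those users (or their groups) rights on local resources.
    Windows NT trusts are non-transitive; trusts between domains in an
    Active Directory tree or forest are transitive. The flag selects the rule.
    """

    def __init__(self, transitive: bool) -> None:
        self.transitive = transitive
        self.trusts: Dict[str, Set[str]] = {}  # trusting -> trusted domains

    def add_domain(self, domain: str) -> None:
        self.trusts.setdefault(domain, set())

    def add_one_way_trust(self, trusting: str, trusted: str) -> None:
        """`trusting` trusts `trusted`, in that direction only."""
        self.add_domain(trusting)
        self.add_domain(trusted)
        self.trusts[trusting].add(trusted)

    def add_two_way_trust(self, a: str, b: str) -> None:
        """A two-way trust is simply one one-way trust in each direction."""
        self.add_one_way_trust(a, b)
        self.add_one_way_trust(b, a)

    def can_grant_rights(self, user_domain: str, resource_domain: str) -> bool:
        """Can an administrator in resource_domain grant rights to a user
        that user_domain authenticated?"""
        if user_domain == resource_domain:
            return True
        if not self.transitive:
            # NT rule: only a direct trust counts.
            return user_domain in self.trusts.get(resource_domain, set())
        # Transitive rule: follow trust edges outward from the resource domain.
        seen = {resource_domain}
        queue = deque([resource_domain])
        while queue:
            current = queue.popleft()
            for trusted in self.trusts.get(current, ()):
                if trusted == user_domain:
                    return True
                if trusted not in seen:
                    seen.add(trusted)
                    queue.append(trusted)
        return False

    def reachable_resource_domains(self, user_domain: str) -> Set[str]:
        """Every domain in which user_domain's users can be granted rights."""
        return {d for d in self.trusts if self.can_grant_rights(user_domain, d)}

    def missing_direct_trusts(self) -> Set[Tuple[str, str]]:
        """Under the non-transitive rule, the (trusting, trusted) pairs an
        administrator would still have to create by hand so that every
        domain's users can be granted rights in every other domain."""
        return {(r, u) for r in self.trusts for u in self.trusts
                if r != u and u not in self.trusts[r]}


def chain_example() -> Tuple[bool, bool]:
    """The A -> B -> C chain from the text, evaluated under both rules.

    Returns (non-transitive result, transitive result) for the question
    'can a user from A be granted rights in C?'.
    """
    results = []
    for transitive in (False, True):
        g = TrustGraph(transitive=transitive)
        g.add_one_way_trust("B", "A")  # B trusts A: A's users can get rights in B
        g.add_one_way_trust("C", "B")  # C trusts B: B's users can get rights in C
        results.append(g.can_grant_rights("A", "C"))
    return results[0], results[1]


if __name__ == "__main__":
    print("A's user grantable in C (NT, AD):", chain_example())
    nt = TrustGraph(transitive=False)
    nt.add_two_way_trust("A", "B")
    nt.add_two_way_trust("B", "C")
    print("NT: A's users reach", sorted(nt.reachable_resource_domains("A")))
    print("NT: trusts still to create", sorted(nt.missing_direct_trusts()))
```

With two-way trusts A-B and B-C, the NT model still leaves A and C unable to use each other's accounts, and `missing_direct_trusts` lists the extra pair of one-way trusts an administrator would have to add; a full mesh of n domains needs n(n-1) one-way trusts, which is the maintenance load the text calls a headache. The same graph evaluated with `transitive=True` lets A's users be granted rights in all three domains with no additional trusts.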