Domain Organization

     A computer running Windows 2000 Server manages each domain. Such a computer is known as a domain controller. A domain controller manages all security-related interactions between users and the domain.

     A domain tree is a hierarchical arrangement of Windows 2000 domains that share common namespace. When you add a domain to an existing tree, you make it a sub-domain of a domain in the tree. This sub-domain is called a child domain, and the domain to which it is added is known as its parent domain. A domain tree is created when a new domain is added as the child of an existing domain.

     A forest is a group of trees that do not share a common name, but do share a common configuration. By default, the name of the root tree, the first tree created in the forest, is used to refer to a given forest.

     The primary purpose for joining multiple domain trees of non-contiguous namespace into a forest is to share resources. These resources range from data to printers.

     The Forest Root Domain is the first domain created in a forest. The Forest Root Domain name is the name used to refer to the forest. This domain contains the Enterprise and Schema Admin groups.



All of the domains within a single AD forest have several features in common. Specifically, they share the following features:

Schema

     The schema is the AD structure that defines how the information within the data store will be structured. In order for the information stored on various DCs to remain compatible, all of the DCs within the entire AD environment must share the same schema. Think of the schema as the design of a Microsoft Access database in which an employee's phone number must be entered as a number instead of letters; that set of rules is the schema of the database.

Global Catalog

     Sharing information between domains in large network environments can be costly in terms of network and server resources. The Global Catalog (GC) serves as a repository for a subset of the information about all of the objects in every Active Directory domain within a forest. For example, if a user wants to find all color printers in her corporation, instead of querying each DC in every domain, which may be thousands of miles and many network hops away, she only has to query the nearest Global Catalog server. Administrators can determine what types of information should be added to the defaults in the Global Catalog.

Other Information

     There are some roles and functions that must be managed for the entire forest. When dealing with multiple domains, you must configure certain domain controllers to perform functions for the entire Active Directory environment. This information can be found under Domain Controllers.



Domain Trusts

     Trust relationships facilitate the sharing of security information and network resources between domains. A transitive two-way trust is automatically created in a tree structure between domains in a Windows 2000 forest.

Suppose domains a.dom.com and b.dom.com have a two-way transitive trust, and domains b.dom.com and c.dom.com also have a two-way transitive trust. Then a.dom.com and c.dom.com trust each other implicitly, through b.dom.com. You can also break these implicit trusts if needed. The term transitive refers to the implicit trust that results from chaining the two-way trusts of each domain node.

     You can also create direct trusts between two domains that already trust each other implicitly. Such trusts are sometimes referred to as shortcut trusts, and they can improve the speed at which resources are accessed across many transitively trusting domains, because they cut short the traversal of the trust chain between one domain and another.

     One-way trusts can also be created between domains: domain A trusts domain B, but domain B does not trust domain A. This is useful when security reasons prevent a two-way trust between the domains.

To verify a trust with NETDOM.EXE:
	c:\>netdom.exe trust trusting_domain /domain:trusted_domain /verify
To revoke a trust with NETDOM.EXE:
	c:\>netdom.exe trust trusting_domain /domain:trusted_domain /remove


A non-transitive trust can be used to create a trust between a Windows 2000
domain and a Windows NT4 domain; it can also be used to create a trust
between two domains in different forests.
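As an added example, not part of the original notes, the following Python models the trust rules described in this section (transitive two-way trusts along a tree, shortcut trusts, one-way trusts, and non-transitive trusts to an NT4 or foreign-forest domain) and answers whether one domain trusts another and through which chain of domains. The names a.dom.com, b.dom.com and c.dom.com come from the text; NT4DOM is a constructed placeholder.

```python
from collections import deque

# Trust edges are directed: (trusting, trusted, transitive). Following the
# page's wording, "A trusts B" means accounts from B may be granted access
# to resources in A. A two-way trust is stored as two directed edges.

def add_trust(trusts, trusting, trusted, two_way=True, transitive=True):
    """Record a trust relationship in the edge list."""
    trusts.append((trusting, trusted, transitive))
    if two_way:
        trusts.append((trusted, trusting, transitive))

def trust_path(trusts, trusting, trusted):
    """Shortest chain of domains through which `trusting` trusts `trusted`.

    A direct trust of either kind counts. A longer chain may only follow
    transitive edges, because a non-transitive trust (NT4 or cross-forest)
    never extends past the two domains that established it. Returns None
    when `trusting` does not trust `trusted`.
    """
    if any(s == trusting and d == trusted for s, d, _ in trusts):
        return [trusting, trusted]
    parents = {trusting: None}          # BFS tree, used to rebuild the path
    queue = deque([trusting])
    while queue:
        here = queue.popleft()
        for src, dst, transitive in trusts:
            if src != here or not transitive or dst in parents:
                continue
            parents[dst] = here
            if dst == trusted:
                path = [dst]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append(dst)
    return None

def build_example_forest():
    """Constructed topology: a.dom.com <-> b.dom.com <-> c.dom.com, plus an
    NT4 domain (placeholder name NT4DOM) that c.dom.com trusts one way."""
    trusts = []
    add_trust(trusts, "a.dom.com", "b.dom.com")   # parent/child, two-way transitive
    add_trust(trusts, "b.dom.com", "c.dom.com")   # parent/child, two-way transitive
    add_trust(trusts, "c.dom.com", "NT4DOM", two_way=False, transitive=False)
    return trusts
```

The shortcut-trust effect shows up by calling add_trust(trusts, "a.dom.com", "c.dom.com") on the constructed forest: the chain from a.dom.com to c.dom.com drops from three domains to two, while NT4DOM stays unreachable from a.dom.com because the trust c.dom.com holds to it is non-transitive.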

When creating an AD forest, at least one domain must already exist before
you can create a new domain of non-contiguous namespace. The first domain is
the root domain; if it were ever removed entirely, the whole forest structure
would be destroyed. For this reason, the root domain should consist of at
least two Domain Controllers.

To join a domain, you must specify the name of a valid domain and provide
the username and password of a user who has rights to add a computer to the
domain. A domain controller and a DNS server must also be online.