Understanding Domain Trees and Forests



Each domain in the directory is identified by a DNS domain name and requires one or more domain controllers. If your network requires more than one domain, you can easily create multiple domains.

One or more domains that share a common schema and global catalog are referred to as a forest. If multiple domains in the forest have contiguous DNS domain names, as shown in the first illustration, then that structure is referred to as a domain tree.

If, as shown in the second illustration, multiple domains have noncontiguous DNS domain names, then they form separate domain trees within the forest. A forest can contain one or more domain trees. The first domain in a forest is referred to as the forest root domain.



You create a domain by installing the first domain controller for a domain. During installation of the first domain controller, the Active Directory Installation wizard uses information you provide to install the domain controller and create the domain within the existing context (if any) of relationships to other domains and domain controllers. This context may be the first domain in a new forest, the first domain in a new domain tree, or a child domain of an existing domain tree.

After you install the first domain controller for a domain, you can install additional domain controllers in an existing domain for fault tolerance and high availability of the directory.

Domain naming

Domains that form a single domain tree share a contiguous namespace (naming hierarchy). Following DNS standards, the fully qualified domain name for a domain that is part of a contiguous namespace is the name of that domain appended to the names of the parent and root domains using the dot (.) character format.
For example, a domain with a NetBIOS name of "grandchild" that has a parent domain named parent.microsoft.com, would have a fully qualified DNS domain name of grandchild.parent.microsoft.com.

Domain trees associated in a forest share the same Active Directory schema and directory configuration and replication information, but do not share a contiguous DNS domain namespace.

The combination of domain trees and forests provides you with flexible domain naming options. Both contiguous and noncontiguous DNS namespaces can be included in your directory.

Trust relationships

For Windows 2000 computers, account authentication between domains is enabled by two-way, transitive trusts based on the Kerberos V5 security protocol.

Trust relationships are automatically created between adjacent domains (parent and child domains) when a domain is created in a domain tree. In a forest, a trust relationship is automatically created between the forest root domain and the root domain of each domain tree added to the forest. Because these trust relationships are transitive, users and computers can be authenticated between any domains in the domain tree or forest.

When upgrading a pre-Windows 2000 domain to Windows 2000, the existing one-way trust relationships between that domain and any other domains are maintained. This includes all trusts with pre-Windows 2000 domains. If you are installing a new Windows 2000 domain and want trust relationships with any pre-Windows 2000 domains, you must create external trusts with those domains.
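The naming and trust rules above (contiguous names form a tree, noncontiguous names form separate trees in one forest, automatic two-way transitive trusts between parent and child and between the forest root and each tree root, external trusts to older domains) can be checked mechanically. The following is an added example, not Microsoft's code or tooling; the forest, domain names and external trust it uses are constructed, and it assumes external trusts are one-way and non-transitive, so they are only honoured as a direct hop.

```python
from collections import deque

# Constructed sample forest: the microsoft.com tree from the text plus a second,
# noncontiguous tree (fabrikam.com) that joins the same forest.
FOREST_ROOT = "microsoft.com"
DOMAINS = ["microsoft.com", "parent.microsoft.com", "grandchild.parent.microsoft.com",
           "fabrikam.com", "sales.fabrikam.com"]

def parent_of(domain, domains):
    """Contiguous naming: the parent's FQDN is the child's FQDN minus its leftmost label."""
    candidate = domain.partition(".")[2]
    return candidate if candidate in domains else None

def domain_trees(domains):
    """Group domains into trees: walk each domain up to its tree root; a domain whose
    name is noncontiguous with every other domain becomes the root of its own tree."""
    trees = {}
    for d in domains:
        root = d
        while parent_of(root, domains):
            root = parent_of(root, domains)
        trees.setdefault(root, set()).add(d)
    return trees

def automatic_trusts(forest_root, domains):
    """Two-way transitive trusts created automatically: parent <-> child within a tree,
    and forest root <-> the root of every other tree in the forest."""
    trusts = set()
    for d in domains:
        p = parent_of(d, domains)
        if p:
            trusts.add(frozenset((d, p)))
        elif d != forest_root:
            trusts.add(frozenset((d, forest_root)))
    return trusts

def can_authenticate(user_domain, resource_domain, trusts, external=frozenset()):
    """Follow transitive two-way trusts (breadth-first). `external` holds constructed
    (user_domain, resource_domain) pairs; assumed one-way and non-transitive, so an
    external trust only helps when it is the direct hop from the user's own domain."""
    if (user_domain, resource_domain) in external:
        return True
    seen, queue = {user_domain}, deque([user_domain])
    while queue:
        cur = queue.popleft()
        if cur == resource_domain:
            return True
        for edge in trusts:
            if cur in edge:
                (other,) = edge - {cur}
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return False
```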
