Domains

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Domains are units of replication. All of the ___domain controllers in a particular ___domain can receive changes and replicate those changes to all other ___domain controllers in the ___domain. Each ___domain in Active Directory is identified by a Domain Name System (DNS) ___domain name and requires one or more ___domain controllers. If your network requires more than one ___domain, you can easily create multiple domains.

One or more domains that share a common schema and global catalog are referred to as a forest. The first ___domain in a forest is referred to as the forest root ___domain. For more information about forests, see Creating a new forest. If multiple domains in the forest have contiguous DNS ___domain names, then the structure is referred to as a ___domain tree. For more information, see Active Directory naming and Creating a new ___domain tree.

A single ___domain can span multiple physical locations or sites and can contain millions of objects. Site structure and ___domain structure are separate and flexible. A single ___domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains. For more information, see Sites overview.

A ___domain provides several benefits:

  • Organizing objects.

    You do not need to create separate domains merely to reflect your company's organization of divisions and departments. Within a ___domain, you can use organizational units for this purpose. Using organizational units helps you manage the accounts and resources in the ___domain. You can then assign Group Policy settings and place users, groups, and computers into the organizational units. Using a single ___domain greatly simplifies administrative overhead. For more information, see Organizational units.

  • Publishing resources and information about ___domain objects.

    A ___domain stores only the information about objects located in that ___domain, so by creating multiple domains, you are partitioning or segmenting the directory to better serve a disparate user base. When using multiple domains, you can scale the Active Directory directory service to accommodate your administrative and directory publishing requirements. For more information, see Publishing resources.

  • Applying a Group Policy object to the ___domain consolidates resource and security management.

    A ___domain defines a scope or unit of policy. A Group Policy object (GPO) establishes how ___domain resources can be accessed, configured, and used. These policies are applied only within the ___domain and not across domains. For more information about applying GPOs, see Group Policy (pre-GPMC).

  • Delegating authority eliminates the need for a number of administrators with broad administrative authority.

    Using delegated authority in conjunction with Group Policy objects and group memberships enables you to assign an administrator rights and permissions to manage objects in an entire ___domain or in one or more organizational units within the ___domain. For more information about delegating administrative control, see Delegating administration.

  • Security policies and settings (such as user rights and password policies) do not cross from one ___domain to another.

    Each ___domain has its own security policies and trust relationships with other domains. However, the forest is the final security boundary. For more information, see Creating a new forest.

  • Each ___domain stores only the information about the objects located in that ___domain.

    By partitioning the directory this way, Active Directory can scale to very large numbers of objects.

Creating a ___domain

You create a ___domain by creating the first ___domain controller for a ___domain. To do this, install Active Directory on a member server running Windows Server 2003 by using the Active Directory Installation Wizard. The wizard uses the information that you provide to create the ___domain controller and create the ___domain within the existing ___domain structure of your organization. Depending on the existing ___domain structure, the new ___domain could be the first ___domain in a new forest, the first ___domain in a new ___domain tree, or a child ___domain of an existing ___domain tree. For more information, see Creating a new forest, Creating a new ___domain tree, and Creating a new child ___domain.

A ___domain controller provides the Active Directory directory service to network users and computers, stores directory data, and manages user and ___domain interactions, including user logon processes, authentication, and directory searches. Every ___domain must contain at least one ___domain controller. For more information, see Domain controllers.

After you create the first ___domain controller for a ___domain, you can create additional ___domain controllers in an existing ___domain for fault tolerance and high availability of the directory. For more information, see Creating an additional ___domain controller.

Planning for multiple domains

Some reasons to create more than one ___domain are:

  • Different password requirements between departments or divisions

  • Massive numbers of objects

  • Decentralized network administration

  • More control of replication

Although using a single ___domain for an entire network has several advantages, to meet additional scalability, security, or replication requirements, you may consider creating one or more additional domains for your organization. Understanding how directory data is replicated between ___domain controllers will help you plan the number of domains needed by your organization. For more information about replication, see How replication works.

Removing a ___domain

In order to remove a ___domain, you must first remove Active Directory from all of the ___domain controllers associated with that ___domain. Once Active Directory has been removed from the last ___domain controller, the ___domain is removed from the forest and all of the information in that ___domain is deleted. A ___domain can only be removed from the forest if it has no child domains. If this is the last ___domain in the forest, removing this ___domain will also delete the forest.

For more information about how to remove a ___domain, see Remove a ___domain.

Caution

  • Removing a ___domain will result in the permanent loss of any data contained in that ___domain. This includes all user, group, and computer accounts.

Before removing Active Directory from a ___domain controller, you should first remove any application directory partitions from that ___domain controller. For more information, see Application directory partitions and Create or delete an application directory partition.

Trust relationships between domains

Trust relationships are automatically created between adjacent domains (parent and child domains) when a ___domain is created in Active Directory. In a forest, a trust relationship is automatically created between the forest root ___domain and any tree root domains or child domains that are subordinate to the forest root ___domain. Because these trust relationships are transitive, users and computers can be authenticated between any domains in the forest. For more information about trust relationships, see Trust transitivity.

When upgrading a Windows NT ___domain to a Windows Server 2003 ___domain, the existing one-way trust relationship between that ___domain and any other domains remains intact. This includes all trusts with other Windows NT domains. If you are creating a new Windows Server 2003 ___domain and want trust relationships with any Windows NT domains, you must create external trusts with those domains. For more information about external trusts, see When to create an external trust.
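The trust categories described above (automatic transitive trusts within the forest, and external trusts to Windows NT domains) are recorded on each ___domain's trustedDomain objects. The following added example, which is not part of this documentation, classifies such records using the trustType, trustDirection and trustAttributes values defined in MS-ADTS; the trust entries it processes are constructed samples, not data read from a live directory.

```python
# Added example (not from the Windows Server documentation): classify the
# trust relationships of a ___domain as recorded on its trustedDomain objects.
# Attribute meanings follow MS-ADTS; the sample entries below are constructed.

TRUST_TYPE = {1: "downlevel (Windows NT)", 2: "uplevel (Active Directory)", 3: "MIT Kerberos"}
TRUST_DIRECTION = {1: "inbound", 2: "outbound", 3: "bidirectional"}

# trustAttributes flag bits
NON_TRANSITIVE = 0x1
QUARANTINED_DOMAIN = 0x4   # SID filtering enforced on the trust
FOREST_TRANSITIVE = 0x8
WITHIN_FOREST = 0x20       # parent-child or tree-root trust inside one forest

# Constructed sample: two intra-forest trusts, one forest trust, one NT trust.
SAMPLE_TRUSTS = [
    {"name": "child.corp.example", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x20},
    {"name": "tree2.example", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x20},
    {"name": "partner.example", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x8},
    {"name": "NT4DOM", "trustType": 1, "trustDirection": 2, "trustAttributes": 0x1},
]


def classify_trust(entry):
    """Return (category, transitive, findings) for one trustedDomain entry."""
    attrs = entry["trustAttributes"]
    ttype = entry["trustType"]
    transitive = not (attrs & NON_TRANSITIVE)
    if attrs & WITHIN_FOREST:
        category = "intra-forest (parent-child or tree-root)"
    elif attrs & FOREST_TRANSITIVE:
        category = "forest trust"
    elif ttype == 1:
        category = "external trust to a Windows NT ___domain"
    else:
        category = "external trust"
    findings = []
    if category.startswith("external") and not (attrs & QUARANTINED_DOMAIN):
        findings.append("SID filtering (quarantine) not set on an external trust")
    if ttype == 1:
        findings.append("downlevel NT trust: one-way and non-transitive; review whether it is still needed")
    return category, transitive, findings


def trust_report(entries):
    """Build one summary row per trust so the forest boundary can be reviewed."""
    rows = []
    for e in entries:
        category, transitive, findings = classify_trust(e)
        rows.append({"___domain": e["name"], "category": category,
                     "type": TRUST_TYPE.get(e["trustType"], "unknown"),
                     "direction": TRUST_DIRECTION.get(e["trustDirection"], "unknown"),
                     "transitive": transitive, "findings": findings})
    return rows


if __name__ == "__main__":
    for row in trust_report(SAMPLE_TRUSTS):
        print(row)
```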