

Understanding Domains

Applies To: Windows Server 2008 R2, Windows Server 2012

Domains are units of replication. All the domain controllers in a particular domain can receive changes and replicate those changes to all the other domain controllers in the domain. Each domain in Active Directory Domain Services (AD DS) is identified by a Domain Name System (DNS) domain name. Each domain requires one or more domain controllers. If your network requires more than one domain, you can easily create multiple domains.

One or more domains that share a common schema and global catalog are referred to as a forest. The first domain in a forest is referred to as the forest root domain. If multiple domains in the forest have contiguous DNS domain names, the structure is referred to as a domain tree.

A single domain can span multiple physical locations or sites and contain millions of objects. Site structure and domain structure are separate and flexible. A single domain can span multiple geographical sites. A single site can include users and computers that belong to multiple domains.

A domain provides several benefits:

  • You can organize objects.

    You do not have to create separate domains merely to reflect your company's organization of divisions and departments. Within a domain, you can use organizational units (OUs) for this purpose. Using OUs helps you manage the accounts and resources in the domain. You can then assign Group Policy settings and place users, groups, and computers into the OUs. Using a single domain greatly reduces administrative overhead. For more information, see Managing Organizational Units.

  • You can publish resources and information about domain objects.

    A domain stores information only for objects that are located in that domain. Therefore, when you create multiple domains, you are partitioning or segmenting the directory to better serve different parts of your user base. When you use multiple domains, you can scale AD DS to include very large numbers of objects to accommodate your administrative and directory publishing requirements.

  • Delegating authority eliminates the need for a number of administrators with broad administrative authority.

    By using delegated authority in conjunction with Group Policy objects and group memberships, you can assign an administrator rights and permissions to manage objects in an entire domain or in one or more OUs within the domain.

  • Security policies and settings (such as user rights and password policies) do not cross from one domain to another.

    Each domain has its own security policies and trust relationships with other domains. However, the forest is the final security boundary.
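
Because password and lockout policies stop at the domain boundary, a multi-domain forest can end up with uneven settings. The following PowerShell script is an added example, not part of the original article: it lists each domain's default password policy and reports where it differs from the forest root domain. It assumes the ActiveDirectory module is installed and that the account running it can read every domain in the forest; the variable names are illustrative.

```powershell
# Added example (not from the original article): per-domain password policy audit.
# Assumes the ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$fields = 'MinPasswordLength', 'ComplexityEnabled', 'PasswordHistoryCount',
          'MaxPasswordAge', 'LockoutThreshold', 'ReversibleEncryptionEnabled'

# Each domain stores its own default policy, so query every domain separately.
$report = foreach ($domainName in $forest.Domains) {
    try {
        $columns = @(@{ Name = 'Domain'; Expression = { $domainName } }) + $fields
        Get-ADDefaultDomainPasswordPolicy -Identity $domainName -Server $domainName -ErrorAction Stop |
            Select-Object -Property $columns
    }
    catch {
        # An unreachable or unreadable domain is reported, not silently skipped.
        Write-Warning "Could not read the policy of ${domainName}: $($_.Exception.Message)"
    }
}

$report | Format-Table -AutoSize

# Use the forest root domain as the baseline and name the settings that differ.
$root = $report | Where-Object { $_.Domain -eq $forest.RootDomain }
if ($root) {
    foreach ($row in $report) {
        if ($row.Domain -eq $root.Domain) { continue }
        $diff = @($fields | Where-Object { $row.$_ -ne $root.$_ })
        if ($diff.Count -gt 0) {
            "{0} differs from {1} in: {2}" -f $row.Domain, $root.Domain, ($diff -join ', ')
        }
    }
}
else {
    Write-Warning "Forest root policy unavailable; comparison skipped."
}
```

The script reads only the default domain policy; fine-grained password policies applied to specific users or groups are not included.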
