The robust domain trees provided by next-generation Windows NT Directory Services offer far greater administrative flexibility than the single-tree organizational structure of other directory services. Although single-tree domains can be built with next-generation Windows NT Directory Services, a better administrative option is to build a tree of domains, each with its own security boundary.
A hierarchy of domains allows for finer granularity of administration without compromising security. Permissions can flow down the tree, and users can be granted permissions (and can grant permissions to others) on a per-organizational-unit basis. This domain-tree structure easily accommodates organizational change through pruning, grafting, and merging.
Each domain in a domain tree has a copy of the directory service holding all objects for that domain, along with metadata about the domain tree, such as the schema, the list of all domains in the tree, the location of global catalog servers, and so forth. Because no single directory service store has to hold all objects for all domains, very large trees can be built without compromising performance.