To form a Domain Tree, at least two domains must have been completely upgraded to be Next-generation domains. As described above, this simply means that all of the Domain Controllers in the domains have been upgraded. To form a domain tree, you must:
You must have special rights in both domains that allow you to perform tree operations. For purposes of illustration we will assume a simple case of two domains in a complete trust relationship. After upgrading both domains the Windows NT4 trust relationships are still in place. Users in the "Americas" domain can be granted access to resources in the "Europe" domain and vice versa.
Now we can form a simple tree. In this example we have chosen to make the "Americas" domain the root of the tree. This is called the "joined to" tree. Even though "Americas" is a single domain, it is still a "tree" in next generation Directory Service terms. In the Administrative tool within the Common Console, we select the Americas domain and identify it as the "joined to" tree. We must be logged on to the "Americas" tree with a valid account that has the necessary rights to perform tree operations. We identify the "Europe" domain as the domain that we want to "graft" onto "Americas." We will be required to supply security credentials for the "Europe" domain. Like the "Americas" domain, the credentials we supply must be sufficient to give us the right to perform tree operations in the "Europe" tree.
The actual connection of the parent domain to the child is accomplished with a special object type in the Directory, a Domain Proxy object. Domain Proxy objects are stored in a special part of the directory reserved for directory metadata. The Domain Proxy object(s) are used by the Next-generation Directory to determine the shape of the directory tree. Creation and maintenance of the metadata objects is automatic is performed by the Administrative tool. As part of the Tree Graft operation the Next-generation software automatically detects the Windows NT4 trust links between the joined-to and joined-from trees (which are single domains in this case), and replaces then with an automatic, transitive Kerberos trust. This occurs without administrative intervention.
The end result is a simple domain tree, the beginning of a Windows NT next generation Scaleable Namespace. Additional domains can be joined as children under the "Americas" or "Europe" domains, as needed, to provide the logical structure to meet the organization's needs.
