Designing the Active Directory Structure


Assigning DNS Names to Create a Domain Hierarchy

Active Directory domains are named with DNS names. Because DNS is the predominant name system on the Internet, DNS names are globally recognized and have well-known registration authorities. Active Directory clients requesting to log on to the network query DNS to locate domain controllers.

In Windows NT 4.0, the domain locator was based on the network basic input/output system (NetBIOS) Name System (NBNS), and domains were identified with NetBIOS names. The server-based component of NBNS is called the Windows Internet Name Service (WINS) server. NetBIOS names are simple, single-part names, and the NetBIOS namespace cannot be partitioned. In contrast, DNS names are hierarchical, and the DNS namespace can be partitioned along the lines of the hierarchy. As a result, DNS is more scalable than NBNS and can accommodate a larger database spread over a larger network. Internet mail, which leverages DNS in a manner similar to Active Directory, is a good example of how DNS as a locator mechanism can scale to extraordinarily large networks such as the Internet.

Note

For interoperability with computers that run earlier versions of Windows, Active Directory domains have NetBIOS names and Active Directory domain controllers register in NBNS and query NBNS when necessary. This allows clients that run earlier versions of Windows to locate Active Directory domain controllers, and allows Active Directory domain controllers and Windows NT 3.51 and Windows NT 4.0 domain controllers to locate each other.

Arranging Domains into Trees

A tree is a set of one or more Windows 2000 domains with contiguous names. Figure 9.6 presents a single tree with a contiguous namespace. Because reskit.com does not have a parent domain, it is considered the tree root domain. The child domains of reskit.com are eu.reskit.com and noam.reskit.com. A grandchild domain of reskit.com is mfg.noam.reskit.com. These domain names are contiguous because each name differs by only one label from the name of the domain directly above it in the domain hierarchy.

Figure 9.6    Single Tree with Four Domains

A forest can have more than one tree. In a multiple tree forest, the names of the tree root domains are not contiguous, as shown in Figure 9.7. You might have multiple trees in your forest if a division of your organization has its own registered DNS name and runs its own DNS servers.

Figure 9.7    Forest with Multiple Trees

The domain hierarchy in a forest determines the transitive trust links that connect each domain. Each domain has a direct trust link with its parent and each of its children. If there are multiple trees in a forest, then the forest root domain is at the top of the trust tree and all other tree roots are children, from a trust perspective. Figure 9.8 depicts a transitive trust relationship between two trees.

Figure 9.8    Transitive Trust Relationship Between Trees

The parent-child relationship is a naming and trust relationship only. Administrators in a parent domain are not automatically administrators of a child domain. Policies set in a parent domain do not automatically apply to child domains.

Domain Naming Recommendations

To create the domain hierarchy in a forest, assign a DNS name to the first domain, and then for every subsequent domain decide if it is a child of an existing domain or if it is a new tree root. Based on that evaluation, assign names accordingly. Some recommendations for naming domains are as follows:

Use names relative to a registered Internet DNS name.

Names registered on the Internet are globally unique. If you have one or more registered Internet names, use those names as suffixes in your Active Directory domain names.

Use Internet standard characters.

Internet standard characters for DNS host names are defined in Request for Comments (RFC) 1123 as A–Z, a–z, 0–9, and the hyphen (-). Using only Internet standard characters ensures that your Active Directory will comply with standards-based software. To support the upgrade of earlier Windows-based domains to Windows 2000 domains that have nonstandard names, Microsoft clients and the Windows 2000 DNS service will support almost any Unicode character in a name.

Never use the same name twice.

Never give the same name to two different domains, even if those domains are on unconnected networks with different DNS namespaces. For example, if the Reskit company decides to name a domain on the intranet reskit.com, it should not also create a domain on the Internet called reskit.com. If a reskit.com client connects to both the intranet and Internet simultaneously, it would select the domain that answered first during the locator search. To the client, this selection would appear random, and there is no guarantee that the client will select the "correct" domain. An example of such a configuration is a client that has established a virtual private network connection to the intranet over the Internet.
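The following is an added example (not Resource Kit code) that applies the rules above to a list of candidate domain names: it derives the tree structure from the names alone (a name that is one label longer than another domain in the set is that domain's child, anything else is a new tree root), walks the transitive trust path between two domains as described for Figure 9.8, rejects a name that is used twice, and checks every label against the RFC 1123 character set. The forest root is assumed to be the first name listed, and the second tree (acquired.example) is a constructed addition to the page's Reskit domains.

```python
import re

# Added example (not Resource Kit code): derive the tree structure of a
# forest from its domains' DNS names and check the naming rules above.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one RFC 1123 label

def is_rfc1123_name(name):
    """True if every label uses only A-Z, a-z, 0-9 and the hyphen."""
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))

def build_forest(domain_names):
    """Return (tree_roots, parent_of) computed from the names alone.

    A domain whose name, minus its leftmost label, is another domain in the
    forest is that domain's child (the names are contiguous); every other
    domain starts a new tree. Reusing a name is rejected outright.
    """
    names = [n.lower().rstrip(".") for n in domain_names]
    if len(set(names)) != len(names):
        raise ValueError("the same domain name is used twice")
    known = set(names)
    parent_of = {}
    for name in names:
        candidate = name.partition(".")[2]          # drop the leftmost label
        parent_of[name] = candidate if candidate in known else None
    roots = [n for n in names if parent_of[n] is None]
    return roots, parent_of

def trust_path(src, dst, domain_names):
    """Domains crossed over transitive trusts when src authenticates to dst.

    Parent and child trust each other directly; from a trust perspective the
    other tree roots are children of the forest root (assumed: first name listed).
    """
    _, parent_of = build_forest(domain_names)
    forest_root = domain_names[0].lower().rstrip(".")

    def chain(domain):          # domain, its parent, ... up to the forest root
        out = [domain.lower().rstrip(".")]
        while out[-1] != forest_root:
            out.append(parent_of[out[-1]] or forest_root)
        return out

    up, down = chain(src), chain(dst)
    meet = next(d for d in up if d in down)   # lowest common trust ancestor
    return up[:up.index(meet)] + down[down.index(meet)::-1]

# Constructed sample forest: the page's Reskit tree plus a second tree.
RESKIT_FOREST = ["reskit.com", "eu.reskit.com", "noam.reskit.com",
                 "mfg.noam.reskit.com", "acquired.example", "sales.acquired.example"]
```

For the sample forest, `trust_path("mfg.noam.reskit.com", "sales.acquired.example", RESKIT_FOREST)` climbs to reskit.com, crosses to the acquired.example tree root, and descends to the target.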

Use names that are distinct.

Some proxy client software, such as the proxy client built into Microsoft® Internet Explorer or the Winsock Proxy client, uses the name of a host to determine whether that host is on the Internet. Most software of this type provides, at minimum, a way of treating names with certain suffixes as local names instead of assuming that they are on the Internet.

If the Reskit company wants to call an Active Directory domain on their intranet reskit.com, they would have to enter reskit.com in the exclusion list of their proxy client software. This would prevent clients on the Reskit intranet from seeing a host on the Internet called www.reskit.com, unless they provide an identical site on the intranet.

To avoid this problem, the Reskit company could use a registered name that does not have a presence on the Internet, such as reskit-int01.com, or establish a company policy stating that names ending in a specific suffix of reskit.com, for example corp.reskit.com, will never appear on the Internet. In both cases, it is easy to configure proxy client exclusion lists so that they can determine which names are on the intranet and which are on the Internet.

There are many different techniques for accessing the Internet from a private intranet. Before using any name, ensure that it can be properly resolved by clients on your intranet within your specific Internet access strategy.

Use the fewest number of trees possible.

There are some advantages to minimizing the number of trees in your forest. The following advantages could apply in your environment:

Make the first part of the DNS name the same as the NetBIOS name.

It is possible to assign a domain a DNS name and a NetBIOS name that are entirely unrelated. For example, the DNS name of a domain could be sales.reskit.com, but the NetBIOS name could be "Marketing." Keep in mind that pre-Windows 2000 computers and non-Active Directory-aware software will display and accept NetBIOS names, whereas Windows 2000 computers and Active Directory-aware software will display and accept DNS names. This can potentially lead to confusion on the part of your end users and administrators.

You should only use unmatched NetBIOS and DNS names if:

Review names internationally.

Names that have a benign or useful meaning in one language can sometimes be derogatory or offensive in another language. DNS is a global namespace; be sure to review your names globally within your organization.

Note

If you have multiple localized versions of Windows running on your network, all computers, including Windows 2000 Professional and all versions of Windows 2000 Server, must use only Internet-standard characters in both their DNS and NetBIOS names. If you use characters other than those described above, only computers with the same locale setting will be able to communicate with each other.

Use names that are short enough to remember.

Length should not be a significant deciding factor when choosing names. Users typically interact with the global catalog and are not concerned with domain names. Typically, only administrators are exposed to domain names. Administrative tools almost always present a list of domains to choose from, and the cases where an administrator has to type a full name will be the exception, not the rule. In general, if you can remember all the components of a name, then it is not too long.

Domain Names and Computer Names

Windows 2000 computers that are joined to a domain will, by default, assign themselves a DNS name that is made up of the host name of the computer and the DNS name of the domain the computer has joined. For example, in Figure 9.9, if the computer account for Server 1 is located in eu.reskit.com, the computer will by default name itself server1.eu.reskit.com. However, it is possible to use any arbitrary DNS suffix instead of the Active Directory domain name. For this reason, it is not necessary to name your Active Directory domains to fit a DNS structure that is already deployed in your organization. Your Active Directory domains can use any name, and your computers can retain their existing names.

Figure 9.9    Member Computers with Default and Nondefault Names

For more information about computer naming, see "Windows 2000 DNS" in the TCP/IP Core Networking Guide.

© 1985-2000 Microsoft Corporation. All rights reserved.