Designing the Active Directory Structure
Domain hierarchies are not easy to restructure after they have been created. For this reason, it is best not to create domains that are based on a temporary or short-lived organizational structure. For example, creating a domain that maps to a particular business unit in your organization might create work for you if that business unit is split up, disbanded, or merged with another unit during a corporate reorganization.
However, there are cases where organization-based partitioning is appropriate. Geopolitical boundaries provide a relatively stable template for partitioning, but only if the organization does not frequently move across those boundaries. Consider a domain plan for an army, where the army has different divisions spread across a number of bases. It might be common for divisions to move between bases. If the forest were partitioned according to geographic location, administrators would have to move large numbers of user accounts between domains when a division moved between bases. If the forest were partitioned according to divisions, administrators would only have to move domain controllers between bases. In this case, organization-based partitioning is more appropriate than geographic partitioning.
It is easy to add new domains to a forest; however, you cannot move existing Windows 2000 Active Directory domains between forests.
Critical Decision Point: After a tree root domain has been established, you cannot add a domain with a higher level name to the forest. You cannot create a parent of an existing domain; you can only create a child. For example, if the first domain in a tree is called eu.reskit.com, you cannot later add a parent domain called reskit.com.
Demoting all of the domain controllers for a domain to the member server or standalone role will remove a domain from a forest and delete all of the information that was stored in the domain. A domain can only be removed from the forest if it has no child domains.
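The two structural rules above (no parent can be created for an existing domain, and only a domain without child domains can be removed) can be checked against a draft domain plan before anything is deployed. The following is an added example, not part of the original text or any Microsoft tooling; the function names and the sample forest are constructed for illustration, and it checks only these two rules plus duplicate names.

```python
def normalize(name):
    """Lower-case a DNS domain name and split it into labels, ignoring a trailing dot."""
    labels = name.strip().rstrip(".").lower().split(".")
    if not all(labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return tuple(labels)


def is_ancestor(candidate, existing):
    """True if candidate is a strict DNS ancestor of existing.

    The comparison is per label, so kit.com is not treated as an
    ancestor of eu.reskit.com even though it is a string suffix.
    """
    c, e = normalize(candidate), normalize(existing)
    return len(c) < len(e) and e[-len(c):] == c


def can_add(forest, new_domain):
    """Return (ok, reason): ok is False if new_domain duplicates an
    existing domain or would sit above one in the DNS hierarchy."""
    new = normalize(new_domain)
    for d in forest:
        if normalize(d) == new:
            return False, f"{d} already exists in the forest"
        if is_ancestor(new_domain, d):
            return False, f"{new_domain} would be a parent of existing domain {d}"
    return True, "no conflict with existing domains"


def can_remove(forest, domain):
    """Return (ok, reason): ok is False if domain is unknown or still has child domains."""
    target = normalize(domain)
    if all(normalize(d) != target for d in forest):
        return False, f"{domain} is not in the forest"
    children = [d for d in forest if is_ancestor(domain, d)]
    if children:
        return False, f"{domain} still has child domains: {', '.join(children)}"
    return True, "no child domains"


# Constructed sample plan, using the document's example tree root.
SAMPLE_FOREST = ["eu.reskit.com", "sales.eu.reskit.com"]

if __name__ == "__main__":
    for name in ("reskit.com", "hr.eu.reskit.com"):
        print("add", name, can_add(SAMPLE_FOREST, name))
    for name in SAMPLE_FOREST:
        print("remove", name, can_remove(SAMPLE_FOREST, name))
```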
Windows 2000 does not provide the ability to split a domain into two domains or to merge two domains into one domain in a single operation.
Critical Decision Point: It is important that you design your domain plan to require a minimum amount of partitioning changes as your organization evolves.
It is possible to split a domain by adding an empty domain to a forest and then moving objects into that domain from other domains. In the same way, it is possible to merge one domain with another domain by moving all of the objects from the source domain into the target domain. As mentioned previously, moving security principals between domains can impact end users. For more information about moving objects between domains, see "Determining Domain Migration Strategies" in this book.
Windows 2000 does not provide the ability to rename a domain in-place. Because the name of a domain is also representative of its position in a tree hierarchy, it is also true that a domain cannot be moved within a forest.
Critical Decision Point: When selecting names for your domains, choose names that you believe will continue to be meaningful as your organization evolves.
The alternative to in-place renaming is to create a new domain in the forest with the desired new name, and then move all the objects from the old domain into the new domain.