Designing the Active Directory Structure
The following are some of the key characteristics of a Windows 2000 domain that you will need to consider when you begin creating your domain structure plan:
An Active Directory forest is a distributed database, where the partitions of the database are defined by domains. A distributed database is a database that is made up of many partial databases spread across many computers, instead of a single database on a single computer. Splitting a database into smaller parts and placing those parts where the data is most relevant allows a large database to be distributed efficiently over a large network.
As in Windows NT 4.0, servers running Windows 2000 that host a domain database are called domain controllers. A domain controller can host exactly one domain. You can make changes to objects in the domain on any domain controller of that domain. All of the domain controllers in a particular forest also host a copy of the forest Configuration and Schema containers.
Each domain database contains security principal objects, such as users, groups, and computers. Security principal objects are special in that they can be granted or denied access to the resources on a network. Security principal objects must be authenticated by a domain controller for the domain in which the security principal objects are located. Authentication is done to prove the identity of the objects before they access a resource.
Each domain has a domain administrators group. Domain administrators have full control over every object in the domain. These administrative rights are valid within the domain only and do not propagate to other domains.
Group Policy that is associated with one domain does not automatically propagate to other domains in the forest. For a Group Policy from one domain to be associated with another domain, it must be explicitly linked.
A small set of security policies that apply to domain user accounts can only be set on a per-domain basis:
For more information about security policy for domain user accounts, see "Authentication" in the Microsoft® Windows 2000 Server Resource Kit Distributed Systems Guide.
A domain is identified by a DNS name. Clients use DNS to locate the domain controllers for a given domain. DNS names are hierarchical, and the DNS name of an Active Directory domain indicates its position in the forest hierarchy: the DNS name of a child domain is its parent's DNS name with one label prepended. For example, reskit.com might be the name of a domain, and a domain named eu.reskit.com can be a child domain of reskit.com in the forest hierarchy.
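As an added example (not code from the Resource Kit), the following script derives a forest's domain hierarchy from the DNS names of its domains and builds the DNS SRV record names a Windows 2000 client queries to locate domain controllers for a domain. Only reskit.com and eu.reskit.com come from the text above; the other domain names, the site name "Paris", and the SRV answer are constructed sample data, and the SRV ordering is a deterministic simplification of the RFC 2782 selection rule.

```python
"""Added example, not from the Resource Kit: derive the forest hierarchy from
domain DNS names and build the SRV names used to locate domain controllers.
Everything except reskit.com and eu.reskit.com is constructed sample data."""

from typing import Dict, List, Optional, Tuple

# Constructed sample forest (reskit.com and eu.reskit.com are from the page;
# the other domain names are assumptions for illustration).
FOREST_DOMAINS = [
    "reskit.com",
    "eu.reskit.com",
    "noam.reskit.com",
    "sales.eu.reskit.com",
    "acquired.example",   # a second domain tree in the same forest (assumed)
]


def parent_domain(dns_name: str, forest: List[str]) -> Optional[str]:
    """Return the parent domain of dns_name within the forest, or None.

    A child domain's DNS name is its parent's DNS name with one label
    prepended, so the parent is the name left after dropping the first
    label, provided that name is itself a domain in the forest. A name
    without such a parent is the root of its own domain tree."""
    labels = dns_name.lower().split(".")
    if len(labels) < 2:
        return None
    candidate = ".".join(labels[1:])
    forest_set = {d.lower() for d in forest}
    return candidate if candidate in forest_set else None


def build_hierarchy(forest: List[str]) -> Dict[str, List[str]]:
    """Map every domain to the sorted list of its direct child domains."""
    children: Dict[str, List[str]] = {d.lower(): [] for d in forest}
    for d in forest:
        p = parent_domain(d, forest)
        if p is not None:
            children[p].append(d.lower())
    return {k: sorted(v) for k, v in children.items()}


def tree_roots(forest: List[str]) -> List[str]:
    """Domains with no parent in the forest, i.e. the root of each domain
    tree (the first one created is the forest root domain)."""
    return sorted(d.lower() for d in forest if parent_domain(d, forest) is None)


def dc_locator_srv_names(dns_domain: str, site: Optional[str] = None) -> List[str]:
    """SRV owner names a client queries to find domain controllers for
    dns_domain: site-specific names first (when the client's site is
    known), then the domain-wide names. Domain controllers register these
    records under _msdcs.<domain> by dynamic DNS update."""
    dns_domain = dns_domain.lower()
    names: List[str] = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}")
        names.append(f"_kerberos._tcp.{site}._sites.dc._msdcs.{dns_domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{dns_domain}")
    names.append(f"_kerberos._tcp.dc._msdcs.{dns_domain}")
    return names


# (priority, weight, port, target) tuples, as returned by an SRV lookup.
SrvRecord = Tuple[int, int, int, str]

# Constructed answer for _ldap._tcp.dc._msdcs.eu.reskit.com (sample data).
SAMPLE_SRV_ANSWER: List[SrvRecord] = [
    (10, 100, 389, "dc3.eu.reskit.com"),
    (0, 50, 389, "dc2.eu.reskit.com"),
    (0, 100, 389, "dc1.eu.reskit.com"),
]


def order_dc_candidates(records: List[SrvRecord]) -> List[str]:
    """Order SRV targets the way a client tries them: lowest priority first.
    Within one priority, RFC 2782 picks targets at random in proportion to
    weight; this example sorts by descending weight instead so the result
    is deterministic."""
    ordered = sorted(records, key=lambda r: (r[0], -r[1], r[3]))
    return [f"{target}:{port}" for _, _, port, target in ordered]


if __name__ == "__main__":
    for root in tree_roots(FOREST_DOMAINS):
        print("tree root:", root)
    for domain, kids in build_hierarchy(FOREST_DOMAINS).items():
        print(f"{domain} -> children {kids}")
    print(dc_locator_srv_names("eu.reskit.com", site="Paris"))
    print(order_dc_candidates(SAMPLE_SRV_ANSWER))
```

When planning a structure, run the hierarchy function over the proposed domain names to confirm that every intended child really has its parent's name as a suffix; a name that does not will become the root of a separate domain tree rather than a child domain.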