Active Directory Logical Structure


Tree: Implementation of a Domain Hierarchy and DNS Namespace

A Windows 2000 tree is a DNS namespace: it has a single root domain and is built as a strict hierarchy; each domain below the root domain has exactly one superior, or parent, domain. The namespace created by this hierarchy, therefore, is contiguous — each level of the hierarchy is directly related to the level above it and to the level below it, if any, as illustrated in Figure 1.6.

Figure 1.6 Example of a Contiguous Tree Hierarchy
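
The contiguity rule described above can be checked mechanically against a planned list of domain names: exactly one name may lack a superior in the plan (the root), and every other name must have its immediate parent present. The following Python sketch is an added example, not part of the original text; the function names and the example.com sample plans are constructed for illustration.

```python
def normalize(name):
    # DNS names are case-insensitive; a trailing dot only marks the DNS root.
    return name.strip().rstrip(".").lower()


def parent_of(name):
    """Immediate superior domain: the name with its leftmost label removed."""
    _, _, rest = name.partition(".")
    return rest or None


def check_tree(domains):
    """Return (root, problems); an empty problems list means one contiguous tree."""
    names = {normalize(d) for d in domains if normalize(d)}
    if not names:
        return None, ["no domain names supplied"]
    # A name whose immediate superior is not in the plan is the root or a break.
    tops = sorted((n for n in names if parent_of(n) not in names),
                  key=lambda n: (n.count("."), n))
    root, problems = tops[0], []
    for name in tops[1:]:
        if name.endswith("." + root):
            # Below the root, but an intermediate level is absent from the plan.
            problems.append(f"{name}: parent {parent_of(name)} is missing")
        else:
            # Shares no suffix with the root, so it starts a separate namespace.
            problems.append(f"{name}: not under root {root}")
    return root, problems


# Constructed sample plans (example.com and example.net are reserved names).
CONTIGUOUS = ["example.com", "us.example.com", "europe.example.com",
              "sales.us.example.com"]
GAP = ["example.com", "sales.us.example.com"]
DISJOINT = ["example.com", "europe.example.com", "example.net"]

if __name__ == "__main__":
    for plan in (CONTIGUOUS, GAP, DISJOINT):
        root, problems = check_tree(plan)
        print(root, problems or "contiguous")
```
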

In Windows 2000, the following rules determine the way that trees function in the namespace:

Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change. Changes in the overall domain architecture, such as domain collapses and domain re-creation, create difficult and potentially IT-intensive support requirements. A good namespace design should be capable of withstanding company reorganizations without the need to restructure the existing domain hierarchy.



Note

Administrative privileges do not extend from parent domains to child domains. Privileges must be granted explicitly for each domain.

For more information about namespace design and the rationale for naming the root domain and creating child domains, see "Designing the Active Directory Structure" and "Determining Domain Migration Strategies" in the Deployment Planning Guide. For more information about administrative privileges, see "Authentication" and "Access Control" in this book.

© 1985-2000 Microsoft Corporation. All rights reserved.