Active Directory Logical Structure
A Windows 2000 tree is a DNS namespace: it has a single root domain and is built as a strict hierarchy; each domain below the root domain has exactly one superior, or parent, domain. The namespace created by this hierarchy, therefore, is contiguous — each level of the hierarchy is directly related to the level above it and to the level below it, if any, as illustrated in Figure 1.6.
Figure 1.6 Example of a Contiguous Tree Hierarchy
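The contiguity property described above can be checked mechanically. The following Python sketch is an added example, not part of the original text: given a root domain and a list of domain names, it reports each domain's direct children, any domain whose immediate parent is missing, and any name that falls outside the root's namespace. The function names and the `example.com` domain names are constructed for illustration.

```python
def normalize(name):
    """Lower-case a DNS name and drop surrounding space and any trailing dot."""
    return name.strip().rstrip(".").lower()

def parent_of(name):
    """DNS parent: the name with its leftmost label removed (None if single-label)."""
    _, _, rest = name.partition(".")
    return rest or None

def check_tree(root, domains):
    """Classify each domain against a tree rooted at `root`.

    Returns a dict with:
      children - parent name -> list of its direct child domains
      gaps     - names under the root whose immediate parent domain is absent
      outside  - names that are not in the root's namespace at all
    """
    root = normalize(root)
    names = {normalize(d) for d in domains} | {root}
    children, gaps, outside = {}, [], []
    for name in sorted(names - {root}):
        if not name.endswith("." + root):
            outside.append(name)          # different namespace, not part of this tree
        elif parent_of(name) in names:
            children.setdefault(parent_of(name), []).append(name)
        else:
            gaps.append(name)             # a level of the hierarchy is missing
    return {"children": children, "gaps": gaps, "outside": outside}

def is_contiguous(result):
    """True when every domain has exactly one parent present, up to the single root."""
    return not result["gaps"] and not result["outside"]

# Constructed sample names (hypothetical, for illustration only).
SAMPLE_TREE = ["example.com", "US.example.com.", "europe.example.com",
               "sales.us.example.com"]
SAMPLE_BROKEN = SAMPLE_TREE + ["mktg.asia.example.com", "example.org"]

if __name__ == "__main__":
    for label, sample in (("tree", SAMPLE_TREE), ("broken", SAMPLE_BROKEN)):
        result = check_tree("example.com", sample)
        print(label, "contiguous:", is_contiguous(result))
        print("  gaps:", result["gaps"], "outside:", result["outside"])
```

A name listed under `gaps` or `outside` cannot be a member of the tree as described: the first skips a level of the hierarchy, and the second belongs to a different namespace.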
In Windows 2000, the following rules determine the way that trees function in the namespace:
Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change. Changes in the overall domain architecture, such as domain collapses and domain re-creation, create difficult and potentially
Note
Administrative privileges do not extend from parent domains to child domains. Privileges must be granted explicitly for each domain.
For more information about namespace design and the rationale for naming the root domain and creating child domains, see "Designing the Active Directory Structure" and "Determining Domain Migration Strategies" in the Deployment Planning Guide. For more information about administrative privileges, see "Authentication" and "Access Control" in this book.