Domains

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Domains are units of replication. All of the domain controllers in a particular domain can receive changes and replicate those changes to all other domain controllers in the domain. Each domain in Active Directory is identified by a Domain Name System (DNS) domain name and requires one or more domain controllers. If your network requires more than one domain, you can easily create multiple domains.

One or more domains that share a common schema and global catalog are referred to as a forest. The first domain in a forest is referred to as the forest root domain. For more information about forests, see Creating a new forest. If multiple domains in the forest have contiguous DNS domain names, then the structure is referred to as a domain tree. For more information, see Active Directory naming and Creating a new domain tree.

A single domain can span multiple physical locations or sites and can contain millions of objects. Site structure and domain structure are separate and flexible. A single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains. For more information, see Sites overview.

A domain provides several benefits:

  • Organizing objects.

    You do not need to create separate domains merely to reflect your company's organization of divisions and departments. Within a domain, you can use organizational units for this purpose. Using organizational units helps you manage the accounts and resources in the domain. You can then assign Group Policy settings and place users, groups, and computers into the organizational units. Using a single domain greatly simplifies administrative overhead. For more information, see Organizational units.

  • Publishing resources and information about domain objects.

    A domain stores only the information about objects located in that domain, so by creating multiple domains, you are partitioning or segmenting the directory to better serve a disparate user base. When using multiple domains, you can scale the Active Directory directory service to accommodate your administrative and directory publishing requirements. For more information, see Publishing resources.

  • Applying a Group Policy object to the domain consolidates resource and security management.

    A domain defines a scope or unit of policy. A Group Policy object (GPO) establishes how domain resources can be accessed, configured, and used. These policies are applied only within the domain and not across domains. For more information about applying GPOs, see Group Policy (pre-GPMC).

  • Delegating authority eliminates the need for a number of administrators with broad administrative authority.

    Using delegated authority in conjunction with Group Policy objects and group memberships enables you to assign an administrator rights and permissions to manage objects in an entire domain or in one or more organizational units within the domain. For more information about delegating administrative control, see Delegating administration.

  • Security policies and settings (such as user rights and password policies) do not cross from one domain to another.

    Each domain has its own security policies and trust relationships with other domains. However, the forest is the final security boundary. For more information, see Creating a new forest.

  • Each domain stores only the information about the objects located in that domain.

    By partitioning the directory this way, Active Directory can scale to very large numbers of objects.

Creating a domain

You create a domain by creating the first domain controller for a domain. To do this, install Active Directory on a member server running Windows Server 2003 by using the Active Directory Installation Wizard. The wizard uses the information that you provide to create the domain controller and create the domain within the existing domain structure of your organization. Depending on the existing domain structure, the new domain could be the first domain in a new forest, the first domain in a new domain tree, or a child domain of an existing domain tree. For more information, see Creating a new forest, Creating a new domain tree, and Creating a new child domain.

A domain controller provides the Active Directory directory service to network users and computers, stores directory data, and manages user and domain interactions, including user logon processes, authentication, and directory searches. Every domain must contain at least one domain controller. For more information, see Domain controllers.

After you create the first domain controller for a domain, you can create additional domain controllers in an existing domain for fault tolerance and high availability of the directory. For more information, see Creating an additional domain controller.

Planning for multiple domains

Some reasons to create more than one domain are:

  • Different password requirements between departments or divisions

  • Massive numbers of objects

  • Decentralized network administration

  • More control of replication

Although using a single domain for an entire network has several advantages, you may want to create additional domains to meet further scalability, security, or replication requirements. Understanding how directory data is replicated between domain controllers will help you plan the number of domains your organization needs. For more information about replication, see How replication works.

Removing a domain

In order to remove a domain, you must first remove Active Directory from all of the domain controllers associated with that domain. Once Active Directory has been removed from the last domain controller, the domain is removed from the forest and all of the information in that domain is deleted. A domain can be removed from the forest only if it has no child domains. If it is the last domain in the forest, removing it also deletes the forest.

For more information about how to remove a domain, see Remove a domain.

Caution

  • Removing a domain will result in the permanent loss of any data contained in that domain. This includes all user, group, and computer accounts.

Before removing Active Directory from a domain controller, you should first remove any application directory partitions from that domain controller. For more information, see Application directory partitions and Create or delete an application directory partition.
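The preconditions described above (no child domains, Active Directory removed from every domain controller, application directory partitions removed first, and the special case of the last domain in the forest) can be verified before any domain controller is touched. The following script is an added example and is not part of the original article or of the Active Directory Installation Wizard; it uses the .NET System.DirectoryServices.ActiveDirectory classes, which the article does not cover, and assumes Windows PowerShell 2.0 or later with .NET Framework 2.0 on a machine joined to the forest, run by an account that can read the forest configuration. The domain name child.contoso.com is a constructed placeholder.

```powershell
# Added example, not from the original article: check the preconditions for
# removing a domain before demoting its domain controllers.
# Assumes Windows PowerShell 2.0+ with .NET 2.0 on a forest-joined machine;
# the domain name below is a constructed placeholder.
param([string]$DomainName = 'child.contoso.com')

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = $forest.Domains | Where-Object { $_.Name -eq $DomainName }
if (-not $domain) { throw "Domain '$DomainName' is not part of forest '$($forest.Name)'" }

$blockers = @()

# 1. A domain can only be removed if it has no child domains.
if ($domain.Children.Count -gt 0) {
    $names = ($domain.Children | ForEach-Object { $_.Name }) -join ', '
    $blockers += "child domains still exist: $names"
}

# 2. Active Directory must be removed from every domain controller; list what is left.
$dcNames = @($domain.DomainControllers | ForEach-Object { $_.Name })
"Domain controllers still hosting $DomainName : $($dcNames -join ', ')"

# 3. Application directory partitions hosted on those domain controllers should
#    be removed before Active Directory is removed from them.
foreach ($partition in $forest.ApplicationPartitions) {
    $hosts = @($partition.DirectoryServers | Where-Object { $dcNames -contains $_.Name } |
               ForEach-Object { $_.Name })
    if ($hosts.Count -gt 0) {
        $blockers += "application partition $($partition.Name) is still hosted on: $($hosts -join ', ')"
    }
}

# 4. Removing the last domain in the forest deletes the forest itself.
if ($forest.Domains.Count -eq 1) {
    $blockers += "this is the last domain in forest $($forest.Name); removing it deletes the forest"
}

if ($blockers.Count -gt 0) {
    $blockers | ForEach-Object { "BLOCKER: $_" }
} else {
    "No blockers found; $DomainName can be removed once its domain controllers are demoted."
}
```

Run it once per domain you intend to remove and keep the output with the change record: the list of remaining domain controllers doubles as the demotion order, and every BLOCKER line corresponds to one of the conditions the article states.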

Trust relationships between domains

Trust relationships are automatically created between adjacent domains (parent and child domains) when a domain is created in Active Directory. In a forest, a trust relationship is automatically created between the forest root domain and any tree root domains or child domains that are subordinate to the forest root domain. Because these trust relationships are transitive, users and computers can be authenticated between any domains in the forest. For more information about trust relationships, see Trust transitivity.

When upgrading a Windows NT domain to a Windows Server 2003 domain, the existing one-way trust relationship between that domain and any other domains remains intact. This includes all trusts with other Windows NT domains. If you are creating a new Windows Server 2003 domain and want trust relationships with any Windows NT domains, you must create external trusts with those domains. For more information about external trusts, see When to create an external trust.
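The domain tree described under Creating a domain (forest root, tree roots, child domains) and the trust relationships described in this section can be listed together from any machine in the forest. The following script is an added example and is not part of the original article; it uses the .NET System.DirectoryServices.ActiveDirectory classes, assumes Windows PowerShell 2.0 or later with .NET Framework 2.0 on a forest-joined machine, and labels each trust by whether it is one of the automatically created transitive trusts within the forest or one that reaches outside the forest boundary (for example an external trust to a Windows NT domain), which is the kind an administrator should review.

```powershell
# Added example, not from the original article: map the domain tree and every
# trust each domain holds, and point out trusts that leave the forest boundary.
# Assumes Windows PowerShell 2.0+ with .NET 2.0 on a forest-joined machine.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest: $($forest.Name)   root domain: $($forest.RootDomain.Name)"

# Trust types that Active Directory creates automatically inside a forest; all are transitive
$intraForest = @('ParentChild', 'TreeRoot', 'CrossLink')

foreach ($domain in $forest.Domains) {
    # Parent is $null for the forest root domain and for the root domain of each tree
    $parent = if ($domain.Parent) { $domain.Parent.Name } else { '(forest root or tree root)' }
    ""
    "Domain $($domain.Name)   parent: $parent"

    foreach ($t in $domain.GetAllTrustRelationships()) {
        $type = "$($t.TrustType)"      # enum value as a string for the switch below
        $note = switch ($type) {
            { $intraForest -contains $_ } { 'intra-forest, transitive' }
            'External'                    { 'EXTERNAL: non-transitive, outside the forest boundary; review' }
            'Forest'                      { 'FOREST: transitive to another forest; review' }
            default                       { "$type; review" }
        }
        "  {0,-13} {1,-28} -> {2,-28} {3}" -f $t.TrustDirection, $t.SourceName, $t.TargetName, $note
    }
}
```

Because the forest, not the domain, is the final security boundary, the lines marked EXTERNAL and FOREST are the ones that extend authentication beyond it; comparing this listing against the trusts you expect after an upgrade or a new external trust is a quick way to catch a trust that was not intended to survive.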