Understanding Domains
Applies To: Windows Server 2008
Domains are units of replication. All the domain controllers in a particular domain can receive changes and replicate those changes to all the other domain controllers in the domain. Each domain in Active Directory Domain Services (AD DS) is identified by a Domain Name System (DNS) domain name. Each domain requires one or more domain controllers. If your network requires more than one domain, you can easily create multiple domains.
One or more domains that share a common schema and global catalog are referred to as a forest. The first domain in a forest is referred to as the forest root domain. If multiple domains in the forest have contiguous DNS domain names, the structure is referred to as a domain tree.
A single domain can span multiple physical locations or sites and contain millions of objects. Site structure and domain structure are separate and flexible. A single domain can span multiple geographical sites, and a single site can include users and computers that belong to multiple domains.
A domain provides several benefits:
You can organize objects.
You do not have to create separate domains merely to reflect your company's organization of divisions and departments. Within a domain, you can use organizational units (OUs) for this purpose. Using OUs helps you manage the accounts and resources in the domain. You can then assign Group Policy settings and place users, groups, and computers into the OUs. Using a single domain greatly simplifies administrative overhead. For more information, see Managing Organizational Units.
You can publish resources and information about domain objects.
A domain stores information only for objects that are located in that domain. Therefore, by creating multiple domains you are partitioning or segmenting the directory to better serve a disparate user base. When you use multiple domains, you can scale AD DS to accommodate your administrative and directory publishing requirements.
Delegating authority eliminates the need for many administrators with broad administrative authority.
By using delegated authority in conjunction with Group Policy objects and group memberships, you can assign an administrator rights and permissions to manage objects in an entire domain or in one or more OUs within the domain.
Security policies and settings (such as user rights and password policies) do not cross from one domain to another.
Each domain has its own security policies and trust relationships with other domains. However, the forest is the final security boundary.
Each domain stores only the information about the objects that are located in that domain.
By partitioning the directory this way, AD DS can scale to very large numbers of objects.
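One way to see this structure on a live forest, added here as an example and not part of the original article, is to walk the forest from its root and report each domain's place in the domain tree together with its own default domain password policy, which makes visible that such settings stop at the domain boundary. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and RSAT, not the original 2008 release) and an account with read access to every domain in the forest.

```powershell
# Added example (not from the original article): enumerates the forest from its
# root domain and, for every domain, shows its tree position and its own default
# domain password policy. Illustrates that domains partition the directory and
# that password policy does not cross from one domain to another.
# Assumes the RSAT ActiveDirectory module and read access to each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Output ("Forest root domain : {0}" -f $forest.RootDomain)
Write-Output ("Global catalogs    : {0}" -f ($forest.GlobalCatalogs -join ', '))
Write-Output ("Sites              : {0}" -f ($forest.Sites -join ', '))
Write-Output ""

foreach ($dnsName in $forest.Domains) {
    # -Server targets a DC of that domain: each domain holds only its own objects,
    # so the policy must be read from the domain it belongs to.
    $domain = Get-ADDomain -Server $dnsName
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $dnsName

    # A domain with a parent is a child in that parent's tree (contiguous DNS names);
    # a domain with no parent is a tree root (the forest root or a separate tree).
    $treeRole = if ($domain.ParentDomain) { "child of $($domain.ParentDomain)" } else { "tree root" }

    Write-Output ("Domain {0} ({1})" -f $domain.DNSRoot, $treeRole)
    Write-Output ("  Domain controllers : {0}" -f ($domain.ReplicaDirectoryServers -join ', '))
    Write-Output ("  Min password length: {0}" -f $policy.MinPasswordLength)
    Write-Output ("  Max password age   : {0}" -f $policy.MaxPasswordAge)
    Write-Output ("  Lockout threshold  : {0}" -f $policy.LockoutThreshold)
    Write-Output ("  Complexity enabled : {0}" -f $policy.ComplexityEnabled)
    Write-Output ""
}
```

Comparing the per-domain output shows where a weaker policy in one domain would not be corrected by a stronger one elsewhere, since only the forest, not the domain, is the final security boundary.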