Planning the Active Directory Hierarchy

Although it does no harm to simplify the Active Directory domain hierarchy and characterize it as a branching tree, it is also useful to look at the different levels of the hierarchy as administrative containers. Seen that way, the domain is the most basic container available. (This is not to ignore the Organizational Unit, which is a very useful Active Directory container in its own right; Organizational Units are discussed in Hour 9, “Creating Active Directory Groups, Organizational Units, and Sites.”)

The tree, then (in terms of Active Directory Domain Services), is a collection of domains. All these domains share the same Global Catalog, which is the central repository for all the objects in a domain (or domain tree). This means that all the domains in the tree can reach the same set of resources, no matter which domain in the tree actually hosts a given resource.

When you create a new tree, you are creating a domain that is to serve as the root of the tree. Other domains added to the tree are actually child domains of the root domain (the initial domain that you create is the root—creating the root is discussed in the next section). Figure 8.1 shows a tree root domain called spinach.com. Notice that a number of child domains (such as popeye.spinach.com and wimpy.spinach.com) exist as “subdomains” of the tree root (spinach.com).

Figure 8.1. A Windows Server 2008 Active Directory domain tree.


Child domains in the tree are in the same namespace as the root domain (the root supplying the root name). The child domains actually take on the root domain name as part of their complete name. This naming convention is also seen in DNS, and child domains in a DNS tree are named in a similar fashion (using the root name as part of the complete name). For more about DNS (which you might want to read before designing your Active Directory tree structure), see Hour 15, “Understanding the Domain Name Service.”

Although the tree provides an extremely large administrative and security container (you can place a large number of child domains in a tree), there is actually a larger container called a forest. A forest is a collection of trees. For example, spinach.com, a tree, could be in a forest with carrot.com, another tree.

Although these trees are managed separately and operate in their own namespaces, they can belong to the same forest; this allows the different domains in these separate trees to share the same Global Catalog. This means that trees in the same forest can share resources (and can locate resources by virtue of sharing the same Global Catalog).
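The following PowerShell script is an added example and is not part of the book; it maps a forest the way this section describes it, grouping domains into trees by their DNS root, listing each tree's child domains, and showing which domain controllers host the Global Catalog that all the trees share. It assumes the ActiveDirectory RSAT module is installed and that the session is domain-joined with read access to the forest.

```powershell
# Added example (not from the book): enumerate the forest/tree/domain hierarchy
# and the shared Global Catalog servers.
# Assumes: ActiveDirectory module available, domain-joined session, read access.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root domain  : $($forest.RootDomain)"
"Global Catalog DCs  : $($forest.GlobalCatalogs -join ', ')"
""

# Pull the domain object for every domain in the forest.
$domains = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ }

# A tree root is a domain with no parent; each tree has its own namespace,
# so there is one root per tree (e.g. spinach.com and carrot.com).
$treeRoots = $domains | Where-Object { -not $_.ParentDomain }

foreach ($root in $treeRoots | Sort-Object DNSRoot) {
    "Tree: $($root.DNSRoot)"

    # Child domains carry the root name as the suffix of their own DNS name
    # (popeye.spinach.com is a child of spinach.com), so the tree membership
    # can be read straight off the DNS root.
    $domains |
        Where-Object { $_.DNSRoot -ne $root.DNSRoot -and
                       $_.DNSRoot -like "*.$($root.DNSRoot)" } |
        Sort-Object DNSRoot |
        ForEach-Object { "  child : $($_.DNSRoot)  (parent: $($_.ParentDomain))" }

    # Defender's check: flag any domain in this tree with no GC of its own.
    # Logons and forest-wide searches from that domain then depend on a GC
    # elsewhere, which matters for availability and replication planning.
    $domains |
        Where-Object { $_.DNSRoot -eq $root.DNSRoot -or
                       $_.DNSRoot -like "*.$($root.DNSRoot)" } |
        ForEach-Object {
            $dns = $_.DNSRoot
            $gcHere = $forest.GlobalCatalogs | Where-Object { $_ -like "*.$dns" }
            if (-not $gcHere) { "  WARNING: no Global Catalog server located in $dns" }
        }
    ""
}
```

Run the script from an elevated PowerShell session on a domain-joined machine; it only reads directory data and changes nothing.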

By the Way

An important aspect of sharing the Global Catalog by domains in the same tree is the replication of this database of Active Directory objects. Global Catalog replication is discussed in Hour 9, in the section “Active Directory Replication and Sites.”

When you create your first Windows Server 2008 domain, you are creating both a new forest and a new tree. The next section discusses installing Active Directory Domain Services on a Windows Server 2008 installation and creating these administrative and security containers.

By the Way

A single Windows Server 2008 domain can serve thousands of users and provide many resources to those users (particularly when a number of specialized servers are used to provide these services). Only very large corporations require a root domain that has child domains in the Active Directory tree. Only the largest of organizations or corporations would require a forest of multiple trees.
