The most basic component in Active Directory, domains are used to implement directory security and manage resources. User accounts are administered in a domain, whereas member servers and other resources use domain security to determine who is granted access to their resources. An Active Directory domain controller can host only one domain. The domain controller holds a read/write copy of the domain security database.
When creating a Windows 2000 domain, there are a number of items that will need to be considered, all of which are described next.
It is important to realize that a domain is simply a partition of the Active Directory forest. These partitions can also be referred to as boundaries. This is described in more detail in the next section, "Administrative Boundaries."
The Active Directory database can be distributed across domain controllers, resulting in fault tolerance and more efficient access for the database. Although not as flexible, AD domains are comparable to NDS replications in that they are used to partition the directory database.
Any administrative rights granted to groups and users within a domain are only valid within that domain. For example, the Domain Administrators group by default is granted Full Control access to the domain. Members of that group cannot administer other domains where they are not in the Domain Administrators group.
The same principle applies to Group Policy Objects (GPO). GPOs do not take effect in domains they were not created in. Active Directory does allow GPOs from differing domains to be explicitly linked, however.
Domain Security Policies
Security policies are determined on a per-domain basis. These policies include the Password Policy, the Account Lockout Policy, and the Kerberos Ticket Policy.
The Password Policy determines important security parameters related to user passwords. Some of these parameters include password length, password history, and password expiration.
The Account Lockout Policy determines how intruder lockout is implemented in the domain.
The Kerberos Ticket Policy defines the lifetime of a Kerberos ticket. A Kerberos ticket, like the access token previously found in Windows NT, is used for authentication and object access.
When creating a domain, there are a number of things you must consider and determine before creation:
Select a forest root domain. One of the first decisions to be made when creating an Active Directory Domain is to select the forest root domain. The forest root domain is the first domain created in a forest.
If the domain to be created is the first Active Directory domain, by default it will create a new forest and become the forest root domain.
If the domain to be created will join an existing Active Directory forest, you need to specify the forest root domain. It is important to note that the Domain Administrators group for the forest root domain will be able to modify the membership of both the Enterprise Administrators and Schema Administrators groups.
Select a DNS domain name for the domain to be created.
If the domain will be the tree root domain of a new forest, simply specifying the DNS domain name will suffice.
If the domain will be joining an existing tree, the domain name must be part of the DNS namespace described earlier in this chapter. In other words, it must be contiguous with the tree root domain's hierarchy (see Figure 3.5).
Figure 3.5 Creating a new Active Directory domain in an existing tree.
Implement the DNS infrastructure. Recall that DNS is a required component in Active Directory. When creating an Active Directory domain, the Active Directory setup program (DCPROMO) will verify that there is a DNS infrastructure available. If the infrastructure is not in place, you can tell DCPROMO to install and configure a DNS server automatically. Also note that once you create the DNS namespace, it cannot be changed. If you need to change your DNS namespace, you will need to run DCPROMO and remove Active Directory. You would then need to recreate the DNS namespace and reinstall Active Directory.
Creating Multiple Domains
The limitations found in Windows NT 4 domains, such as limited database size, are not issues in Windows 2000. As a result, Microsoft recommends that one domain be used for Active Directory.
However, there are situations in which you need to create more than one domain.
Security requirementsThe most common reason for implementing multiple domains is the existence of differing security requirements. It is important to remember that security policies are determined on a per-domain basis. For example, the Password Policy determines the password length for the entire domain. If your organization requires that some users have a longer password length than others, you need to create a separate domain for these users.
Autonomous situationsMultiple domains also need to be created for autonomous situations. Members of the Domain Administrators group are granted full control access to all objects in a domain. If a portion of your organization does not want its data to be comprised by members of the Domain Administrators group, you can create another domain and give administrative control to those members of the organization.
Replication requirementsRemember that Microsoft recommends the use of a single domain in a forest? Although it is a great idea when it comes to administering the directory, domain controllers in a single large domain can become burdened by replication traffic. In a single domain in a forest, every object in the forest is replicated to every domain controller in the forest. This results in inefficient use of network bandwidth and domain controller processing resources. By breaking the large single domain into smaller, more manageable pieces, you can better control replication traffic. Only objects in that domain are replicated to that domain's domain controllers.
Existing Windows NT Domain StructureAnother reason that you might choose to have multiple domains is to retain an already existing Windows NT domain structure. However, unless one of the two previous situations (security requirements and replication requirements) are still valid after an upgrade to Windows 2000 and Active Directory, most organizations benefit more from the consolidation of domains than the preservation of the prior Windows NT domain structure.
Networks incorporating headquarters with branch offices and WAN links can benefit from the use of multiple domains.