Active Directory's logical structure is built around the concept of domains. Domains were introduced in Windows NT 3.x and 4.0. However, in Active Directory, domains have been updated significantly from the flat and inflexible structure imposed by Windows NT. An Active Directory domain is made up of the following components:
- An X.500-based hierarchical structure of containers and objects
- A DNS domain name as a unique identifier
- A security service, which authenticates and authorizes any access to resources via accounts in the domain or trusts with other domains
- Policies that dictate how functionality is restricted for users or machines within that domain
A domain controller (DC) can be authoritative for one and only one domain. It is not possible to host multiple domains on a single DC. For example, DispersedNet has already been allocated a DNS domain name for its company called dispersednet.com, so it decides that the first Active Directory domain that it is going to build is to be named dispersednet.com. However, this is only the first domain in a series that may need to be created, and dispersednet.com is in fact the root of a domain tree.
The dispersednet.com domain itself is automatically created as the root node of a hierarchical structure called a domain tree. This is literally a series of domains connected together in a hierarchical fashion, all using a contiguous naming scheme.
If DispersedNet were to add domains called Europe, Asia, and Americas, then the names would be
- europe.dispersednet.com,
- asia.dispersednet.com, and
- americas.dispersednet.com.
Each domain tree is called by the name given to the root of the tree; hence, this domain tree is known as the dispersednet.com tree.
You can see that in the setup of DispersedNet we now have a contiguous set of domains that all fit into a tree. Even if we had only one domain, it would still be a domain tree with one domain.
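The contiguous-naming rule above can be checked mechanically. The following is an added example, not code from the original text: it takes a list of domain DNS names (the DispersedNet names from the text, as a constructed sample), groups them into domain trees by walking each name up to the last ancestor that is itself a domain in the list, names each tree after that root, and reports whether a proposed child domain would extend an existing tree or would have to become the root of a new one. It works on DNS names only and assumes the rule the text describes: a child domain's name is its parent's name with one extra leading label.

```python
"""Group Active Directory domain DNS names into domain trees by contiguous
naming, and test whether a proposed new domain would join an existing tree.

Added example, not code from the original text. It assumes the AD naming
rule described in the text: a child domain's DNS name is its parent's DNS
name with one extra leading label.
"""

# Constructed sample: the DispersedNet tree from the text.
DISPERSEDNET_DOMAINS = [
    "dispersednet.com",
    "europe.dispersednet.com",
    "asia.dispersednet.com",
    "americas.dispersednet.com",
]


def normalize(domain):
    """Lower-case a DNS name and drop a trailing dot so comparisons are stable."""
    return domain.strip().lower().rstrip(".")


def parent_of(domain):
    """DNS parent of a name: 'europe.dispersednet.com' -> 'dispersednet.com'.
    Returns None for a single-label name such as 'com'."""
    labels = normalize(domain).split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def tree_root(domain, known_domains):
    """Walk up the DNS hierarchy while each parent is itself one of the known
    AD domains; the last known ancestor is the root of this domain's tree.
    The tree is named after that root (the 'dispersednet.com tree')."""
    known = {normalize(d) for d in known_domains}
    root = normalize(domain)
    while parent_of(root) in known:
        root = parent_of(root)
    return root


def domain_trees(domains):
    """Map each tree root to its members, root first, then by depth and name.
    Two domains land in the same tree only if every name between them is
    present, i.e. the naming scheme is contiguous."""
    trees = {}
    for name in {normalize(d) for d in domains}:
        trees.setdefault(tree_root(name, domains), []).append(name)
    return {
        root: sorted(members, key=lambda n: (n.count("."), n))
        for root, members in trees.items()
    }


def joins_tree(new_domain, existing_domains):
    """Return the root of the tree a proposed domain would join, or None if
    its immediate DNS parent is not an existing domain (it would then have
    to start a new tree rather than extend this one)."""
    parent = parent_of(new_domain)
    existing = {normalize(d) for d in existing_domains}
    if parent is None or parent not in existing:
        return None
    return tree_root(parent, existing_domains)


if __name__ == "__main__":
    for root, members in domain_trees(DISPERSEDNET_DOMAINS).items():
        print(f"{root} tree: {members}")
    # A child of europe extends the dispersednet.com tree ...
    print(joins_tree("sales.europe.dispersednet.com", DISPERSEDNET_DOMAINS))
    # ... but a name whose parent does not exist cannot be contiguous with it.
    print(joins_tree("paris.france.dispersednet.com", DISPERSEDNET_DOMAINS))
```

Given a second, unrelated root (for instance a constructed `example.net` with its own children), `domain_trees` returns two entries, which is how a forest of several trees would appear; the names in one tree never overlap the other.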