Domains

Domains are units of replication. All of the domain controllers in a particular domain can receive changes and replicate those changes to all other domain controllers in the domain. Each domain in Active Directory is identified by a Domain Name System (DNS) domain name and requires one or more domain controllers. If your network requires more than one domain, you can easily create multiple domains.

One or more domains that share a common schema and global catalog are referred to as a forest. The first domain in a forest is referred to as the forest root domain. For more information about forests, see Creating a new forest. If multiple domains in the forest have contiguous DNS domain names, then the structure is referred to as a domain tree. For more information, see Active Directory naming and Creating a new domain tree.

A single domain can span multiple physical locations or sites and can contain millions of objects. Site structure and domain structure are separate and flexible. A single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains. For more information, see Sites overview.

A domain provides several benefits:

Creating a domain

You create a domain by creating the first domain controller for a domain. To do this, install Active Directory on a member server running Windows Server 2003 by using the Active Directory Installation Wizard. The wizard uses the information that you provide to create the domain controller and create the domain within the existing domain structure of your organization. Depending on the existing domain structure, the new domain could be the first domain in a new forest, the first domain in a new domain tree, or a child domain of an existing domain tree. For more information, see Creating a new forest, Creating a new domain tree, and Creating a new child domain.

A domain controller provides the Active Directory directory service to network users and computers, stores directory data, and manages user and domain interactions, including user logon processes, authentication, and directory searches. Every domain must contain at least one domain controller. For more information, see Domain controllers.

After you create the first domain controller for a domain, you can create additional domain controllers in an existing domain for fault tolerance and high availability of the directory. For more information, see Creating additional domain controllers.

Planning for multiple domains

Some reasons to create more than one domain are:

Although using a single domain for an entire network has several advantages, to meet additional scalability, security, or replication requirements you may consider creating one or more domains for your organization. Understanding how directory data is replicated between domain controllers will help you plan the number of domains needed by your organization. For more information about replication, see How replication works.

Removing a domain

In order to remove a domain, you must first remove Active Directory from all of the domain controllers associated with that domain. Once Active Directory has been removed from the last domain controller, the domain is removed from the forest and all of the information in that domain is deleted. A domain can only be removed from the forest if it has no child domains. If this is the last domain in the forest, removing this domain also deletes the forest.

For more information about how to remove a domain, see To remove a domain.

Caution

Before removing Active Directory from a domain controller, you should first remove any application directory partitions from that domain controller. For more information, see Application directory partitions and To create or delete an application directory partition.

Trust relationships between domains

Trust relationships are automatically created between adjacent domains (parent and child domains) when a domain is created in Active Directory. In a forest, a trust relationship is automatically created between the forest root domain and any tree root domains or child domains that are subordinate to the forest root domain. Because these trust relationships are transitive, users and computers can be authenticated between any domains in the forest. For more information about trust relationships, see Trust transitivity.

When upgrading a Windows NT domain to a Windows Server 2003 domain, the existing one-way trust relationship between that domain and any other domains remains intact. This includes all trusts with other Windows NT domains. If you are creating a new Windows Server 2003 domain and want trust relationships with any Windows NT domains, you must create external trusts with those domains. For more information about external trusts, see When to create an external trust.
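As an added illustration of the two preceding paragraphs (not part of the original documentation), the following Python model walks a constructed trust graph and reports which domains can authenticate to which: every hop inside the forest is transitive, so all forest domains reach each other, while the external trust to the Windows NT domain is one-way and non-transitive and so stops the walk. The domain names and trust list are constructed for the example.

```python
from collections import deque

# Constructed sample topology (not from the page): a forest of three domains
# plus one legacy Windows NT domain linked by a one-way external trust.
FOREST = {"corp.example", "sales.corp.example", "eu.example"}
NT_DOMAIN = "LEGACYNT"

# Each trust is (trusting_domain, trusted_domain, transitive).
# "trusting trusts trusted" means users from the trusted domain can
# authenticate to resources in the trusting domain.
TRUSTS = [
    # parent-child trust: two-way, transitive (created automatically)
    ("corp.example", "sales.corp.example", True),
    ("sales.corp.example", "corp.example", True),
    # tree-root trust between forest root and a second tree root: two-way, transitive
    ("corp.example", "eu.example", True),
    ("eu.example", "corp.example", True),
    # external trust to a Windows NT domain: one-way, non-transitive
    ("sales.corp.example", NT_DOMAIN, False),
]


def trusted_by(resource_domain, trusts=TRUSTS):
    """Return the set of domains whose users can authenticate to resource_domain.

    Walk the trust graph outward from the resource domain. A path is honoured
    only if every hop is transitive, except that a single direct hop may be a
    non-transitive (external) trust.
    """
    reachable = set()
    queue = deque()
    for trusting, trusted, transitive in trusts:
        if trusting == resource_domain:
            reachable.add(trusted)
            if transitive:          # only transitive hops may be extended
                queue.append(trusted)
    while queue:
        current = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting == current and transitive \
                    and trusted != resource_domain and trusted not in reachable:
                reachable.add(trusted)
                queue.append(trusted)
    return reachable


def forest_fully_transitive(forest, trusts=TRUSTS):
    """True when every forest domain accepts users from every other forest domain."""
    return all(forest - {d} <= trusted_by(d, trusts) for d in forest)


if __name__ == "__main__":
    for domain in sorted(FOREST | {NT_DOMAIN}):
        print(f"{domain}: trusts {sorted(trusted_by(domain))}")
```

Note that `corp.example` never trusts `LEGACYNT` even though its child domain does: the external trust does not propagate through the forest's transitive trusts.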