Creating a Domain Plan

The following are some of the key characteristics of a Windows 2000 domain that you will need to consider when you begin creating your domain structure plan:

Partition of the Forest

An Active Directory forest is a distributed database, where the partitions of the database are defined by domains. A distributed database is a database that is made up of many partial databases spread across many computers, instead of a single database on a single computer. Splitting a database into smaller parts and placing those parts where the data is most relevant allows a large database to be distributed efficiently over a large network.

Service by Domain Controller Servers

As in Windows NT 4.0, servers running Windows 2000 that host a domain database are called domain controllers. A domain controller can host exactly one domain. You can make changes to objects in the domain on any domain controller of that domain. All of the domain controllers in a particular forest also host a copy of the forest Configuration and Schema containers.

Unit of Authentication

Each domain database contains security principal objects, such as users, groups, and computers. Security principal objects are special in that they can be granted or denied access to the resources on a network. Security principal objects must be authenticated by a domain controller for the domain in which the security principal objects are located. Authentication is done to prove the identity of the objects before they access a resource.

Boundary of Administration and Group Policy

Each domain has a domain administrators group. Domain administrators have full control over every object in the domain. These administrative rights are valid within the domain only and do not propagate to other domains.

Group Policy that is associated with one domain does not automatically propagate to other domains in the forest. For a Group Policy from one domain to be associated with another domain, it must be explicitly linked.

Security Policy for Unique Domain User Accounts

A small set of security policies that apply to domain user accounts can only be set on a per-domain basis:

  • Password policy. Determines the rules that must be met, such as password length, when a user sets a password.

  • Account lockout policy. Defines rules for intruder detection and account deactivation.

  • Kerberos ticket policy. Determines the lifetime of a Kerberos ticket. A Kerberos ticket is obtained during the logon process and is used for network authentication. A particular ticket is only valid for the lifetime specified in the policy. When tickets expire, the system automatically tries to obtain a new ticket.

For more information about security policy for domain user accounts, see "Authentication" in the Microsoft® Windows 2000 Server Resource Kit Distributed Systems Guide.

DNS Domain Names

A domain is identified by a DNS name. You use DNS to locate the domain controller servers for a given domain. DNS names are hierarchical, and the DNS name of an Active Directory domain indicates its position in the forest hierarchy. For example, might be the name of a domain. A domain named can be a child domain of in the forest hierarchy.
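As an added example (not code from the Resource Kit), the following Python planning check works out each planned domain's position in the forest hierarchy from its DNS name, identifying tree roots and child domains, and derives the DNS SRV name a client queries to locate that domain's domain controllers. The DC locator record name `_ldap._tcp.dc._msdcs.<domain>`, the sample plan and the sample SRV answer are assumptions constructed for this example, not taken from the page.

```python
"""Domain plan checks: forest position from DNS names, and DC location via DNS."""
import re

# RFC 1123 host label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def forest_hierarchy(domains):
    """Map each planned domain to its parent in the plan, or None for a tree root."""
    names = {d.lower().rstrip(".") for d in domains}
    hierarchy = {}
    for name in sorted(names):
        labels = name.split(".")
        if not all(LABEL.match(label) for label in labels):
            raise ValueError(f"invalid DNS name in plan: {name}")
        # Walk up the name: the nearest ancestor that is also a planned domain
        # is the parent; a domain with no planned ancestor starts a new tree.
        parent = None
        for i in range(1, len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in names:
                parent = candidate
                break
        hierarchy[name] = parent
    return hierarchy


def tree_roots(domains):
    """Domains that sit at the top of a tree in the planned forest."""
    return sorted(d for d, p in forest_hierarchy(domains).items() if p is None)


def dc_locator_name(domain):
    """SRV record name (assumed AD DC locator form) queried to find a domain's DCs."""
    return f"_ldap._tcp.dc._msdcs.{domain.lower().rstrip('.')}"


def order_srv(records):
    """Order SRV targets as a client prefers them: lowest priority first, then
    highest weight (a deterministic stand-in for the RFC 2782 weighted choice)."""
    return [r["target"] for r in sorted(records, key=lambda r: (r["priority"], -r["weight"]))]


# Constructed sample plan and SRV answer for the example.
PLAN = ["corp.example.com", "eu.corp.example.com", "apac.corp.example.com", "partner.example.net"]
SAMPLE_SRV = [
    {"priority": 0, "weight": 100, "port": 389, "target": "dc1.corp.example.com"},
    {"priority": 10, "weight": 50, "port": 389, "target": "dc3.corp.example.com"},
    {"priority": 0, "weight": 200, "port": 389, "target": "dc2.corp.example.com"},
]
```

In the sample plan, `partner.example.net` has no planned ancestor, so it starts a second tree in the same forest, while the two regional domains are children of `corp.example.com`.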