Active Directory Domain Hierarchy

In Windows 2000, a domain defines an administrative boundary for a collection of objects that are relevant to a specific group of users on a network. A domain is an administrative boundary because administrative privileges do not extend to other domains and because each domain has a security policy that extends to all security accounts within the domain. Active Directory stores information about objects in one or more domains.

Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also can be the parent of one or more child domains, as shown in Figure 1.1.


Figure 1.1 Example of a Domain Hierarchy

This hierarchical structure is a change from the flat domain structure of Microsoft® Windows NT® version 4.0 and Microsoft® Windows NT® version 3.51. The domain hierarchy of Windows 2000 allows you to search multiple domains in one query because each level of the hierarchy has information about the levels that are immediately above it and below it. Because of this hierarchy information, you do not need to know the location of a particular object in order to find it. In Windows NT 4.0 and earlier, you must know both the domain and the server where the object is located in order to find it.
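The following added example (not part of the original text, and not the actual Active Directory search mechanism) is a simplified model of the point above: each domain knows only its parent and its children, yet a search started in any domain can find an object without being told where it is stored. The domain names, the object name, and the rule that a child's DNS name extends its parent's name are assumptions of the example.

```python
from collections import deque

class Domain:
    """One domain; it knows only its parent and its direct children."""
    def __init__(self, dns_name):
        self.dns_name = dns_name
        self.parent = None
        self.children = []
        self.objects = set()  # names of objects stored in this domain

def build_hierarchy(dns_names):
    """Link domains, assuming a child is named '<label>.<parent DNS name>'
    (an assumption of this example; the page does not state naming rules)."""
    domains = {n.lower(): Domain(n.lower()) for n in dns_names}
    for name, dom in domains.items():
        parent = domains.get(name.partition(".")[2])
        if parent is not None:
            dom.parent = parent
            parent.children.append(dom)
    return domains

def find_object(start, obj_name):
    """Search from any domain, following only parent/child links.
    Returns (owning domain or None, domains visited in order)."""
    seen, queue, visited = {start.dns_name}, deque([start]), []
    while queue:
        dom = queue.popleft()
        visited.append(dom.dns_name)
        if obj_name in dom.objects:
            return dom.dns_name, visited
        for n in ([dom.parent] if dom.parent else []) + dom.children:
            if n.dns_name not in seen:
                seen.add(n.dns_name)
                queue.append(n)
    return None, visited

# Constructed sample hierarchy (not from the page).
SAMPLE = ["example.com", "emea.example.com", "apac.example.com",
          "sales.emea.example.com"]

def demo():
    domains = build_hierarchy(SAMPLE)
    domains["apac.example.com"].objects.add("printer-07")  # constructed object
    return find_object(domains["sales.emea.example.com"], "printer-07")

if __name__ == "__main__":
    owner, path = demo()
    print("found in", owner, "via", " -> ".join(path))
```

The visited list shows the search climbing from the starting domain to its parent and then descending into a sibling branch, with no domain holding more than its adjacent levels.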

For more information about Active Directory searches, see "Name Resolution in Active Directory" in this book.