Active Directory Logical Structure

The logical structure of Active Directory will vary based on the needs of an organization. Logical elements include forests, trees, domains, and organizational units.


A domain in Windows 2000 is very similar to what a domain was in NT 4. For all intents and purposes, a domain is still a logical group of users and computers (objects) that forms an administrative and replication boundary. That means two things. First of all, a domain is an administrative unit. As such, an administrator from one domain is only the administrator of that domain, and not necessarily any others. Secondly, all domain controllers in the same domain must replicate with one another. We refer to this as a replication boundary.

In Windows 2000, domains are named according to DNS naming conventions, instead of conventions based on NetBIOS. An example of an Active Directory domain name would be In Windows NT, domains had a restriction on how large they could grow, based on the size of the domain SAM database (40MB or thereabouts). As such it was often necessary to create multiple domains if a company had tens of thousands of users and computers. By comparison, multiple domains wouldn't actually be required in such a scenario under Windows 2000, since Active Directory can contain literally millions of objects.

In the same manner that a user account existed within a domain in Windows NT, the same is true in Windows 2000. A given user should be given only one account, and that account exists within only one domain, even if multiple domains exist. Active Directory does allow you to have multiple domains, forming structures referred to as trees and forests, to be discussed next.
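The two boundaries described above can be checked directly against a live domain. The following PowerShell is an added example, not part of the original article, and it uses the later ActiveDirectory module (Get-ADDomain, Get-ADForest, Get-ADGroupMember, Get-ADDomainController, Get-ADReplicationPartnerMetadata) rather than any Windows 2000 tooling. It assumes the module is installed and the session runs as a user who can read the directory; the 24-hour staleness threshold is a constructed value chosen for illustration.

```powershell
# Added example (not from the original article): verify the naming,
# administrative and replication boundaries of the current domain.
# Assumes the ActiveDirectory module is installed and the caller can
# read the directory. The 24-hour threshold below is a constructed value.
Import-Module ActiveDirectory

# 1. Naming: the domain is identified by a DNS-style name; the NetBIOS
#    name is retained only for backward compatibility.
$domain = Get-ADDomain
$forest = Get-ADForest
"Domain DNS name   : {0}" -f $domain.DNSRoot
"NetBIOS name      : {0}" -f $domain.NetBIOSName
"Forest root domain: {0}" -f $forest.RootDomain
"Domains in forest : {0}" -f ($forest.Domains -join ', ')

# 2. Administrative boundary: Domain Admins is a per-domain group, so
#    membership must be reviewed in each domain separately. Querying a
#    DC of each domain (-Server) shows the scope of each group.
foreach ($d in $forest.Domains) {
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Server $d |
               Select-Object -ExpandProperty SamAccountName
    "Domain Admins in {0}: {1}" -f $d, ($members -join ', ')
}

# 3. Replication boundary: every DC of this domain replicates the domain
#    naming context with the other DCs of the same domain. Restricting the
#    metadata to that partition shows exactly those partners, and a stale
#    or failed link is the first sign that the boundary is not healthy.
$threshold = (Get-Date).AddHours(-24)
$dcs = Get-ADDomainController -Filter * -Server $domain.DNSRoot
foreach ($dc in $dcs) {
    $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue |
            Where-Object { $_.Partition -eq $domain.DistinguishedName }
    foreach ($m in $meta) {
        # The Partner value is the DN of the partner's NTDS Settings object;
        # its second RDN is the partner DC's short name.
        $partnerName = (($m.Partner -split ',')[1]) -replace '^CN=', ''
        $state = if ($m.LastReplicationResult -ne 0) { 'FAILED' }
                 elseif ($m.LastReplicationSuccess -lt $threshold) { 'STALE' }
                 else { 'ok' }
        "{0} <- {1}: last success {2} [{3}]" -f $dc.Name, $partnerName, $m.LastReplicationSuccess, $state
    }
}
```

The partition filter in step 3 is what makes the replication boundary visible: DCs from other domains in the forest replicate the configuration and schema partitions with these servers too, but only DCs of this domain appear as partners for the domain naming context.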

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.