In Windows 2000, multiple domains may still be necessary, especially in large organizations where companies want to remain tight control over their environments, their own identities (such as different business units), and distinct administrative control. In Active Directory, a collection of domains can be created that form a hierarchy referred to as a tree. In a tree structure, domains fall into a parent/child relationship. That is, the new child domain takes on the domain name of its parent domain. For example, I might create separate domains for the European and Asian divisions of my company. If this were the case, I might end up with the tree shown below:
Note that each domain in the tree is a separate and distinct administrative unit, as well as a boundary for replication purposes. That is, if you create a user in the asia.win2000trainer.com domain, the account exists on domain controllers in that domain, and will be replicated to all other domain controllers in the asia.win2000trainer.com domain. Note also that each new child domain has a transitive two-way trust relation with its parent. This is configured automatically by Active Directory, and exists to allow users in one domain access to resources in another. Even without a direct trust, users in Asia can access resources (for which they have been given appropriate permissions) in the Europe domain and vice versa, since the trust relationship is transitive (Asia trusts its parent, who trusts Europe – therefore Europe trusts Asia and vice versa). A tree is broadly defined as a collection of domains that form a parent/child relationship and share a contiguous namespace.