Active Directory Logical Structure


In Windows 2000, multiple domains may still be necessary, especially in large organizations where companies want to retain tight control over their environments, keep separate identities (such as for different business units), or maintain distinct administrative control. In Active Directory, a collection of domains can be created that forms a hierarchy referred to as a tree. In a tree structure, domains fall into a parent/child relationship: a new child domain's name is built on the domain name of its parent domain. For example, I might create separate domains for the European and Asian divisions of my company. If this were the case, I might end up with the tree shown below:

Figure: Active Directory Tree

Note that each domain in the tree is a separate and distinct administrative unit, as well as a boundary for replication purposes. That is, if you create a user in a domain, the account exists on the domain controllers of that domain and is replicated to all other domain controllers in that same domain, but not to domain controllers in other domains. Note also that each new child domain has a transitive two-way trust relationship with its parent. This trust is configured automatically by Active Directory and exists to allow users in one domain access to resources in another. Even without a direct trust between them, users in Asia can access resources (for which they have been given appropriate permissions) in the Europe domain and vice versa, since the trust relationship is transitive: Asia trusts its parent, which trusts Europe, so Europe trusts Asia and vice versa. A tree is broadly defined as a collection of domains that form a parent/child relationship and share a contiguous namespace.
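To make the two defining properties of a tree concrete, here is a small model (added example, not code from the original article) of the Europe/Asia tree described above: child names are derived from the parent's name, every parent/child edge is an automatic two-way trust, and access between Asia and Europe is resolved by walking the transitive chain of those trusts. The root name `company.com` is a constructed placeholder.

```python
from __future__ import annotations
from collections import deque


class DomainTree:
    """Active Directory domain tree: a contiguous DNS namespace whose
    parent/child links are two-way transitive trusts (constructed model)."""

    def __init__(self, root: str) -> None:
        self.root = root.lower()
        self.parent: dict[str, str | None] = {self.root: None}
        self.children: dict[str, list[str]] = {self.root: []}

    def add_child(self, parent: str, label: str) -> str:
        """Create a child domain; its name is the label prefixed to the parent's name."""
        parent = parent.lower()
        if parent not in self.parent:
            raise KeyError(f"unknown parent domain {parent}")
        child = f"{label.lower()}.{parent}"
        self.parent[child] = parent
        self.children[child] = []
        self.children[parent].append(child)
        return child

    def direct_trusts(self, domain: str) -> set[str]:
        """Trusts AD creates automatically: one two-way trust per parent/child edge."""
        trusted = set(self.children[domain])
        if self.parent[domain] is not None:
            trusted.add(self.parent[domain])
        return trusted

    def trust_path(self, a: str, b: str) -> list[str]:
        """Chain of domains through which a trusts b (empty if no path exists)."""
        a, b = a.lower(), b.lower()
        if a not in self.parent or b not in self.parent:
            return []
        prev: dict[str, str | None] = {a: None}
        queue = deque([a])
        while queue:
            cur = queue.popleft()
            if cur == b:  # walk back through prev to rebuild the chain
                path: list[str] = []
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for nxt in sorted(self.direct_trusts(cur)):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return []

    def is_contiguous(self) -> bool:
        """Every child's DNS name must end with '.' followed by its parent's name."""
        return all(d.endswith("." + p) for d, p in self.parent.items() if p)
```

Running `DomainTree("company.com")` with `europe` and `asia` children shows that Asia and Europe hold no direct trust, yet `trust_path` resolves access through the shared parent.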

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.