What is a domain tree?

A. In Windows 2000, a domain can be a child of another domain (e.g., child.domain.com is a child of domain.com). A child domain name always includes the complete parent domain name. A child domain and its parent share a two-way transitive trust.

A domain tree exists when one domain is the child of another domain. A domain tree must have a contiguous namespace, as in the leftmost diagram in the Figure.

Click here to view image

In the rightmost diagram in the Figure, the lack of contiguous names means that the domains can’t be part of the same tree.

The tree’s name is the root domain name. In my example, the tree is root.com. Because domains are DNS names and because domains inherit the parent part of the name, if you rename part of a tree, all of the parent’s children are also implicitly renamed. For example, if you renamed the parent domain ntfaq.com to backoffice.com, the child domain sales.ntfaq.com would change to sales.backoffice.com. Although you can’t currently rename part of a tree, this problem will arise in future versions of the OS.

You can currently create domain trees only when DCPROMO promotes a server to a domain controller (DC). This restriction might change in the OS that follows Win2K.

Placing domains in a tree yields several advantages. The most useful benefit is that all members of a tree have Kerberos transitive trusts with the domain’s parent and all the domain’s children. Transitive trusts also let any user or group in a domain tree obtain access to any object in the tree. In addition, you can use one network logon at any workstation in the domain tree.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.