Tree: Implementation of a Domain Hierarchy and DNS Namespace

A Windows 2000 tree is a DNS namespace: it has a single root domain and is built as a strict hierarchy; each domain below the root domain has exactly one superior, or parent, domain. The namespace created by this hierarchy, therefore, is contiguous — each level of the hierarchy is directly related to the level above it and to the level below it, if any, as illustrated in Figure 1.6.


Figure 1.6 Example of a Contiguous Tree Hierarchy

In Windows 2000, the following rules determine the way that trees function in the namespace:

  • A tree has exactly one name. The name of the tree is the DNS name of the domain at the root of the tree.

  • The names of domains created beneath the root domain (child domains) are always contiguous with the name of the tree root domain.

  • The DNS names of the child domains of a tree's root domain reflect this organization; therefore, the children of the root domain called "somedomain" are always children of that domain in the DNS namespace (for example, child1.somedomain, child2.somedomain, and so forth).

Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change. Changes in the overall domain architecture, such as domain collapses and domain re-creation, create difficult and potentially IT-intensive support requirements. A good namespace design should be capable of withstanding company reorganizations without the need to restructure the existing domain hierarchy.

note-icon Note

Administrative privileges do not extend from parent domains to child domains. Privileges must be granted explicitly for each domain.

For more information about namespace design and the rationale for naming the root domain and creating child domains, see "Designing the Active Directory Structure" and "Determining Domain Migration Strategies" in the Deployment Planning Guide . For more information about administrative privileges, see "Authentication" and "Access Control" in this book.