Windows 2000 Domains
Domain Structure and Relationships
- Domain tree - A hierarchical group of one or more domains with one root domain. Only one domain is required to make a tree.
- Parent domain - One domain above another in a domain tree.
- Child domain - One domain below another in a domain tree. The child inherits the domain name of its parent in a DNS hierarchical naming convention. Example: "child.parent.root.com".
- Forest root domain - The first domain created in a forest.
- Tree root - The first domain created in a tree.
Trusts and Trust Relationships
A trust relationship describes the user access allowed between two domains; a trust is either one way or two way. Terms:
- One way trust - When one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
- Two way trust - When two domains allow access to users on the other domain.
- Trusting domain - The domain that allows access to users on another domain.
- Trusted domain - The domain that is trusted, whose users have access to the trusting domain.
- Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree.
- Intransitive trust - A one way trust that does not extend beyond two domains.
- Explicit trust - A trust that an administrator creates. It is not transitive and is one way only.
- Cross-link trust - An explicit trust between domains in different trees, or in the same tree when no descendant/ancestor (child/parent) relationship exists between the two domains.
Windows 2000 only supports the following types of trusts:
- Two way transitive trusts
- One way non-transitive trusts.
This means the two way non-transitive trust supported by Windows NT is no longer supported. To reproduce it in Windows 2000, create two one way trusts, one in each direction.
The program "dcpromo.exe" is used to make a Windows 2000 domain member server a domain controller or demote it from domain controller status back to a member server. It can be used to add a domain controller for an existing domain or create a domain controller for a new domain.
- Forest root controller - The first domain controller created when Active Directory is first installed on any computer if there are no previously installed controllers available on the network.
Active Directory Trusts
Windows NT 4.0 does not support transitive trusts. All Windows 2000 Active Directory trusts are transitive by default, with trusts existing between parent and child domains. No direct trust is created between child domains, even those with the same parent; transitive trusts extend up and down through parents to children to grandchildren and so on. Administrators may create explicit trusts between any two domains.
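As an added example (not part of the original page), the following Python model encodes the trust rules from the trust definitions and the Active Directory Trusts paragraph above: parent/child links are two way and transitive, explicit trusts are one way and intransitive. It computes the chain of trusts by which one domain admits users of another, which is useful when assessing how far a single trust extends the access scope of a domain. The domain names and the trust layout are constructed for the example.

```python
from collections import deque
# Constructed sample: one domain tree rooted at "root.com" plus "partner.org",
# a domain in another tree that explicitly trusts "sales.root.com" (one way).
TREE_LINKS = [("root.com", "sales.root.com"), ("root.com", "eng.root.com"),
              ("eng.root.com", "dev.eng.root.com")]
# (trusting_domain, trusted_domain): trusting domain admits users of trusted domain.
EXPLICIT_TRUSTS = [("partner.org", "sales.root.com")]

def build_trust_graph(tree_links, explicit_trusts):
    """Return {trusting_domain: [(trusted_domain, is_transitive), ...]}."""
    graph = {}
    def add(trusting, trusted, transitive):
        graph.setdefault(trusting, []).append((trusted, transitive))
        graph.setdefault(trusted, [])
    for parent, child in tree_links:      # parent/child links: two way, transitive
        add(parent, child, True)
        add(child, parent, True)
    for trusting, trusted in explicit_trusts:  # explicit trusts: one way, intransitive
        add(trusting, trusted, False)
    return graph

def trust_path(graph, target, source):
    """Chain of domains by which `target` trusts `source`, or None if it does not.
    A direct trust always counts; a chain of two or more hops is valid only when
    every hop is transitive, so an intransitive trust never extends past its two domains."""
    if target == source:
        return [target]
    queue, seen = deque([(target, [target])]), {target}
    while queue:
        domain, path = queue.popleft()
        for trusted, transitive in graph.get(domain, []):
            if not transitive and len(path) > 1:
                continue  # an intransitive trust cannot be a later hop of a chain
            if trusted == source:
                return path + [trusted]
            if transitive and trusted not in seen:
                seen.add(trusted)
                queue.append((trusted, path + [trusted]))
    return None

def can_access(graph, source, target):
    """True when users from `source` can reach resources in `target`."""
    return trust_path(graph, target, source) is not None

if __name__ == "__main__":
    g = build_trust_graph(TREE_LINKS, EXPLICIT_TRUSTS)
    print(trust_path(g, "sales.root.com", "dev.eng.root.com"))  # via root.com and eng.root.com
    print(can_access(g, "eng.root.com", "partner.org"))          # False: explicit trust is not transitive
    print(can_access(g, "partner.org", "sales.root.com"))        # False: explicit trust is one way
```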
It is good policy for the administrator to set up a root domain with the administrator account. This will allow all child domains to be controlled from that domain.
Domain Controller Data Replication
Replicated data between domain controllers contains:
- Configuration data - Forest, tree, and domain information.
- Domain data - Information about all domain objects sent to domain controllers in the domain.
Windows NT uses a Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs) to control the operations of its domains. The BDC or BDCs back up the operations of the PDC in the event that it fails. Data is constantly replicated between these controllers. Windows 2000 has changed this method of controlling the domain.
Windows 2000 may be operated in one of two modes:
- Native mode - In this mode Active Directory interfaces only with Windows 2000 domain controllers and directory service client software. Windows 2000 is more efficient in native mode. In this case, the PDC emulator will get password changes faster.
- Mixed mode - Used to support domains where there are still Windows NT domain controllers. Mixed mode occurs when Active Directory interfaces with NT 4.0 BDCs or with computers that lack the Windows 2000 Directory Service client software. In mixed mode, computers without the Windows 2000 client software must contact the PDC emulator to change user account information.
A domain cannot be changed back from native mode to mixed mode. An NT domain controller cannot be added to a Windows 2000 network running in native mode.
Upgrading from Win NT to Win 2000 Domains
- Upgrade the PDC of the master domain that will become the root domain to Windows 2000.
- Use mixed mode for Active Directory.
- Upgrade BDCs and servers to Windows 2000.
- Update client computers in the domain to Windows 2000 or install Directory Service Client on them.
- Follow the same procedure for each succeeding domain down through the domain tree.
- Once all updates are complete, the multiple domains may be merged into one or reconfigured using Windows 2000 tools.
When the NT Domain controller is upgraded to Windows 2000, the following changes are made:
- The PDC computer account is placed in the Domain Controllers AD container object.
- Computer accounts are placed in the Computers AD container object.
- User accounts, global groups, local groups, and created groups are placed in the Users AD container object.
- Default groups are put in the Builtin AD container object.
Adding a Computer to a Domain
- Know the DNS domain name such as "server.department.company.com".
- Have a computer account or administration privileges to create a computer account.
- The DNS server and domain controller must be working.
Adding a Child Domain
Before adding a child domain, create a DNS subdomain first.