[ Go to March 1997 Table of Contents ]

Using Domain Trees

-- by Martin Heller

Until now, Windows NT domains were rather awkward and inflexible. A single domain was limited to about 26,000 users in the most common scenario. Interdomain trust relationships had to be established individually, and it was a nightmare to move groups from one domain to another.

Active Directory domains are much more flexible and scalable. Individual domains can be divided into organizational units (OUs), and domains can be combined into a tree. Individual domains can grow as large as 10 million objects, although it's better to subdivide a domain.

For instance, the domain winmag.com could contain OUs for editorial, advertising and production. It could also be combined into a domain tree with netguide.com and homepc.com, and that tree joined into a larger domain tree under cmp.com. Each domain would remain its own security boundary, but trust relationships and permissions would flow down the tree.

What about finding things in a complicated domain tree? That's easy. Everything that exists in a domain tree also shows up in the global catalog. Global catalog servers allow users to find any object in the domain tree.

This new design also allows for decentralized administration and enhanced security. A central administrator delegates privileges to local administrators for domains and even for OUs. Users can be created in domains, but they can also be put in specific OUs and given distinct privileges and access depending on the needs of their jobs.

Domain administration is now a drag-and-drop process. Just had a reorganization? Drag the OUs to their new domains and the correct permissions will be established automatically.
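To make the four ideas above concrete (domains subdivided into OUs, a global catalog that spans the whole tree, administration delegated per domain or per OU, and dragging an OU into another domain), here is a small Python model. It is an added example written for this page, not code from the article or from Microsoft: the domain names are the article's, while the user names, the Directory class, its methods and the simplified DN handling are constructed for illustration and talk to no real directory.

```python
"""Toy model of an Active Directory domain tree (constructed example).
Domain names come from the article; everything else is made up."""
from collections import defaultdict

# The tree as the article lays it out, as explicit parent links (assumed).
DOMAIN_PARENT = {"cmp.com": None, "winmag.com": "cmp.com",
                 "netguide.com": "cmp.com", "homepc.com": "cmp.com"}

def parse_dn(dn):
    """Split an LDAP DN into (type, value) RDNs, most specific first.
    Simplified: values containing escaped commas are not handled."""
    rdns = []
    for part in dn.split(","):
        typ, _, val = part.partition("=")
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns

def is_within(dn, scope_dn):
    """True if dn is scope_dn itself or lies beneath it (case-insensitive RDN suffix)."""
    a = [(t, v.lower()) for t, v in parse_dn(dn)]
    b = [(t, v.lower()) for t, v in parse_dn(scope_dn)]
    return len(a) >= len(b) and a[len(a) - len(b):] == b

def domain_of(dn):
    """DNS-style domain name implied by the DC components of a DN."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")

def trust_chain(domain):
    """The domain plus every ancestor: the domains whose rights flow down to it."""
    chain = []
    while domain is not None:
        chain.append(domain)
        domain = DOMAIN_PARENT[domain]
    return chain

class Directory:
    def __init__(self):
        self.objects = {}                # dn -> attributes
        self.catalog = defaultdict(set)  # global catalog: cn -> DNs in any domain
        self.delegations = []            # (admin, scope); scope is a DN or a domain name

    def _index(self, dn):
        typ, val = parse_dn(dn)[0]
        if typ == "CN":
            self.catalog[val.lower()].add(dn)

    def add(self, dn, **attrs):
        self.objects[dn] = attrs
        self._index(dn)

    def gc_find(self, cn):
        """Global catalog lookup: every object with this CN, whatever its domain."""
        return sorted(self.catalog[cn.lower()])

    def delegate(self, admin, scope):
        self.delegations.append((admin, scope))

    def can_administer(self, admin, target_dn):
        """A DN scope covers an object beneath it; a domain scope covers objects in
        that domain or in any domain below it in the tree."""
        for a, scope in self.delegations:
            if a != admin:
                continue
            if "=" in scope:
                if is_within(target_dn, scope):
                    return True
            elif scope in trust_chain(domain_of(target_dn)):
                return True
        return False

    def move_subtree(self, old_dn, new_parent_dn):
        """Move an OU and everything beneath it under a new parent, rewriting
        object DNs and any DN-scoped delegation at or below the moved OU."""
        head_t, head_v = parse_dn(old_dn)[0]
        new_dn = f"{head_t}={head_v},{new_parent_dn}"
        depth = len(parse_dn(old_dn))

        def rewrite(dn):
            if "=" not in dn or not is_within(dn, old_dn):
                return dn
            rdns = parse_dn(dn)
            prefix = ",".join(f"{t}={v}" for t, v in rdns[:len(rdns) - depth])
            return f"{prefix},{new_dn}" if prefix else new_dn

        self.objects = {rewrite(dn): attrs for dn, attrs in self.objects.items()}
        self.delegations = [(a, rewrite(s)) for a, s in self.delegations]
        self.catalog = defaultdict(set)
        for dn in self.objects:
            self._index(dn)
        return new_dn

def build_sample():
    """Constructed sample objects and delegations (hypothetical users)."""
    d = Directory()
    d.add("CN=jdoe,OU=Editorial,DC=winmag,DC=com", title="editor")
    d.add("CN=asmith,OU=Advertising,DC=winmag,DC=com", title="sales")
    d.add("CN=jdoe,OU=Reviews,DC=netguide,DC=com", title="writer")
    d.delegate("central-admin", "cmp.com")                          # whole tree
    d.delegate("editorial-admin", "OU=Editorial,DC=winmag,DC=com")  # one OU only
    return d
```

With `build_sample()`, `gc_find("jdoe")` returns both jdoe accounts even though they live in different domains, `central-admin` can manage any object because cmp.com sits at the top of every trust chain, and `editorial-admin` can manage the Editorial OU but nothing in Advertising. After `move_subtree("OU=Editorial,DC=winmag,DC=com", "DC=netguide,DC=com")` the objects' DNs, the catalog and the OU-scoped delegation all follow the OU to its new domain.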

Copyright (c) 1997 CMP Media Inc.

Windows Magazine, March 1997, page 198.
