Directory Services: Design, Implementation, and Management

1.3: Domains

Similar to a Windows NT Server 4.0 domain, a Windows 2000 domain is a security boundary. This means that a domain boundary limits the scope of access control and policy rules implemented within the domain.

A domain is also a partition of the AD. In this respect, a domain is a partition of the data and the namespace held in the AD. In fact, the AD is the sum of all domains within an enterprise. In other words, the AD is composed of one or more domains linked together. As the namespace within the AD is hierarchical, the domain structure in Windows 2000 is made up of a series of parent-child relationships between the different domains. This is very different from the trust relationships that connected domains in earlier versions of Windows NT Server 4.0. Figure 1.3 illustrates a Windows 2000 domain.


Figure 1.3: Windows 2000 domain.

Windows NT 4.0 uses a single-master replication model in which all changes are made at a single primary domain controller (DC), then replicated out to the backup DCs. The AD allows Windows 2000 to use a multimaster replication model, which means that an administrator can use any DC in a Windows 2000 domain to manage resources. The need to connect to the primary DC is therefore eliminated. The Windows NT SAM database (DB) is limited to a size of approximately 60 MB, which in turn limits the size of a domain to the number of accounts that can be stored...
