4. Click the New Trust button to start the New Trust Wizard. Note the types of trusts you can
create with the wizard, and then click Next.
5. At this point, you enter the name of the forest with which you want to create a trust. However,
for this step to work, the DNS server in your domain must be able to resolve the other forest
name. This capability requires additional configuration of your DNS server, which is covered
in Chapter 9. For now, click Cancel, and then click Cancel again. Close Active Directory
Domains and Trusts.
Understanding Domains and Trees
As discussed in Chapter 3, an Active Directory tree is a grouping of domains that share a
common naming structure. A tree can consist of a single domain or a parent domain and one or
more child domains, which can also have child domains of their own. An Active Directory tree
is said to have a contiguous namespace because all domains in the tree share at least the last two
domain name components: the second-level domain name and the top-level domain name. For
example, coolgadgets.com has a second-level domain name of coolgadgets and a top-level
domain name of com.
Organizations operating under a single name internally and to the public are probably best
served by an Active Directory forest with only one tree. However, when two companies merge
or a large company splits into separate business units that would benefit from having their own
identities, a multiple tree structure makes sense. As you've learned, there's no major functional
difference between domains in the same tree or domains in different trees, as long as they're part
of the same forest. They're all covered by the same transitive two-way trust afforded by the forest
structure. The only operational difference is the necessity of maintaining multiple DNS zones
(discussed in Chapter 9).
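The two rules above (a tree is a contiguous namespace sharing the last two name components, and every tree needs its own DNS zone) can be checked against a proposed forest design before any domain is promoted. The following script is an added example, not code from the book; the domain list is constructed for illustration, and the forest, tree and parent checks are assumptions about how a design review would apply those rules.

```python
from collections import defaultdict

# Constructed sample forest design: two trees plus one mistakenly listed
# child domain whose parent is missing from the plan.
SAMPLE_FOREST = [
    "coolgadgets.com",
    "sales.coolgadgets.com",
    "East.Sales.CoolGadgets.com",      # case is not significant in DNS names
    "eu.support.coolgadgets.com",      # parent support.coolgadgets.com not planned
    "gadgetparts.com",
    "hr.gadgetparts.com",
]

def split_labels(fqdn):
    """Normalise a domain name into lower-case DNS labels, dropping a trailing dot."""
    return [p.lower() for p in fqdn.strip(".").split(".") if p]

def tree_root(fqdn):
    """Root of the tree a domain belongs to: its second-level and top-level labels."""
    labels = split_labels(fqdn)
    if len(labels) < 2:
        raise ValueError(f"not a second-level domain name: {fqdn}")
    return ".".join(labels[-2:])

def parent_domain(fqdn):
    """Parent of a child domain, or None for a tree root."""
    labels = split_labels(fqdn)
    return ".".join(labels[1:]) if len(labels) > 2 else None

def group_into_trees(domains):
    """Group forest domains into trees by contiguous namespace.
    Every domain in every tree is covered by the same forest-wide
    two-way transitive trust; the number of trees equals the number
    of DNS zones the forest design will have to maintain."""
    trees = defaultdict(set)
    for d in domains:
        trees[tree_root(d)].add(".".join(split_labels(d)))
    return dict(trees)

def find_orphans(domains):
    """Child domains whose parent is not in the design. A child domain can
    only be created beneath an existing parent, so these entries mean the
    plan is either missing a domain or the name is wrong."""
    names = {".".join(split_labels(d)) for d in domains}
    return sorted(d for d in names
                  if parent_domain(d) and parent_domain(d) not in names)

if __name__ == "__main__":
    for root, members in group_into_trees(SAMPLE_FOREST).items():
        print(f"tree {root} (one DNS zone): {sorted(members)}")
    print("orphaned child domains:", find_orphans(SAMPLE_FOREST))
```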
Designing the Domain Structure
The domain is the primary identifying and administrative unit in Active Directory. A unique
name is associated with each domain and used to access network resources. A domain
administrator account has full control over objects in the domain, and certain security policies
apply to all accounts in a domain. Additionally, most replication traffic occurs between domain
controllers within a domain. Any of these factors can influence your decision to use a single or
multidomain design. Most small and medium businesses choose a single domain for reasons that
include the following:
Simplicity — The more complex something is, the easier it is for things to go wrong. Unless
your organization needs multiple identities, separate administration, or differing account
policies, keeping the structure simple with a single domain is the best choice.
Lower costs — Every domain must have at least one domain controller and preferably two
or more for fault tolerance. Each domain controller requires additional hardware and
software resources, which increases costs.
Easier management — Many management tasks are easier in a single-domain environment:
• Having a single set of administrators and policies prevents conflicts caused by differing
viewpoints on operational procedures and policies.
• Object management is easier when personnel reorganizations or transfers occur. Moving
user and computer accounts between different OUs is easier than moving them between
different domains.
• Managing access to resources is simplified when you don't need to consider security
principals from other domains.
• Placement of domain controllers and global catalog servers is simplified when your
organization has multiple locations because you don't need to consider cross-domain
replication.
Easier access to resources — A single domain provides the easiest environment for users
to find and access network resources. In a multidomain environment, mobile users who