Creating Multiple Domains, Trees, And Forests

By Author: Jasmine
Total Articles: 286
Comment this article

In Chapter 2, you learned to install 70-620 practice test Active Directory, which actually creates the initial domain, tree, and forest for an organization. However, some organizations might require multiple domains, trees, or forests for Active Directory to effectively meet their needs. This lesson shows you how to create additional domains, trees, and forests.
Group policy and access control Because group policy and access control are applied at the domain level, if your organization uses group policies or delegated administration across the enterprise or many domains, the measures must be applied separately to each domain.
Domain controller hardware and security facilities Each Windows Server 2003 domain requires at least two domain controllers to support fault-tolerance
and multimaster requirements. In addition, it is recommended that domain controllers be located in a secure facility with limited access to prevent physical access by intruders.
If a user from one domain must log on in another domain, the domain controller from the second domain must be ...
... able to contact the domain
controller in the user's original domain. In the event of a link failure, the domain controller might not be able to maintain service. More trust links, which require setup and maintenance, might be necessary to alleviate the problem.

Recall that a tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains with contiguous names that you create by adding one or more child domains to an existing parent domain. A forest can have one or more trees. However, one tree per forest is considered ideal because it requires fewer administrative activities. Although the recommended number of trees in a forest is one, you might need to define TS windows vista more than one tree if your organization has more than one DNS name. Create a new tree only when you need to create a domain whose DNS namespace is not related to the other domains in the forest.
As mentioned in Chapter 2, one of the most important issues when configuring Active Directory concerns DNS structure. When you create additional domains in the existing forest, you should consider your existing DNS structure and how it might change. The primary consideration is determining which servers should handle name resolution for the new domain. If the parent or forest root domain DNS servers are designated to handle name resolution for the new domain, you need to ensure that the DNS zone for the new domain exists on those DNS servers. You must also configure the computers for the new domain to utilize the parent or forest root domain DNS servers as their Preferred and Alternate DNS servers.
If instead you decide to install DNS servers in the new domain to handle name resolution, then you must delegate the new domain's namespace to those DNS servers. You should also consider creating a stub domain for the delegated name space on the parent or forest root domain's DNS servers. To learn more
free Microsoft practice questions about DNS delegation and stub domains, review the topics "Delegating Zones" and "Understanding Stub Zones" in the Windows Server 2003 Help and Support Center.