A hierarchical grouping of Microsoft Windows 2000 domains created by adding one or more child domains to an existing parent domain. Domain trees are used to make a domain’s network resources globally available to users in other domains.
In a domain tree, all domains share their resources and security information to act as a single administrative unit. A user who logs on anywhere in a domain tree can access file, printer, and other shared resources anywhere in the tree if he or she has appropriate permissions. A domain tree has only one Active Directory, but each domain controller in a tree maintains only the portion of Active Directory that represents the objects in that particular domain.
Domains in a domain tree are joined using two-way transitive trusts. These trusts enable each domain in the tree to trust the authority of every other domain in the tree for user authentication. This means that when a domain joins a domain tree, it automatically trusts every domain in the tree.
For child domains to be part of a domain tree, they must share a contiguous namespace with the parent domain. The namespace of a Windows 2000 domain is based on the Domain Name System (DNS) naming scheme. For example, in the illustration, the child domains northwind.carpoint.com and adventure.carpoint.com share the same namespace as the parent domain carpoint.com. In this example, carpoint.com is also the name of the root domain, the highest-level parent domain in the tree. The root domain must be created first in a tree.
Graphic D-37. Domain tree.
All domains in a domain tree have their directory information combined into a single directory: Active Directory. Each domain provides a portion of its directory information to an index on the domain controllers. By searching this index, users can locate and access shared resources, applications, and even users anywhere in the domain tree.
Two or more domain trees that do not share a contiguous namespace can be combined into a domain forest.
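The contiguous-namespace rule can be checked mechanically when reviewing which domains fall inside one tree's transitive trust boundary. The following Python sketch is an added example, not part of the original entry: it groups DNS domain names into trees and reports whether two domains share a tree. It assumes a child domain's name is its parent's name with exactly one label prepended; the fabrikam.example names and the function names are hypothetical.

```python
# Added example: group domains into trees by contiguous DNS namespace.
# carpoint.com names come from the entry; fabrikam.example names are constructed.
SAMPLE_DOMAINS = [
    "carpoint.com",
    "NorthWind.CarPoint.com.",   # case and trailing dot are normalized
    "adventure.carpoint.com",
    "fabrikam.example",
    "sales.fabrikam.example",
    "lab.eu.carpoint.com",       # eu.carpoint.com is absent: namespace gap
]

def normalize(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.lower().rstrip(".")

def parent_of(name, domains):
    """Return the direct parent of `name` if it is in `domains`, else None.
    Assumption: the parent is the name with its leftmost label removed."""
    _, _, rest = name.partition(".")
    return rest if rest in domains else None

def tree_root(name, domains):
    """Walk up parent links until a domain with no known parent is reached."""
    current = normalize(name)
    parent = parent_of(current, domains)
    while parent is not None:
        current, parent = parent, parent_of(parent, domains)
    return current

def build_trees(names):
    """Map each root domain to the sorted list of domains in its tree."""
    domains = {normalize(n) for n in names}
    trees = {}
    for d in sorted(domains):
        trees.setdefault(tree_root(d, domains), []).append(d)
    return trees

def same_tree(a, b, names):
    """True when both domains resolve to the same root, i.e. the entry's
    two-way transitive trusts within one tree cover both of them."""
    domains = {normalize(n) for n in names}
    return tree_root(a, domains) == tree_root(b, domains)

if __name__ == "__main__":
    for root, members in build_trees(SAMPLE_DOMAINS).items():
        print(root, "->", members)
```

A domain whose direct parent is missing from the input, such as lab.eu.carpoint.com here, is reported as the root of its own tree, which flags the break in the namespace.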