6.1.6.3. Domains

A domain is a logical grouping of computers, users and other objects in a network that are administered together under one security policy. It is the core unit for organizing and storing directory resources. Every domain has at least one domain controller, which holds the accounts and the security database (the AD DS directory database) for the whole domain.

6.1.6.3.1. Domain structure

6.1.6.3.1.1. Domain Tree

A domain tree (tree) consists of one or more domains that share the same schema and configuration and form a contiguous DNS namespace (for example, a root domain corp.example.com with child domains dev.corp.example.com and eu.corp.example.com).

6.1.6.3.1.2. Forest

A forest is the top-level AD instance: one or more domain trees that share a common schema, configuration partition and global catalog and are linked by transitive trusts. Each tree in the forest has its own contiguous namespace; the first domain created is the forest root domain. Because every domain in a forest trusts every other, the forest, not the domain, is the real security boundary in Active Directory.

6.1.6.3.2. Domain Controllers

The AD DS directory is stored on domain controllers (Domain Controller). A domain can have several domain controllers; they are peers (apart from the operations master roles described below), and each holds a writable copy of the same directory database.

When an object such as a user account is created on one domain controller, the change is replicated automatically to the databases of the other domain controllers.

The AD database uses two replication models: multi-master replication (Multi-master Replication Model) and single-master replication (Single-master Replication Model).

In multi-master mode an AD object can be updated directly on any domain controller, and the update is then replicated to the other domain controllers. Most directory data is replicated in multi-master mode.

In single-master mode a single domain controller, called the Operations Master (the holder of an FSMO, Flexible Single Master Operations, role), is the only one that accepts requests to change that data, and it then replicates the data to other domain

6.1.6.3.3. Trust

For accounts in one domain to access resources in another, a trust relationship must exist between the two domains. The direction and transitivity of a trust determine which domains can be reached from which; from an attacker's standpoint they define how far a compromise of one domain can be extended.

6.1.6.3.3.1. Domain trust types

Active Directory trusts can be divided into the following types:

  • Tree-Root Trust
    • Created automatically between the forest root domain and the root domain of a new tree in the same forest; two-way and transitive

  • Parent-Child Trust
    • Created automatically between a parent domain and a new child domain in the same forest; two-way and transitive

  • Forest Trust
    • Created manually between the root domains of two forests; when two forests trust each other, every domain in one forest trusts every domain in the other (transitive within the two forests)

    • A forest trust does not extend automatically to a third forest (it is not transitive across forests); SID filtering is enabled on forest trusts by default

  • Realm Trust
    • Created manually between an AD DS domain and a non-Windows Kerberos realm (for example MIT Kerberos); one-way or two-way, transitive or non-transitive

  • External Trust
    • Created manually between two domains in different forests (or with a Windows NT 4.0 domain); one-way or two-way and always non-transitive, so it reaches only the two domains it joins; SID filtering is enabled by default

  • Shortcut Trust
    • Created manually between two domains in the same forest to shorten the trust path that Kerberos referrals must follow, which reduces the time needed to authenticate users; transitive, one-way or two-way
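As an added example (not code from the original page), the following Python classifies trusts the way the list above does, using the attributes AD stores on each trustedDomain object: trustType, trustDirection and the trustAttributes bit flags defined in MS-ADTS. The records in SAMPLE_TRUSTS are constructed for illustration, and the local domain name corp.example.com, the function names and the classification rules are the editor's assumptions; in practice the records would come from an LDAP search for (objectClass=trustedDomain) under the domain's System container, or from Get-ADTrust. The flags do not distinguish a tree-root trust from a shortcut trust, so the example reports those two together, and it also reports the SID-filtering state, which is the check a practitioner wants when deciding whether a trust can be abused with SID history.

```python
"""Classify Active Directory trusts from trustedDomain attributes (added example)."""

# trustAttributes bit flags (MS-ADTS section 6.1.6.7.9)
NON_TRANSITIVE      = 0x00000001
UPLEVEL_ONLY        = 0x00000002
QUARANTINED_DOMAIN  = 0x00000004   # SID filtering quarantine (netdom trust /quarantine:yes)
FOREST_TRANSITIVE   = 0x00000008   # forest trust
CROSS_ORGANIZATION  = 0x00000010   # selective authentication
WITHIN_FOREST       = 0x00000020   # parent-child, tree-root or shortcut trust
TREAT_AS_EXTERNAL   = 0x00000040   # forest trust whose SID filtering is relaxed to external-trust level
USES_RC4_ENCRYPTION = 0x00000080

# trustDirection, seen from the domain that holds the trustedDomain object
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# trustType: Windows NT 4 domain, AD domain, non-Windows Kerberos realm
TYPE_DOWNLEVEL, TYPE_UPLEVEL, TYPE_MIT = 1, 2, 3

# Constructed sample records (not from a real directory). The local domain is assumed to be
# corp.example.com; each record mirrors the attributes of one trustedDomain object.
LOCAL_DOMAIN = "corp.example.com"
SAMPLE_TRUSTS = [
    {"trustPartner": "dev.corp.example.com", "trustType": TYPE_UPLEVEL,
     "trustDirection": 3, "trustAttributes": WITHIN_FOREST},
    {"trustPartner": "lab.emea.corp.example.com", "trustType": TYPE_UPLEVEL,
     "trustDirection": 3, "trustAttributes": WITHIN_FOREST},
    {"trustPartner": "partner.example", "trustType": TYPE_UPLEVEL,
     "trustDirection": 3, "trustAttributes": FOREST_TRANSITIVE},
    {"trustPartner": "legacy.local", "trustType": TYPE_UPLEVEL,
     "trustDirection": 2, "trustAttributes": NON_TRANSITIVE | QUARANTINED_DOMAIN},
    {"trustPartner": "vendor.local", "trustType": TYPE_UPLEVEL,
     "trustDirection": 1, "trustAttributes": NON_TRANSITIVE},
    {"trustPartner": "ATHENA.MIT.EDU", "trustType": TYPE_MIT,
     "trustDirection": 1, "trustAttributes": NON_TRANSITIVE},
]


def is_parent_child(a, b):
    """True when one DNS name is an immediate child of the other (same contiguous namespace)."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return ((a.endswith("." + b) and a.count(".") == b.count(".") + 1)
            or (b.endswith("." + a) and b.count(".") == a.count(".") + 1))


def classify_trust(local_domain, trust):
    """Return a dict describing the trust between local_domain and trust['trustPartner']."""
    attrs = trust["trustAttributes"]
    partner = trust["trustPartner"]

    if trust["trustType"] == TYPE_MIT:
        kind = "Realm"
    elif attrs & WITHIN_FOREST:
        kind = "Parent-Child" if is_parent_child(local_domain, partner) else "Tree-Root or Shortcut"
    elif attrs & FOREST_TRANSITIVE:
        kind = "Forest"
    else:
        kind = "External"

    # SID filtering state: quarantine flag wins; forest trusts filter by default unless
    # TREAT_AS_EXTERNAL relaxes them; intra-forest trusts are never filtered; realms carry no SIDs.
    if attrs & QUARANTINED_DOMAIN:
        sid_filtering = "quarantined"
    elif attrs & WITHIN_FOREST:
        sid_filtering = "n/a (same forest)"
    elif kind == "Realm":
        sid_filtering = "n/a (Kerberos realm, no SIDs)"
    elif kind == "Forest":
        sid_filtering = "relaxed (treated as external)" if attrs & TREAT_AS_EXTERNAL else "forest default"
    else:
        sid_filtering = "disabled"

    return {
        "partner": partner,
        "kind": kind,
        "direction": DIRECTION.get(trust["trustDirection"], "unknown"),
        "transitive": not (attrs & NON_TRANSITIVE),
        "sid_filtering": sid_filtering,
    }


def summarize(local_domain, trusts):
    """Classify every trust record of local_domain."""
    return [classify_trust(local_domain, t) for t in trusts]


def risky_trusts(local_domain, trusts):
    """Partners whose trust does not filter foreign SIDs: candidates for SID-history abuse."""
    return [t["partner"] for t in summarize(local_domain, trusts)
            if t["sid_filtering"] in ("disabled", "relaxed (treated as external)")]


if __name__ == "__main__":
    for t in summarize(LOCAL_DOMAIN, SAMPLE_TRUSTS):
        print(f"{t['partner']:28} {t['kind']:22} {t['direction']:14} "
              f"transitive={t['transitive']!s:5} sid_filtering={t['sid_filtering']}")
    print("review SID filtering on:", risky_trusts(LOCAL_DOMAIN, SAMPLE_TRUSTS))
```

The direction is reported from the perspective of the domain whose trustedDomain object was read, so the same trust appears with the opposite direction when read from the partner domain; run the classification from both sides before drawing conclusions about reachability.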

6.1.6.3.4. OU

An Organizational Unit (OU) is a container object that groups objects within a domain logically so administrators can manage them together. An OU can hold users, groups, computers, printers, shared folders and other OUs. It is the smallest scope to which a Group Policy Object can be linked and to which administrative permissions can be delegated, so the OU hierarchy, not just group membership, determines who can modify which accounts.