Domain Trees
Idea of AD Domains
What is a Domain Tree?
A Domain Tree in Active Directory (AD) is a hierarchical collection of domains that share a contiguous DNS namespace and are linked through automatic two-way transitive trusts. It allows organizations to scale their directory services while maintaining logical structure and security boundaries.
A Domain Tree consists of:
A root domain (e.g., example.com).
One or more child domains (e.g., us.example.com, eu.example.com).
All domains in a tree share:
A common schema (object definitions).
A common configuration partition (replication settings).
A common Global Catalog (searchable directory of all objects).
Key Characteristics of Domain Trees
Contiguous Namespace: All domains in the tree share a common DNS root name (example.com, sales.example.com, europe.sales.example.com).
Parent-Child Relationships: Domains are arranged hierarchically, with a root domain at the top and child domains beneath it.
Trust Relationships: Automatic, transitive, two-way trusts link parent and child domains, enabling resource sharing and authentication across the tree.
Forest Membership: A domain tree is part of an AD forest, which may contain multiple domain trees with different namespaces.
Logical Structure: Domain trees are a logical organization, independent of the physical network topology, used to manage resources and security.
DNS Dependency: The tree relies on DNS for name resolution, with each domain corresponding to a DNS domain.
Components of Domain Trees
To understand domain trees, let's look at their key components and related elements:
Domain
Definition: A domain is a logical grouping of network objects (users, computers, groups, OUs) that share a common security database and policies, managed by domain controllers.
Role in Tree: Domains are the building blocks of a domain tree, arranged in a parent-child hierarchy.
Example: example.com (root domain), sales.example.com (child domain).
Root Domain

Definition: The top-level domain in the tree (the root node; tree levels are numbered 0, 1, 2, ... downward from the root), serving as the starting point for the namespace and hierarchy.
Role: The root domain (example.com) is the parent of all child domains in the Domain Tree.
Example: example.com is the root domain of a tree containing sales.example.com and marketing.example.com.
Child Domain

Definition: A domain directly subordinate to the root domain or to another child domain, inheriting part of its DNS name from its parent.
Role: Child domains (sales.example.com, europe.sales.example.com) are useful for large organizations that need separate administrative control, security policies, or geographical divisions while keeping a centralized forest structure.
Example: europe.sales.example.com is a child of sales.example.com, which is a child of example.com.
Contiguous Namespace
Definition: A shared DNS naming structure where each domain's name is a subdomain of its parent, forming a continuous hierarchy.
Example: example.com (root), sales.example.com (child), europe.sales.example.com (grandchild).
Purpose: Ensures a consistent, globally unique naming convention, aligned with DNS standards.
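As an added illustration (not part of the original page, and not Microsoft code), the following Python models how a contiguous namespace defines the tree: it derives each domain's parent purely from its DNS name, rejects a set of names that does not form exactly one tree, and computes the level numbering (root = 0, child = 1, grandchild = 2) used above. The domain names are the page's own sample names; the functions and the sample list are constructed for the example.

```python
"""Model of a domain tree's contiguous namespace.

Added example for this page, not Microsoft code. The DNS names are the
page's sample names, used here as constructed input; the parent-child
hierarchy is derived purely from the names, which is how a tree's
namespace is defined.
"""
from collections import defaultdict
from typing import Optional


def normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot marks the absolute form.
    return name.lower().rstrip(".")


def parent_of(domain: str, members: set) -> Optional[str]:
    """The parent is the name with its leftmost label removed, provided that
    name is itself a member of the tree. The tree root has no parent."""
    if "." not in domain:
        return None
    candidate = domain.split(".", 1)[1]
    return candidate if candidate in members else None


def root_of(domain: str, members: set) -> str:
    """Climb parent links until a domain with no parent in the set is hit."""
    d = normalize(domain)
    while (p := parent_of(d, members)) is not None:
        d = p
    return d


def level(domain: str, members: set) -> int:
    """Depth in the tree: root = 0, child = 1, grandchild = 2, ..."""
    depth, d = 0, normalize(domain)
    while (p := parent_of(d, members)) is not None:
        d, depth = p, depth + 1
    return depth


def build_tree(domains) -> dict:
    """Return {'root': <root domain>, 'children': {parent: [child, ...]}}.

    Every member except one must find its parent inside the set; otherwise
    the names do not form one contiguous namespace (they would be separate
    trees, which is exactly what a second tree in a forest is).
    """
    members = {normalize(d) for d in domains}
    children = defaultdict(list)
    roots = []
    for d in sorted(members):
        p = parent_of(d, members)
        if p is None:
            roots.append(d)
        else:
            children[p].append(d)
    if len(roots) != 1:
        raise ValueError(f"not one contiguous tree; roots found: {roots}")
    return {"root": roots[0], "children": dict(children)}


def in_same_tree(a: str, b: str, members: set) -> bool:
    """Two domains share a tree exactly when they climb to the same root."""
    return root_of(a, members) == root_of(b, members)


# Constructed sample: the tree the page uses throughout.
SAMPLE_DOMAINS = [
    "example.com",
    "sales.example.com",
    "marketing.example.com",
    "europe.sales.example.com",
]
SAMPLE_MEMBERS = {normalize(d) for d in SAMPLE_DOMAINS}

if __name__ == "__main__":
    tree = build_tree(SAMPLE_DOMAINS)
    print("root:", tree["root"])
    for parent, kids in tree["children"].items():
        print(f"  {parent} -> {', '.join(kids)}")
    print("level of europe.sales.example.com:",
          level("europe.sales.example.com", SAMPLE_MEMBERS))
```

Passing example.com together with anothercorp.com to build_tree raises, which is the point: two names that cannot be joined by stripping labels are two trees, not one, and linking them is the forest's job rather than the tree's.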
Domain Controllers
Definition: Servers that host the domain's AD database and the directory service that answers LDAP lookups against it, providing authentication and directory services for the domain.
Role in Tree: Each domain in the tree has its own domain controllers, which replicate the domain's database within the domain but not across domains.
Example: dc1.example.com for example.com, dc1.sales.example.com for sales.example.com.
DNS
Definition: The Domain Name System resolves domain names to IP addresses, critical for locating domain controllers and resources in the tree.
Role: Each domain in the tree corresponds to a DNS domain, with DNS servers storing records (SRV records) to support AD operations.
Example: DNS resolves sales.example.com to its domain controllers' IP addresses.
Schema
Definition: The schema defines the types of objects and attributes that can exist in the tree's domains.
Scope: Shared across all domains in the forest, ensuring consistency.
Example: The schema allows user objects to have attributes like email or telephoneNumber.
Global Catalog
Definition: A forest-wide database that stores a partial replica (a subset of attributes) of every object from all domains in the forest, including those in the tree. Its basic purpose is to let clients locate objects anywhere in the forest from one place, without querying each domain in turn.
Role: Facilitates cross-domain searches and authentication within the tree and forest.
Example: A user in sales.example.com can search for a resource in example.com via the global catalog.
Functionality of Domain Trees
Domain trees serve several critical functions within Active Directory:
Hierarchical Organization
Purpose: Organizes domains into a logical hierarchy based on DNS names, reflecting organizational or geographic structures.
Example: europe.sales.example.com for the European Sales division under sales.example.com.
Resource Sharing
Purpose: Transitive trusts enable users in one domain to access resources in another within the tree.
Example: A user in asia.sales.example.com accesses a shared folder in example.com.
Decentralized Administration
Decentralized administration is a design principle in AD where administrative tasks are distributed to specific domains or organizational units (OUs) to reduce the workload on central IT and allow localized management. Each domain in AD, including child domains, acts as a security boundary with its own namespace and administrative scope. This means:
Child Domain Autonomy: Local administrators in the child domain (sales.example.com) are granted permissions to manage resources within their domain, such as creating user accounts, resetting passwords, or applying group policies. These tasks are handled without requiring intervention from the parent domain (example.com).
Limited Parent Domain Control: By default, administrators in the parent domain do not manage the child domain's resources directly. For example, a parent domain admin cannot create a user account in sales.example.com unless explicitly granted permissions to do so.
Forest-Wide Authority: The parent domain, especially if it is the forest root domain, hosts critical components like the schema and global catalog, which apply to all domains in the forest. Forest-level administrators (e.g., members of the Enterprise Admins group) have the authority to make changes that affect all domains, including child domains.
Example: An Enterprise Admin in example.com could modify the AD schema, impacting sales.example.com.
Scalability
AD achieves scalability through its hierarchical structure, particularly by using domain trees, which distribute the AD database across multiple domains. This distribution allows large organizations to manage complex environments efficiently by segmenting resources and administrative responsibilities.
Each domain in AD maintains its own portion of the AD database, which includes objects specific to that domain. By organizing domains into a tree structure, AD can scale to support thousands or even millions of objects across global networks, as seen in large enterprises or multinational corporations.
Database Segmentation: Each domain in the tree maintains its own AD database partition, storing only the objects relevant to that domain. This reduces the size of the database that each domain controller must manage, improving performance.
Security Segmentation
Purpose: Domains act as security boundaries, allowing different policies for each domain.
Example: research.example.com has stricter security policies than marketing.example.com.
How Domain Trees Work
A. DNS Hierarchy & Naming
Root Domain: example.com
Child Domains: us.example.com, eu.example.com
Subdomains: sales.us.example.com, hr.eu.example.com
B. Trust Relationships
Parent-Child Trusts: Automatically created when a child domain is added.
Transitive Trusts: Extend trust across the entire tree (e.g., example.com ↔ sales.us.example.com).
C. Authentication & Authorization
Kerberos Authentication: Works across domains via trust relationships.
Global Catalog (GC): Enables cross-domain searches (e.g., finding a user in hr.eu.example.com from us.example.com).
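To make the trust path concrete, here is an added Python example (not from the page, and not Microsoft code) that builds the forest's trust graph from the domain names, with parent-child trusts inside each tree and a tree-root trust between the forest root and every other tree root, all two-way and transitive, and then finds the chain of trusts along which a cross-domain authentication is referred. The domain names are the page's sample names; the second tree (anothercorp.com) and the choice of example.com as forest root are assumptions made for the example.

```python
"""Trust-path resolution in a forest made of domain trees.

Added example for this page, not Microsoft code. It models the two trust
kinds the text names, parent-child trusts inside a tree and tree-root
trusts between the forest root and the other tree roots, both two-way and
transitive, and finds the chain of trusts a cross-domain authentication is
referred along. The forest layout below is constructed for the example.
"""
from collections import deque


def parent_of(domain, members):
    """Parent = name minus its leftmost label, if that name is in the forest."""
    if "." not in domain:
        return None
    candidate = domain.split(".", 1)[1]
    return candidate if candidate in members else None


def build_trusts(domains, forest_root):
    """Return adjacency: domain -> set of directly trusted domains.

    - Each child is linked to its parent (parent-child trust).
    - Each tree root other than the forest root is linked to the forest
      root (tree-root trust). Both are two-way, so edges are symmetric.
    """
    members = {d.lower() for d in domains}
    forest_root = forest_root.lower()
    if forest_root not in members:
        raise ValueError("forest root must be one of the domains")
    trusts = {d: set() for d in members}
    for d in members:
        p = parent_of(d, members)
        if p is not None:
            trusts[d].add(p)
            trusts[p].add(d)
        elif d != forest_root:
            trusts[d].add(forest_root)
            trusts[forest_root].add(d)
    return trusts


def trust_path(trusts, src, dst):
    """Shortest chain of trusted domains from src to dst (breadth-first).

    Transitivity is what lets the path pass through intermediate domains;
    returns None if the two are not connected (e.g. dst is not in the forest).
    """
    src, dst = src.lower(), dst.lower()
    if src not in trusts or dst not in trusts:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(trusts[cur]):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


# Constructed forest: the example.com tree (forest root) plus a second tree.
FOREST = [
    "example.com", "us.example.com", "eu.example.com",
    "sales.us.example.com", "hr.eu.example.com",
    "anothercorp.com", "hr.anothercorp.com",
]
TRUSTS = build_trusts(FOREST, "example.com")

if __name__ == "__main__":
    for a, b in [("hr.eu.example.com", "us.example.com"),
                 ("sales.us.example.com", "hr.anothercorp.com")]:
        print(f"{a} -> {b}: {' -> '.join(trust_path(TRUSTS, a, b))}")
```

The path from sales.us.example.com to hr.anothercorp.com climbs to the tree root, crosses the tree-root trust at example.com, and descends into the other tree: every hop is one trust relationship, which is why a long chain of referrals is the cost of deep trees and multiple trees in one forest.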
Domain Trees in the Context of Active Directory Forests
Domain trees are a mid-level structure within the AD hierarchy, fitting between domains (the smallest unit) and forests (the largest unit). Let's explore their role and interaction within a forest.
Role of Domain Trees in a Forest
Organization: Domain trees group domains with a contiguous namespace, providing a logical structure within the forest.
Scalability: Trees allow organizations to segment domains for administrative or geographic purposes while maintaining forest-wide integration.
Trust Framework: Trees leverage forest-wide trusts to enable resource sharing across domains.
Logical Structure of Domain Trees in a Forest
Tree-Level Hierarchy: Within a tree, domains form a parent-child structure with a contiguous namespace.
Forest-Level Integration:
Each tree has its own namespace, but all trees share the forest's schema, configuration, and global catalog.
Tree-Root Trusts: The root domains of different trees (example.com and anothercorp.com) have automatic, two-way, transitive trusts, linking all domains in the forest.
Global Catalog: Stores partial attributes of objects from all domains in the forest (every tree included), enabling cross-tree searches.
Schema and Configuration: Shared across all domains in the tree and forest, ensuring consistency.
How Domain Trees Interact in a Forest
Resource Sharing:
Transitive trusts within the tree and across the forest allow users in one domain to access resources in another.
Example: A user in sales.example.com accesses a file server in hr.anothercorp.com via trusts and group memberships (DL_FileAccess).
Authentication:
Kerberos authentication leverages trust paths to authenticate users across domains in the tree and forest.
Example: A user in europe.sales.example.com authenticates to a resource in example.com using the parent-child trust.
Administration:
Each domain in the tree has its own administrators, but Enterprise Admins in the forest root domain oversee the entire forest.
Example: Domain Admins in sales.example.com manage their domain, while Enterprise Admins in example.com can modify the tree or forest.
Example: Enterprise Domain Tree Structure
Domain Tree Example: globalcorp.com Tree
Root Domain: globalcorp.com
Hosts central resources (file servers) and forest-wide roles.
OU: Resources; Group: DL_FileAccess (domain-local, grants access to \\fileserver.globalcorp.com\Shared).
Child Domain: na.globalcorp.com
Manages North American users and resources.
OU: Sales\Groups; Group: G_SalesUsers (global, includes john.doe).
Grandchild Domain: uk.eu.globalcorp.com
Manages UK-specific resources and users.
OU: Users; User: alice.smith.
Trusts:
Parent-child trust: globalcorp.com ↔ na.globalcorp.com.
Parent-child trust: eu.globalcorp.com ↔ uk.eu.globalcorp.com.
Transitive trust: globalcorp.com ↔ uk.eu.globalcorp.com via eu.globalcorp.com.
Cross-Domain Access:
G_SalesUsers (from na.globalcorp.com) is a member of DL_FileAccess (in globalcorp.com), granting access to the file server.
A user (alice.smith in uk.eu.globalcorp.com) accesses a resource in na.globalcorp.com via transitive trusts.
Functionality:
Authentication: A user in uk.eu.globalcorp.com logs in, and Kerberos uses the trust path to authenticate against a server in globalcorp.com.
Resource Access: john.doe in na.globalcorp.com accesses \\fileserver.globalcorp.com\Shared via G_SalesUsers membership in DL_FileAccess.
Administration: Domain Admins in na.globalcorp.com manage their domain, while Enterprise Admins in globalcorp.com oversee the tree.
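The G_SalesUsers → DL_FileAccess link above is the standard AGDLP nesting (Accounts into Global groups, Global groups into Domain-Local groups, Permissions on the Domain-Local group). The following added Python example (not from the page, and not Microsoft code) models that nesting with the page's own users, groups and share, enforces the scope rule that makes it work across domains (a global group may only hold principals from its own domain, while a domain-local group may hold global groups from any trusted domain), and resolves who actually reaches the share. Principals written as name@domain, the Directory class and the grant convention are constructions for the example.

```python
"""Cross-domain resource access through group nesting, as in the page's
globalcorp.com example (AGDLP: Accounts -> Global groups -> Domain-Local
groups -> Permissions).

Added example for this page, not Microsoft code. The users, groups and share
are the page's sample values, modelled here as constructed data. Principals
are written as name@domain.
"""


def domain_of(principal: str) -> str:
    """'john.doe@na.globalcorp.com' -> 'na.globalcorp.com'."""
    return principal.split("@", 1)[1].lower()


class Directory:
    """Tiny in-memory model of groups, memberships and share permissions."""

    def __init__(self):
        # group principal -> {"scope": "global" | "domain-local", "members": set()}
        self.groups = {}
        # UNC path -> {"domain": owning domain, "allowed": set of group principals}
        self.shares = {}

    def add_group(self, group: str, scope: str) -> None:
        if scope not in ("global", "domain-local"):
            raise ValueError(f"unknown group scope {scope!r}")
        self.groups[group.lower()] = {"scope": scope, "members": set()}

    def add_member(self, group: str, member: str) -> None:
        """AD's scope rule: a global group may only contain principals from
        its own domain; a domain-local group may contain users and global
        groups from any trusted domain in the forest."""
        group, member = group.lower(), member.lower()
        g = self.groups[group]
        if g["scope"] == "global" and domain_of(member) != domain_of(group):
            raise ValueError(
                f"global group {group} cannot contain {member} from another domain")
        g["members"].add(member)

    def grant(self, unc: str, share_domain: str, group: str) -> None:
        """Permissions go on a domain-local group of the share's own domain
        (the AGDLP convention this example follows, not a rule AD enforces)."""
        group = group.lower()
        if self.groups[group]["scope"] != "domain-local":
            raise ValueError("grant permissions to a domain-local group")
        if domain_of(group) != share_domain.lower():
            raise ValueError("domain-local group must belong to the share's domain")
        share = self.shares.setdefault(unc, {"domain": share_domain.lower(),
                                             "allowed": set()})
        share["allowed"].add(group)

    def effective_groups(self, principal: str) -> set:
        """Transitive closure of group membership: nested groups expand, so a
        user in G_SalesUsers is also, effectively, in DL_FileAccess."""
        found, frontier = set(), [principal.lower()]
        while frontier:
            cur = frontier.pop()
            for name, g in self.groups.items():
                if cur in g["members"] and name not in found:
                    found.add(name)
                    frontier.append(name)
        return found

    def has_access(self, user: str, unc: str) -> bool:
        share = self.shares.get(unc)
        if share is None:
            return False
        return bool(share["allowed"] & self.effective_groups(user))


SHARE = r"\\fileserver.globalcorp.com\Shared"


def build_globalcorp() -> Directory:
    """The page's sample layout, constructed as data."""
    d = Directory()
    d.add_group("G_SalesUsers@na.globalcorp.com", "global")
    d.add_group("DL_FileAccess@globalcorp.com", "domain-local")
    d.add_member("G_SalesUsers@na.globalcorp.com", "john.doe@na.globalcorp.com")
    # Global group from the child domain nested into the root domain's
    # domain-local group: this is the cross-domain link the page describes.
    d.add_member("DL_FileAccess@globalcorp.com", "G_SalesUsers@na.globalcorp.com")
    d.grant(SHARE, "globalcorp.com", "DL_FileAccess@globalcorp.com")
    return d


if __name__ == "__main__":
    d = build_globalcorp()
    for user in ("john.doe@na.globalcorp.com", "alice.smith@uk.eu.globalcorp.com"):
        verdict = "allowed" if d.has_access(user, SHARE) else "denied"
        print(f"{user} -> {SHARE}: {verdict}")
```

alice.smith is denied because she belongs to no group that reaches DL_FileAccess, even though her domain trusts globalcorp.com transitively: the trust path makes authentication possible, while group membership decides authorization, and both are needed for access. Trying to add her to G_SalesUsers raises, because a global group in na.globalcorp.com cannot hold an account from uk.eu.globalcorp.com; the cross-domain step has to happen at the domain-local group.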