🌳Domain Trees

(Figure: Idea of AD Domains)

What is a Domain Tree?

A Domain Tree in Active Directory (AD) is a hierarchical collection of domains that share a contiguous DNS namespace and are linked by automatic two-way transitive trusts. It lets an organization scale its directory service while keeping a logical structure and a separate administrative boundary for each domain. Note that the domain is an administrative boundary, not a security boundary: in AD the security boundary is the forest, because every domain in a forest transitively trusts every other domain.

  • A Domain Tree consists of:

    • A root domain (e.g., example.com).

    • One or more child domains (e.g., us.example.com, eu.example.com).

  • All domains in a tree (and, more precisely, all domains in the forest the tree belongs to) share:

    • A common schema (object definitions).

    • A common configuration partition (replication settings).

    • A common Global Catalog (searchable directory of all objects).

Key Characteristics of Domain Trees

  • Contiguous Namespace: All domains in the tree share a common DNS root name (example.com, sales.example.com, europe.sales.example.com).

  • Parent-Child Relationships: Domains are arranged hierarchically, with a root domain at the top and child domains beneath it.

  • Trust Relationships: Automatic, transitive, two-way trusts link parent and child domains, enabling resource sharing and authentication across the tree.

  • Forest Membership: A domain tree is part of an AD forest, which may contain multiple domain trees with different namespaces.

  • Logical Structure: Domain trees are a logical organization, independent of the physical network topology, used to manage resources and security.

  • DNS Dependency: The tree relies on DNS for name resolution, with each domain corresponding to a DNS domain.
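The characteristics above can be read directly out of a live forest. The following is an added example, not code from the original page: it uses the RSAT ActiveDirectory module (assumed installed on a domain-joined Windows host) to print every domain's place in its tree and every trust object, and flags the trusts that the tree did not create automatically. The domain names are whatever the forest returns; nothing is hard-coded.

```powershell
# Added example (not from the original page): map the forest, its domain tree(s)
# and the trusts that link them. Assumes the RSAT ActiveDirectory module and a
# domain-joined session with read access to every domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root    : {0}  (schema master: {1})" -f $forest.RootDomain, $forest.SchemaMaster
"Global catalogs: {0}" -f ($forest.GlobalCatalogs -join ', ')

# Walk every domain in the forest and print its parent/children, i.e. its tree position.
# A domain with no ParentDomain is a tree root (the forest root is one of them).
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    $parent = if ($d.ParentDomain) { $d.ParentDomain } else { '<tree root>' }
    "{0,-32} parent={1,-24} children={2}" -f $d.DNSRoot, $parent, ($d.ChildDomains -join ',')
}

# Trust objects are stored per domain, so ask each domain for its own with -Server.
# IsTreeParent marks parent-child trusts, IsTreeRoot marks tree-root trusts, and
# IntraForest=$false marks external/forest trusts that are not part of the tree at all.
# (DisallowTransivity is the module's own spelling of the property.)
$trusts = foreach ($name in $forest.Domains) {
    Get-ADTrust -Filter * -Server $name |
        Select-Object Source, Target, Direction, IntraForest, IsTreeParent, IsTreeRoot,
                      ForestTransitive, DisallowTransivity, SIDFilteringQuarantined
}
$trusts | Sort-Object Source, Target | Format-Table -AutoSize

# Anything the tree did not create automatically deserves a second look: external
# trusts and one-way trusts. Intra-forest trusts do not filter SID history by default
# (SIDFilteringQuarantined is $false), one reason the forest, not the domain, is the
# security boundary.
$trusts | Where-Object { -not $_.IntraForest -or $_.Direction -ne 'BiDirectional' } |
    Format-Table Source, Target, Direction, IntraForest, SIDFilteringQuarantined -AutoSize
```

Run it from any domain in the forest; `Get-ADForest` with no arguments describes the forest of the current session's domain.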

Components of Domain Trees

To understand domain trees, let's look at their key components and related elements:

  1. Domain

  • Definition: A domain is a logical grouping of network objects (users, computers, groups, OUs) that share a common security database and policies, managed by domain controllers.

  • Role in Tree: Domains are the building blocks of a domain tree, arranged in a parent-child hierarchy.

  • Example: example.com (root domain), sales.example.com (child domain).

  2. Root Domain

(Figure: Idea of Root Node)

  • Definition: The top-level domain in the tree, the root node of the hierarchy (the levels below it are numbered 1, 2, ...), from which the namespace and the parent-child structure start.

  • Role: The root domain (example.com) is the parent of all child domains in the Domain Tree.

  • Example: example.com is the root domain of a tree containing sales.example.com and marketing.example.com.

  3. Child Domain

(Figure: Idea of Child Domains)

  • Definition: A domain directly subordinate to the root domain or to another child domain, whose DNS name is formed by prefixing a label to its parent's name.

  • Role: Child domains (sales.example.com, europe.sales.example.com) are useful for large organizations that need separate administrative control, different account policies, or geographical divisions while keeping a single forest.

  • Example: europe.sales.example.com is a child of sales.example.com, which is a child of example.com.

  4. Contiguous Namespace

    • Definition: A shared DNS naming structure where each domain’s name is a subdomain of its parent, forming a continuous hierarchy.

    • Example:

      • example.com (root)

      • sales.example.com (child)

      • europe.sales.example.com (grandchild)

    • Purpose: Ensures a consistent, globally unique naming convention, aligned with DNS standards.

  5. Domain Controllers

    • Definition: Servers that host the AD database (NTDS.dit) and the directory service, answer LDAP queries for the data in it, and provide Kerberos authentication for the domain.

    • Role in Tree: Each domain in the tree has its own domain controllers. The domain partition replicates only among that domain's DCs; the schema and configuration partitions replicate to every DC in the forest, and global catalog servers additionally hold a partial replica of every other domain.

    • Example: dc1.example.com for example.com, dc1.sales.example.com for sales.example.com.

  6. DNS

    • Definition: The Domain Name System resolves domain names to IP addresses, critical for locating domain controllers and resources in the tree.

    • Role: Each domain in the tree corresponds to a DNS domain, and its DCs register SRV records (for example _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.dc._msdcs.<domain>) that clients use to locate domain controllers.

    • Example: DNS resolves sales.example.com to its domain controllers’ IP addresses.

  7. Schema

    • Definition: The schema defines the types of objects and attributes that can exist in the tree’s domains.

    • Scope: Shared across all domains in the forest, ensuring consistency.

    • Example: The schema allows user objects to have attributes like email or telephoneNumber.

  8. Global Catalog

    • Definition: A forest-wide index held by designated domain controllers (global catalog servers). A GC server stores a full replica of its own domain plus a partial replica (a subset of attributes called the partial attribute set) of every object in every other domain of the forest, so an object anywhere in the forest can be found without first knowing which domain holds it.

    • Role: Facilitates cross-domain searches and authentication within the tree and forest.

    • Example: A user in sales.example.com can search for a resource in example.com via the global catalog.
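The DNS, domain controller and global catalog components above fit together when a client locates a DC and searches the forest. This added example (not code from the original page) resolves the locator SRV records for a domain, lets the DC locator pick a DC, runs one search against the global catalog port, and checks in the schema whether a given attribute is part of the partial attribute set. It assumes the RSAT ActiveDirectory and DnsClient modules on a domain-joined host; the domain names are the page's examples and `jane.roe` is a made-up account.

```powershell
# Added example (not from the original page): locate DCs via DNS, search the GC, and
# tell which attributes the GC can actually return. Assumes RSAT ActiveDirectory and a
# domain-joined session; sales.example.com and jane.roe are placeholders.
Import-Module ActiveDirectory
$domain = 'sales.example.com'

# Every DC registers locator SRV records under _msdcs.<domain>; clients resolve these first.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Select-Object NameTarget, Port, Priority, Weight
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$domain" -Type SRV |
    Select-Object NameTarget, Port

# GC servers register under the FOREST root, not the domain, because the GC is forest-wide.
$forestRoot = (Get-ADForest).RootDomain
Resolve-DnsName -Name "_gc._tcp.$forestRoot" -Type SRV | Select-Object NameTarget, Port

# The DC locator (the same logic a workstation uses) picks a DC that is also a GC:
nltest "/dsgetdc:$domain" /gc

# A search against port 3268 with an empty search base spans every domain in the forest.
$gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
Get-ADUser -Filter 'SamAccountName -eq "jane.roe"' -Server "$($gc):3268" -SearchBase '' -Properties mail |
    Select-Object DistinguishedName, mail

# The GC only carries the partial attribute set (PAS). An attribute outside the PAS comes
# back empty from port 3268 even when it is set on the object; query the object's own
# domain on port 389 for it. The schema records PAS membership per attribute:
function Test-InGlobalCatalog {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Properties isMemberOfPartialAttributeSet `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    return [bool]$attr.isMemberOfPartialAttributeSet
}
'mail', 'info', 'userPrincipalName' |
    ForEach-Object { "{0,-20} inGlobalCatalog={1}" -f $_, (Test-InGlobalCatalog $_) }
```

`Test-InGlobalCatalog` is the check to run before relying on a GC query for an attribute: anything it reports as `False` must be fetched from the owning domain.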

Functionality of Domain Trees

Domain trees serve several critical functions within Active Directory:

  1. Hierarchical Organization

    • Purpose: Organizes domains into a logical hierarchy based on DNS names, reflecting organizational or geographic structures.

    • Example: europe.sales.example.com for the European Sales division under sales.example.com.

  2. Resource Sharing

    • Purpose: Transitive trusts enable users in one domain to access resources in another within the tree.

    • Example: A user in asia.sales.example.com accesses a shared folder in example.com.

  3. Decentralized Administration

Decentralized administration is a design principle in AD where administrative tasks are delegated to individual domains or organizational units (OUs), reducing the load on central IT and allowing local management. Each domain, including every child domain, is an administrative boundary with its own namespace, its own Domain Admins group and its own account policies. It is not a security boundary: that is the forest, because every domain in a forest trusts every other domain transitively and the forest-root groups described below have authority over all of them. In practice this means:

  • Child Domain Autonomy: Local administrators in the child domain (sales.example.com) manage resources within their domain, such as creating user accounts, resetting passwords, or applying group policies, without involving the parent domain (example.com).

  • Limited Parent Domain Control: Domain Admins of the parent domain hold no rights in the child domain by default. A parent-domain admin cannot create a user account in sales.example.com unless explicitly delegated that permission, or unless they are also a member of a forest-wide group. Note that Domain Admins of the forest root domain can add themselves to Enterprise Admins, so they must be treated as forest-wide administrators.

  • Forest-Wide Authority: The parent domain, especially if it is the forest root domain, hosts critical components like the schema and global catalog, which apply to all domains in the forest. Forest-level administrators (e.g., members of the Enterprise Admins group) have the authority to make changes that affect all domains, including child domains.

    • Example: An Enterprise Admin in example.com could modify the AD schema, impacting sales.example.com.

  4. Scalability

AD achieves scalability through its hierarchical structure, particularly by using domain trees, which distribute the AD database across multiple domains. This distribution allows large organizations to manage complex environments efficiently by segmenting resources and administrative responsibilities.

Each domain in AD maintains its own portion of the AD database, which includes objects specific to that domain. By organizing domains into a tree structure, AD can scale to support thousands or even millions of objects across global networks, as seen in large enterprises or multinational corporations

  • Database Segmentation: Each domain in the tree maintains its own AD database partition, storing only the objects relevant to that domain. This reduces the size of the database that each domain controller must manage, improving performance.

  5. Security Segmentation

    • Purpose: Each domain carries its own policies (password, lockout and Kerberos settings in the Default Domain Policy) and its own privileged groups, so different domains can run under different rules. This is policy and administrative segmentation, not isolation: protection against a hostile administrator in another domain requires a separate forest.

    • Example: research.example.com enforces a stricter password and lockout policy than marketing.example.com.
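Whether administration really is decentralized is something to verify rather than assume. This added example (not code from the original page) lists the forest-root groups that reach into every domain, then checks each domain's Domain Admins group for members whose DN lies outside that domain's naming context. It assumes the RSAT ActiveDirectory module and read access to every domain; group names are the built-in ones and Domain Admins is located by its well-known RID rather than by name.

```powershell
# Added example (not from the original page): who can administer which domain.
# Assumes RSAT ActiveDirectory and a domain-joined session with read access forest-wide.
Import-Module ActiveDirectory
$forest = Get-ADForest
$root   = $forest.RootDomain

# Enterprise Admins and Schema Admins exist only in the forest root domain and apply
# to every domain in the forest (schema, configuration, trust creation, child domains).
foreach ($g in 'Enterprise Admins', 'Schema Admins') {
    "== $g ($root) =="
    Get-ADGroupMember -Identity $g -Server $root -Recursive |
        Select-Object SamAccountName, objectClass, distinguishedName
}

# Per domain: who holds Domain Admins (RID 512), and does any member come from
# a different domain? Such members are the real, cross-domain administrative reach.
foreach ($domain in $forest.Domains) {
    $d  = Get-ADDomain -Identity $domain
    $da = Get-ADGroup -Identity "$($d.DomainSID)-512" -Server $domain -Properties member
    "== Domain Admins ($domain) =="
    foreach ($memberDn in $da.member) {
        # A DN that does not end in this domain's naming context belongs to another domain.
        $foreign = -not $memberDn.EndsWith($d.DistinguishedName, [StringComparison]::OrdinalIgnoreCase)
        "{0}  {1}" -f $(if ($foreign) { 'CROSS-DOMAIN' } else { 'local       ' }), $memberDn
    }
}
```

Any `CROSS-DOMAIN` line, and every member of the two forest-root groups, is an account whose compromise is not contained by the domain it lives in.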

How Domain Trees Work

A. DNS Hierarchy & Naming

  • Root Domain: example.com

  • Child Domains: us.example.com, eu.example.com

  • Subdomains: sales.us.example.com, hr.eu.example.com

B. Trust Relationships

  • Parent-Child Trusts: Automatically created when a child domain is added.

  • Transitive Trusts: Extend trust across the entire tree (e.g., example.com ↔ sales.us.example.com through the intermediate domain us.example.com).

C. Authentication & Authorization

  • Kerberos Authentication: Works across domains via trust relationships.

  • Global Catalog (GC): Enables cross-domain searches (e.g., finding a user in hr.eu.example.com from us.example.com).

Domain Trees in the Context of Active Directory Forests

Domain trees are a mid-level structure within the AD hierarchy, fitting between domains (the smallest unit) and forests (the largest unit). Let’s explore their role and interaction within a forest.

  1. Role of Domain Trees in a Forest

    • Organization: Domain trees group domains with a contiguous namespace, providing a logical structure within the forest.

    • Scalability: Trees allow organizations to segment domains for administrative or geographic purposes while maintaining forest-wide integration.

    • Trust Framework: Trees leverage forest-wide trusts to enable resource sharing across domains.

  2. Logical Structure of Domain Trees in a Forest

    • Tree-Level Hierarchy: Within a tree, domains form a parent-child structure with a contiguous namespace.

    • Forest-Level Integration:

      • Each tree has its own namespace, but all trees share the forest’s schema, configuration, and global catalog.

      • Tree-Root Trusts: The root domains of different trees (example.com and anothercorp.com) have automatic, two-way, transitive trusts, linking all domains in the forest.

    • Global Catalog: Holds a partial replica (the partial attribute set) of every object in every domain of the forest, so a search against a GC server finds objects in other trees without knowing which domain holds them.

    • Schema and Configuration: Shared across all domains in the tree and forest, ensuring consistency.

  3. How Domain Trees Interact in a Forest

    • Resource Sharing:

      • Transitive trusts within the tree and across the forest allow users in one domain to access resources in another.

      • Example: A user in sales.example.com accesses a file server in hr.anothercorp.com via trusts and group memberships (DL_FileAccess).

    • Authentication:

      • Kerberos authentication leverages trust paths to authenticate users across domains in the tree and forest.

      • Example: A user in europe.sales.example.com authenticates to a resource in example.com using the parent-child trust.

    • Administration:

      • Each domain in the tree has its own administrators, but Enterprise Admins in the forest root domain oversee the entire forest.

      • Example: Domain Admins in sales.example.com manage their domain, while Enterprise Admins in example.com can modify the tree or forest.

Example: Enterprise Domain Tree Structure

Forest
├── Tree 1: globalcorp.com
│   ├── globalcorp.com (Root Domain)
│   ├── na.globalcorp.com (Child Domain)
│   │   ├── Sales (OU)
│   │   │   ├── Users (OU, User: john.doe)
│   │   │   └── Groups (OU, Group: G_SalesUsers)
│   │   └── IT (OU)
│   ├── eu.globalcorp.com (Child Domain)
│   │   └── uk.eu.globalcorp.com (Grandchild Domain)
│   └── marketing.globalcorp.com (Child Domain)
└── Tree 2: acquiredcorp.com
    ├── acquiredcorp.com (Root Domain)
    └── hr.acquiredcorp.com (Child Domain)

  • Domain Tree Example: globalcorp.com Tree

    • Root Domain: globalcorp.com

      • Hosts central resources (file servers) and forest-wide roles.

      • OU: Resources, Group: DL_FileAccess (domain-local, grants access to \\fileserver.globalcorp.com\Shared).

    • Child Domain: na.globalcorp.com

      • Manages North American users and resources.

      • OU: Sales\Groups, Group: G_SalesUsers (global, includes john.doe).

    • Grandchild Domain: uk.eu.globalcorp.com

      • Manages UK-specific resources and users.

      • OU: Users, User: alice.smith.

    • Trusts:

      • Parent-child trust: globalcorp.com ↔ na.globalcorp.com.

      • Parent-child trust: eu.globalcorp.com ↔ uk.eu.globalcorp.com.

      • Transitive trust: globalcorp.com ↔ uk.eu.globalcorp.com via eu.globalcorp.com.

    • Cross-Domain Access:

      • G_SalesUsers (from na.globalcorp.com) is a member of DL_FileAccess (in globalcorp.com), granting access to the file server.

      • A user (alice.smith in uk.eu.globalcorp.com) accesses a resource in na.globalcorp.com via transitive trusts.

  • Functionality:

    • Authentication: A user in uk.eu.globalcorp.com logs in, and Kerberos uses the trust path to authenticate against a server in globalcorp.com.

    • Resource Access: john.doe in na.globalcorp.com accesses \\fileserver.globalcorp.com\Shared via G_SalesUsers membership in DL_FileAccess.

    • Administration: Domain Admins in na.globalcorp.com manage their domain, while Enterprise Admins in globalcorp.com oversee the tree.
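The access chain in this example, and the cross-domain Kerberos authentication described under Authentication & Authorization above, can both be observed from a client. This added example (not code from the original page) first confirms the AGDLP nesting (global group in the account domain inside a domain-local group in the resource domain), then requests a service ticket for the file server in the parent domain and inspects the ticket cache to see the referral TGT that crossed the parent-child trust. It assumes it is run as john.doe on a host joined to na.globalcorp.com with the RSAT ActiveDirectory module available; all names are the page's example names.

```powershell
# Added example (not from the original page): verify the cross-domain access chain
# and watch Kerberos walk the trust path. Run as john.doe on a na.globalcorp.com host;
# fileserver.globalcorp.com, DL_FileAccess and G_SalesUsers are the page's placeholders.
Import-Module ActiveDirectory

# 1. Group nesting. Query each group in its OWN domain with -Server: a domain-local
#    group only exists in globalcorp.com, a global group only in na.globalcorp.com.
$dl = Get-ADGroup -Identity 'DL_FileAccess' -Server 'globalcorp.com'    -Properties member
$g  = Get-ADGroup -Identity 'G_SalesUsers'  -Server 'na.globalcorp.com' -Properties member
$user = Get-ADUser -Identity 'john.doe' -Server 'na.globalcorp.com'
"DL_FileAccess scope : $($dl.GroupScope)"   # expected: DomainLocal
"G_SalesUsers scope  : $($g.GroupScope)"    # expected: Global
"G_SalesUsers nested in DL_FileAccess : $($dl.member -contains $g.DistinguishedName)"
"john.doe member of G_SalesUsers      : $($g.member -contains $user.DistinguishedName)"

# 2. Request a service ticket for the parent-domain file server and look at the cache.
#    (klist purge drops existing tickets so the new chain is easy to read.)
klist purge
klist get cifs/fileserver.globalcorp.com
klist
# Expected cache contents, in order: the TGT for NA.GLOBALCORP.COM, a referral TGT
# "krbtgt/GLOBALCORP.COM @ NA.GLOBALCORP.COM" issued over the parent-child trust, and the
# service ticket issued by a globalcorp.com DC. For a longer path such as
# uk.eu.globalcorp.com -> globalcorp.com there is one referral TGT per trust crossed.

# 3. DL_FileAccess is domain-local to globalcorp.com. It is added by the globalcorp.com DC
#    when it builds the service ticket, so it does NOT appear in the client's logon token;
#    only the global group from the account domain shows up here.
whoami /groups | Select-String 'G_SalesUsers', 'DL_FileAccess'
```

If step 1 prints `False` for the nesting check, the file server will refuse john.doe regardless of the trusts; if step 2 shows no referral TGT, the trust path itself is broken and the failure is in DNS or the trust, not in the ACL.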

