Building Blocks

Now that we've shown how objects are structured and referenced, let's look at the core concepts behind Active Directory.

Domains and Domain Trees

Active Directory's logical structure is built around the concept of domains introduced in Windows NT 3.x and 4.0. However, in Active Directory, domains have been updated significantly from the flat and inflexible structure imposed by Windows NT. An Active Directory domain is made up of the following components:

  • An X.500-based hierarchical structure of containers and objects

  • A DNS domain name as a unique identifier

  • A security service, which authenticates and authorizes any access to resources via accounts in the domain or trusts with other domains

  • Policies that dictate how functionality is restricted for users or machines within that domain

A domain controller (DC) can be authoritative for one and only one domain. Currently, it is not possible to host multiple domains on a single DC. For example, Mycorp Company has already been allocated a DNS domain name for their company called, so they decide that the first Active Directory domain that they are going to build is to be named However, this is only the first domain in a series that needs to be created, and is in fact the root of a domain tree.

The domain itself, ignoring its contents, is automatically created as the root node of a hierarchical structure called a domain tree. This is literally a series of domains connected together in ...
