What is a domain tree?
In Windows 2000, a domain can be a child of another domain (e.g.,
child.domain.com is a child of domain.com). A child domain name always includes
the complete parent domain name. A child domain and its parent share a two-way
transitive trust.
A domain tree exists when one domain is the child of another domain. A domain
tree must have a contiguous namespace, as in the leftmost diagram in the Figure.
In the rightmost diagram in the Figure, the lack of contiguous names means
that the domains can’t be part of the same tree.
The tree’s name is the root domain name. In my example, the tree is
root.com. Because domains are DNS names and because a child domain’s name
embeds its parent’s full name, renaming a domain in a tree implicitly renames
all of that domain’s children. For example, if you renamed the parent domain
ntfaq.com to backoffice.com, the child domain sales.ntfaq.com would change to
sales.backoffice.com. Win2K does not let you rename a domain, so this is not yet
an issue, but it will become one in future versions of the OS that support
domain renaming.
You can currently create domain trees only when DCPROMO promotes a server to
a domain controller (DC). This restriction might change in the OS that follows
Win2K.
Placing domains in a tree yields several advantages. The most useful benefit
is that every domain in a tree has a two-way transitive Kerberos trust with its
parent and with each of its children, so any two domains in the tree trust each
other through the chain of parent-child trusts. Transitive trusts therefore let
you grant any user or group in the tree access to any object in the tree; note
that the trust only makes authentication possible, and the object’s permissions
(its ACL) still decide whether access is actually allowed. In addition, one
network logon lets a user work from any workstation in the domain tree.
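The three rules above (a child name always embeds its parent’s full name, a tree needs a contiguous namespace with a single root, and parent-child trusts chain transitively through the tree) are small enough to model. The following is an added example written for this FAQ entry, not code from the FAQ or from Windows; the domain names (root.com, sales.root.com, other.net, and the ntfaq.com rename from the text) are constructed, and `parent_of`, `tree_roots`, `rename_domain` and `trust_path` are hypothetical helper names.

```python
# Added example: a model of Windows 2000 domain-tree naming and trust rules.
# Not code from the FAQ; all domain names below are constructed.

def parent_of(name, domains):
    """Return the parent of `name` within `domains`, or None if it is a root.

    A child domain's DNS name is always <label>.<full parent name>, so the
    parent is the name with its leftmost label removed. If that name is not
    one of the domains, `name` has no parent here and is a tree root.
    """
    labels = name.lower().split(".")
    parent = ".".join(labels[1:])
    return parent if parent in domains else None


def tree_roots(domains):
    """Every domain with no parent in the set is the root of its own tree."""
    domains = {d.lower() for d in domains}
    return sorted(d for d in domains if parent_of(d, domains) is None)


def is_single_tree(domains):
    """A set of domains is one tree only when the namespace is contiguous:
    exactly one domain has no parent, and its name is the tree's name."""
    return len(tree_roots(domains)) == 1


def rename_domain(old, new, domains):
    """Rename `old` to `new` and implicitly rename every descendant, since
    each child's name embeds the parent's full name. (Win2K cannot rename a
    domain; this shows what such a rename would imply for the tree.)"""
    old, new = old.lower(), new.lower()
    renamed = set()
    for d in (x.lower() for x in domains):
        if d == old:
            renamed.add(new)
        elif d.endswith("." + old):
            renamed.add(d[: -len(old)] + new)
        else:
            renamed.add(d)
    return renamed


def ancestors(name, domains):
    """Chain from `name` up to its tree root, both ends inclusive."""
    chain = [name.lower()]
    while (p := parent_of(chain[-1], domains)) is not None:
        chain.append(p)
    return chain


def trust_path(src, dst, domains):
    """Return the chain of parent/child trusts a Kerberos referral follows
    from `src` to `dst`, or None when the two domains are in different
    trees (without an explicitly created trust, no trust exists).

    The trust only makes authentication possible; access to a given object
    is still decided by that object's ACL.
    """
    domains = {d.lower() for d in domains}
    up = ancestors(src, domains)
    down = ancestors(dst, domains)
    common = next((d for d in up if d in down), None)
    if common is None:
        return None
    return up[: up.index(common) + 1] + list(reversed(down[: down.index(common)]))


# Constructed sample sets: a contiguous tree (like the leftmost diagram) and a
# set whose names are not contiguous (like the rightmost diagram).
TREE = {"root.com", "sales.root.com", "uk.sales.root.com", "dev.root.com"}
NOT_A_TREE = {"root.com", "sales.root.com", "other.net"}

if __name__ == "__main__":
    print(tree_roots(TREE), is_single_tree(TREE))
    print(tree_roots(NOT_A_TREE), is_single_tree(NOT_A_TREE))
    print(sorted(rename_domain("ntfaq.com", "backoffice.com",
                               {"ntfaq.com", "sales.ntfaq.com"})))
    print(trust_path("uk.sales.root.com", "dev.root.com", TREE))
    print(trust_path("sales.root.com", "other.net", NOT_A_TREE))
```

`trust_path` walks from each domain up to the nearest common ancestor, which is exactly the referral path a Kerberos client in one domain follows to reach a service in another domain of the same tree; when the two names have no common ancestor in the set, the function returns None, matching the FAQ’s point that non-contiguous names cannot belong to the same tree.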
Security FAQ
Windows Privacy Tools - http//www.privacywindows.com