So you're going along, feeling pretty good, and then it hits you: things are getting slow in your domain, or perhaps your company is growing at a rapid rate, acquiring a competitor's assets. You now must find a way to cope with these changes.
Adapting your domain to these changes is what makes Active Directory so powerful. The magic word with Active Directory is redundancy. For example, in our domain of guinea.pig, we have a single domain controller named DC01. If we were to add a second domain controller (say, DC02), any changes made to users, groups, OUs, GPOs, or most anything else on DC01 are replicated to DC02. Because we now have two servers to balance each other's loads and back one another up, our job as administrators becomes a bit less worrisome.
Sometimes it makes sense to partition your domain into separate TCP/IP subnets (called sites in Active Directory lingo) to improve network performance and divide things up a bit more logically. Perhaps you have different needs from one organization to another within your company, with one requiring much more stringent authentication standards than another. Carving your Active Directory into child domains makes this possible. Perhaps your organization is so large that you need to create an entirely new domain group, requiring its own set of security principals, users, groups, and so on (called a forest in Active Directory lingo). The wonderful thing about Active Directory is that despite this perceived chaos, domains and forests can communicate with one another through a sophisticated system of trusts.
Are you confused? Don't worry - we'll have this cleared up in no time. But before we start to delve into adding extra domain controllers, domains, and forests, we need to examine domain controllers in a new light.