The Microsoft Networking model embraces the domain as the basic administrative container for the network. A domain is a grouping of computers and other devices that are managed by a Windows domain controller (a domain controller being a server that is the central authority for the domain). The domain maintains its own database directory of user accounts and controls its own resources such as printers and shared files.
While a domain could potentially serve thousands of users, there is often a need to go beyond the limits of a single domain and expand the scale of the network. As already mentioned, the basic unit of the logical Microsoft network structure is the domain. The next largest unit is the tree. A tree is a collection of child domains. The tree itself is defined by a root domain, which serves as the parent domain for the child domains that branch from the domain root. The first domain you create serves as the root of the domain tree. Child domains branch off of the root domain, as shown in Figure 9.1.
Figure 9.1. A Windows network consists of a domain tree that holds a root and optional child domains.
The largest administrative structure provided by the domain hierarchy is the forest. A forest is a collection of domain trees.
To truly understand how domains interact within trees and forests, you need to understand trust relationships. A trust is an electronic agreement between domains. It means that users can log on to their own domain but still access resources in another domain, if that domain "trusts" the user's domain.
When you create child domains within a domain tree, the child domains and the parent domain are all assigned transitive trusts. A transitive trust is a two-way street between the domains. The domains trust each other so that they share each other's resources. This means that all the domains in a tree trust the other domains in the tree to use their resources (such as printers, DNS servers, and so on). So, the transitive trust relationships provide a reciprocal resource-sharing environment that flows down through the tree.
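The trust behavior described above can be modeled as a graph, which is how a trust review works out every domain whose resources a given domain's accounts can reach. The following Python code is an added example, not part of the original text; the domain names are constructed, and the one-way, non-transitive trust to `partner.example` is an assumption that goes beyond the tree case to show the contrast.

```python
from collections import deque

# Constructed domain tree (hypothetical names): child -> parent, None marks the root.
TREE = {
    "corp.example": None,
    "sales.corp.example": "corp.example",
    "eng.corp.example": "corp.example",
    "lab.eng.corp.example": "eng.corp.example",
}

def parent_child_trusts(tree):
    """Two-way transitive trust per parent/child pair.
    Each trust is (trusting_domain, trusted_domain, transitive)."""
    trusts = set()
    for child, parent in tree.items():
        if parent is not None:
            trusts.add((child, parent, True))
            trusts.add((parent, child, True))
    return trusts

def reachable_domains(user_domain, trusts):
    """Domains that trust user_domain, directly or through a chain of trusts.
    A chain longer than one hop counts only if every trust in it is transitive."""
    trusting_of = {}
    for trusting, trusted, transitive in trusts:
        trusting_of.setdefault(trusted, []).append((trusting, transitive))
    # A single direct trust applies whether or not it is transitive.
    reach = {t for t, _ in trusting_of.get(user_domain, [])}
    seen, queue = {user_domain}, deque([user_domain])
    while queue:
        for trusting, transitive in trusting_of.get(queue.popleft(), []):
            if transitive and trusting not in seen:
                seen.add(trusting)
                queue.append(trusting)
    return sorted(reach | (seen - {user_domain}))

# Assumption beyond the tree case: corp.example trusts partner.example,
# one-way and non-transitive.
TRUSTS = parent_child_trusts(TREE) | {("corp.example", "partner.example", False)}

if __name__ == "__main__":
    for domain in sorted(list(TREE) + ["partner.example"]):
        print(domain, "->", reachable_domains(domain, TRUSTS))
```

Inside the tree every domain reaches every other, while accounts from the non-transitively trusted domain reach only the one domain that trusts them directly.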
You create a domain in the Windows server environment by bringing a domain controller online. Domain controllers are created by installing Active Directory on a server running Windows Server 2003. So, you will have to deploy at least one domain controller on your network. We take a look at some other server roles often found in a Windows domain later in this chapter.