Windows 2000 Domains

Domain Structure and Relationships


  • Domain tree - A hierarchical group of one or more domains with one root domain. Only one domain is required to make a tree.
  • Parent domain - One domain above another in a domain tree.
  • Child domain - One domain below another in a domain tree. The child inherits the domain name of its parent in a DNS hierarchical naming convention. Example: "".
  • Forest root domain - The first domain created in a forest.
  • Tree root - The first domain created in a tree.

Trusts and Trust Relationships

A trust relationship describes the user access allowed between two domains; a trust is either one way or two way. Terms:

  • One way trust - When one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
  • Two way trust - When two domains allow access to users on the other domain.
  • Trusting domain - The domain that allows access to users on another domain.
  • Trusted domain - The domain that is trusted, whose users have access to the trusting domain.
  • Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree.
  • Intransitive trust - A one way trust that does not extend beyond two domains.
  • Explicit trust - A trust that an administrator creates. It is not transitive and is one way only.
  • Cross-link trust - An explicit trust between domains in different trees, or in the same tree when no descendant/ancestor (child/parent) relationship exists between the two domains.

Windows 2000 only supports the following types of trusts:

  • Two way transitive trusts.
  • One way non-transitive trusts.

This means the two way non-transitive trust supported by Windows NT is no longer supported. The way to deal with this is to create two one way trusts in Windows 2000.

The program "dcpromo.exe" is used to make a Windows 2000 domain member server a domain controller or demote it from domain controller status back to a member server. It can be used to add a domain controller for an existing domain or create a domain controller for a new domain.

  • Forest root controller - The first domain controller created when Active Directory is first installed on any computer if there are no previously installed controllers available on the network.

Active Directory Trusts

Windows NT 4.0 does not support transitive trusts. All Windows 2000 Active Directory trusts are transitive by default, with trusts existing between parents and children. No direct trust exists between child domains, even when they share the same parent. Transitive trusts extend up and down through parents to children to grandchildren and so on. Administrators may create explicit trusts between any two domains.
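The trust rules described in the two trust sections above (automatic two-way transitive trusts along parent/child links, no direct trust between sibling domains, and explicit trusts that are one way and non-transitive), as an added Python model that is not part of the original page. The domain names are constructed samples.

```python
from collections import deque

class TrustModel:
    """Domains in one tree plus explicit one-way, non-transitive trusts."""

    def __init__(self):
        self.parent = {}       # child domain -> parent domain (None for a tree root)
        self.explicit = set()  # (trusting, trusted): trusting admits trusted's users

    def add_domain(self, name, parent=None):
        # A child domain gets an automatic two-way transitive trust with its parent.
        self.parent[name] = parent

    def add_explicit_trust(self, trusting, trusted):
        # Explicit trusts are one way and never chain (non-transitive).
        self.explicit.add((trusting, trusted))

    def _tree_neighbours(self, domain):
        # Parent/child links are the only transitive trusts in the model.
        # Siblings have no direct trust; they reach each other through the parent.
        links = [p for d, p in self.parent.items() if d == domain and p]
        links += [d for d, p in self.parent.items() if p == domain]
        return links

    def can_access(self, user_domain, resource_domain):
        """True if resource_domain trusts user_domain, directly or transitively."""
        if user_domain == resource_domain:
            return True
        seen, queue = {user_domain}, deque([user_domain])
        while queue:  # walk the transitive tree trusts outward from the user's domain
            for nxt in self._tree_neighbours(queue.popleft()):
                if nxt == resource_domain:
                    return True
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        # A non-transitive trust covers only the two named domains, nothing beyond.
        return (resource_domain, user_domain) in self.explicit

def build_sample_forest():
    """Constructed sample: one Windows 2000 tree plus an NT 4.0 domain."""
    m = TrustModel()
    m.add_domain("example.test")                           # tree root
    m.add_domain("sales.example.test", "example.test")
    m.add_domain("eng.example.test", "example.test")
    m.add_domain("lab.eng.example.test", "eng.example.test")
    m.add_domain("LEGACYNT")                               # NT 4.0 domain, no tree link
    m.add_explicit_trust("sales.example.test", "LEGACYNT")  # sales trusts LEGACYNT only
    return m
```

Users of LEGACYNT reach only sales.example.test, not its parent or siblings, while any domain in the tree reaches any other through the parent links; adding the reverse explicit trust models the two one-way trusts that replace an NT two-way non-transitive trust.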

It is good policy for the administrator to set up a root domain with the administrator account. This will allow all child domains to be controlled from that domain.

Domain Controller Data Replication

Replicated data between domain controllers contains:

  • Schema
  • Configuration data - Forest, tree, and domain information.
  • Domain data - Information about all domain objects sent to domain controllers in the domain.

Domain Controllers

Windows NT uses a Primary Domain Controller (PDC) and Backup Domain Controllers (BDC) to control the operations of its domains. The BDC or BDCs back up the operations of the PDC in the event that it fails. Data is constantly replicated between these controllers. Windows 2000 has changed this method of controlling the domain.

Windows 2000 may be operated in one of two modes:

  • Native mode - In this mode Active Directory interfaces only with Windows 2000 domain controllers and directory service client software. Windows 2000 is more efficient in native mode. In this case, the PDC emulator will get password changes faster.
  • Mixed mode - Used to support domains where there are still Windows NT domain controllers. Mixed mode occurs when Active Directory interfaces with NT 4.0 BDCs or with computers without Windows 2000 Directory Service client software. In mixed mode, computers without Windows 2000 client software must contact the PDC emulator to change user account information.

A domain cannot be changed back from native mode to mixed mode. An NT domain controller cannot be added to a Windows 2000 network running in native mode.

Upgrading from Win NT to Win 2000 Domains

  1. Upgrade the PDC in the master domain (the domain that will become the root domain) to Windows 2000.
  2. Use mixed mode for Active Directory.
  3. Upgrade BDCs and servers to Windows 2000.
  4. Update client computers in the domain to Windows 2000 or install Directory Service Client on them.
  5. Follow the same procedure for each succeeding domain down through the domain tree.
  6. Once all updates are complete, the multiple domains may be merged into one or reconfigured using Windows 2000 tools.

When the NT domain controller is upgraded to Windows 2000, the following changes are made:

  • The PDC computer account is placed in the Domain Controllers AD container object.
  • Computer accounts are placed in the Computers AD container object.
  • User accounts, global groups, local groups, and created groups are placed in the Users AD container object.
  • Default groups are put in the Builtin AD container object.

Adding a Computer to a Domain

  1. Know the DNS domain name such as "".
  2. Have a computer account or administration privileges to create a computer account.
  3. The DNS server and domain controller must be working.

Adding a Child Domain

Before adding a child domain, create a DNS subdomain first.