Active Directory networks are organized using four types of divisions or container structures. These four divisions are forests, domains, organizational units and sites. When you are designing your network, it is important to use these divisions to their maximum potential. Let's take a closer look at the domain division.
Domain divisions are most often used as logical containers. However, Microsoft recommends that you also use domains as physical containers. In other words, create domains whose members are all geographically close rather than distant. This is an important design consideration because the level of traffic within a domain is considerably higher than that between one domain and another. In general, a domain with limited physical size is less likely to include expensive WAN links or pay-per-bit connections. When slow links must be included in a network design, it is often beneficial to create multiple domains connected by the slower connections.
Domains serve as containers for security policies and administrative assignments. All objects within a domain are subject to domain-wide group policies by default. Likewise, any domain administrator can manage all objects within a domain. Furthermore, each domain has its own unique accounts database. Thus, authentication is performed on a per-domain basis. Once a user account is authenticated to a domain, that user account has access to resources within that domain.
If you are migrating from a Windows
This was first published in April 2003