Active Directory networks are organized using four types of divisions or container structures. These four divisions are forests, domains, organizational units and sites. When you are designing your network, it is important to use these divisions to their maximum potential. Let's take a closer look at the domain division.
Domain divisions are most often used as logical containers. However, Microsoft recommends that you employ domains also as physical containers. In other words, create domains whose members are all geographically close rather than distant. This is an important design aspect since the level of traffic within a domain is considerably higher than that between one domain and another. In general, a domain with limited physical size is less likely to include expensive WAN links or pay-per-bit connections. When slow links must be included in a network design, it is often beneficial to create multiple domains connected by the slower connections.
Domains serve as containers for security policies and administrative assignments. All objects within a domain are subject to domain-wide group policies by default. Likewise, any domain administrator can manage all objects within a domain. Furthermore, each domain has its own unique accounts database. Thus, authentication is on a domain basis. Once a user account is authenticated to a domain, that user account has access to resources within that domain.
If you are migrating from a Windows NT environment to Windows 2000 or Windows 2003, there are a few additional issues to be aware of when designing domains. It is no longer necessary to create separate domains to divide administrative privileges. Within Active Directory, it is possible to delegate administrative privileges based on organizational units. Domains are no longer restricted by a 40,000-user limit. Active Directory domains can manage millions of objects. There are no longer PDCs and BDCs. Instead, Active Directory uses multi-master replication and all domain controllers are peers