Understanding domains

A domain provides several benefits:

• Organizing objects.

  Using organizational units within a domain helps you manage the accounts and resources in the domain.

• Publishing resources and information about domain objects.

Using multiple domains, you can scale the Active Directory directory service to accommodate your administrative and directory publishing requirements.

A domain stores only the information about objects located in that domain, so by creating multiple domains, you are partitioning or segmenting the directory to better serve a disparate user base.

• Applying a Group Policy object to the domain consolidates resource and security management.

  A domain defines a scope or unit of policy. A Group Policy object establishes how domain resources can be accessed, configured, and used. These policies are applied only within the domain and not across domains. For more information about applying Group Policy objects, see Group Policy

• Delegating authority eliminates the need for a number of administrators with sweeping administrative authority.

  Using delegated authority in conjunction with Group Policy objects and group memberships enables you to assign an administrator rights and permissions to manage objects in an entire domain or in one or more organizational units within the domain. For more information about delegating administrative control, see Delegating administration

  For information about groups, see Understanding Groups

  Because a domain is an administrative boundary, administrative permissions for a domain are limited to the domain by default. For example, an administrator with permissions to set security policies in one domain is not automatically granted authority to set security policies within any other domain in the directory.

To create a domain, you must promote one or more computers running Windows 2000 Server to be domain controllers. A domain controller provides the Active Directory directory service to network users and computers, stores directory data, and manages user-domain interactions, including user logon processes, authentication, and directory searches. Every domain must contain at least one domain controller.

For more information about domain controllers, see Domain controllers To promote a computer running Windows 2000 Server to a domain controller, see Install a domain controller