The first Windows 2000 domain that you create is the root domain, which contains the configuration and schema for the forest. Additional domains are added to the root domain to form the tree structure or the forest structure, depending on the domain name requirements.

Some reasons to create more than one domain are:

Trees

A tree is a hierarchical arrangement of Windows 2000 domains that share a contiguous namespace.

When you add a domain to an existing tree, the new domain is a child domain of an existing parent domain. The name of the child domain is combined with the name of the parent domain to form its DNS name.

For example, Contoso, Ltd., whose current Active Directory domain is contoso.com, has acquired two new companies, one in China and one in Japan. They decide to add two new domains to their existing domain tree rather than creating OUs in the existing domain in order to allow administration of the domains in the respective languages. The resulting domains, china.contoso.com and japan.contoso.com, form a contiguous namespace, the root of which is contoso.com. The administrator can grant permissions for resources to accounts from any of the three domains in the tree.

Forests

A forest is a group of trees that do not share a contiguous namespace. The trees in a forest share a common configuration, schema, and global catalog. By default, the name of the root tree, or the first tree that is created in the forest, is used to refer to a given forest.

Each tree in a forest has its own unique namespace. For example, Contoso, Ltd. creates a separate company called Northwind Traders. Contoso, Ltd. decides to create a new Active Directory domain name for Northwind Traders, called nwtraders.com. Although the two companies do not share a common namespace, by adding the new Active Directory domain as a new tree in an existing forest, the two companies will be able to share resources and administrative functions.

Trust Relationships

Active Directory supports two forms of trust relationships: one-way, non-transitive trusts and two-way, transitive trusts.

One-Way, Non-Transitive Trusts

In a one-way trust relationship, if domain A trusts domain B, domain B does not automatically trust domain A.

In a non-transitive trust relationship, if domain A trusts domain B and domain B trusts domain C, domain A does not automatically trust domain C.

Windows NT networks use one-way, non-transitive trust relationships. You manually create one-way, non-transitive trust relationships between existing domains. In a large network, this form of trust imposes a large amount of administrative overhead.

Active Directory supports one-way, non-transitive trusts for connections to Windows NT networks. You can also establish one-way, non-transitive trusts between Active Directory domains. For example, if you want to allow an external business partner to have access to resources in a particular domain while working on a joint project, you might create a one-way, non-transitive trust between the internal and external domains.

Two-Way, Transitive Trusts

In a two-way trust relationship, if domain A trusts domain B, then domain B automatically trusts domain A.

In a transitive trust relationship, if domain B trusts domain A and domain C trusts domain A, then domain B automatically trusts domain C and domain C automatically trusts domain B.

If a two-way, transitive trust exists between two domains, you can grant permissions to resources in one domain to user and group accounts in the other domain, and vice versa. Two-way, transitive trust relationships are the default between Windows 2000 domains.
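The following added example (not part of the original documentation) models the two trust forms described above so that the effective trust reach of each domain can be audited. It assumes the page's example domains plus a hypothetical partner domain, partner.example, and treats a non-transitive trust as usable only between the two domains that hold it.

```python
from collections import deque

# Constructed sample topology using the page's example names; partner.example
# is a hypothetical external business partner domain (an assumption).
# Each entry: (trusting domain, trusted domain, two_way, transitive)
TRUSTS = [
    ("china.contoso.com", "contoso.com", True, True),    # child <-> parent
    ("japan.contoso.com", "contoso.com", True, True),    # child <-> parent
    ("nwtraders.com", "contoso.com", True, True),        # new tree <-> forest root
    ("japan.contoso.com", "partner.example", False, False),  # joint project
]

def build_edges(trusts):
    """Expand two-way trusts into two directed edges: trusting -> trusted."""
    edges = {}
    for trusting, trusted, two_way, transitive in trusts:
        edges.setdefault(trusting, []).append((trusted, transitive))
        if two_way:
            edges.setdefault(trusted, []).append((trusting, transitive))
    return edges

def trusted_by(resource_domain, trusts=TRUSTS):
    """Return the set of domains whose accounts resource_domain trusts."""
    edges = build_edges(trusts)
    # A non-transitive trust is honoured only as a direct, single hop.
    direct = {target for target, _ in edges.get(resource_domain, [])}
    # Transitive trusts chain: follow transitive edges only.
    queue = deque([resource_domain])
    seen = {resource_domain}
    while queue:
        current = queue.popleft()
        for target, transitive in edges.get(current, []):
            if transitive and target not in seen:
                seen.add(target)
                queue.append(target)
    return (direct | seen) - {resource_domain}

def can_grant(resource_domain, account_domain, trusts=TRUSTS):
    """True if permissions in resource_domain can go to account_domain's accounts."""
    return account_domain in trusted_by(resource_domain, trusts)

if __name__ == "__main__":
    for domain in sorted({d for t in TRUSTS for d in t[:2]}):
        print(f"{domain} trusts: {sorted(trusted_by(domain))}")
```

In this model the partner's accounts are trusted only by japan.contoso.com; the rest of the forest does not inherit that trust, and partner.example trusts no forest domain in return.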