The Benefits Of Having Multiple Domains Computer Science Essay

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The main purpose of this report is to describe the structure of a multidomain environment and to discuss its configuration and management in Windows Server 2008 R2. It outlines the new features and capabilities of Windows Server 2008 when it operates in a multidomain environment, and covers topics such as trees and forests, trusts, Global Catalog servers, time synchronization, replication, and group management.

2. Domain

A domain is a group of machines that forms a partition of an Active Directory forest. It is used to control where in the forest replication of domain data occurs, and its machines share a database of forest information hosted on Global Catalog (GC) servers.

2.1. The Benefits of Having Multiple Domains

Usability: multiple points of entry can be useful, since different domains can lead to differently themed sites for different user experiences.

Cost Saving: the ability to have more than one domain running on a single environment.

Efficiency and Scalability: Start-ups in particular can benefit from this cost-saving and efficient feature by only having to run a single environment for their applications until they have the need to scale up.

3. Configuration of a Multiple-Domain Environment

A domain can be either a single-machine or a multiple-machine configuration in which the machines communicate with each other. Each domain can share services and data, but is administered separately.

Multiple domains can be connected, allowing clients in one domain transparent access to services physically located in remote domains.

3.1. Multi-domain Environments

Multi-domain environments give IT operations clarity over ICT infrastructure, services and business, making it easy to share data between IT domains and helping IT Service Management identify how services are connected to underlying physical and logical infrastructure components.

Trusts can be established between two domains in different forests, and names can be resolved between the domains. All elements of an infrastructure can be entered in the database and given attributes.

3.2. Multi-domain configuration management

Configuration management tools are provided per domain (Network, Connectivity, Services, Organizational, etc.), allowing greater precision when creating relationships between configuration items from different domains.

3.3. Multi-Domain Security Management and Features

Multi-domain security management distributes security management and control across multi-domain environments with many different network domains. It is the best solution for enterprises with many branches, partners and networks.

3.3.1. Transition from Single to Multi-Domain IP Security Management

An existing security management deployment can be converted into a multi-domain security management environment by adding Check Point Multi-Domain Management Software Blades.

Fig1. Multi Domain security Management

Multi-Domain Secured Communications Components

Set up certificate authorities for each management domain and for the multi-domain system to provide secure and private communications between gateways, their management domains, and the multi-domain system.

Trusted Communication between Multi-domain Systems and Related Applications: The SIC protocol secures all communication and administrative authentication between multi-domain components, servers and SmartConsole applications.

Global Security Policy: A global security policy can be assigned to all managed domains or to multiple domains.

Global Objects: Maintain shared objects at a central location and deploy them globally across multiple domains.

Global IPS Policy: Manage IPS policies across multiple domains from a central location.

Cross-domain Objects: Search for network objects across multiple management domains.

Centralized Monitoring: Monitor all multi-domain system components and gateways from a central location.

Domain Independent Log Server: Collect and store security gateway logs for each domain in a separate, independent log server.

Multi-domain Dashboard: Assign global policies to different management domains and create and manage administrators and Graphical User Interface (GUI) clients, and control all management domains from a single, centralized console.

Granular Administrator Controls: Administrators can be assigned to specific domains and multiple administrators can be allowed to work on different management domains simultaneously.

Hierarchical Administrator Role Support: Assign administrators to different aspects of the multi-domain system.

Access for Multiple Simultaneous Administrators: Allow multiple administrators to work on different management domains simultaneously.

Multiple Authentication Methods for Administrators

Choose from methods such as an internal certificate authority, RADIUS, TACACS, and RSA for administrator authentication.

Redundancy and Backup: Synchronize multi-domain management databases between multiple multi-domain servers. Back up your virtual management domain using standard security management.

Domain High-availability: Synchronize domain databases between many multi-domain servers.

Export/Import of Multi-domain System and Domains: Export and import the multi-domain system or a specific domain, for maximum backup and recovery options.

Integrated into Check Point Software Blade Architecture: The Multi-Domain and Global Policy Software Blades can be easily and rapidly activated on existing Check Point security management servers, saving time and reducing costs by leveraging existing security infrastructure.

4. Domain in Forests

A forest can contain one or more domain container objects, all of which share a common logical structure, global catalog, directory schema, and directory configuration, as well as automatic two-way transitive trust relationships.

Forests are also the security boundaries of the logical structure and can be structured to provide data and service autonomy and isolation in an organization in ways that can both reflect site and group identities and remove dependencies on the physical topology.

4.1. Domain and Forest Structure

A forest consists of a structure of domain containers that are used to store information about objects on the network. Forests provide the structure by which domain containers can be segregated into one or more unique Domain Name System (DNS) namespace hierarchies known as domain trees.

Domain containers are considered the core functional units in the forest structure. Each domain container in a forest is used primarily to store and manage Active Directory objects, most of which have a physical representation.

4.2. Forest-to-Forest Trusts

Combining AD domains into a forest offers two main features:

All domains automatically trust each other; a forest trust gives us back this first benefit of a single forest.

Two forests that trust each other do not share a Global Catalog; forest trusts will not let applications that depend on the GC see the trusting forests as one single overall directory.

4.3. Structures of Building Multidomain in Forests

To obtain the benefits of automatic trust relationships, child domains must contain the names of their parent domains, and all of the domain names must fit into a neat hierarchy.

4.4. Domains as Containers within a Forest

Each time you create a new domain container in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain, and the security services located in every domain container in that forest. Domain containers hold subordinate containers such as organizational units.

Domain Containment Structure Within a Forest

Fig2. Objects are stored within logical Structure

4.4. Forest Root Domain

Every domain controller in a forest root is used to locate the configuration and schema directory partitions, and every copy of these partitions has the same distinguished name on every domain controller. The following operations occur when you create the forest root domain:

The Schema container and the Configuration container are created.

The Active Directory Installation Wizard assigns the PDC emulator, RID master, domain naming master, schema master, and infrastructure master roles to the domain controller.

4.5. Forests as Domain Containers that Trust Each Other

All domain containers in a forest share a common Global Catalog, directory schema, and directory configuration, as well as two-way transitive trust relationships. Because all of the domain containers are inherently joined through two-way transitive trusts, all authentication requests made from any domain in the forest to any other domain in the same forest will be granted. All security principals that are located in domain containers within a forest inherently trust each other.

Forest root and tree root domains define the DNS namespace for their subordinate domains; the namespace for each root domain must be unique.

Root Domains and DNS Namespaces

Fig3 Domain Containers, Root Domains and DNS Namespaces within a Forest

5. Domains in Units of Policy

Policy settings that are domain-wide apply only within the scope of a domain.

A domain is not the smallest unit of policy, since policy can also be assigned to organizational units; it is, however, the most commonly used unit when splitting administrative duties between departments and subsidiaries located in different geographical locations.

The policies associated with a GPO are applied only within the domain and not across domains.

A GPO can be associated with one or more Active Directory containers, such as a site, domain, or organizational unit.

Using delegated authority in conjunction with GPOs and group memberships allows one or more administrators to be assigned rights and permissions to manage one or more organizational units within the domain.

Delegation of Domains to Domain Admins

Fig4: Multiple Domains Admin Require Different Policies

6. Domains as Units of Replication

A domain is the smallest unit of replication that can be administered within an Active Directory forest. This is because all objects located within a domain container, also referred to as domain data, are replicated to the other domain controllers within that same domain, whether those domain controllers are reached over a wide area network (WAN) or local area network (LAN) connection.

Active Directory multi-master replication manages the transfer of domain objects to the appropriate domain controllers automatically, keeping domain data up-to-date among all domain controllers in the domain, regardless of location.

Active Directory replication transfers updates according to directory partition. Directory partitions are used to help organize how replication occurs within a forest.

Fig5 Replication of Domain Data within Each Domain in the Forest

Active Directory uses four distinct directory partition types to store and copy four different types of data.

The three forest-wide partitions are:

Configuration partition: replicated to each domain controller in the forest. It describes the topology of the forest and domain controller settings, including a list of all domains, trees, and forests and the locations of the domain controllers and Global Catalogs.

Schema partition: replicated to each domain controller in the forest. It defines all object and attribute data that can be stored in the directory. Active Directory domain controllers include a default schema that defines many object types, such as user and computer accounts, groups, domains, organization units, and security policies. Authorized users can alter the schema objects, which are protected by access control lists.

Application directory partitions: usually created by the applications that will use them to store and replicate data. They can contain any type of object except security principals. One of the benefits of an application directory partition is that, for redundancy and availability, the data can be replicated to different domain controllers in a forest.

All forest replication is multi-master, with three domain-wide and two forest-wide operations master roles. Forest-wide replication requires domain controllers and three other components of the Active Directory physical structure to be in place for optimal performance. These components are forest-wide operations master roles, sites, and Global Catalogs.

7. Domain Trees

A domain tree is a DNS namespace that has a single root domain and is built as a strict hierarchy; each domain below the root domain has exactly one parent domain.

In Active Directory, the rules that determine how trees function in the namespace are:

The name of the tree is the DNS name of the domain at the root of the tree.

The names of domains created beneath the root domain are always contiguous with the name of the tree root domain.

The DNS names of the child domains of the tree root domain reflect this organization.

When you add a new domain tree, it is linked to the root domain of the initial tree: a trust relationship is established between the root domain of the new tree and the forest root domain.

Because a trust relationship is transitive and two-way, the root domain of the third tree also has a two-way trust relationship with the root domain of the second tree.

The following operations occur when you create a new tree root domain in an existing forest:

Location of a domain controller in the forest root domain and synchronization of the domain system time with that of the source domain controller.

Creation of a tree-root trust relationship between the tree root domain and the forest root domain, and creation of the trusted domain object (TDO) in both domains. The tree-root trust relationship is two-way and transitive.

7. Trust Relationships

A trust relationship is a relationship established between two domains that allows users in one domain to be recognized by a domain controller in the other domain.

Trusts let users access resources in the other domain, and let administrators manage user rights for users in the other domain.

A trust relationship is created automatically between the forest root domain and the root domain of each domain tree added to the forest, with the result that complete trust exists between all domains in an Active Directory forest.

All domain trusts in an Active Directory forest are two-way and transitive and have the following attributes:

Two-way: When you create a new child domain, the child domain automatically trusts the parent domain, and vice versa.

Transitive: The trust reaches beyond the two domains in the initial trust relationship.

Transitive Trusts Facilitate Cross-Domain Access

Fig6. Transitive Trusts Facilitate Cross-Domain Access to Resources with a Single Logon
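
The automatic trusts described in the Domain Trees and Trust Relationships sections can be modelled in a few lines. The following Python sketch is an added illustration, not part of the original essay: the domain names are constructed samples and the function names are hypothetical. It assumes only the parent-child and tree-root trusts the essay describes, and shows that every domain in the forest is reachable from every other through a chain of direct trusts that turns at a common parent or at the forest root.

```python
# Added illustration, not from the essay. Domain names are constructed samples.
FOREST_ROOT = "corp.example"
DOMAINS = {"corp.example", "eu.corp.example", "sales.eu.corp.example",
           "partner.test", "dev.partner.test", "lab.test"}

def parent_of(domain, domains):
    """Parent by contiguous DNS name, or None when the domain is a tree root."""
    candidate = domain.split(".", 1)[1] if "." in domain else ""
    return candidate if candidate in domains else None

def automatic_trusts(forest_root, domains):
    """Two-way trusts created automatically: parent-child and tree-root."""
    trusts = set()
    for d in domains:
        p = parent_of(d, domains)
        if p is not None:
            trusts.add(frozenset((d, p)))            # parent-child trust
        elif d != forest_root:
            trusts.add(frozenset((d, forest_root)))  # tree-root trust
    return trusts

def trust_path(src, dst, forest_root, domains):
    """Domains crossed when src reaches dst through transitive trusts."""
    def chain_to_root(d):
        chain = [d]
        while d != forest_root:
            d = parent_of(d, domains) or forest_root
            chain.append(d)
        return chain
    up, down = chain_to_root(src), chain_to_root(dst)
    # Drop the shared tail so the path turns at the lowest common ancestor.
    while len(up) > 1 and len(down) > 1 and up[-2] == down[-2]:
        up.pop()
        down.pop()
    return up + down[-2::-1]

def hops_are_direct_trusts(path, trusts):
    """True when every consecutive pair on the path is a direct trust."""
    return all(frozenset(hop) in trusts for hop in zip(path, path[1:]))

if __name__ == "__main__":
    for a, b in (("sales.eu.corp.example", "dev.partner.test"),
                 ("partner.test", "lab.test")):
        print(" -> ".join(trust_path(a, b, FOREST_ROOT, DOMAINS)))
```

Because a forest of n domains yields n - 1 direct trusts that connect all of them, a review of who can authenticate where has to be scoped to the whole forest rather than to a single domain.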

8. Global Catalogs

The Global Catalog is hosted on one or more domain controllers in the forest and is created automatically on the first domain controller in the forest. It contains a partial replica of every domain directory partition in the forest. These partial replicas include replicas of every object in the forest, including the attributes required to locate a full replica of the object.

Applications and clients can query the Global Catalog to locate any object in a forest. Domain controllers can be configured to serve as Global Catalogs.

A Global Catalog serves the following roles:

Enables user searches for directory information about objects throughout all domains in the forest

Resolves user principal names (UPNs) during authentication, when the authenticating domain controller does not have information about the account

Supplies universal group membership information in a multiple domain environment

Validates references to objects in other domains in the forest


Multi-domain System differentiates itself on many levels. Using various features, such as its fast, synchronized multi-contextualized visuals, it empowers IT departments with tools that not only federate and store information like R2-D2, but also leverage that knowledge to better serve business needs when navigating an ever-changing landscape - like a veteran London cabbie. With the considerable challenges posed by today's demands on ICT infrastructure management, it's a wonder how IT departments can "hold that tiger" without it.