Windows 2000 Domains And Trees Computer Science Essay


According to Tech Terms (2005), a domain contains a set of computers that can be accessed and administered under a common set of rules. For example, a company may require all local computers to be networked within the same domain so that each computer can be seen from the other computers within the domain or located from a central server. Domain settings may also prevent traffic from outside the network from reaching the computers inside it, which adds an additional level of security.

Windows Domain:

According to Spanogle (2009), a Windows server domain is a logical group of computers running versions of the Microsoft Windows operating system that share a central directory database. This central database (known as Active Directory starting with Windows 2000, and also referred to as NT Directory Services, or NTDS, on Windows NT Server operating systems) contains the user accounts and security information for the resources in that domain. Each person who uses computers within a domain receives a unique account or user name. In a domain, the directory resides on computers that are configured as domain controllers. A Windows server domain is usually more appropriate for larger businesses.

Spanogle (2009) stated that a Windows workgroup, by contrast, is the other model for grouping computers running Windows in a networking environment, and it ships with Windows. Workgroup computers are considered standalone. A workgroup has no servers and clients; it represents the peer-to-peer (client-to-client) networking paradigm rather than the centralized client-server architecture. Windows workgroups are more suitable for small or home office networks.

Windows 2000 Domains

According to Microsoft (2001), a domain is an administrative boundary, and in Windows 2000 a domain represents a namespace that corresponds to a DNS domain.

Microsoft (2001) also stated that the first domain created in a Windows 2000 deployment is called the root domain; it is the root of all other domains created in the domain tree. The structure of Windows 2000 domains is similar to the familiar structure of DNS domain hierarchies. Root domains are domains such as or; they are the roots of their DNS hierarchies and the roots of the Windows 2000 domain structure. Domains subsequently created in a given Windows 2000 domain hierarchy become child domains of the root domain. In a domain hierarchy, Windows 2000 requires that each domain be either a root domain or a child domain. Windows 2000 also requires that domain names be unique within a given parent domain.

Microsoft (2001) explained that the idea behind domains is one of logical partitioning. Most organizations large enough to require more than one Windows 2000 domain have a logical structure that divides responsibilities or work focus. Dividing the organization into multiple units makes administration easier. Although work within the various sections may be separate and very different, the divisions collectively form a larger but logically complete entity. This concept also applies to the collection of Windows 2000 domains into one larger, contiguous namespace entity known as a tree.

Trees:

Trees, also called domain trees, are, according to Microsoft (2001), sets of Windows 2000 domains that form a contiguous namespace. A domain tree is formed as soon as a child domain is created and associated with a given root domain. Creating a domain tree enables an organization to build a logical structure within the organization and to have that structure comply with and mirror the DNS namespace.

Forests:

Microsoft (2001) also stated that a forest is one or more contiguous domain tree hierarchies that form a particular enterprise. Logically, this also means that an organization with only a single domain in its domain tree is also considered a forest. The forest model enables organizations that do not form a contiguous namespace to maintain organization-wide continuity in their aggregated domain structure. There are three major advantages of having a single forest. First, trust relationships are more easily managed (enabling users in one domain tree to gain access to resources in another tree). Second, the Global Catalog incorporates object information for the entire forest, which makes searches across the entire enterprise possible. Third, the Active Directory schema applies to the entire forest.

A Windows 2000 domain is created when the first domain controller is created in a network. A domain cannot exist without at least one domain controller, and a DNS domain name identifies each domain controller. Understanding domains includes understanding the domain structure, domain servers and types of domains (Burnett, 2001).

Domain structure:

Trees, forests, trusts and organizational units together make up the Windows 2000 domain structure (Burnett, 2001).

Each of these is discussed below:

Trees:

According to Burnett (2001), a tree is a set of one or more domains with contiguous names. A single tree is a contiguous namespace. In a contiguous namespace, every domain name inherits the name of the domain ahead of it in the hierarchy. The figure below shows a tree with a contiguous namespace.

Figure: Single tree with three domains forming a contiguous namespace (Root Domain, Child Domain, Grandchild Domain).

The first domain created in a tree is the tree root domain. When you create more domains in the same domain tree, they are called child domains. The domain immediately above a child domain in the same domain tree is its parent. Domains in a contiguous namespace have contiguous DNS domain names. The domain names are formed in the following way: the domain name of the child domain appears to the left of the parent domain name, and a period separates the two names, e.g.,

Burnett (2001) explained that in a tree with more than two domains, every domain's parent name is to its right in the domain name, e.g., The parent-child relationship between domains in a domain tree is a trust and naming relationship. Administrators in a parent domain are not automatically administrators in a child domain, and domains do not automatically inherit policies from a parent domain.

Forests:

Burnett (2001) also stated that forests are groups of trees with a noncontiguous namespace. All members of the forest have transitive Kerberos trust relationships with each other as long as the Windows 2000 domains run in native mode. The trees in the forest share the same configuration, schema and global catalog. A global catalog is created automatically on the first domain controller created in the forest. It stores a complete replica of all objects in the directory for its hosting domain and a partial replica for all other domains in the forest. The figure below illustrates a forest with two domain trees.

Figure: One forest with two domain trees (tree A: Root Domain A, Child Domain A, Grandchild Domain A; tree B: Root Domain B, Child Domain B, Grandchild Domain B).
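The naming rule above (child label, a period, then the parent's full name) is enough to sort a list of domain names into trees and a forest. The following Python is an added example, not code from the essay or from Microsoft; all domain names in it are constructed for illustration.

```python
# Added example, not from the essay: sort a set of Windows 2000 domain
# names into domain trees using the naming rule the text describes. A
# child domain's DNS name is its own label, a period, and then its
# parent's full name, so domains that share a root suffix form one tree
# (a contiguous namespace) and several such trees form a forest.
# All domain names below are constructed for illustration.

def parent_of(name, domains):
    """Return the parent of `name`, or None if `name` is a tree root.

    The parent is the name with its leftmost label removed. If that name
    is not itself a domain in the set, the namespace is not contiguous at
    this point, so `name` must be the root of its own tree.
    """
    labels = name.split(".")
    if len(labels) < 2:
        return None
    candidate = ".".join(labels[1:])
    return candidate if candidate in domains else None

def build_forest(names):
    """Group domains into trees: {tree root: sorted list of its domains}."""
    # DNS names are case-insensitive, so normalise before comparing
    domains = {n.lower().rstrip(".") for n in names}
    parents = {d: parent_of(d, domains) for d in domains}
    trees = {}
    for d in domains:
        root = d
        while parents[root] is not None:   # walk up to the tree root
            root = parents[root]
        trees.setdefault(root, []).append(d)
    return {root: sorted(members) for root, members in trees.items()}

def depth(name, names):
    """0 for a tree root, 1 for a child domain, 2 for a grandchild, ..."""
    domains = {n.lower().rstrip(".") for n in names}
    name = name.lower().rstrip(".")
    level = 0
    while (name := parent_of(name, domains)) is not None:
        level += 1
    return level

# constructed forest: one three-level tree plus a second, non-contiguous tree
FOREST_DOMAINS = [
    "example.com",              # root domain of tree A
    "sales.example.com",        # child domain
    "west.sales.example.com",   # grandchild domain
    "Partner.net",              # root domain of tree B (separate namespace)
    "eu.partner.net",           # child domain of tree B
]

if __name__ == "__main__":
    for root, members in build_forest(FOREST_DOMAINS).items():
        print(root, "->", members)
```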

Trusts:

A trust relationship is the mechanism by which a domain controller in one domain can authenticate users in another domain. In Windows NT 4.0 domains all trusts were non-transitive. Every trust was a one-way relationship that you had to establish explicitly. For two domains to trust each other, you had to establish two separate trust relationships, one for each direction.

Windows 2000 permits transitive trusts within the same forest. A transitive trust is always a two-way trust. When you create a child domain, Windows 2000 automatically creates a transitive trust between the child and parent domain. However, transitive trusts do not exist at all until you remove all Windows NT domain controllers from the domain and then explicitly switch the Windows 2000 domain from mixed to native mode. This is because Windows 2000 does not permit transitive trusts in mixed mode (Burnett, 2001).
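The difference between non-transitive one-way trusts and the automatic two-way transitive trusts of a native-mode domain can be checked mechanically. The following Python is an added example, not code from the essay; it assumes, as a simplification matching the text, that every trust in a native-mode domain is transitive and that mixed-mode and NT 4.0 domains honour direct trusts only. Domain names are constructed.

```python
# Added example, not from the essay: a small model of the two trust models
# the text contrasts. A trust is a directed pair (trusting, trusted): the
# trusting domain's controllers accept accounts from the trusted domain.
# Under Windows NT 4.0 every trust is one-way and non-transitive; in a
# Windows 2000 native-mode forest the automatic parent-child trusts are
# two-way and transitive. Domain names are constructed for illustration.
from collections import deque

NT4, MIXED, NATIVE = "nt4", "mixed", "native"

def parent_child_trusts(parents):
    """Windows 2000 creates a two-way trust between each child and its parent.

    `parents` maps child domain -> parent domain.
    """
    trusts = set()
    for child, parent in parents.items():
        trusts.add((child, parent))
        trusts.add((parent, child))
    return trusts

def can_authenticate(trusting, trusted, trusts, mode):
    """Can a DC in `trusting` authenticate a user whose account is in `trusted`?

    Assumption: only a native-mode Windows 2000 domain follows trust chains;
    NT 4.0 and mixed-mode domains honour direct trusts only.
    """
    if trusting == trusted:
        return True
    if mode != NATIVE:
        return (trusting, trusted) in trusts
    # transitive case: breadth-first search along trusting -> trusted edges
    seen = {trusting}
    queue = deque([trusting])
    while queue:
        current = queue.popleft()
        for a, b in trusts:
            if a == current and b not in seen:
                if b == trusted:
                    return True
                seen.add(b)
                queue.append(b)
    return False

def nt4_full_mesh(domains):
    """NT 4.0 needs an explicit one-way trust for every ordered pair: n*(n-1)."""
    return {(a, b) for a in domains for b in domains if a != b}

# constructed tree: example.com -> sales.example.com -> west.sales.example.com
PARENTS = {
    "sales.example.com": "example.com",
    "west.sales.example.com": "sales.example.com",
}
W2K_TRUSTS = parent_child_trusts(PARENTS)   # 4 one-way edges = 2 two-way trusts
```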

Organizational Units:

Burnett (2001) specified that organizational units are similar to domains in that they are also containers for network objects, such as resources and user accounts. In contrast to domains, they do not require domain controllers and they do not mark security boundaries. In fact, they provide a way of organizing the domain without the need for additional domain controllers and security policies.

Windows 2000 mixed and native mode:

According to Gerber (2001), when you create a new Windows 2000 Server domain, either by installing Windows 2000 from scratch or by upgrading an NT Server 4 server, the domain is set to mixed mode. In mixed mode, Windows 2000 domain controllers can communicate with NT 4 domain controllers in the same or other domains; Windows 2000 domain controllers emulate NT 4 domain controllers when interacting with them. You must leave a Windows 2000 domain in mixed mode until your last NT 4 domain controller is gone. Then you will want to switch to native mode.

Craft (2001) also stated that native mode domains are those that have only Windows 2000 DCs and have been changed manually to native mode. After upgrading the PDC, the BDCs should be upgraded as soon as possible. This makes it possible to switch the domain to native mode, at which point clients and servers alike can take part in the advanced features of Active Directory. A domain cannot be switched back once it is in native mode.

For example, a mixed mode domain is limited to 40,000 objects, while in native mode this number can be at least a million.

Native mode benefits:

Price and Fenstemacher (2008) explained that native mode gives the best options Windows 2000 has to offer. Global and domain local groups can be nested, and universal security groups are available, which makes administering large organizations easier. Native mode and higher modes allow the following group functions and features:

*Domain local groups

*Universal groups

*Group nesting

*Switched-off NETLOGON synchronization

DNS:

DNS stands for Domain Name System, the TCP/IP client/server protocol used as the naming system for network hosts. Tulloch (2001) stated that DNS provides both a system for logically naming computers on the network and a way of resolving logical hostnames into their associated IP addresses. DNS is closely associated with Windows 2000 Active Directory and is important for two reasons:

*DNS is the naming system used for naming Windows 2000 domains. In Windows NT, domains had NetBIOS names that had nothing to do with DNS.

*DNS is also used by Windows 2000 as its domain locator service.

The differences between a DNS domain and a Windows 2000 domain are given below.

DNS Domain:

A DNS domain identifies a managed part of the DNS namespace and is associated with resource records within a database file located on one or more DNS servers that are authoritative for that zone.

Windows 2000 Domain:

A group of computers bound under a common security policy that controls how users can access the network and shared resources. DNS domains and Windows 2000 domains are named similarly in Windows 2000. While each Windows 2000 domain requires an associated DNS domain to be created and configured for it, a DNS domain does not require a corresponding Windows 2000 domain. This is because DNS is not restricted to Active Directory based networks but applies to the Internet overall (Tulloch, 2001).

The following are a few things you can do with DNS on Windows 2000 Server.

Delegation:

You can create subdomains in your DNS domain and delegate authority over those subdomains to different name servers. This allows you to:

*Distribute the work of maintaining DNS in an organization with a large number of hosts and more than a couple of name servers.

*Delegate to users in different departments the job of administering DNS for their subdomains.

Dynamic Update:

Dynamic update is a process that enables resolvers to automatically update their associated resource records on their zone's primary name server. Dynamic DNS can be used with either standard or Active Directory integrated zones. Dynamic DNS can also be used in conjunction with DHCP to make the DNS administrator's job easier (Tulloch, 2001).

Load sharing:

Tulloch (2001) discussed that DNS in Windows NT could use a mechanism known as round robin to load-balance access to multiple servers offering the same service. For example, if you had three web servers hosting mirrored copies of the same site, you would create three A records as follows: IN A IN A IN A

Then, when clients contacted the name server to resolve the name into an IP address, the server returned the IP addresses in round robin fashion: the first client receives one address, the next request receives the next address, and so on.

This is not the way it works in Windows 2000's version of DNS. Instead, Windows 2000 tries to determine which of the three resource records is closest to the client and uses that record to resolve the name (Tulloch, 2001).
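The two answer-ordering behaviours just described, round robin versus closest-record-first, as an added Python example that is not code from the essay. Names and addresses are constructed, and "closest" is modelled, as a stated simplification, as sharing the client's subnet rather than anything Windows 2000 actually measures.

```python
# Added example, not from the essay: two ways a DNS server can order the
# A records for one name, matching the contrast the text draws. Round
# robin (Windows NT) rotates the list on each answer; the Windows 2000
# behaviour is modelled here, as a simplifying assumption, by placing the
# record that shares the client's subnet first. Names and addresses are
# constructed (RFC 5737 documentation ranges).
from ipaddress import ip_address, ip_network

# three A records for the same host, as in the text's mirrored web servers
A_RECORDS = {
    "www.example.com": ["192.0.2.10", "198.51.100.10", "203.0.113.10"],
}

class RoundRobinServer:
    """Returns all records for a name, rotated one step per query."""

    def __init__(self, records):
        self.records = {name: list(addrs) for name, addrs in records.items()}
        self.offset = {name: 0 for name in records}

    def resolve(self, name):
        addrs = self.records[name]
        i = self.offset[name]
        self.offset[name] = (i + 1) % len(addrs)   # next client starts one later
        return addrs[i:] + addrs[:i]

def order_by_closeness(addrs, client_ip, prefixlen=24):
    """Model of 'closest record first': addresses inside the client's
    /prefixlen network come first; the rest keep their original order.
    Assumption: closeness means a shared subnet, not measured latency."""
    client_net = ip_network(f"{client_ip}/{prefixlen}", strict=False)
    near = [a for a in addrs if ip_address(a) in client_net]
    far = [a for a in addrs if ip_address(a) not in client_net]
    return near + far

def resolve_windows2000_style(records, name, client_ip):
    """The address the modelled Windows 2000 server hands this client first."""
    return order_by_closeness(records[name], client_ip)[0]
```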

Domain Controllers (DCs):

A domain controller is a server that provides Active Directory services to clients and users. It stores a copy of the domain's objects, along with the Active Directory schema and configuration, in so-called partitions or naming contexts. A DC stores domain partition information only for the domain to which it belongs, but it stores schema and configuration partition information for the entire Active Directory. Active Directory uses a multi-master replication model in which every DC is equal. Some DCs within the forest play an additional role in Active Directory: Flexible Single Master Operations (FSMO) is a role that some DCs play, and the Primary Domain Controller (PDC) emulator is an example of an FSMO role (Brovick, Hauger and Wade, 2000).

Tulloch (2001) also explained that a domain controller is a computer on which Active Directory is installed. Domain controllers serve several purposes in Windows 2000. A domain controller allows users to access the network. It provides pass-through authentication to allow users to access network resources. It also allows users to search Active Directory for published information about users, groups, computers and other directory objects. A domain can have one or more domain controllers, but a minimum of two is recommended for fault tolerance. The number of domain controllers needed in a domain depends mainly on:

*The number of active users in the enterprise who need to log on to the domain.

*The number of sites that the domain spans and the available bandwidth of the WAN connections.

User Authentication:

Tulloch (2001) explained that when a user on a Windows 2000 network wants to log on from a client computer, the client first needs to find a domain controller for authentication. A search is used to locate the nearest domain controller that the client can use. The client then contacts this domain controller and is authenticated using either:

*Kerberos v5 authentication protocol

*NTLM authentication protocol

Replication:

Domain controllers within a domain automatically replicate updates made to them to all other domain controllers in the domain. This process is called multimaster replication. Domain controllers in different domains do not replicate fully with each other; otherwise the directory databases in a large organization would grow too large to provide adequate performance for queries issued against them, and replication traffic could swamp other network traffic (Tulloch, 2001).

Active Directory:

According to Heywood (2001), Active Directory (AD) is the technological hub of Windows 2000 Server, providing a distributed, global store for information about servers and services, clients, users, groups and applications. Although AD does not replace the Windows domain model that Windows 2000 inherits from Windows NT, AD adds a lot of polish to the domain structure, which makes it much easier to manage multidomain enterprises.

The most obvious contribution of Active Directory is that it provides a hierarchical global directory (one that is available everywhere in the enterprise) which describes all the network resources in the enterprise. Active Directory is not a network service, but it is involved in many network services; in particular, AD stores host identification and service location data in DNS. Windows 2000's support for secure IP (IPSec) depends on Active Directory (Heywood, 2001).

Microsoft (2001) stated that Windows 2000 domains and Active Directory depend on each other and define each other's characteristics. The close and indivisible relationship between Windows 2000 domains and Active Directory services requires clarification of the Windows 2000 domain model and how it interacts with Active Directory services.

Designing a Windows 2000 Active Directory structure:

According to Shinder (2000), the Windows 2000 Active Directory structure is composed of two aspects, the logical structure and the physical structure. The logical structure is made up of a hierarchy of forests, schemas, trees, domains and organizational units (OUs). This logical structure helps organize the accounts and resources in the directory. The physical structure is made up of sites and domain controllers and determines when and where logon and replication traffic will occur.


Active Directory provides features to improve security and provides support for single sign-on. With Active Directory, integration is possible with Windows 2000's support for Kerberos, an industry standard for authentication. Active Directory also has an impact on public key infrastructure: with Active Directory as part of Windows 2000, PKI capability is integrated into Active Directory, which provides the ability to mirror and replicate certificate information. Smart cards are able to hold certificates and can take advantage of Active Directory's PKI support (Brovick, Hauger and Wade, 2000).

Types of threats to Active Directory:

Irsfeld (2009) stated that threats are classified according to the target of the attack. This type of threat analysis is referred to by the acronym STRIDE, which is derived from the first letter of each category of threat; a category of social engineering is also added, as described below.

Spoofing

According to Irsfeld (2009), a spoofing attack is illicit access to network resources by unauthorized users. Spoofing involves forging the identity of a valid system user or resource to access the system, thus compromising system security. It includes:

*Using false credentials.

*Changing the identity that is associated with an Active Directory object.

*Subverting a secure logon mechanism.

Tampering with Data

Tampering causes unauthorized modification of data, resulting in loss of data integrity. Irsfeld (2009) discussed that this type of attack modifies system or user data, with or without detection, resulting in an unauthorized change to network information, network communication or sensitive files, or in formatting a hard disk. It includes:

*Causing a trusted entity to modify data improperly.

*Modifying data that should not be accessed.

*An elevation of privilege attack, which allows the user to tamper with data.

Repudiation

Irsfeld (2009) explained that a repudiation attack performs an authorized or unauthorized action and then eliminates any evidence that could prove the identity of the attacker. It is associated with users who can deny wrongdoing without any way to prove the contrary. It includes:

*Tampering with the security log to hide the identity of the attacker.

*Circumventing the logging of security events.

Information Disclosure

Information disclosure is a risk if a user can access data, intentionally or unintentionally, that the user is not meant to see, which leads to the loss of data privacy, confidential data or both (Irsfeld, 2009).

This attack includes:

*Gaining access to data that is considered private and protected.

*Using social engineering to improperly reveal user identities or passwords.

*Sniffing data on a network while in transit.

Denial of Service

Irsfeld (2009) highlighted that the aim of this attack is the loss of access for legitimate users to a server or to services. In general, denial-of-service attacks occur when attackers either disable critical services on a computer or consume so many system resources that none remain available to legitimate users. Resources that can be exhausted include CPU cycles, disk space, memory, server connections and network bandwidth, among others. Denial-of-service attacks include:

*Consuming CPU cycles by infinite or very long programmatic looping.

*Consuming excessive memory or monopolizing a shared file to prevent legitimate use.

*Causing a crash, restart, or error mechanism to interfere with normal use.

Elevation of Privilege

According to Irsfeld (2009), this attack is illicit access to network resources or services by unauthorized users. The most severe form of an elevation-of-privilege attack is a situation in which an attacker effectively penetrates all system defenses. The attacker then becomes part of the trusted system itself and can compromise or destroy the system completely. It includes:

*Improperly gaining unrestricted rights.

*Running untrusted data as native code in a trusted process.

*Spoofing a more privileged identity to get elevated privileges.


Social Engineering

Irsfeld (2009) also stated that social engineering is any type of behavior that inadvertently or intentionally aids an attacker in obtaining a user's password. For example, someone in the organization might:

*Write their password and place it in a location where a coworker could find it.

*Coax a fellow worker into revealing their password.

*Befriend a janitor or other worker who has physical access to domain controllers.

Active Directory architecture:

Data stored in AD consists of objects that have properties called attributes. Objects are derived from classes, which are the object templates defined by the schema. We will look at objects, attributes, classes and schemas in the following sections (Heywood, 2001).

Objects:

Heywood (2001) also explained that Active Directory is a directory of objects such as user accounts, groups, Windows servers, domains and so on. Among the types of objects are many that you will recognize if you have worked with Windows NT, such as user accounts and groups. But there are new types of objects as well, with no parallels in Windows NT domains, such as organizational units.

There are two types of objects in Active Directory:

Container objects: these store other objects, including leaf objects and other container objects. (In a file system, directories are container objects that can store files and other directories.)

Leaf objects: these do not store other objects. A leaf object describes a physical or logical network entity such as a server, user account or domain. AD includes dozens of types of leaf objects. (In a file system, files are leaf objects.)

Thus container objects can be nested in other container objects. The Active Directory hierarchy is constructed primarily of domain container objects.

Attributes:

Heywood (2001) generalized that objects have properties that are defined by their attributes. An attribute consists of a label and a value that describe a specific property of the object. A user object has a couple of dozen attributes, e.g.:

*First name

*Last name

*Telephone number

*Profile path

*Login script

*Remote access permissions

The idea of attributes is not all that new, although we are used to thinking of them as properties. Under Windows NT we manage user accounts by configuring parameters for each account; in AD these are managed as attributes of objects. But the way the attributes come to be part of the user object is different under Active Directory. In Windows 2000, attributes are extensible characteristics of the objects they describe (Heywood, 2001).

Classes:

Heywood (2001) also explained that a given object is an instance of an object class. An object class serves as a template for creating new objects. Every object created from a class will have the same characteristics, e.g., when you create a new user account, you create a new instance of the user class.

Schemas:

Unlike the parameters associated with a Windows NT object, the properties of a class can be modified to accommodate the needs of applications or organizations. The overall definition of the object classes in the Active Directory database, together with the way objects and the properties associated with them form the database, is the schema. An AD schema can be modified and extended, e.g., to add new object types or to extend existing ones (Heywood, 2001).