Lesson 6 Domains
Objective Define the function and purposes of Windows domains.

Windows Domain Controller

As you know, the core unit of the logical structure in Active Directory is the domain. The domain serves many functions: it can act as a security boundary and as a unit of replication. Windows NT domains, with which you may be familiar, are also security boundaries but function very differently from Windows 2000 Active Directory domains.

Domain as Security Boundary

A domain administrator has the permissions and rights to administer within that domain only, unless the administrator is explicitly granted those rights in another domain. Furthermore, administrative authority can be granted over one or a group of organizational units within a domain, providing for much more granular administration. By contrast, in Windows NT, the domain was the smallest administrative unit, so you could not grant administrative authority to a user for part of a domain.
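The granular delegation described above can be expressed as an access-control entry on the organizational unit itself. The script below is an added example, not code from the lesson: it grants one group the "Reset Password" extended right on user objects under a single OU, using the ActiveDirectory module's AD: drive; the OU path and group name are placeholders.

```powershell
# Added example (not from the lesson): delegate password-reset rights on one OU
# to a group, so help-desk staff administer that part of the domain only.
# Assumes the ActiveDirectory module; the OU and group below are placeholders.
Import-Module ActiveDirectory

$ouDN      = "OU=Sales,DC=example,DC=com"       # placeholder OU
$groupName = "Sales-Helpdesk"                   # placeholder group

# Well-known GUIDs from the AD schema: the "user" object class and the
# "Reset Password" (User-Force-Change-Password) extended right.
$userClassGuid      = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Read the OU's security descriptor through the AD: drive
$acl = Get-Acl -Path "AD:\$ouDN"

# Allow the extended right on user objects below the OU only (inherited to
# descendants of class "user"); nothing outside this OU is affected.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the ACEs on the OU that were granted to the group
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Because the ACE is scoped to descendants of the OU, the group gains no rights over users elsewhere in the domain, which is the point of delegating at the OU level rather than granting domain-wide administration.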

Domain as unit of Replication

All domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain.

How a domain behaves - Mixed Mode

Once established, a domain can function as a mixed-mode[1] or native-mode[2] domain. What does this mean?
A mixed-mode domain supports domain controllers that are running either Windows 2000 or Microsoft Windows NT. In a native-mode domain, all domain controllers run Windows 2000. After you install Active Directory and establish a domain, the domain and Active Directory are running in mixed mode until you explicitly change it to native mode. The slide captions below elaborate on these definitions and show how the domain functions once it has been created.


1) In a Windows network, the domain serves as a security boundary. The domain administrator has the necessary permissions and rights to administer within that domain only, unless he is explicitly granted rights in another domain.

2) Every domain has its own security policies and relationships with other domains.

3) Domains are also units of replication. All domain controllers in a domain participate in replication and contain a complete copy of all of the directory information for their domain.

4) Active Directory uses a multi-master replication model. All of the domain controllers in a particular domain can receive changes to information in Active Directory and replicate those changes to all of the other domain controllers in the domain.

5) After you install Active Directory and establish a domain, the domain and Active Directory are running in mixed mode. A mixed-mode domain supports domain controllers that are running either Windows 2000 or Windows NT.

6) Active Directory installs in mixed mode to provide support for existing domain controllers that have not been upgraded to the latest version of Windows.

7) In a native-mode domain, all domain controllers run Windows 2000. However, member servers and client computers do not need to be upgraded to Windows 2000 before you convert a domain to native mode.
Domain Security Boundary
The change from mixed-mode to native-mode is a one-way process; you cannot change from native-mode to mixed-mode.
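Because the change cannot be undone, an administrator wants a pre-flight check that no down-level domain controller is still in the domain before switching. The script below is an added example, not code from the lesson: it reads the domain head's ntMixedDomain attribute and enumerates every domain controller account, including NT backup domain controllers, by the SERVER_TRUST_ACCOUNT bit. It assumes the ActiveDirectory module; "example.com" is a placeholder domain.

```powershell
# Added example (not from the lesson): pre-flight check before switching a
# domain from mixed mode to native mode. The switch is one-way, so first
# confirm that no down-level (Windows NT) domain controller remains.
# Assumes the ActiveDirectory module; "example.com" is a placeholder domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain -Identity "example.com"

# The domain head carries ntMixedDomain (1 = mixed mode, 0 = native mode).
$head = Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain
"Domain:        $($domain.DNSRoot)"
"ntMixedDomain: $($head.ntMixedDomain)  (1 = mixed, 0 = native)"

# Enumerate every DC account, including NT backup domain controllers, by the
# SERVER_TRUST_ACCOUNT bit (0x2000 = 8192) in userAccountControl rather than
# with Get-ADDomainController, which only lists Active Directory DCs.
$dcs = Get-ADComputer -Server $domain.DNSRoot `
          -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" `
          -Properties operatingSystem, operatingSystemVersion |
       Select-Object Name, operatingSystem, operatingSystemVersion

$dcs | Format-Table -AutoSize

# Every DC holds a full, writable copy of the domain partition (multi-master
# replication), so each one must be an Active Directory DC before the switch.
# Active Directory DCs report operatingSystemVersion 5.0 or later; an NT DC
# leaves the attribute empty, so a missing value is treated as down-level.
$downLevel = $dcs | Where-Object {
    -not $_.operatingSystemVersion -or
    [version]($_.operatingSystemVersion -replace '\s.*$', '') -lt [version]'5.0'
}

if ($downLevel) {
    "Do not switch yet; down-level domain controllers remain:"
    $downLevel | ForEach-Object { "  $($_.Name)  $($_.operatingSystem)" }
} else {
    "All domain controllers run Windows 2000 or later; the domain can be switched."
}
```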
In the next lesson, you will learn more about organizational units.

[1] Mixed-mode domain: A domain that supports domain controllers running either Windows 2000 or Windows NT. Active Directory runs in this mode after installation until you explicitly change the domain to native mode.
[2] Native-mode domain: A domain in which all domain controllers are running Windows 2000 (no "down-level" domain controllers).