Windows NT's directory, also called the SAM (Security Accounts Manager) database, contained user, group and machine accounts. It was a single-master database, which means it could be edited on one machine only: the Primary Domain Controller, or PDC. The PDC replicated this database to the Backup Domain Controllers (BDCs) on a regular schedule, and each BDC held a read-only copy of the directory.
By contrast, Windows 2000 has a multi-master directory service. Domain controllers are neither primary nor backup, but simply domain controllers. Changes can be made on any instance of the database, and the replication process propagates them to the other domain controllers transparently.
In Windows NT, the domain was the unit of administration, and it was also a geographic and replication boundary. This presented designers with problems: typically more domains were created than the organization actually needed, simply to work around the limitations of the NT directory structure.
In Windows 2000, the domain can still be all of those things. But administration can also be delegated within a domain to other containers called Organizational Units (OUs), so a domain need not be an administrative boundary. Replication is scheduled between sites, and a site is a geographic area rather than a domain. Therefore the domain is no longer a geographic or replication boundary.
The Windows 2000 directory service simplifies things for the network designer by allowing a greater degree of flexibility. In this unit we will look more closely at Active Directory, covering planning and design issues, implementation, and maintenance and troubleshooting.
By default, a domain functions as an administrative boundary, a replication boundary and a geographic boundary. A domain consists of at least one domain controller, and this machine will typically be the first server on the network. Any Windows 2000 Server machine can be promoted to a domain controller (DC) at any time using the DCPROMO command; the same tool demotes a DC back to a member server.
As the enterprise network grows, it may be desirable to create more than one tree. By this point you will have built at least the root and first domain of one tree.
As you add the next domain, you indicate that it has no appropriate parent within the current tree and that you are adding a new tree.
This creates a forest of trees. The trees in a forest share a common root (the forest root domain) and a common schema, but their DNS namespaces are non-contiguous.
This arrangement is typical only of very large organizations. It is desirable where a certain degree of interoperability is required between the parts of the organization, but most administrative functions need to be kept separate.
A trust relationship binds the top-level domains of the trees together, so that in the example comsurf trusts bootkamp and vice versa. Because the trust is a two-way transitive link, every sub-domain trusts every other sub-domain within the forest, so once again a user account anywhere in the forest could be granted access to a resource anywhere else in the forest. Note that trust only makes the account's identity acceptable to the resource's domain; the account still has to be granted permission in the resource's access control list before it can use the resource.
With Windows 2000, the domain can be divided into Organizational Units, each of which can have its own administrator. Some or all of the administrative tasks for the objects in an OU can then be delegated to users within that OU, without making them administrators of the whole domain.
OUs can be given names which reflect their geographic location, their departmental structure (as above) or any other
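The delegation just described, as an added example that is not part of the original course text: it creates a departmental OU, a group to hold that department's delegated administrators, and grants the group only the rights needed to manage user accounts inside the OU (create and delete users, edit their properties, reset their passwords), and then reads the OU's ACL back to confirm what was granted. The domain corp.example, the OU name "Sales" and the group name "Sales-Admins" are assumptions. The script uses the ActiveDirectory PowerShell module of Windows Server 2008 R2 and later, which did not exist on Windows 2000; the same rights can be set on Windows 2000 through the Delegation of Control wizard, but this script is a modern equivalent, not the page's own procedure.

```powershell
# Added example: delegate user administration for one OU to a group.
# Assumed names: domain corp.example, OU "Sales", group "Sales-Admins".
# Requires the ActiveDirectory module (RSAT or a DC), run as a user who may
# write the OU's security descriptor (e.g. a Domain Admin).
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example
$ouName    = "Sales"
$ouDn      = "OU=$ouName,$domainDn"
$groupName = "Sales-Admins"

# 1. An OU that reflects the departmental structure.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. A security group that will hold the delegated administrators of this OU.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
}
$groupSid = (Get-ADGroup -Identity $groupName).SID

# Fixed, well-known GUIDs from the AD schema.
$userClassGuid     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # 'user' object class
$resetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # 'Reset Password' extended right

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow

# 3. Build the ACL: only user objects, only below this OU.
$acl = Get-Acl -Path "AD:\$ouDn"

# Create and delete *user* objects in this OU and any child OUs.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, ($rights::CreateChild -bor $rights::DeleteChild), $allow,
    $userClassGuid, $inh::All)))

# Read and write all properties of user objects below this OU (not groups,
# computers or OUs, which would let the delegate escalate further).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
    $inh::Descendents, $userClassGuid)))

# Reset passwords of user objects below this OU, and nothing else.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, $rights::ExtendedRight, $allow,
    $resetPasswordGuid, $inh::Descendents, $userClassGuid)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Check: read back exactly what the group now holds on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The three rules are deliberately scoped by object class and by inheritance: granting generic Full Control on the OU would let a Sales administrator create or modify groups and computers, or move objects, which is more than "administer the users in Sales". The final read-back is the check worth keeping in any delegation script, because an ACE with the wrong inherited object type silently grants far more than intended.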