Windows 2000 Active Directory

Windows 2000 Active Directory is such a fundamental change to the Windows networking philosophy that it is the main focus of two of the seven core exams. Although the Server exam refers to a few Active Directory concepts, you won’t need the type of in-depth knowledge for it that is required for the two Active Directory exams.

Active Directory Basics

A Windows 2000 domain has a few differences from a Windows NT domain. A Windows 2000 domain uses DNS domain names rather than NetBIOS names. DNS is the hierarchical naming scheme commonly used on the Internet. This method of organizing is sometimes called a namespace.

The first Windows 2000 Server in a domain can be assigned a DNS domain name, like mycompany.com. This computer would be called the root server. Unless you specifically join an existing forest, a new forest will be automatically created with mycompany.com as the forest root domain. As more child domains get added to the domain tree, their names are added to the root domain name.

Each department with its own domain would add its unique name in front of the root domain, like sales.mycompany.com or service.mycompany.com. If the sales force is divided into inside and outside sales, these child domains would also add their unique name to the front of their respective parent domains, like inside.sales.mycompany.com and outside.sales.mycompany.com.

If mycompany.com merges with yourcompany.com and we both have Windows 2000 domains, the yourcompany.com domain tree can become a member of the mycompany.com forest or vice-versa. Forests allow transitive trusts. This means that if computer A trusts computer B and computer B trusts computer C, then computer A automatically trusts computer C without having a separate trust relationship established. This works automatically throughout the entire forest, regardless of the domain.

Planning and Implementing Active Directory

Planning your naming scheme is one of the first considerations. You can choose to register a single domain name for use inside and outside a firewall, or you can register two separate domain names. There are advantages and disadvantages to both methods.

If you choose to use the same domain inside your network as you use for your Internet presence, you have to be very careful not to allow access to private data on the public Internet. Because of the additional security concerns, it is generally more complex to successfully manage a domain using this naming scheme.

If you choose to use a different domain name inside your network than you use for your Internet presence, it is much easier to figure out whether a resource is public or private. This makes the security a bit easier to manage.

Installing Active Directory Services

If you’ve just finished installing Windows 2000 Server on the first computer in the domain and the Configure Your Server window is being displayed, choose the Active Directory Installation Wizard. Otherwise, you can open the Configure Your Server window by choosing it from the Start > Programs > Administrative Tools menu.

Managing an Active Directory Network

In the Active Directory system, all network resources are called objects. Common objects include users, groups, computers, and printers. You can organize these objects into manageable groups, called Organizational Units (OUs). You can then add, move, or remove objects in an OU using the Active Directory Users and Computers snap-in, which can be found under the Start > Programs > Administrative Tools menu.

You can make the organizational units reflect the actual structure of your company or group objects with similar functions. Because it is easy to move objects from one OU to another, you can be flexible and creative in dividing your network’s resources without much worry of having to get it absolutely perfect the first time. An additional administrative aid is that you can assign permissions to an entire OU at once or to any individual objects within the OU.

You might consider putting all of the file servers or printers in an OU and assigning their administration to a junior system administrator. This can be accomplished using the Delegation of Control Wizard (see Figure 8-3), which can be accessed from the Active Directory Users and Computers snap-in. The wizard will walk you step by step through the delegation process. This is a great low-risk way to give junior administrators some additional responsibility.

Figure 8-3. The Delegation of Control Wizard
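Once the wizard has finished, the delegation exists only as access control entries on the OU, so the check an administrator wants is a listing of exactly which rights were granted and to whom. The following PowerShell is an added example, not from the book, and assumes the RSAT ActiveDirectory module (available from Windows Server 2008 R2 / Windows 7 onward, not on Windows 2000 itself); the OU distinguished name is a constructed sample.

```powershell
# Added example (not from the book): review what the Delegation of Control
# Wizard actually granted on an OU by listing its explicit (non-inherited) ACEs.
# Assumes the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName
    )

    # Rights that amount to full control over the objects in the OU; a
    # "junior administrator" delegation normally should not include these.
    $broadRights = @('GenericAll', 'WriteDacl', 'WriteOwner')

    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)

    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            $rights  = $_.ActiveDirectoryRights.ToString()
            $isBroad = @($broadRights | Where-Object { $rights -match $_ }).Count -gt 0
            [pscustomobject]@{
                Principal  = $_.IdentityReference.Value
                Rights     = $rights
                Type       = $_.AccessControlType
                AppliesTo  = $_.InheritanceType   # None, All, Descendents, ...
                ObjectType = $_.ObjectType        # schema GUID; all zeros = every attribute/class
                Broad      = $isBroad
            }
        }
}

# Constructed sample OU; replace with the OU you delegated.
Get-OuDelegation -OuDistinguishedName 'OU=File Servers,DC=mycompany,DC=com' |
    Sort-Object Broad -Descending |
    Format-Table -AutoSize
```

Entries flagged Broad give the delegate more than the wizard's task-based options normally imply and are worth reviewing against what was intended.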
