It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed (AD Certificate Services, AD Federated Services, etc.).

It is an LDAP-compliant database that contains objects. The most commonly used objects are users, Directory services, and groups. These objects can be organized into organizational units (OUs) by any number of logical or business needs.

This answer refers specifically to Active Directory Domain Services.

What is a domain and what is a forest?

A forest is a security boundary. Objects in separate forests are not able to interact with each other, unless the administrators of each separate forest create a trust between them.

For example, an Enterprise Administrator account for domain1. If you have multiple disjoint business units or have the need for separate security boundaries, you need multiple forests. A domain is a management boundary.

Domains are part of a forest. The first domain in a forest is known as the forest root domain. In many small and medium organizations (and even some large ones) you will only find a single domain in a single forest.

The forest root domain defines the default namespace for the forest. For example, if the first domain in a new forest is named domain1.

If you have a business need for a child domain, for example - a branch office in Chicago, you might name the child domain chi. The FQDN of the child domain would be chi.

You can see that the child domain's name was prepended to the forest root domain's name. This is typically how it works. You can have disjoint namespaces in the same forest, but that's a whole separate can of worms for a different time.

In most cases, you'll want to try and do everything possible to have a single AD domain. It simplifies management, and modern versions of AD make it very easy to delegate control based on OU, which lessens the need for child domains.

I can name my domain whatever I want, right?

It does let you make bad decisions with your naming, so pay attention to this section if you are unsure. First of all, don't use made up TLDs like.

Those TLDs are not reserved. If you own mycompany. If you use mycompany. In most cases, a Domain Controller will hold a copy of the Global Catalog. A Global Catalog (GC) is a partial set of objects in all domains in a forest.

It is directly searchable, which means that cross-domain queries can usually be performed on a GC without needing a referral to a DC in the target domain.

If port (if using SSL) is queried, then a standard LDAP query is being used and objects existing in other domains may require a referral. When a user tries to log in to a computer that is joined to AD using their AD credentials, the salted and hashed username and password combination is sent to the DC for both the user account and the computer account that are logging in.
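The forest, domain, Global Catalog and trust concepts described in the answer above can be inventoried from a domain-joined machine. This is an added example, not code from the original answer; it assumes the ActiveDirectory RSAT module is installed and that `someuser` is a constructed placeholder account name.

```powershell
# Added example: inventory the forest structure (forest root, child domains,
# Global Catalog servers, trusts). Assumes the ActiveDirectory RSAT module and
# a session running as a domain user with read access to the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
[pscustomobject]@{
    ForestName     = $forest.Name
    RootDomain     = $forest.RootDomain                 # the forest root domain
    Domains        = ($forest.Domains -join ', ')       # root plus any child domains
    GlobalCatalogs = ($forest.GlobalCatalogs -join ', ')
    ForestMode     = $forest.ForestMode
} | Format-List

# Per domain: show whether it is the forest root or a child, and its DNS name.
# A child domain's DNSRoot is its short name prepended to the parent's name.
foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Identity $name
    [pscustomobject]@{
        Domain       = $dom.DNSRoot
        NetBIOSName  = $dom.NetBIOSName
        ParentDomain = $dom.ParentDomain          # $null for the forest root
        IsForestRoot = ($dom.DNSRoot -eq $forest.RootDomain)
    }
}

# Trusts are the only way objects cross a forest (security) boundary, so they
# are worth reviewing regularly: direction, transitivity and type.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest, TrustType

# Cross-domain lookup: searching the GC:// namespace covers the partial replica
# of every domain in the forest, so no referral to the object's home DC is
# needed. The same filter against LDAP:// on one DC only covers that domain.
# 'someuser' is a constructed placeholder; replace with a real sAMAccountName.
$searcher = [adsisearcher]'(&(objectClass=user)(sAMAccountName=someuser))'
$searcher.SearchRoot = [adsi]"GC://$($forest.Name)"
$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'userPrincipalName'))
$hit = $searcher.FindOne()
if ($hit) { $hit.Properties['distinguishedname'] } else { 'not found in GC' }
```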