Microsoft Windows Server 2008: Active Directory Domain Security Changes

This chapter reviews Microsoft Windows Server 2008's Active Directory. The domain serves as the administrative boundary of Active Directory. It is the most basic component that can functionally host the directory; the domain is used as a container of computers, users, groups, and other object containers. Objects within the domain share a common directory database partition, replication boundaries and characteristics, security policies, and security relationships with other domains. Administrative rights granted in one domain are valid only within that domain. This also applies to Group Policy Objects, but not necessarily to trust relationships. Security policies such as password Policy, Account Lockout Policy, and Kerberos ticket Policy are defined on a per-domain basis. The domain is also the primary boundary defining the DNS and NetBIOS namespaces. The DNS infrastructure is a requirement for an Active Directory domain and should be defined before creating the domain.