Windows Server 2008 Active Directory – Nesting / Tree

Nesting is a useful ability that has been around in limited form since Windows NT. By nesting groups, you achieve the ability to quickly and painlessly assign permissions and rights to different users. For example, let's say you have a resource called COLORLASER and you want all full-time employees to be able to access that resource. You don't have a group called FTEs that contains all your full-timers throughout your organization, but your departmental administrators have set up a structure wherein full-time employees are put into groups and part-timers are in another. To quickly create your overall FTE group, you can take your different groups of users from each department (ACCTG_FTE, ADMIN_FTE, PRODUCTION_FTE, and SALES_FTE, for example) and put them within a new group you create called ALL_FTE. Then, you can quickly assign access rights to COLORLASER by giving the ALL_FTE group permission to use the resource. You have "nested" the departmental groups within one big group.

Different types of groups, as you saw in the previous list of groups, support different methods of nesting.
You should remember a couple of important issues regarding backward compatibility with Windows NT 4.0 and Windows 2000 and the types of group capabilities available:

AD DS cannot support universal groups until you operate at least in Windows 2000 Native functional level, as NT 4.0 supports only one level of group nesting.

A group cannot have more than 5,000 members until your forest is operating in the Windows Server 2003 forest-functional level or higher. Functional levels are covered later in this chapter, but for now, be aware of this limitation.
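The nesting described above, scripted as an added PowerShell example (not code from the book or the blog): it creates ALL_FTE, nests the four departmental groups named on the page inside it, and checks the two compatibility caveats just listed. It assumes the ActiveDirectory module (RSAT or a 2008 R2 or later domain controller), a domain named hasselltech.local as in the text, and an OU path `OU=Groups,DC=hasselltech,DC=local` for the new group; the OU and the use of the `ntMixedDomain` attribute to detect Windows 2000 mixed mode are assumptions, not something the page states.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module,
# the hasselltech.local domain from the text, and an assumed OU for groups.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain functional level: $($domain.DomainMode)"
"Forest functional level: $($forest.ForestMode)"

# Caveat 1: universal groups need Windows 2000 native mode or later.
# The module does not expose mixed/native directly; the domain object's
# ntMixedDomain attribute is 1 in Windows 2000 mixed mode (assumption on method).
$mixed = (Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain).ntMixedDomain
if ($mixed -eq 1) {
    Write-Warning 'Domain is in Windows 2000 mixed mode: universal groups are not available.'
}

# Caveat 2: the 5,000-member limit applies below the Windows Server 2003 forest level.
if (@('Windows2000Forest', 'Windows2003InterimForest') -contains "$($forest.ForestMode)") {
    Write-Warning 'Forest is below the Windows Server 2003 level: keep each group under 5,000 members.'
}

$groupOU    = 'OU=Groups,DC=hasselltech,DC=local'          # assumed OU
$deptGroups = 'ACCTG_FTE', 'ADMIN_FTE', 'PRODUCTION_FTE', 'SALES_FTE'

# Create ALL_FTE as a global security group if it does not exist yet.
# Global scope is enough within a single domain; a universal group is only
# needed (and only allowed, see caveat 1) when members come from several domains.
if (-not (Get-ADGroup -Filter "Name -eq 'ALL_FTE'")) {
    New-ADGroup -Name 'ALL_FTE' -GroupScope Global -GroupCategory Security -Path $groupOU `
        -Description 'All full-time employees, nested from the departmental FTE groups'
}

# Nest the departmental groups inside ALL_FTE. Granting ALL_FTE rights on
# COLORLASER then covers every user in the four departmental groups.
Add-ADGroupMember -Identity 'ALL_FTE' -Members $deptGroups

# Verify: direct members are the four groups; -Recursive expands the nesting
# so every user inherited through the departmental groups is listed.
$direct    = @(Get-ADGroupMember -Identity 'ALL_FTE')
$effective = @(Get-ADGroupMember -Identity 'ALL_FTE' -Recursive | Where-Object { $_.objectClass -eq 'user' })
"ALL_FTE direct members (groups): $($direct.Count)"
"ALL_FTE effective users through nesting: $($effective.Count)"
```

The `-Recursive` check is the useful part for auditing: it shows the effective membership a resource ACL on COLORLASER would actually honour, which is what matters when a departmental administrator later adds someone to, say, SALES_FTE.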

Trees refer to the hierarchies of domains you create within AD DS. The first AD DS domain you create is automatically designated the root of your first tree, and any domains after that are considered child domains unless you choose to create a domain at the root of a new tree. Child domains always have the root domain in their name—for example, if I create the hasselltech.local domain, any child domains must be in the format of newdomainname.hasselltech.local. In effect, you are creating what are referred to as subdomains in DNS parlance. You can create as many child domain levels as you need; children can be children of other children of other children, and so on, as long as it makes sense to you.

A neat feature of AD DS is that it automatically creates two-way trust relationships between parent and child domains, so you don't need to manually trust the domains you create. As such, my new child domain from our earlier example will automatically trust its parent domain, hasselltech.local, and the parent will trust the child—the transitive trust is created automatically. This type of trust is passed along the child domain chain, so a domain like will automatically trust,,, and
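To confirm the automatic parent/child trust the paragraph describes, here is an added PowerShell example (not from the book or the blog). It assumes the ActiveDirectory module, the hasselltech.local root domain from the text, and an assumed child domain named engineering.hasselltech.local; the child domain name is an assumption.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module,
# the hasselltech.local root domain from the text and an assumed child domain.
Import-Module ActiveDirectory

$root  = 'hasselltech.local'
$child = 'engineering.hasselltech.local'   # assumed child domain name

# All trusts as seen from the root domain. A child created under this tree
# appears as an intra-forest, two-way trust that AD DS created at promotion time.
Get-ADTrust -Filter * -Server $root |
    Select-Object Name, Direction, IntraForest, ForestTransitive, TrustType

# Check the specific parent/child trust: it should be two-way (BiDirectional)
# and intra-forest, which is what makes it transitive down the child chain.
$trust = Get-ADTrust -Filter "Name -eq '$child'" -Server $root
if ($null -eq $trust) {
    Write-Warning "No trust to $child found on $root"
} elseif ($trust.Direction -ne 'BiDirectional' -or -not $trust.IntraForest) {
    Write-Warning "Trust to $child is not the expected two-way intra-forest trust"
} else {
    "Two-way, transitive parent/child trust between $root and $child is in place"
}
```

Running the same listing from the child (`-Server $child`) shows the mirror entry pointing back at the parent; neither side was created by hand.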

Source of Information: O'Reilly Windows Server 2008: The Definitive Guide
