Multiple-Tree Forests



Chapter 2 discussed the characteristics of forests and trees. A forest is established when the first Active Directory domain is created, and this domain is known as the forest root. In a forest, any domains that share a contiguous namespace form a tree. After a tree has been established in a forest, any new domain added to an existing tree inherits a portion of its namespace from its parent domain. Any domain added to the forest that maintains a unique namespace forms a new tree; therefore, you can have more than one tree in a single forest. Additionally, in some instances, multiple trees are required to meet the needs of a business. This section looks at the business requirements for creating multiple trees as well as the trust relationships between trees in a forest.

Business Requirements

When you are planning a domain structure, simplicity is always best. If a business does not require multiple trees, don't make things more difficult by creating an elaborate multiple-tree structure. However, sometimes multiple trees are required. Again, only a thorough assessment of the business will determine whether this is necessary. When considering a multiple-tree structure, keep the requirements discussed in the following sections in mind. If a business requires any one of the following, you might need to design a multiple-tree structure.

DNS Names

If a business is composed of different subsidiaries, or has partnered with other businesses, that need to maintain their distinct public identities as well as separate (noncontiguous) DNS names, multiple trees might have to be created in a single forest.

Alert: If an organization has subsidiaries with unique DNS domain names, the organization can create a domain tree for each namespace, maintaining the subsidiaries' individual DNS identifications.


For example, say the XYZ Corporation has a subsidiary called the ABC Corporation that needs to have a public identity separate from the main organization as well as maintain its registered DNS name. In this case, a separate tree in the forest could be created to meet the business's requirements, as shown in Figure 8.6.

Figure 8.6. A single forest that maintains two separate trees, each with its own namespace.


Central Directory Information

All trees in a single forest share the same schema, configuration container, and Global Catalog (GC). If an organization wants to have centralized administration of these and maintain a single schema, configuration container, and GC for the entire organization and all its business units, a single forest with multiple trees can be implemented.

Tip: One of the advantages of being able to create a distinction between business units while keeping them in the same forest is that users in different trees can still easily search for objects throughout the forest because they all share a common GC.


Trusts Between Trees

When a new tree is established in a forest, a two-way transitive trust is automatically established between the two root domains: the forest root domain and the root domain of the new tree. This two-way trust creates a trust path that allows users from one tree to access resources located in another tree in the same forest (the benefit of this is that a path is created throughout the Active Directory hierarchy without any administrative effort).

Looking at the example in Figure 8.6, after abc.corp is established as a new tree in the forest, a transitive trust is automatically set up between abc.corp and xyz.corp. This makes resources in the forest accessible to all users.

Note: Keep in mind when you're designing multiple domains and multiple trees that the more domains you have, the more trust links you need in the forest, and these trust links can become points of failure. Users must be authenticated across those links, and if the physical link is unavailable, the users cannot gain access to resources.
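To make the two rules in this section concrete (domains sharing a contiguous namespace form a tree, and each new tree root is joined to the forest root by an automatic two-way transitive trust), here is an added example that is not code from the book. It is a small Python model: given the DNS names of the domains in one forest, it groups them into trees, enumerates the automatic trust links, and derives the trust path a logon from one domain must traverse to reach a resource in another. Only xyz.corp and abc.corp come from Figure 8.6; the child domains beneath them and all function names are assumptions made for illustration.

```python
"""Model of one Active Directory forest that holds several domain trees.

Added example, not code from the book. It takes the DNS names of the domains
in one forest, groups them into trees by contiguous namespace, lists the
automatic two-way transitive trusts (parent-child within a tree, tree-root
trust between each new tree root and the forest root), and derives the trust
path a logon from one domain must traverse to reach a resource in another.
"""


def labels(name):
    """Split a DNS name into its labels, lower-cased, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def is_parent(parent, child):
    """True if `child` sits directly below `parent` in the DNS namespace."""
    p, c = labels(parent), labels(child)
    return len(c) == len(p) + 1 and c[1:] == p


def build_forest(forest_root, domains):
    """Return (parent_of, tree_roots) for one forest.

    parent_of maps each domain to its DNS parent domain within the forest, or
    to None when the domain starts a new tree (noncontiguous namespace).
    """
    # Shortest names first so every parent is seen before its children.
    names = sorted(set(domains) | {forest_root}, key=lambda d: (len(labels(d)), d))
    parent_of = {}
    tree_roots = []
    for d in names:
        parent = next((p for p in names if p != d and is_parent(p, d)), None)
        parent_of[d] = parent
        if parent is None:
            tree_roots.append(d)
    return parent_of, tree_roots


def trust_links(forest_root, parent_of):
    """The automatic trusts: every domain except the forest root gets exactly one.

    A child domain trusts its parent; a tree root trusts the forest root.
    Returned as a set of unordered pairs because the trusts are two-way.
    """
    links = set()
    for d, parent in parent_of.items():
        if d == forest_root:
            continue
        partner = parent if parent is not None else forest_root
        links.add(frozenset((d, partner)))
    return links


def path_to_forest_root(domain, forest_root, parent_of):
    """Domains visited walking up from `domain` to the forest root (inclusive)."""
    path = [domain]
    while path[-1] != forest_root:
        parent = parent_of[path[-1]]
        path.append(parent if parent is not None else forest_root)
    return path


def trust_path(src, dst, forest_root, parent_of):
    """Domains traversed by the transitive trust path from src to dst.

    Walk both domains up to the forest root, then drop the shared tail so the
    path turns at the lowest domain the two have in common. Every hop on the
    returned path is one trust link that must be reachable for authentication
    to succeed, which is the point-of-failure concern raised in the text.
    """
    up = path_to_forest_root(src, forest_root, parent_of)
    down = path_to_forest_root(dst, forest_root, parent_of)
    while len(up) > 1 and len(down) > 1 and up[-2] == down[-2]:
        up.pop()
        down.pop()
    return up + list(reversed(down[:-1]))


# Constructed sample forest: xyz.corp and abc.corp come from Figure 8.6; the
# child domains beneath them are assumed for illustration.
FOREST_ROOT = "xyz.corp"
DOMAINS = ["sales.xyz.corp", "eu.sales.xyz.corp", "abc.corp", "dev.abc.corp"]

if __name__ == "__main__":
    parent_of, roots = build_forest(FOREST_ROOT, DOMAINS)
    print("tree roots:", roots)
    print("automatic trusts:", len(trust_links(FOREST_ROOT, parent_of)))
    path = trust_path("eu.sales.xyz.corp", "dev.abc.corp", FOREST_ROOT, parent_of)
    print("trust path:", " -> ".join(path), f"({len(path) - 1} links)")
```

Run on the sample forest, the model reports two tree roots (xyz.corp and abc.corp, because abc.corp shares no namespace with the forest root), four automatic trusts for five domains (always one fewer than the number of domains), and a path of four links from eu.sales.xyz.corp through sales.xyz.corp, xyz.corp and abc.corp to dev.abc.corp. Each of those four links must be reachable for the logon to succeed, which is the design trade-off the note above describes: every additional domain lengthens some trust path and adds a link that can fail.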


Now let's take a look at one more option when designing a multiple-domain structure: creating multiple forests.



MCSE Active Directory Services Design. Exam Cram 2 (Exam Cram 70-219)
ISBN: 0789728648
Year: 2003
Pages: 148