Multiple-Tree Forests

Chapter 2 discussed the characteristics of forests and trees. A forest is established when the first Active Directory domain is created, and this domain is known as the forest root. In a forest, any domains that share a contiguous namespace form a tree. After a tree has been established in a forest, any new domains added to an existing tree inherit a portion of their namespace from their parent domain. Any domains added to the forest that maintain a unique namespace form a new tree; therefore, you can have more than one tree in a single forest. Additionally, in some instances, multiple trees are required to meet the needs of a business. This section looks at the business requirements for creating multiple trees as well as the trust relationships between trees in a forest.

Business Requirements

When you are planning a domain structure, simplicity is always best. If a business does not require multiple trees, don't make things more difficult by creating an elaborate multiple-tree structure. However, sometimes multiple trees are required. Again, only a thorough assessment of the business will determine whether this is necessary. When considering a multiple-tree structure, keep the requirements discussed in the following sections in mind. If a business requires any one of the following, you might need to design a multiple-tree structure.

DNS Names

If a business is comprised of different subsidiaries or has partnered with other businesses that need to maintain their distinct public identities as well as separate (noncontiguous) DNS names, multiple trees might have to be created in a single forest.
For example, say the XYZ Corporation has a subsidiary called the ABC Corporation that needs to have a public identity separate from the main organization as well as maintain its registered DNS name. In this case, a separate tree in the forest could be created to meet the business's requirements, as shown in Figure 8.6.

Figure 8.6. A single forest that maintains two separate trees, each with its own namespace.
Central Directory Information

All trees in a single forest share the same schema, configuration container, and Global Catalog (GC). If an organization wants to have centralized administration of these and maintain a single schema, configuration container, and GC for the entire organization and all its business units, a single forest with multiple trees can be implemented.
Trusts Between Trees

When a new tree is established in a forest, a two-way transitive trust is automatically established between the two root domains. This two-way trust creates a trust path that allows users from one tree to access resources located in another tree in the same forest (the benefit of this is that a path is created throughout the Active Directory hierarchy without any administrative effort). Looking at the example in Figure 8.6, after abc.corp is established as a new tree in the forest, a transitive trust is automatically set up between abc.corp and xyz.corp. This makes resources in the forest accessible to all users, provided they have been granted the appropriate permissions on those resources.
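The tree grouping and trust path described above can be modeled in a few lines. This is an added example, not code from the book: xyz.corp and abc.corp come from Figure 8.6, while the child domains and the third tree def.corp are constructed, and the model goes beyond the two-tree case by assuming each tree root's automatic trust is with the forest root domain.

```python
# Added example: a model of trees and trust paths inside one forest.
# xyz.corp and abc.corp are from Figure 8.6; every other domain is constructed.
FOREST_ROOT = "xyz.corp"
DOMAINS = {"xyz.corp", "eng.xyz.corp", "abc.corp", "sales.abc.corp",
           "def.corp", "hr.def.corp"}

def parent_of(domain, domains):
    """Closest ancestor of `domain` that exists in the forest, else None."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def chain_to_root(domain, domains):
    """Parent-child trust hops from `domain` up to the root of its tree."""
    chain = [domain]
    while (parent := parent_of(chain[-1], domains)) is not None:
        chain.append(parent)
    return chain

def build_trees(domains):
    """Group domains by tree root, i.e. by contiguous namespace."""
    trees = {}
    for d in sorted(domains):
        trees.setdefault(chain_to_root(d, domains)[-1], []).append(d)
    return trees

def trust_path(src, dst, domains=DOMAINS, forest_root=FOREST_ROOT):
    """Domains crossed, in order, when a user in `src` reaches a resource in `dst`."""
    up, down = chain_to_root(src, domains), chain_to_root(dst, domains)
    common = [d for d in up if d in down]
    if common:  # same tree: climb to the nearest shared ancestor, then descend
        lca = common[0]
        return up[:up.index(lca) + 1] + down[:down.index(lca)][::-1]
    # Different trees: cross the tree-root trust(s), which meet at the forest root.
    middle = [] if forest_root in (up[-1], down[-1]) else [forest_root]
    return up + middle + down[::-1]

if __name__ == "__main__":
    for root, members in build_trees(DOMAINS).items():
        print(f"tree {root}: {members}")
    print(" -> ".join(trust_path("sales.abc.corp", "eng.xyz.corp")))
```

Each adjacent pair in the returned list is one trust that the request relies on, which is the set of relationships to review when assessing who can reach a given domain. The path only shows that authentication can be routed; access still depends on the permissions set on the resource.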
Now let's take a look at one more option when designing a multiple-domain structure: creating multiple forests.