Multiple Forests


In some instances, you'll need to implement a multiple-forest environment to meet the requirements of a business. This type of model is one of the most difficult to design and administer, so when you're considering a model such as this, keep the following topics in mind:

  • Business reasons

  • Trust relationships

  • Schema issues

Business Reasons

Before designing an elaborate structure that includes multiple forests, be sure to assess the business to determine whether there is an actual need for more than one forest. Consider a multiple-forest structure if a business has any of the requirements discussed in the following sections.

Limited Trusts

The most common reason to create a multiple-forest environment is a business's need to maintain a partnership, or a relationship with a subsidiary, that calls for only a very limited trust. Separate forests let you grant another organization or its subsidiaries exactly that limited trust and nothing more. Situations such as this arise when a business establishes a limited partnership with another organization or when an organization includes subsidiaries gained through corporate acquisitions. Separate forests might need to be created for security purposes, and when multiple forests are established, the scope of the trust relationship can be limited and closely monitored.

Separate Global Catalogs

During planning, you should determine whether the business needs multiple Global Catalogs. The GC contains a listing of all the objects in the forest, but only specific attributes pertaining to each one, and all domains in a forest have access to a common GC. If a business does not want one GC for its entire organization, a multiple-forest structure must be implemented.

Separate Schema

The schema maintains a list for the entire forest of all objects that can be stored in Active Directory as well as the attributes associated with each object. A default schema policy comes with Windows 2000, but it can be modified if it does not meet your business requirements. If an organization requires different schema policies for its different business units or the administrators from the different business units cannot agree on a schema policy, multiple forests should be created.

Exam Alert

Be sure you understand under what circumstances it is appropriate to create multiple forests. Be prepared to encounter exam questions that require you to determine whether multiple forests are necessary based on a given scenario.


Trust Relationships

By default, trusts are not automatically established between separate forests. Any intercommunication between two forests can occur only if a trust is explicitly defined.

To allow users from one forest to access resources in another forest, a one-way external trust must be created. If interaction between two forests will go both ways, two external trusts need to be defined. When you're planning for trusts between forests, also keep in mind that external trusts are not forest wide; they pertain only to the domains specified. Referring to Figure 8.5, a one-way external trust is created between the NY domain in one forest and the Sales domain in another forest. It is a one-way trust that allows users from the NY domain access only to the resources in the Sales domain. If the NY users need access to resources located in another domain of that forest, a second external trust would have to be created.
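The trust rules stated above (no trust between forests by default, external trusts are one-way, and each one is scoped to the two domains named rather than to the whole forest) are small enough to model directly. The following Python is an added example, not code from the Exam Cram text; the forest and domain names are constructed, with the NY/Sales pair mirroring the figure the text refers to, and the hypothetical `TrustTopology` class simply answers "can a user in domain X reach a resource in domain Y?" from a set of recorded trusts.

```python
"""Model of Windows 2000 external trusts between two forests (added example).

Encodes the rules the text states: no trust exists between forests by
default, an external trust is one-way, and it covers only the two domains
named in it, never the rest of either forest.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Domain:
    name: str
    forest: str


@dataclass(frozen=True)
class ExternalTrust:
    trusting: Domain  # domain whose resources are exposed
    trusted: Domain   # domain whose users are allowed in

    def __post_init__(self):
        # External trusts only make sense across a forest boundary;
        # domains inside one forest already trust each other.
        if self.trusting.forest == self.trusted.forest:
            raise ValueError("external trusts link domains in different forests")


@dataclass
class TrustTopology:
    trusts: set = field(default_factory=set)

    def add_one_way(self, trusting: Domain, trusted: Domain) -> None:
        self.trusts.add(ExternalTrust(trusting, trusted))

    def add_two_way(self, a: Domain, b: Domain) -> None:
        # Access in both directions needs two external trusts, one each way.
        self.add_one_way(a, b)
        self.add_one_way(b, a)

    def can_access(self, user_domain: Domain, resource_domain: Domain) -> bool:
        # Domains in one Windows 2000 forest are joined by two-way
        # transitive trusts, so intra-forest access is always possible.
        if user_domain.forest == resource_domain.forest:
            return True
        # Across forests the trust must name exactly this resource domain as
        # the trusting side and exactly the user's domain as the trusted side.
        return ExternalTrust(resource_domain, user_domain) in self.trusts

    def unreachable_domains(self, user_domain: Domain, domains) -> list:
        """Names of the given domains this user's domain cannot reach."""
        return sorted(d.name for d in domains if not self.can_access(user_domain, d))


# Constructed sample topology modelled on the figure: two forests, a
# single one-way external trust in which Sales trusts NY.
NY = Domain("NY", "corp-forest")
BOSTON = Domain("Boston", "corp-forest")
SALES = Domain("Sales", "partner-forest")
MARKETING = Domain("Marketing", "partner-forest")


def figure_8_5_topology() -> TrustTopology:
    topo = TrustTopology()
    topo.add_one_way(trusting=SALES, trusted=NY)
    return topo


if __name__ == "__main__":
    topo = figure_8_5_topology()
    print("NY -> Sales:", topo.can_access(NY, SALES))            # True
    print("NY -> Marketing:", topo.can_access(NY, MARKETING))    # False: trust is not forest wide
    print("Sales -> NY:", topo.can_access(SALES, NY))            # False: trust is one-way
    print("NY cannot reach:", topo.unreachable_domains(NY, [SALES, MARKETING]))
```

Running the module shows the two points the text makes: the NY users reach Sales but not Marketing until a second external trust is added, and Sales users cannot reach NY until a trust in the opposite direction is defined (which `add_two_way` records as two separate one-way trusts).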

Schema Issues

Schema policies are applied at the forest level, so all domains in a forest are affected by the same schema policy. If a business plans to make changes to the default schema policy but does not want its entire organization to be affected by those changes, a multiple-forest structure must be considered. An appropriate schema policy can then be implemented for each forest.

Tip

Because schema policies are not replicated between forests, schema changes in one forest do not affect another forest.




MCSE Windows 2000 Active Directory Services Design Exam Cram 2 (Exam Cram 70-219)
ISBN: 0789728648
Year: 2003
Pages: 148