The first step in creating a forest plan is to design a forest model for an organization's Active Directory infrastructure. This lesson walks you through the steps for designing a forest model, including assessing the factors in the organization's environment that impact its forest model and determining the number of forests to use.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
In Active Directory, a forest is a distributed database: a collection of one or more Windows 2000 domains that share a single schema, configuration container, and global catalog and are linked by implicit two-way transitive trusts. Forests help users interact with the directory as a whole and help administrators manage multiple domains as one unit.
Recall that the Active Directory schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in Active Directory. The schema is a naming context that is replicated to every domain controller in the forest. A naming context is a tree of objects stored in Active Directory. The Schema Admins predefined universal group has full control of the schema.
The configuration container stores configuration objects that represent the structure of Active Directory, including display specifiers, extended rights, partitions, sites, domain controllers, services, well-known security principals, and other configuration objects. The configuration container is a naming context that is replicated to every domain controller in the forest. The Enterprise Admins predefined universal group has full control of the configuration container.
Recall that the global catalog is the central repository of information about objects in a tree or forest. A global catalog server stores a full replica (every attribute of every object) of its host domain and a partial replica of every object in every other domain in the forest, holding only the attributes most commonly used in searches. The global catalog allows users and administrators to find objects outside their own domain and across the enterprise with speed and efficiency. It also allows users to log on by using an abstracted (shortened) user principal name (UPN), that is, an alternative UPN suffix, rather than the default UPN whose suffix is the full DNS name of the account's domain; at logon, the global catalog is what resolves the shortened UPN to the domain that holds the account. For example, if the user Sherri has her user account in sls.uk.microsoft.com, her default UPN is sherri@sls.uk.microsoft.com. If the alternative suffix microsoft.com is defined for the forest and assigned to her account, she can log on as sherri@microsoft.com, and the global catalog resolves that name to the sls.uk.microsoft.com domain.
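The following script is an added example, not part of the course or of any Microsoft sample. It inventories the forest-wide pieces just described: the schema and configuration naming contexts that every domain controller in the forest hosts, the global catalog servers and UPN suffixes the forest knows about, the membership of Schema Admins and Enterprise Admins, and a lookup that resolves a shortened UPN through the global catalog. It uses the Active Directory module that ships with RSAT on Windows Server 2008 R2 and later (Windows 2000 had no equivalent), assumes a domain-joined session with rights to read the directory, and discovers every server and domain name at run time; the UPN in the final comment is the lesson's own example and is only a placeholder.

```powershell
# Added example (not from the lesson): inventory the forest-wide naming contexts,
# global catalog servers, UPN suffixes, and the two forest-wide privileged groups.
# Requires the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest

# The naming contexts (partitions) hosted by the DC we are talking to. Schema and
# configuration are replicated to every DC in the forest; the domain NC is not.
[pscustomobject]@{
    Forest          = $forest.Name
    SchemaNC        = $rootDse.schemaNamingContext
    ConfigurationNC = $rootDse.configurationNamingContext
    DefaultDomainNC = $rootDse.defaultNamingContext
    GlobalCatalogs  = ($forest.GlobalCatalogs -join ', ')
    # Default suffixes are the forest's domain names; alternative suffixes are
    # added at the forest level and appear in UPNSuffixes.
    UPNSuffixes     = (@($forest.Domains) + @($forest.UPNSuffixes) -join ', ')
} | Format-List

# Schema Admins and Enterprise Admins live in the forest root domain and have
# full control of the schema and configuration NCs respectively. Because those
# NCs reach every DC in the forest, membership is a forest-wide privilege:
# review it, and keep the groups empty except while a change is being made.
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
foreach ($groupName in 'Schema Admins', 'Enterprise Admins') {
    $group   = Get-ADGroup -Identity $groupName -Server $rootDomain.PDCEmulator
    $members = @(Get-ADGroupMember -Identity $group -Recursive -Server $rootDomain.PDCEmulator)
    '{0}: {1} member(s)' -f $groupName, $members.Count
    $members | Select-Object SamAccountName, objectClass, distinguishedName | Format-Table -AutoSize
}

# Resolve a UPN the way a logon does: the global catalog holds a partial replica
# of every object in the forest, so a query against the GC port (3268) finds the
# account no matter which domain holds it, even with an alternative suffix.
function Resolve-UpnViaGlobalCatalog {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $gc = $forest.GlobalCatalogs | Select-Object -First 1
    Get-ADUser -Server "$($gc):3268" -LDAPFilter "(userPrincipalName=$UserPrincipalName)" |
        Select-Object SamAccountName, UserPrincipalName, DistinguishedName
}

# Placeholder from the lesson's example; substitute a UPN from your own forest.
# Resolve-UpnViaGlobalCatalog -UserPrincipalName 'sherri@microsoft.com'
```

If the final lookup returns nothing, the suffix is either not defined for the forest or not assigned to the account, and the shortened logon name will fail; the same query against port 389 of a domain controller in a different domain would also return nothing, which is exactly why the global catalog is required for this kind of logon.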
To design the forest model needed for your organization, you must complete the following tasks:
To design a forest model for your organization, you must first consult the following business and technical environment analysis documents compiled earlier by your design team:
In addition to assessing these requirements, it is imperative that you assess any changes that may be planned for the sites or domain controller locations to address growth, flexibility, and the ideal design specifications of the organization.
NOTE
Blank copies of the worksheets are located on the Supplemental Course Materials CD-ROM (\chapt02\worksheets). Completed examples of the worksheets are located in Chapter 2, "Introduction to Designing a Directory Services Infrastructure."
Because Windows 2000 domains in a forest share a single schema, configuration container, and global catalog and are linked by two-way transitive trusts, you should strive to have only one forest for your organization. Ideally, the use of multiple forests should be temporary, and reserved for situations such as a merger, acquisition, or partnership where two or more organizations must be joined. You must realize that by defining multiple forests you will be requiring users in your organization to take a series of complex steps just to use the directory. Refer to "Implications of Using Multiple Forests," later in this lesson, for further information.
Reasons to Use Multiple Forests
Although you should strive to define only one forest for your organization, there are some situations that may warrant the use of multiple forests. You may need to consider using multiple forests if any of the following are true:
If you want to separate business units or keep specific users from accessing resources and you cannot achieve this through your domain or OU structure, a multiple forest model can be an effective tool for creating privacy and security. Keep in mind why a separate domain is not enough: every domain in a forest shares the schema, the configuration container, and the global catalog, is linked to the others by two-way transitive trusts, and is subject to the forest-wide Schema Admins and Enterprise Admins groups, so a business unit in its own domain is still not isolated from the forest's administrators. Only a separate forest provides that isolation.
IMPORTANT
Although the reasons above may indicate that you need to define multiple forests, you should always consult your design team before proceeding with a multiple forest model. Examine all options for delegating administration using domains or OUs before you define multiple forests.
Implications of Using Multiple Forests
Adding a forest increases administrative and usability costs. When determining whether to use multiple forests, keep the following administrative issues in mind:
Figure 3.1 An interforest trust relationship
When determining whether to use multiple forests, also keep the following usability issues in mind:
All of the reasons for using multiple forests involve administrative issues. However, the negative effects of a multiple forest scenario fall hardest on users. Consider that the issues that matter to administrators are not the same issues that matter to users. Unless the use of multiple forests in your organization can be made transparent to users, you should avoid creating separate forests.
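As an added example (not part of the course or of any Microsoft sample), the script below enumerates every trust held by the domains of the current forest and separates the implicit intra-forest trusts from the explicit interforest trusts of the kind shown in Figure 3.1, which are the ones that must be created and maintained by hand. It uses the RSAT Active Directory module (Windows Server 2008 R2 and later) and discovers all domain names at run time; the property names are the module's own. The SID filtering check at the end is a caveat this lesson does not cover: on an interforest trust, SID filtering should be enabled so that administrators of the other forest cannot present SIDs from your forest in their users' tokens.

```powershell
# Added example (not from the lesson): report every trust of the current forest
# and flag the explicit trusts that cross the forest boundary.
# Requires the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-ForestTrustReport {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        # Ask each domain for its own trust objects (they live in the domain NC).
        Get-ADTrust -Filter * -Server $domain | ForEach-Object {
            [pscustomobject]@{
                SourceDomain       = $domain
                TrustedDomain      = $_.Target
                Direction          = $_.Direction            # Inbound, Outbound, BiDirectional
                IntraForest        = $_.IntraForest          # implicit, two-way, transitive
                ForestTransitive   = $_.ForestTransitive     # forest trust (Windows Server 2003 and later)
                NonTransitive      = $_.DisallowTransivity   # property name as spelled by the module
                SIDFilteringOn     = [bool]($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)
                SelectiveAuth      = $_.SelectiveAuthentication
            }
        }
    }
}

$report = Get-ForestTrustReport

# Interforest trusts first: each one is an administrative relationship to maintain.
$report | Sort-Object IntraForest, SourceDomain | Format-Table -AutoSize

# Caveat: an interforest trust without SID filtering lets the other forest's
# administrators inject your forest's SIDs (via SID history) into their tokens.
$report | Where-Object { -not $_.IntraForest -and -not $_.SIDFilteringOn } | ForEach-Object {
    Write-Warning ('Interforest trust {0} -> {1} has SID filtering disabled' -f $_.SourceDomain, $_.TrustedDomain)
}

# Summary counts: how many trusts were created implicitly by the forest, and how
# many had to be created and must be maintained by administrators.
$implicit = @($report | Where-Object IntraForest).Count
$explicit = @($report | Where-Object { -not $_.IntraForest }).Count
'Intra-forest trusts: {0}; interforest trusts: {1}' -f $implicit, $explicit
```

Run it from a session in the forest you are evaluating; a design that adds a second forest will show up here as explicit trusts that grow with every pair of domains that must share resources across the boundary, which is the administrative cost the text above refers to.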
To design a forest model
Figure 3.2 shows a forest model for the A. Datum Corporation, an Internet service provider (ISP) that hosts Active Directory for some of its clients. The forests needed for the organization have only been identified. At this point, the forest has not been named, nor have domains within it been placed in a hierarchy.
Figure 3.2 Forest model for A. Datum Corporation
In this lesson you learned the steps for designing a forest model, including assessing the factors in the organization's environment that impact its forest model and determining the number of forests to use. You learned that the factors within the organization that can affect the forest model include administrative structures, IT management organization structure and administration practices, and the current administrative and security standards. In addition, changes currently planned to address growth and flexibility needs and changes that would help to meet the ideal design specifications of the organization can also affect the forest model.
You also learned that you should always strive to define only one forest for your organization. However, there are some situations that may warrant the use of multiple forests. You learned the reasons for using multiple forests and the implications of using them. Finally, you learned that you should always consult your design team before proceeding with a multiple forest model. It is important to examine all options for delegating administration using domains or OUs before you define multiple forests.