Forest Concepts

A forest is the largest entity in Active Directory. A forest consists of one or more trees joined together at their root domains by trusts. Each tree consists of one or more domains arranged in hierarchical fashion and also joined by trusts. All trees and domains in a forest share a common schema, configuration, and global catalog.

When you promote your first WS2003 domain controller, you automatically create a forest with a single domain. This first domain is the root domain of your first tree and the forest root domain of your entire forest. When you create additional WS2003 domains, you can choose whether to:

  • Add the new domain to an existing tree of your forest

  • Make the new domain the root domain of a new tree in your forest

  • Create an entirely new forest

Namespace

While a tree has a contiguous DNS namespace, the namespace within a forest doesn't have to be contiguous. The root domain of each tree in a forest must have its own unique DNS name to identify it within the forest. However, the forest itself is uniquely identified with respect to other forests by the DNS name of its forest root domain, that is, the DNS name of the first domain created in the forest. For example, let's say that the Canadian company MTIT Enterprises (whose DNS domain name is mtit.com) decides to start a separate, worldwide operation called MTIT Enterprises Worldwide, whose domain name will be different (e.g., mtitworld.com). In this case the forest root domain and the root domain of the first tree could be mtit.com with subsidiaries vancouver.mtit.com and toronto.mtit.com, while the root domain of the other tree would be mtitworld.com with subsidiaries mexico.mtitworld.com, france.mtitworld.com, and so on.

You might implement a multiple-tree forest if your company were very large and had multiple public identities. For example, you might create a multiple-tree forest if your company has one or more distinct subsidiaries in different locations or if your company and another company have recently merged, established joint ventures, or formed high-level partnerships. If two companies that have each already implemented a multiple-tree forest merge with each other, you can now create transitive trusts between the roots of the two forests in order to grant users in one forest access to resources in the other forest. See Trusts later in this chapter for more information.

Forest Functional Level

In WS2003 forests can be configured to run in one of three different functional levels:

Windows 2000 (default for new forests)

Supports domain controllers running WS2003, W2K, and NT.

Windows Server 2003 interim

Supports domain controllers running WS2003 and NT. This is a special forest functional level that exists only when you upgrade an NT-based network directly to WS2003.

Windows Server 2003

Supports only domain controllers running WS2003.

By default, when you create a new forest its forest functional level is W2K, which gives it the greatest degree of interoperability with NT/2000 domain controllers. You can raise the forest functional level to Windows Server 2003 if you have no more W2K domain controllers, but you can't undo this operation afterward. When you raise the forest functional level to Windows Server 2003, the following additional features are supported to simplify the administration of your network:

  • Transitive trusts can be created between two forest roots so that all domains in one forest can trust all domains in the other forest.

  • Per-value replication of attributes is enabled to reduce replication traffic when groups are modified.

  • Deactivated schema classes and attributes can be redefined.

In addition, the new domain rename tool Rendom can restructure forests running in the WS2003 forest functional level.

Kerberos Authentication Within a Forest

When a user in one domain wants to access resources across a forest, the Kerberos v5 authentication protocol is used. Kerberos is a shared-secret authentication protocol in which the client requesting access and a trusted intermediary called the Key Distribution Center (KDC) both share knowledge of the user's password. (Passwords are stored in Active Directory.) Kerberos thus uses mutual authentication, in which both the user and the network services providing authentication must be mutually authenticated with each other to proceed. Every WS2003 domain controller is configured to run the Kerberos Key Distribution Center service and is thus a KDC.

Kerberos is the default WS2003 authentication service. It is more complex than NTLM (also called Challenge/Response or Windows Integrated) authentication, which is the earlier authentication protocol used by NT and which WS2003 uses for authenticating downlevel (Windows NT/98/95) clients that don't have the new Directory Services Client software installed on them. NTLM stores password information in the SAM database and authenticates only the client, not the network service providing authentication.

As an example, let's say a user on a client computer in vancouver.mtit.com wants to access resources on a server in mexico.mtitworld.com, which is part of the same forest. The process by which client authentication occurs happens automatically and is completely transparent to the user. Here is how it works (I've left out a few steps for simplification).

  1. The client submits the user's credentials to the KDC in its local domain, vancouver.mtit.com, to receive a Kerberos session ticket.

  2. The client presents the session ticket to the KDC in the root domain, mtit.com, of the local tree, which then grants the client a second session ticket for the root domain, mtitworld.com, in the remote tree.

  3. The client presents the second session ticket to the KDC in the mtitworld.com domain, which then grants the client a third session ticket for the mexico.mtitworld.com domain in the remote tree.

  4. The client finally presents the third session ticket to the KDC in the mexico.mtitworld.com domain, which then grants the client access to the shared resources on the server that the client wants to access.

From this scenario you can see why it's good to try to "flatten" your domains in WS2003 and use only a single domain if that is at all possible: the more domains and trees you have in your enterprise, the more network bandwidth will be consumed by Kerberos authentication traffic.
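The following added example (not code from the book) models the two-tree MTIT forest from the Namespace section and walks the chain of KDCs a client is referred through in the four steps above, so the hop count behind the "flatten your domains" advice can be checked for any forest layout. The domain names are the chapter's; the forest list and the assumption that every tree root holds a two-way transitive trust with the forest root are constructed for the example.

```python
# Added example: builds the default transitive trust graph of a forest from its
# domain names and computes the Kerberos referral path between two domains.
from collections import deque

# Constructed forest from the chapter. The first entry is the forest root
# domain (the first domain created in the forest).
FOREST = ["mtit.com", "vancouver.mtit.com", "toronto.mtit.com",
          "mtitworld.com", "mexico.mtitworld.com", "france.mtitworld.com"]

def parent_of(domain, forest):
    """Parent domain inside the same contiguous tree, or None for a tree root."""
    parts = domain.split(".", 1)
    return parts[1] if len(parts) == 2 and parts[1] in forest else None

def tree_roots(forest):
    """Domains whose DNS parent is not in the forest, i.e. the root of each tree."""
    return [d for d in forest if parent_of(d, forest) is None]

def trust_graph(forest):
    """Default two-way transitive trusts: parent<->child within a tree, and
    each tree root <-> forest root (assumption: no shortcut trusts)."""
    forest_root = forest[0]
    trusts = {d: set() for d in forest}
    for d in forest:
        peer = parent_of(d, forest) or forest_root
        if peer != d:                       # the forest root trusts itself trivially
            trusts[d].add(peer)
            trusts[peer].add(d)
    return trusts

def referral_path(forest, src, dst):
    """KDCs the client contacts, in order, to reach a service in dst (BFS over trusts).
    Returns None if no trust path exists."""
    trusts = trust_graph(forest)
    prev = {src: None}
    queue = deque([src])
    while queue:
        d = queue.popleft()
        if d == dst:
            break
        for n in sorted(trusts[d]):
            if n not in prev:
                prev[n] = d
                queue.append(n)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]

if __name__ == "__main__":
    print("tree roots:", tree_roots(FOREST))
    path = referral_path(FOREST, "vancouver.mtit.com", "mexico.mtitworld.com")
    print(" -> ".join(path), f"({len(path) - 1} referral hops)")
```

For the chapter's scenario the path is vancouver.mtit.com, mtit.com, mtitworld.com, mexico.mtitworld.com (three referral hops, matching steps 1 through 4), while a single-domain forest yields a path of length one and no cross-domain referrals at all.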



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch