Active Directory

Windows Domains using Forests and Trees

Question: What Are Domains and Forests?
The Logical Structure of Active Directory
Active Directory stores network object information and implements the services that make this information available and usable to users. Active Directory presents this information through a standardized, logical structure that helps you establish and understand the organization of domains and domain resources in a useful way. This presentation of object information is referred to as the logical structure because it is independent of the physical aspects of the Active Directory infrastructure, such as the domain controllers required for each domain in the network.
Benefits of the Logical Structure
The logical structure provides a number of benefits for deploying, managing, and securing network services and resources. These benefits include:
  1. Increased network security. The logical structure can provide security measures such as autonomy for individual groups or complete isolation of specific resources.
  2. Simplified network management. The hierarchical nature of the logical structure simplifies configuration, control, and administration of the network, including managing user and group accounts and all network resources.
  3. Simplified resource sharing. The logical structure of domains and forests and the relationships established between them can simplify the sharing of resources across an organization.
  4. Low total cost of ownership. The reduced administration costs for network management and the reduced load on network resources that can be achieved with the Active Directory logical structure can significantly lower the total cost of ownership.
An efficient Active Directory logical structure also facilitates the system integration of features such as Group Policy, enabling desktop lockdown, software distribution, and administration of users, groups, workstations, and servers. In addition, the logical structure can facilitate the integration of services such as Exchange 2000, public key infrastructure (PKI), and domain-based distributed file system (DFS).

Hierarchical Arrangement of Windows Domains

A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace.

When you add a domain to an existing tree, the new domain is a child domain of an existing parent domain. The name of the child domain is combined with the name of the parent domain to form its DNS name.

A forest is a group of trees that do not share a contiguous namespace. The trees in a forest share a common configuration, schema, and global catalog.

By default, the name of the root tree, which is the first tree created in the forest, is used to refer to a given forest. Each tree in a forest has its own unique namespace.

In order for you to decide how to administer a forest, you need to determine the kind of trust relationship your trees or domains will have. By default, all root domains within a forest have a two-way transitive trust relationship with one another.

Active Directory supports two forms of trust relationships: 1) one-way, non-transitive trusts and 2) two-way, transitive trusts. One-way, non-transitive trusts must be explicitly created by the administrator. If you have Windows Server 2016 domains coexisting with Windows domains on your network, the trust relationship between the Server and Windows domains is always an explicitly created one-way, non-transitive trust.

In a one-way, non-transitive trust relationship, if domain green trusts domain yellow, domain yellow does not automatically trust domain green.

Windows networks use one-way, non-transitive trust relationships. You manually create these relationships between existing domains. In a large network, this imposes a lot of administrative overhead. Active Directory supports one-way non-transitive trusts for connections to Windows networks and between Active Directory domains.

In a two-way transitive trust relationship, if domain green trusts domain blue, then domain blue automatically trusts domain green.

If a two-way transitive trust exists between two domains, you can grant permissions to resources in one domain to user and group accounts in the other domain, and vice versa. Two-way, transitive trust relationships are the default between Windows domains.
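To make the direction and transitivity rules above concrete, here is an added example (not part of the original course text) that models trusts as a directed graph and answers the administrator's question "which domains' accounts will this domain accept?". The domain names (green, blue, yellow, sales) are constructed for the illustration.

```python
from collections import deque


class TrustGraph:
    """Model of Active Directory trust relationships as a directed graph.

    An edge trusting -> trusted means the trusting domain accepts accounts from
    the trusted domain, so those accounts can be granted permissions on its
    resources. A two-way trust adds both edges. A chain of trusts may only be
    followed through transitive edges; a non-transitive trust is a single,
    direct hop and never extends to a third domain.
    """

    def __init__(self):
        self.edges = {}  # trusting -> {trusted: is_transitive}

    def add_trust(self, trusting, trusted, two_way, transitive):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self.edges.setdefault(trusted, {})[trusting] = transitive

    def trusts(self, trusting, trusted):
        """True if `trusting` accepts accounts from `trusted`, directly or via a chain."""
        if trusting == trusted:
            return True
        seen, queue = {trusting}, deque([trusting])
        while queue:
            cur = queue.popleft()
            for nxt, transitive in self.edges.get(cur, {}).items():
                if nxt == trusted:
                    # A non-transitive edge only counts as the first and only hop.
                    if transitive or cur == trusting:
                        return True
                    continue
                if transitive and nxt not in seen:  # chains continue only via transitive edges
                    seen.add(nxt)
                    queue.append(nxt)
        return False


def build_sample_forest():
    """Constructed forest: two root trees plus a child domain and one external trust."""
    g = TrustGraph()
    # Root domains of the two trees: two-way transitive by default.
    g.add_trust("green.example", "blue.example", two_way=True, transitive=True)
    # Parent and child domain within the green tree: two-way transitive.
    g.add_trust("green.example", "sales.green.example", two_way=True, transitive=True)
    # External trust: green trusts yellow, one-way and non-transitive.
    g.add_trust("green.example", "yellow.example", two_way=False, transitive=False)
    return g
```

Because the green/yellow trust is one-way and non-transitive, `trusts("yellow.example", "green.example")` and `trusts("blue.example", "yellow.example")` are both False, while the transitive chain makes `trusts("blue.example", "sales.green.example")` True.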