One common area of confusion when designing an Active Directory forest is this: you do not need to deploy two separate forests solely to support two portions of a network that require separate namespaces.
Each Active Directory domain tree requires a contiguous namespace, which means that the names of any child domains need to look like this:
- company.com
- east.company.com
- mktg.east.company.com
- west.company.com
- ad.west.company.com
Each of these child domains shares a contiguous namespace with the root domain, company.com. However, you can have a separate domain tree within the same forest that does not belong to the same namespace. So you could have a second domain tree within the same forest, with domain names as follows:
- airplanes.com
- finance.airplanes.com
- dev.airplanes.com
- research.airplanes.com
- sst.research.airplanes.com
In this case, you have a single Active Directory forest that contains two domain trees: the company.com domain tree and the airplanes.com domain tree. Even though the two domain trees do not share a namespace, they can still belong to the same forest.
This will allow them to share the same schema, Global Catalogs, and directory configuration. (The argument against multiple domain trees is that, because the two domain trees are part of the same forest, they do not have the same level of isolation that multiple forests would create.) So when you are planning your Active Directory network, be sure that you are not deploying multiple forests in a situation where multiple domain trees would be more appropriate.
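To check an existing or planned design against this rule, the following added example (not part of the original text) groups a forest's domain names into domain trees by contiguous namespace. The function names are hypothetical, and the input list is constructed from the example names above.

```python
# Constructed input: the example names from the text, all placed in one forest.
# In a live forest this list could come from (Get-ADForest).Domains.
FOREST_DOMAINS = [
    "company.com", "east.company.com", "mktg.east.company.com",
    "west.company.com", "ad.west.company.com",
    "airplanes.com", "finance.airplanes.com", "dev.airplanes.com",
    "research.airplanes.com", "sst.research.airplanes.com",
]


def normalize(name):
    """DNS names are case-insensitive; drop any trailing root dot."""
    return name.strip().rstrip(".").lower()


def parent_of(domain, known):
    """Nearest ancestor of `domain` in the forest, matched on whole labels.

    Matching on labels (not raw string suffixes) keeps "mycompany.com"
    from being treated as part of the "company.com" namespace.
    """
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None  # no ancestor in the forest: this domain is a tree root


def build_domain_trees(domains):
    """Return (trees, parents): members per tree root, and each domain's parent."""
    known = {normalize(d) for d in domains}
    parents = {d: parent_of(d, known) for d in known}
    trees = {}
    for d in sorted(known, key=lambda n: (n.count("."), n)):
        root = d
        while parents[root] is not None:  # walk up to the tree root
            root = parents[root]
        trees.setdefault(root, []).append(d)
    return trees, parents


if __name__ == "__main__":
    trees, parents = build_domain_trees(FOREST_DOMAINS)
    for root, members in sorted(trees.items()):
        print(f"tree root: {root}")
        for d in members:
            if d != root:
                print(f"  {d}  (parent: {parents[d]})")
    print(f"{len(trees)} domain tree(s) in one forest")
```

More than one tree root in the output means separate namespaces only; every domain listed still shares the forest's schema, Global Catalogs, and directory configuration.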