Forests
Whereas the namespace for an Active Directory tree is contiguous, the namespace for an Active Directory forest is discontiguous.
A discontiguous namespace is based on different root DNS domain names. A discontiguous namespace is used with multiple trees in a forest. For example, the tree root for Help and Learn, Inc. is helpandlearn.com. Help and Learn, Inc. acquires another company named Marshallsoft. Marshallsoft uses Active Directory with a root DNS domain name of marshallsoft.com. Because the two organizations have different root DNS domain names, their combined Active Directory environment consists of two trees in a forest.
A forest can consist of a forest root domain (described next) and multiple trees below (see Figure 3.7).
NOTE
The first domain created in Active Directory is a forest root domain.
It is important to decide how the forest root domain will be used:
If the forest root domain is used as a regular domain (that is, it holds user and group accounts as well as resources), you must consider that members of the Domain Administrators group for this domain are by default members of the Enterprise Administrators and Schema Administrators groups for the forest. This can pose a security issue because those are the most powerful groups within the forest.
Using a dedicated forest root domain provides a number of benefits. First, the security threat posed by the Enterprise Administrators and Schema Administrators groups is reduced. Because the scope of the forest root domain is limited (the only user accounts in the domain are those created for forest administration), membership of these groups is easier to control. Lastly, replication traffic for the domain is minimal.
CAUTION
It is important to implement a fault-tolerance policy for the forest root domain. This can involve the use of multiple domain controllers (which should be included in any domain) as well as implementing RAID (Redundant Array of Inexpensive Disks) and tape backup on domain controllers. RAID reduces the risk that a single hard drive failure takes a domain controller out of service. Tape backup allows you to restore a domain controller in the event of a failure.
If a forest root domain is lost and cannot be recovered from tape backup, the Enterprise Administrators and Schema Administrators groups are permanently lost. A forest root domain cannot be reinstalled or delegated to another domain. As a result, the Active Directory forest will be, for all practical purposes, inoperable.
Figure 3.7 The hierarchy of an Active Directory forest.
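The following PowerShell script is an added example rather than part of this chapter. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the directory. It checks the two points made above about the forest root domain: who effectively holds membership in the forest-wide administrative groups anchored there (the group names as stored in the directory are Enterprise Admins and Schema Admins), and whether the root is being used as a regular domain full of user accounts. The user-count threshold of 25 and the built-in account exclusion list are assumptions chosen for illustration.

```powershell
# Added example (not from the original text): audit how the forest root domain
# is used and who holds the forest-wide administrative roles anchored in it.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain          # the first domain created in the forest
Write-Host "Forest root domain: $root"

# Enterprise Admins and Schema Admins exist only in the forest root domain, so
# resolve them against a root-domain DC. -Recursive expands nested group membership,
# which is where unexpected members usually hide.
foreach ($groupName in 'Enterprise Admins', 'Schema Admins') {
    $members = Get-ADGroupMember -Identity $groupName -Server $root -Recursive
    Write-Host "`n$groupName ($($members.Count) effective members):"
    $members | Select-Object SamAccountName, objectClass, distinguishedName |
        Format-Table -AutoSize
}

# Schema Admins should normally be empty; membership is added only for the
# duration of a planned schema change and removed afterwards.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $root -Recursive
if ($schemaAdmins.Count -gt 0) {
    Write-Warning "Schema Admins is not empty; confirm each member still needs schema rights."
}

# Is the root used as a regular domain? Count enabled user accounts there,
# ignoring the built-in accounts every domain carries (assumed exclusion list).
$builtIns  = 'Administrator', 'Guest', 'krbtgt'
$rootUsers = Get-ADUser -Filter 'Enabled -eq $true' -Server $root |
             Where-Object { $_.SamAccountName -notin $builtIns }
Write-Host "`nEnabled user accounts in $root (excluding built-ins): $($rootUsers.Count)"

# Threshold is an arbitrary assumption; a dedicated root should hold only
# the handful of accounts used for forest administration.
if ($rootUsers.Count -gt 25) {
    Write-Warning ("The forest root holds many regular user accounts; its Domain Admins " +
                   "are by default Enterprise Admins and Schema Admins for the whole forest.")
}
```

Run it from a management workstation as an account with read access to the root domain; it changes nothing, so it is safe to schedule as a recurring check and diff the output against a known-good baseline.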
Creating Forests
A forest is a group of Active Directory domains. A forest provides for simpler management of multiple domains, while also simplifying the user's experience within the directory. Users and administrators interact with Active Directory through a common forest.
An Active Directory forest must have the following characteristics:
- Single Schema: The schema in Active Directory defines how objects are constructed and which attributes are used in all domains in the forest. The schema is replicated to every domain controller within the forest. Only members of the Schema Administrators group can modify the schema.
- A Single Global Catalog: The global catalog is used for searching or logging on to the directory. A limited set of attributes from every object in the directory is copied to the global catalog. This allows for more efficient use of directory information, because a search consults only the select attributes that are most commonly used rather than every attribute. Users log on to the directory using their User Principal Name. The User Principal Name resembles an Internet e-mail address. It consists of two parts, username@domainname. The username portion is simply the user's logon name, whereas the domain name portion is the DNS name of the Active Directory domain where the user's account is located. As a result, the User Principal Name uniquely identifies the user in the directory.
- A Single Configuration Container: The Configuration Container stores Active Directory configuration objects for the entire forest. These objects contain information such as directory partitions, sites, services, and any directory-enabled applications. The naming context for the Configuration Container is cn=configuration, dc=forestRootDomain. Any changes to the Configuration Container are replicated to all domain controllers in the forest. The Enterprise Administrators group has full control of the Configuration Container.
- Complete Trust Domain Model: Active Directory by default creates two-way transitive trust relationships between all domains in the forest. As a result, users and groups from any domain can be incorporated in access control lists. Unlike earlier versions of Windows NT, Active Directory's default behavior eliminates the need to manually create trusts between domains.
CAUTION
It is very important to strictly limit the membership of the Schema Administrators group.