Forests and Domains: Introduction to file hierarchy
Thursday, October 22nd, 2009
surender asked:
Active Directory possesses a hierarchical structure, which includes three levels, namely forests, trees and domains. The highest
structure is the forest, which offers a single point of access to the whole administrative part; within the forest the next level is the tree, which comprises
one or more domains; and last is the domain, which holds the individual entities to be managed, like printers.
Hence, a domain is a collection of computers and resources that share a common security database, called the Active Directory
database. Each domain in Active Directory is identified by a Domain Name System (DNS) domain name and requires one or more
domain controllers. If a user's network requires more than one domain, he can easily create multiple domains.
A domain tree or tree is formed by grouping one or multiple domains whereby each domain in the tree shares a contiguous
namespace and a hierarchical naming structure. A forest on the other hand is the grouping of one or more domain trees. Trees in a
forest have the naming structures of their associated domains.
A domain provides several benefits:
• Organizing objects; within a domain, you can use organizational units for this purpose.
• Publishing resources and information about domain objects
• Applying a Group Policy object to the domain consolidates resource and security management.
• Delegating authority eliminates the need for a number of administrators with broad administrative authority.
• Security policies and settings do not cross from one domain to another. However, the forest is the final security boundary.
• Each domain stores only the information about the objects located in that domain.
The Root Domain
When you create the first domain in a forest, that domain becomes the root domain. The root domain has many unique components
and features that the remainder of the domains added to the same forest do not have. The root domain is the only domain that
contains the following groups and roles:
• Enterprise Admins group
• Schema Admins group
• Schema Master role
• Domain Naming Master role
Domain Design Factors
The factors which typically affect the domain design are:
• Geographical factors
• WAN link costs
• Business Requirement Factors
• Domain Name Strategy
Forest Design Factors
The various factors that should be considered when planning the design of the forest are:
• The structure of the organization
• Identify operation requirements
• Legal factors
• Cost factors
• Namespace factors
The Single Domain Forest Model
A single domain model is the easiest to administer and the least expensive to maintain. It consists of a forest that contains a single
domain. This domain is the forest root domain and it contains all of the user and group accounts in the forest.
A single domain forest model reduces administrative complexity by providing the following advantages:
• Any domain controller can authenticate any user in the forest.
• All domain controllers can be global catalogs; therefore, you do not need to plan for global catalog server placement.
In a single domain forest, all directory data is replicated to all geographic locations that host domain controllers. While this model is
the easiest to manage, it also creates the most replication traffic of the two domain models.
Disadvantages of a single forest model:
• It does not include test environments.
• As there is only one forest, any changes that are made to the forest affect all the domains within the environment.
• The user has to control enterprise components that are shared over all domains.
Multiple Domain/Forest Model
The benefits of using a multiple forest model are:
• Businesses can operate independently from one another within the larger organization.
• Isolated schemas and configuration directory partitions enable you to define forest autonomy at the schema level and configuration
level.
• For each business, the user can define a separate DNS hierarchy.
• Test environments can be implemented.
But, to maintain the multiple forest model, the user requires greater synchronization and implementation between forests. Also, it has a
far greater design, hardware and administrative cost than that of a single forest implementation.
EUGENE
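As an added illustration of the namespace rules in the answer above (this is example code, not part of the original post), a small Python model that groups domain DNS names into trees by contiguous namespace, classifies the forest as single- or multiple-domain, and checks that the root-only groups and roles are recorded in the forest root domain. The domain names and role locations are constructed sample values, not from any real forest.

```python
"""Constructed model of the forest / tree / domain hierarchy (example, not from the post)."""
from collections import defaultdict

# Groups and roles the answer lists as existing only in the forest root domain.
FOREST_ROOT_ONLY = {"Enterprise Admins", "Schema Admins",
                    "Schema Master", "Domain Naming Master"}

# Constructed sample forest: two trees, because "partner.example" is not a
# contiguous child of "corp.example" and therefore starts its own tree.
SAMPLE_DOMAINS = ["corp.example", "sales.corp.example", "eu.sales.corp.example",
                  "partner.example", "dev.partner.example"]
# Constructed sample: where each root-only group/role is currently recorded.
SAMPLE_LOCATIONS = {"Enterprise Admins": "corp.example",
                    "Schema Admins": "corp.example",
                    "Schema Master": "corp.example",
                    "Domain Naming Master": "sales.corp.example"}  # misplaced on purpose


def parent_of(domain, known):
    """Nearest existing ancestor of `domain` in the contiguous namespace, or None."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def build_trees(domains):
    """Map each tree root to the domains sharing its contiguous namespace."""
    known = set(domains)
    trees = defaultdict(list)
    for d in sorted(domains, key=lambda n: n.count(".")):  # parents before children
        root = d
        while (p := parent_of(root, known)) is not None:   # walk up to the tree root
            root = p
        trees[root].append(d)
    return dict(trees)


def forest_model(domains):
    """'single' when the forest holds exactly one domain, otherwise 'multiple'."""
    return "single" if len(set(domains)) == 1 else "multiple"


def misplaced_root_items(forest_root, locations):
    """Root-only groups/roles whose recorded domain is not the forest root domain."""
    return sorted(name for name, dom in locations.items()
                  if name in FOREST_ROOT_ONLY and dom != forest_root)


if __name__ == "__main__":
    print(build_trees(SAMPLE_DOMAINS))
    print(forest_model(SAMPLE_DOMAINS), misplaced_root_items("corp.example", SAMPLE_LOCATIONS))
```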