Lesson 8 Trees and forests
Objective Define the relationship between domain trees and forests.

Relationship between Domain Trees and Forests

As you expand upon and organize Active Directory, you will create trees and forests. In Windows NT, the namespace was flat. Although NT domains could be configured to trust one another, each was a completely separate entity.
With Windows 2000 and later Windows versions, you can create a group of subdomains branching off from a root domain; these subdomains form a tree[1]. Subdomains are also called child domains[2], as they use the namespace of the root domains in which they reside. For instance, if the root domain is named domain.com, a child domain created under it would be named something like child1.domain.com.
This shows a child domain and its relationship to a root domain.

In organizing Active Directory, you may also want to join groups of domains together into a structure called a forest[3]. Forests are collections of root domains (they do not share a contiguous namespace). The root domain, the first domain that you create, contains the configuration and schema for the forest. Additional domains are added to the root domain to form the tree structure or the forest structure, depending on the domain name requirements. Domains within a forest share two-way transitive trust relationships and share a common schema and global catalog.
Question: What are trees and what are forests?
Answer: Trees are a cohesive group of domains, known as subdomains or child domains, that grow from a root domain. All the domains within a tree share a contiguous namespace. Forests are collections of root domains. They do not share a contiguous namespace.

Why create Multiple Domains?

There will be many occasions in which you will need to create additional domains. Multiple domains are useful when you are dealing with:
  1. Different password requirements between organizations
  2. Large numbers of objects
  3. Different internet domain names
  4. Better control of replication
  5. Decentralized network administration

In order for you to decide whether to create multiple domains and how to use them to best effect, you need to have a clear understanding of the relationship between trees and forests, known as a trust relationship[4]. The series of images below will explain to you the workings of the trust relationship.
Hierarchical Arrangement of Windows Domains
1) A tree is a hierarchical arrangement of Windows domains that share a continuous namespace.

2) When you add a domain to an existing tree, the new domain is a child domain of an existing parent domain. The name of the child domain is combined with the name of the parent domain to form its DNS name.

3) A forest is a group of trees that do not share a contiguous namespace. The trees in a forest share a common configuration, schema, and global catalog.

4) By default, the name of the root tree, or the first tree that is created in the forest, is used to refer to a given forest. Each tree in a forest has its own unique namespace.

5) In order for you to decide how to administer a forest, you need to determine the kind of trust relationship your trees or domains will have. By default, all root domains within a forest have a two-way transitive trust relationship with one another.

6) Active Directory supports two forms of trust relationships: 1) one-way, non-transitive trusts and 2) two-way transitive trusts. One-way, non-transitive trusts must be explicitly created by the administrator. If you have Windows Server 2016 domains coexisting with Windows domains on your network, the trust relationship between the Server and Windows domains is always an explicitly created one-way, non-transitive trust.

7) In a one-way non-transitive trust relationship, if domain green trusts domain yellow, domain yellow does not automatically trust domain green.

8) Windows networks use one-way, non-transitive trust relationships. You manually create these relationships between existing domains. In a large network, this imposes a lot of administrative overhead. Active Directory supports one-way non-transitive trusts for connections to Windows networks and between Active Directory domains.

9) In a two-way transitive trust relationship, if domain green trusts domain blue, then domain blue automatically trusts domain green.

10) If a two-way transitive trust exists between two domains, you can grant permissions to resources in one domain to user and group accounts in the other domain, and vice versa. Two-way, transitive trust relationships are the default between Windows 2000 domains.
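The tree, forest and trust rules in steps 1 to 10 above (and in the question and answer earlier in the lesson) can be made concrete by modelling them in code. The following Python script is an added example written for this page; it is not part of the lesson or of Windows, and every domain name in it is a constructed sample. It groups domain names into trees by their shared namespace, links the domains of a forest with two-way transitive trusts, and then answers the practical access question: can accounts from one domain be granted permissions on resources in another? The check treats an explicitly created one-way trust as non-transitive, so it holds only for the exact pair of domains it was created between.

```python
"""Added example: model the lesson's tree, forest and trust rules on sample domains.

Illustrative code written for this page, not part of the lesson or of Windows.
All domain names are constructed. Rules implemented, from the lesson text:
a tree is a set of domains sharing a contiguous DNS namespace; a forest joins
tree roots; every domain in a forest is linked by two-way transitive trusts;
an explicit one-way trust is non-transitive and flows in one direction only.
"""
from __future__ import annotations

from collections import deque


def nearest_parent(domain: str, domains: set[str]) -> str | None:
    """Closest existing ancestor of `domain` in its namespace, or None for a tree root."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in domains:
            return ancestor
    return None


def build_trees(domain_names) -> dict[str, list[str]]:
    """Group domains into trees keyed by tree root; each tree shares a contiguous namespace."""
    domains = {d.lower().strip(".") for d in domain_names}
    trees: dict[str, list[str]] = {}
    # Shortest names first so every parent is placed before its children.
    for d in sorted(domains, key=lambda n: (n.count("."), n)):
        root = d
        while (up := nearest_parent(root, domains)) is not None:
            root = up
        trees.setdefault(root, []).append(d)
    return trees


class Forest:
    """A forest: one or more trees whose roots trust each other transitively."""

    def __init__(self, forest_root: str, domain_names):
        self.name = forest_root.lower()
        self.trees = build_trees(domain_names)
        if self.name not in self.trees:
            raise ValueError("the forest root domain must be the root of one of its trees")
        # Two-way transitive trust edges, stored symmetrically.
        self.transitive: dict[str, set[str]] = {d: set() for t in self.trees.values() for d in t}
        domains = set(self.transitive)
        for root, members in self.trees.items():
            for d in members:
                parent = nearest_parent(d, domains)
                if parent is not None:        # parent-child trust inside a tree
                    self._link(d, parent)
            if root != self.name:             # tree-root trust to the forest root domain
                self._link(root, self.name)

    def _link(self, a: str, b: str) -> None:
        self.transitive[a].add(b)
        self.transitive[b].add(a)


class TrustMap:
    """Forest-internal transitive trusts plus explicitly created one-way, non-transitive trusts."""

    def __init__(self, forests):
        self.transitive: dict[str, set[str]] = {}
        for f in forests:
            for d, peers in f.transitive.items():
                self.transitive.setdefault(d, set()).update(peers)
        self.one_way: set[tuple[str, str]] = set()   # (trusting domain, trusted domain)

    def add_one_way_trust(self, trusting: str, trusted: str) -> None:
        """`trusting` accepts accounts from `trusted`; nothing flows back and nothing chains."""
        self.one_way.add((trusting.lower(), trusted.lower()))

    def can_be_granted_access(self, account_domain: str, resource_domain: str) -> bool:
        """True if accounts from `account_domain` can be granted permissions in `resource_domain`."""
        account_domain, resource_domain = account_domain.lower(), resource_domain.lower()
        if account_domain == resource_domain:
            return True
        # Transitive trusts chain: breadth-first search over the two-way edges (same forest).
        seen, queue = {account_domain}, deque([account_domain])
        while queue:
            d = queue.popleft()
            if d == resource_domain:
                return True
            for peer in self.transitive.get(d, ()):
                if peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
        # Non-transitive trusts never chain: only the exact pair the administrator created counts.
        return (resource_domain, account_domain) in self.one_way


# Constructed sample: one forest with two trees, plus a separate single-domain forest.
CORP = Forest("corp.example", ["corp.example", "sales.corp.example", "emea.sales.corp.example",
                               "labs.example", "research.labs.example"])
PARTNER = Forest("partner.test", ["partner.test"])
TRUSTS = TrustMap([CORP, PARTNER])
# partner.test trusts accounts from emea.sales.corp.example (one-way, non-transitive).
TRUSTS.add_one_way_trust("partner.test", "emea.sales.corp.example")

if __name__ == "__main__":
    for account, resource in [("research.labs.example", "emea.sales.corp.example"),
                              ("emea.sales.corp.example", "partner.test"),
                              ("sales.corp.example", "partner.test"),
                              ("partner.test", "emea.sales.corp.example")]:
        print(f"{account:>26} -> {resource:<26} {TRUSTS.can_be_granted_access(account, resource)}")
```

Running the script prints the four checks in `__main__`. The case worth studying is the one-way trust: because `partner.test` trusts only `emea.sales.corp.example`, accounts from `sales.corp.example` or any other domain in the same forest are not accepted, and nothing flows back toward the trusted domain, whereas any two domains inside the `corp.example` forest reach each other through the chain of two-way transitive trusts.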


Enhancing Hierarchy and Simplifying Management

In the context of Active Directory (AD) domains, a continuous namespace[5] plays a pivotal role in organizing and managing resources within Forests and Trees. A continuous namespace consists of a hierarchical and contiguous structure of domain names that share a common root domain. This structure enables efficient administration, seamless navigation, and streamlined access to resources, while also simplifying the process of implementing security policies and trust relationships.
The benefits and significance of a continuous namespace in Active Directory domains using Forests and Trees can be highlighted in the following key aspects:
  1. Hierarchy and Organization: A continuous namespace provides a well-structured hierarchy, allowing for a clear organization of resources and domains. This hierarchy facilitates the arrangement of domains within Trees and Forests, making it easier for administrators to manage resources and users in a large-scale environment.
  2. Simplified Trust Relationships: Trust relationships are crucial for granting access to resources across different domains within a Forest. A continuous namespace ensures that parent and child domains share a common root domain, which automatically establishes a transitive trust relationship between them. This simplification reduces the administrative overhead of manually creating and maintaining trust relationships.
  3. Name Resolution and Resource Access: A continuous namespace improves name resolution and resource access within an Active Directory Forest. As domain names are contiguous, the Domain Name System (DNS) can resolve names more efficiently, ensuring that users and services can quickly locate and access resources across the Forest.
  4. Streamlined Group Policy Implementation: Implementing Group Policy Objects (GPOs) is essential for managing and configuring settings within an Active Directory environment. A continuous namespace enables administrators to efficiently apply GPOs across the entire domain hierarchy, ensuring that policies are enforced consistently and reliably throughout the Forest.
  5. Scalability and Flexibility: Continuous namespaces offer greater scalability and flexibility when expanding the domain infrastructure. By adding new child domains or Trees under the common root domain, organizations can accommodate growth and evolving requirements without disrupting the existing namespace or introducing complexity.

A continuous namespace plays a critical role in Active Directory domains using Forests and Trees by enhancing hierarchy, simplifying management, and streamlining resource access. By providing a well-structured, scalable, and flexible foundation, continuous namespaces contribute to the overall efficiency and effectiveness of Active Directory-based infrastructures.

Domains and Forests

Question: What Are Domains and Forests?
The Logical Structure of Active Directory
Active Directory stores network object information and implements the services that make this information available and usable to users. Active Directory presents this information through a standardized, logical structure that helps you establish and understand the organization of domains and domain resources in a useful way. This presentation of object information is referred to as the logical structure because it is independent of the physical aspects of the Active Directory infrastructure, such as the domain controllers required for each domain in the network.
Benefits of the Logical Structure
The logical structure provides a number of benefits for deploying, managing, and securing network services and resources. These benefits include:
  1. Increased network security. The logical structure can provide security measures such as autonomy for individual groups or complete isolation of specific resources.
  2. Simplified network management. The hierarchical nature of the logical structure simplifies configuration, control, and administration of the network, including managing user and group accounts and all network resources.
  3. Simplified resource sharing. The logical structure of domains and forests and the relationships established between them can simplify the sharing of resources across an organization.
  4. Low total cost of ownership. The reduced administration costs for network management and the reduced load on network resources that can be achieved with the Active Directory logical structure can significantly lower the total cost of ownership.
An efficient Active Directory logical structure also facilitates the system integration of features such as Group Policy, enabling desktop lockdown, software distribution, and administration of users, groups, workstations, and servers. In addition, the logical structure can facilitate the integration of services such as Exchange 2000, public key infrastructure (PKI), and domain-based distributed file system (DFS).


Domain Trees Forest - Exercise

But first, click the Exercise link below to implement what you have learned by creating your own Active Directory.
Domain Trees Forest - Exercise
The next lesson will conclude this module.

[1] Trees: A tree is a collection of domains that share a contiguous namespace.
[2] Child domains: A domain located in the namespace tree directly under another domain name (the parent domain), which contains the name of the parent in its own name. Example: sales.tacteam.net is a child domain of the tacteam.net parent domain.
[3] Forests: Two or more domain trees which do not share a contiguous namespace can be joined in a forest.
[4] Trust relationship: A logical relationship established between domains that allows pass-through authentication, providing for users in a trusted domain to access resources in a trusting domain, without having a user account in the trusting domain.
[5] continuous namespace: A continuous namespace in Active Directory is a hierarchical domain structure where child domains are subdomains of the parent domain. For example, if the parent domain is `example.com`, a continuous child domain would be `child.example.com`.
