Domains, Domain Trees, and Forests

Domain trees and forests are two important Active Directory concepts. A domain tree is simply a collection of one or more domains that share a common namespace. The fx.movie.edu and movie.edu domains would be considered part of the movie.edu domain tree; however, the example.com domain, if created after movie.edu, would be in a separate domain tree called example.com. If the domain you create does not contain the full name of the parent domain or forest root domain, it is considered part of a separate domain tree.

A forest is a collection of one or more domain trees. The domains in the movie.edu domain tree and the example.com domain tree could be part of the same forest. A domain tree is based on a common namespace, but a forest is not.

A forest is named after the first domain created in the forest. If movie.edu was the first domain we created, the forest is automatically named movie.edu. We can then create additional domains for fx.movie.edu and example.com all belonging to the movie.edu forest. Another option is to create the example.com domain in its own forest, which has certain implications for user access.
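The rule in the paragraphs above (a domain joins the tree whose root name it contains, otherwise it starts a new tree, and the first domain created names the forest) is easy to get subtly wrong, because "contains the full name of the parent" has to be checked on whole DNS labels: `xmovie.edu` is not beneath `movie.edu`. The following is an added example, not code from the book; the domain names are the chapter's examples plus a constructed `corp.example.com` and `xmovie.edu`, and the function names are my own.

```python
from typing import Dict, List


def _normalize(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def is_child_of(domain: str, parent: str) -> bool:
    """True if `domain` lies beneath `parent` in the DNS namespace.

    The check is case-insensitive and on a label boundary, so
    'fx.movie.edu' is a child of 'movie.edu' but 'xmovie.edu' is not.
    """
    d, p = _normalize(domain), _normalize(parent)
    return d != p and d.endswith("." + p)


def build_forest(domains_in_creation_order: List[str]) -> dict:
    """Group domains into domain trees, following the chapter's rule.

    - The first domain created names the forest.
    - A new domain joins the tree whose root is a suffix of its name
      (on a label boundary); otherwise it becomes the root of a new tree.

    Assumption (matches Active Directory's requirement, but is my own check):
    a parent domain must exist before its child, so a domain that would be
    an ancestor of an existing tree root is rejected.
    """
    if not domains_in_creation_order:
        raise ValueError("a forest needs at least one domain")

    forest_root = _normalize(domains_in_creation_order[0])
    trees: Dict[str, List[str]] = {}

    for raw in domains_in_creation_order:
        d = _normalize(raw)
        for root in trees:
            if is_child_of(root, d):
                raise ValueError(f"{d} would be the parent of existing root {root}")
        for root in trees:
            if is_child_of(d, root):
                trees[root].append(d)
                break
        else:
            trees[d] = [d]  # no existing root is a suffix: new domain tree

    return {"forest": forest_root, "trees": trees}


def same_forest(forest: dict, a: str, b: str) -> bool:
    """Two domains in the same forest trust each other regardless of tree."""
    members = {m for tree in forest["trees"].values() for m in tree}
    return _normalize(a) in members and _normalize(b) in members


if __name__ == "__main__":
    # Constructed creation order: the chapter's domains plus two extras.
    forest = build_forest(
        ["movie.edu", "fx.movie.edu", "example.com", "corp.example.com", "xmovie.edu"]
    )
    print("forest:", forest["forest"])
    for root, members in forest["trees"].items():
        print(f"tree {root}: {members}")
```

Run as a script, it reports the forest name `movie.edu` and three trees: `movie.edu` (with `fx.movie.edu`), `example.com` (with `corp.example.com`), and `xmovie.edu` on its own, which is the point the chapter makes about namespaces versus forests.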

All domains within a forest, regardless of which domain tree they are part of, are trusted by each other from an authentication and authorization perspective. For this reason, the forest is considered the primary security boundary in Active Directory. By making the example.com domain part of the movie.edu forest, users in example.com ...
