Chapter 2. Forests, Domains, and Trusts


To the layperson, the title of this chapter may seem like a hodgepodge of unrelated terms. For the seasoned Active Directory administrator, however, these terms represent the most fundamental and, perhaps, most important concepts within Active Directory. In simple terms, a forest is a collection of data partitions and domains; a domain is a hierarchy of objects that is replicated between one or more domain controllers; a trust is an agreement between two domains to allow security principals (i.e., users, groups, and computers) to access resources in either domain.

Active Directory domains are named using the Domain Name Service (DNS) namespace. The domains that are part of a common DNS namespace are considered to be in the same domain tree. For example, the,, and domains are part of the domain tree. A single domain tree is sufficient for most implementations, but one example when multiple domain trees are necessary is with large conglomerate corporations. Conglomerates are made up of multiple individual companies. Each company typically wants to maintain its own identity and, therefore, its own namespace. Describing the conglomerate scenario is a good way to show the relationships between forests, domains, domain trees, and trusts.

Assuming each company within the conglomerate wants its Active Directory domain name to be based on its company name, you have two ...

Get Active Directory Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.