Chapter 2. Forests, Domains, and Trusts

2.0. Introduction

To the layperson, the title of this chapter may seem like a hodgepodge of unrelated terms. For the seasoned Active Directory administrator, however, these terms represent the most fundamental and, perhaps, most important concepts within Active Directory. In simple terms, a forest is a collection of one or more domains that share a common schema partition and configuration partition, replicate a common global catalog, and are joined by automatic two-way transitive trusts; a domain is a hierarchy of objects held in its own directory partition and replicated among one or more domain controllers; a trust is an agreement between two domains or forests that lets security principals (i.e., users, groups, and computers) from the trusted domain be authenticated to, and granted access to resources in, the trusting domain. Trusts are directional: a one-way trust lets principals cross it in one direction only, and a two-way trust is simply a pair of one-way trusts. Because every domain in a forest trusts every other domain in it and they all share the schema and configuration partitions, the forest, not the domain, is the security boundary in Active Directory.

Active Directory domains are named using the Domain Name System (DNS) namespace. Domains that are part of the same contiguous DNS namespace form a domain tree. For example, the marketing.adatum.com, sales.adatum.com, and adatum.com domains are part of the adatum.com domain tree. A single domain tree is sufficient for most implementations, but one example in which multiple domain trees might be necessary is a large conglomerate corporation. Conglomerates are made up of multiple individual companies, each of which typically wants to maintain its own identity and, therefore, its own namespace. If you need to support noncontiguous namespaces within a single forest, you will need to create multiple domain trees. For example, adatum.com and treyresearch.com can form two separate domain trees within the same ...
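The following script is an added example, not code from the book, that maps the concepts above onto a live forest: it enumerates the forest's domains, groups them into domain trees by walking each domain's parent up to the root of its contiguous DNS namespace, and then lists the trusts defined on the current domain together with their direction and security-relevant attributes. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the script is run as a domain user on a machine joined to the forest being mapped; the Get-TreeRoot function is a helper written for this example.

```powershell
# Added example (not from the book): map a forest's domain trees and trusts with
# the ActiveDirectory module. Assumes RSAT is installed and the host is joined to
# the forest; any authenticated domain user can read these attributes.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root: $($forest.RootDomain)  (forest functional level: $($forest.ForestMode))"

# Fetch every domain in the forest once. ParentDomain is empty for the root of
# each domain tree, so it is the key to reconstructing the tree structure.
$domains = foreach ($name in $forest.Domains) { Get-ADDomain -Identity $name }

# Helper (written for this example): a domain tree is a contiguous DNS namespace,
# so walk ParentDomain upward until a domain with no parent is reached.
function Get-TreeRoot {
    param($Domain, $All)
    $current = $Domain
    while ($current.ParentDomain) {
        $current = $All | Where-Object { $_.DNSRoot -eq $current.ParentDomain }
    }
    return $current.DNSRoot
}

$trees = $domains | Group-Object { Get-TreeRoot -Domain $_ -All $domains }
"`nDomain trees in this forest: $($trees.Count)"
foreach ($tree in $trees) {
    "  Tree root: $($tree.Name)"
    foreach ($d in ($tree.Group | Sort-Object DNSRoot)) {
        # Indent child domains by how many labels deeper than the tree root they sit.
        $depth  = $d.DNSRoot.Split('.').Count - $tree.Name.Split('.').Count
        $indent = '    ' * ($depth + 1)
        "$indent$($d.DNSRoot) [NetBIOS: $($d.NetBIOSName)] DCs: $($d.ReplicaDirectoryServers.Count)"
    }
}

# Trusts are directional. Direction is reported relative to the domain you query,
# using the same terminology as the New Trust wizard:
#   Outbound      -> this domain trusts Target; Target's principals can be granted
#                    access to resources in this domain
#   Inbound       -> Target trusts this domain; this domain's principals can be
#                    granted access to resources in Target
#   BiDirectional -> both of the above
# Intra-forest trusts are the automatic transitive trusts between forest domains;
# cross-forest trusts without SID filtering or selective authentication deserve
# a second look, since they extend the forest's security boundary.
"`nTrusts defined on $($env:USERDNSDOMAIN):"
Get-ADTrust -Filter * | ForEach-Object {
    $flags = @()
    if ($_.IntraForest)              { $flags += 'intra-forest' }
    if ($_.ForestTransitive)         { $flags += 'forest-transitive' }
    if ($_.SelectiveAuthentication)  { $flags += 'selective-auth' }
    if ($_.SIDFilteringQuarantined)  { $flags += 'SID-filtering' }
    "  {0,-32} {1,-14} {2,-10} {3}" -f $_.Target, $_.Direction, $_.TrustType, ($flags -join ', ')
}
```

The tree grouping is derived purely from ParentDomain, so a forest containing adatum.com, marketing.adatum.com, and treyresearch.com is reported as two trees (adatum.com with one child, and treyresearch.com), which is exactly the noncontiguous-namespace case the text describes. Run the trust listing from each domain in turn, because Get-ADTrust only returns the trusted-domain objects stored in the domain you are querying.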
