Chapter 5: Exam 70-297 Study Guide
One of the main reasons to create multiple trees is that you need more than one
DNS namespace in the domain forest. You will need to base your decision on
your analysis and other factors, such as future requirements of the organization.
Creating more trees simply means that you will need to maintain separate
namespaces for each tree and create more domains because each domain tree
must have at least one domain.
Designing the Multiple Forest Structure
A forest is a group of domain trees that do not share a contiguous namespace.
There is always one forest in any Active Directory-based network. This forest is
automatically created when you install the first domain controller. The domain
you create becomes the Forest Root domain. A forest specifies the outermost
security boundary of the network. Administrative control and user access are
possible only in the domains within the forest. To extend access to resources
outside the forest, you need to create forest trusts. These forest trusts are
available only if the forest functional level is Windows Server 2003, and they
are not transitive.
Domains in a forest share a common schema, directory partition, two-way
transitive trust relationships between domains, and a common global catalog. As
much as possible, you should avoid using multiple forests and try to contain your
design to a single forest. But there may be situations when you will need to
consider creating multiple forests. These situations include the following:
Linking two separate organizations
This situation is very much a reality these days, with a number of mergers
and acquisitions taking place. The multiple forests may be needed so that
users in one organization can access resources in the other organization.
Creating an autonomous unit
You may be in a situation where administrators of a forest need independence
from the main forest of the organization. For example, a group of developers
may need to make changes to the forest schema without affecting the main
forest.
Creating an isolated unit
There may be a situation in which each unit needs to maintain its own security
and isolated administration for the forest. Some legal requirements may also
require creation of separate forests.
As much as possible, you should try to limit your design to a single forest. With
multiple forests, each forest will have to maintain its own schema and directory
partition as well as its own global catalog. Replication and trust relationships
will have to be configured manually. All this means that multiple forests involve
more administrative overhead and require a more complex design.
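The following script is an added example, not part of the study guide, that shows
how an administrator can verify the two design facts discussed above: whether the
forest functional level permits forest trusts, and which trust relationships
(automatic intra-forest trusts versus manually created cross-forest trusts) are
currently in place. It assumes the ActiveDirectory PowerShell module (RSAT) is
installed and that the account running it can read the directory; the cmdlets
Get-ADForest and Get-ADTrust and the property names used are those of that module.

```powershell
# Added example (not from the study guide): inventory the forest functional level
# and the trust relationships that a multi-forest design depends on.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root domain : $($forest.RootDomain)"
"Forest mode        : $($forest.ForestMode)"
"Domains            : $($forest.Domains -join ', ')"

# Forest trusts require the Windows Server 2003 forest functional level or higher;
# the two lower modes cannot create them.
if ($forest.ForestMode -in 'Windows2000Forest', 'Windows2003InterimForest') {
    "Forest functional level is below Windows Server 2003: forest trusts are not available."
}

# Get-ADTrust -Filter * returns every trust object known to this domain.
# IntraForest marks the automatic two-way transitive trusts between domains of
# the same forest; ForestTransitive marks a manually created forest trust.
$trusts = Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive, SelectiveAuthentication

$trusts | Format-Table -AutoSize

# Design check: a cross-forest trust created without selective authentication
# makes users of the trusted forest members of Authenticated Users in the
# trusting forest, so every ACL that grants Authenticated Users applies to them.
$wideOpen = $trusts | Where-Object { -not $_.IntraForest -and -not $_.SelectiveAuthentication }
if ($wideOpen) {
    "Cross-forest trusts without selective authentication (review their scope):"
    $wideOpen | ForEach-Object { "  $($_.Name) ($($_.Direction))" }
}
```

Run it from any domain-joined machine in the forest you are assessing; the trust
table is the inventory you have to maintain by hand in a multi-forest design,
which is the administrative overhead the text above warns about.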
Some of the disadvantages of using multiple forests are as follows:
• Administration overhead increases with more training to administrators and
• Replication of information between domains of multiple forests must be