A forest is the largest entity in Active Directory. A forest consists of one or more trees joined together at their root domains by trusts (tree-root trusts, which are two-way and transitive). Each tree consists of one or more domains arranged in a hierarchy and joined by parent-child trusts, which are likewise two-way and transitive. All trees and domains in a forest share a common schema, configuration partition, and global catalog.

When you promote your first WS2003 domain controller (using dcpromo), you automatically create a forest containing a single domain. This first domain is both the root domain of your first tree and the forest root domain of the entire forest. When you create additional WS2003 domains, you can choose whether to:

  • Add the new domain to an existing tree of your forest

  • Make the new domain the root domain of a new tree in your forest

  • Create an entirely new forest


While a tree has a contiguous DNS namespace, the namespace within a forest doesn’t have to be contiguous. The root domain of each tree in a forest must have its own unique DNS name to identify it within the forest. However, the forest itself is uniquely identified with respect to other forests by the DNS name of its forest root domain—that is, the DNS name of the first domain created in the forest. For example, let’s say that the Canadian company MTIT Enterprises (whose DNS domain name is decides to start a separate, worldwide operation called MTIT Enterprises Worldwide, whose domain name will be different (e.g., In this case the forest root domain and the root domain ...
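The structure this section describes can be read back from a live directory, which is a useful check after you have promoted domain controllers and chosen tree or forest placements. The following PowerShell script is an added example, not code from the book; it uses the .NET System.DirectoryServices.ActiveDirectory classes (available from .NET 2.0 onward) and assumes only that it runs on a domain-joined machine as a user who can read the directory. It reports the forest name (which is the DNS name of the forest root domain), the shared schema and global catalogs, each tree root and its child domains with a check that children sit inside their parent's DNS namespace, and the trust relationships of every domain, so that the automatically created tree-root and parent-child trusts can be told apart from trusts to other forests.

```powershell
# Added example (not from the book): enumerate the forest, its trees and its trusts.
# Assumes a domain-joined machine and read access to the directory; nothing else.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# The forest is identified by the DNS name of its forest root domain.
"Forest:             $($forest.Name)"
"Forest root domain: $($forest.RootDomain.Name)"
"Forest mode:        $($forest.ForestMode)"
"Schema:             $($forest.Schema.Name)"
"Global catalogs:    $(($forest.GlobalCatalogs | ForEach-Object { $_.Name }) -join ', ')"

# A domain with no parent is the root of a tree. Tree roots may use unrelated
# DNS names; within a tree, each child must be in its parent's DNS namespace.
$treeRoots = $forest.Domains | Where-Object { $null -eq $_.Parent }

function Show-DomainTree {
    param(
        [System.DirectoryServices.ActiveDirectory.Domain]$Domain,
        [int]$Depth = 0
    )
    $indent = '  ' * $Depth
    "$indent$($Domain.Name)  (domain mode: $($Domain.DomainMode))"
    foreach ($child in $Domain.Children) {
        # Contiguous-namespace check for the tree.
        $suffix = ".$($Domain.Name)"
        if (-not $child.Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning "$($child.Name) is a child of $($Domain.Name) but is outside its DNS namespace"
        }
        Show-DomainTree -Domain $child -Depth ($Depth + 1)
    }
}

"`nTrees in forest $($forest.Name):"
foreach ($root in $treeRoots) {
    "Tree rooted at $($root.Name):"
    Show-DomainTree -Domain $root -Depth 1
}

# TreeRoot and ParentChild trusts are created automatically when domains are
# added; External and Forest trusts point outside this forest and were created
# by an administrator, so they deserve a second look.
"`nTrust relationships (per domain):"
foreach ($domain in $forest.Domains) {
    foreach ($t in $domain.GetAllTrustRelationships()) {
        "{0,-30} -> {1,-30} {2,-12} {3}" -f $t.SourceName, $t.TargetName, $t.TrustType, $t.TrustDirection
    }
}

"`nForest-level trusts to other forests:"
foreach ($t in $forest.GetAllTrustRelationships()) {
    "{0,-30} -> {1,-30} {2,-12} {3}" -f $t.SourceName, $t.TargetName, $t.TrustType, $t.TrustDirection
}
```

Run it from any domain in the forest; because every domain shares the same configuration partition, the forest, tree and trust information is the same regardless of which domain controller answers. A warning from the namespace check indicates a child domain that was not placed where its DNS name says it belongs, which is worth resolving before building anything on top of the naming.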
