Lesson 8 Trees and forests
Objective Define the relationship between domain trees and forests.

Domain Trees and Forests

Relationship between Domain Trees and Forests

As you expand upon and organize Active Directory, you will create trees and forests. In Windows NT, the namespace was flat. Although NT domains could be configured to trust one another, each was a completely separate entity.
With Windows 2000 and later Windows versions, you can create a group of subdomains branching off from a root domain; these subdomains form a tree[1]. Subdomains are also called child domains[2], as they use the namespace of the root domains in which they reside. For instance, if the root domain is named domain.com, a child domain created under it would be named something like child1.domain.com.

This shows a child domain and its relationship to a root domain.

In organizing Active Directory, you may also want to join groups of domains together into a structure called a forest[3]. Forests are collections of root domains (they do not share a contiguous namespace). The root domain, the first domain that you create, contains the configuration and schema for the forest. Additional domains are added to the root domain to form the tree structure or the forest structure, depending on the domain name requirements. Domains within a forest share two-way transitive trust relationships and share a common schema and global catalog.

Question: What are trees and what are forests?
Answer: Trees are a cohesive group of domains, known as subdomains or child domains, that grow from a root domain. All the domains within a tree share a contiguous namespace. Forests are collections of root domains. They do not share a contiguous namespace.

Why create Multiple Domains?

There will be many occasions in which you will need to create additional domains. Multiple domains are useful when you are dealing with:
  1. Different password requirements between organizations
  2. Large numbers of objects
  3. Different internet domain names
  4. Better control of replication
  5. Decentralized network administration

In order for you to decide whether to create multiple domains and how to use them to best effect, you need to have a clear understanding of the relationship between trees and forests, known as a trust relationship[4].
The diagrams below will explain to you the workings of the trust relationship.

Hierarchical Arrangement of Windows Domains

1) A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace.

2) When you add a domain to an existing tree, the new domain is a child domain of an existing parent domain. The name of the child domain is combined with the name of the parent domain to form its DNS name.

3) A forest is a group of trees that do not share a contiguous namespace. The trees in a forest share a common configuration, schema, and global catalog.

4) By default, the name of the root tree, or the first tree that is created in the forest, is used to refer to a given forest. Each tree in a forest has its own unique namespace.

5) In order for you to decide how to administer a forest, you need to determine the kind of trust relationship your trees or domains will have. By default, all root domains within a forest have a two-way transitive trust relationship with one another.

6) Active Directory supports two forms of trust relationships: 1) one-way, non-transitive trusts and 2) two-way transitive trusts. One-way, non-transitive trusts must be explicitly created by the administrator. If you have Windows Server 2016 domains coexisting with Windows domains on your network, the trust relationship between the Server and Windows domains is always an explicitly created one-way, non-transitive trust.

7) In a one-way non-transitive trust relationship, if domain green trusts domain yellow, domain yellow does not automatically trust domain green.

8) Windows networks use one-way, non-transitive trust relationships. You manually create these relationships between existing domains. In a large network, this imposes a lot of administrative overhead. Active Directory supports one-way non-transitive trusts for connections to Windows networks and between Active Directory domains.

9) In a two-way transitive trust relationship, if domain green trusts domain blue, then domain blue automatically trusts domain green.

10) If a two-way transitive trust exists between two domains, you can grant permissions to resources in one domain to user and group accounts in the other domain, and vice versa. Two-way, transitive trust relationships are the default between Windows domains.
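The naming rule for child domains and the difference between transitive forest trusts and one-way non-transitive trusts can be modelled as a small graph. The following is an added example, not part of the lesson; the forest (corp.example with two trees) and the external trust to legacy.local are constructed sample data. It answers the question an administrator reviewing a forest needs: given an account in one domain, which domains can grant that account access to resources?

```python
from collections import deque

# Constructed sample forest (assumption, not from the lesson).
# Intra-forest domains map child -> parent; tree roots map to None.
FOREST = {
    "corp.example": None,                      # forest root, first tree
    "sales.corp.example": "corp.example",
    "eu.sales.corp.example": "sales.corp.example",
    "labs.test": None,                         # second tree, non-contiguous namespace
    "dev.labs.test": "labs.test",
}
FOREST_ROOT = "corp.example"
# Explicitly created one-way, non-transitive trusts as (trusting, trusted):
# "legacy.local trusts corp.example", so corp.example accounts can be granted
# access in legacy.local, but not the reverse.
EXTERNAL_TRUSTS = [("legacy.local", "corp.example")]

def is_child(child, parent):
    """Contiguous-namespace rule: the child's DNS name is parent prefixed by its label."""
    return child != parent and child.endswith("." + parent)

def tree_root(domain):
    """Walk parent links up to the root of the tree the domain belongs to."""
    while FOREST[domain] is not None:
        domain = FOREST[domain]
    return domain

def forest_trust_edges():
    """Two-way transitive trusts a forest creates automatically:
    parent<->child within a tree, and each tree root<->forest root."""
    edges = set()
    for domain, parent in FOREST.items():
        if parent is not None:
            assert is_child(domain, parent), "child name must extend parent name"
            edges |= {(domain, parent), (parent, domain)}
        elif domain != FOREST_ROOT:
            edges |= {(domain, FOREST_ROOT), (FOREST_ROOT, domain)}
    return edges

def domains_trusting(account_domain):
    """Domains that can grant access to accounts from account_domain."""
    transitive = forest_trust_edges()
    reached, queue = {account_domain}, deque([account_domain])
    while queue:                      # transitive trusts chain hop by hop
        trusted = queue.popleft()
        for trusting, t in transitive:
            if t == trusted and trusting not in reached:
                reached.add(trusting)
                queue.append(trusting)
    for trusting, trusted in EXTERNAL_TRUSTS:   # non-transitive: direct hop only,
        if trusted == account_domain:           # never a stepping stone onward
            reached.add(trusting)
    return sorted(reached)
```

Note that legacy.local reaches nothing in the forest, and an account in sales.corp.example does not reach legacy.local even though its parent is trusted there, which is exactly the non-transitive behaviour in items 6 and 7.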

Domain Trees Forest - Exercise

But first, click the Exercise link below to implement what you have learned by creating your own Active Directory.
The next lesson will conclude this module.

[1] Trees: A tree is a collection of domains that share a contiguous namespace.
[2] Child domains: A domain located in the namespace tree directly under another domain name (the parent domain), which contains the name of the parent in its own name. Example: sales.tacteam.net is a child domain of the tacteam.net parent domain.
[3] Forests: Two or more domain trees which do not share a contiguous namespace can be joined in a forest.
[4] Trust relationship: A logical relationship established between domains that allows pass-through authentication, providing for users in a trusted domain to access resources in a trusting domain, without having a user account in the trusting domain.