Distributed Networks

Active Directory
Trees and forests

Windows Domains using Forests and Trees

What Are Domains and Forests?
The Logical Structure of Active Directory
Active Directory stores network object information and implements the services that make this information available and usable to users. Active Directory presents this information through a standardized, logical structure that helps you establish and understand the organization of domains and domain resources in a useful way. This presentation of object information is referred to as the logical structure because it is independent of the physical aspects of the Active Directory infrastructure, such as the domain controllers required for each domain in the network.
Benefits of the Logical Structure
The logical structure provides a number of benefits for deploying, managing, and securing network services and resources. These benefits include:
  1. Increased network security. The logical structure can provide security measures such as autonomy for individual groups or complete isolation of specific resources.
  2. Simplified network management. The hierarchical nature of the logical structure simplifies configuration, control, and administration of the network, including managing user and group accounts and all network resources.
  3. Simplified resource sharing. The logical structure of domains and forests and the relationships established between them can simplify the sharing of resources across an organization.
  4. Low total cost of ownership. The reduced administration costs for network management and the reduced load on network resources that can be achieved with the Active Directory logical structure can significantly lower the total cost of ownership.
An efficient Active Directory logical structure also facilitates the system integration of features such as Group Policy, enabling desktop lockdown, software distribution, and administration of users, groups, workstations, and servers. In addition, the logical structure can facilitate the integration of services such as Exchange 2000, public key infrastructure (PKI), and domain-based distributed file system (DFS).


A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace.

When you add a domain to an existing tree, the new domain is a child domain of an existing parent domain.

A forest is a group of trees that do not share a contiguous namespace.

The name of the root tree, or the first tree that is created in the forest, is used to refer to a given forest.


In order to decide how to administer a forest, you need to determine the kind of trust relationship your trees or domains will have.

Active Directory supports two forms of trust relationships: 1) one-way, non-transitive trusts and 2) two-way, transitive trusts.

In a one-way, non-transitive trust relationship, if domain green trusts domain yellow, domain yellow does not automatically trust domain green.

Windows NT networks use one-way, non-transitive trust relationships.

In a two-way, transitive trust relationship, if domain green trusts domain blue, then domain blue automatically trusts domain green.

If a two-way, transitive trust exists between two domains, you can grant permissions to resources in one domain to user and group accounts in the other domain.
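To make the two trust forms concrete, the following is an added example (not part of the original course) that models domains as a graph of directed trust edges and works out, for a given resource domain, which domains' user and group accounts could be granted permissions there. The domain names and the trust layout are constructed for illustration.

```python
from collections import deque
from typing import Dict, List, NamedTuple, Set

class Trust(NamedTuple):
    trusted: str      # domain whose accounts this trust accepts
    transitive: bool  # may this trust be one hop of a longer trust path?

# trusting domain -> trusts it holds; "green trusts yellow" is an edge green -> yellow
TrustGraph = Dict[str, List[Trust]]

def add_trust(graph: TrustGraph, trusting: str, trusted: str,
              two_way: bool, transitive: bool) -> None:
    """Record that `trusting` trusts `trusted`; a two-way trust adds the reverse edge."""
    graph.setdefault(trusting, []).append(Trust(trusted, transitive))
    graph.setdefault(trusted, [])
    if two_way:
        graph[trusted].append(Trust(trusting, transitive))

def grantable_domains(graph: TrustGraph, resource_domain: str) -> Set[str]:
    """Domains whose users and groups can be granted permissions on resources in
    `resource_domain`: every directly trusted domain, plus domains reached over two
    or more hops when every hop on the path is transitive."""
    reachable: Set[str] = set()
    start = (resource_domain, True)  # state: (domain, all hops so far transitive)
    queue, seen = deque([start]), {start}
    while queue:
        dom, extendable = queue.popleft()
        for t in graph.get(dom, []):
            # a direct trust always counts; a longer path needs transitive hops only
            usable = dom == resource_domain or (extendable and t.transitive)
            if t.trusted == resource_domain or not usable:
                continue
            reachable.add(t.trusted)
            state = (t.trusted, extendable and t.transitive)
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return reachable

def example_forest() -> TrustGraph:
    """Constructed sample (not from the page): a forest with two trees, an NT-style
    one-way non-transitive trust to 'yellow', and yellow's own trust to 'red'."""
    g: TrustGraph = {}
    add_trust(g, "green", "sales.green", two_way=True, transitive=True)  # parent-child
    add_trust(g, "green", "blue", two_way=True, transitive=True)         # tree roots
    add_trust(g, "green", "yellow", two_way=False, transitive=False)     # NT-style
    add_trust(g, "yellow", "red", two_way=False, transitive=False)
    return g
```

Running `grantable_domains(example_forest(), "sales.green")` yields green and blue but not yellow, because the hop from green to yellow is non-transitive, while yellow itself can only grant to accounts from red since its trust from green is one-way.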