This action might not be possible to undo. Are you sure you want to continue?
In this section
The Logical Structure of Active Directory
The Physical Structure of Active Directory
What are Domains?
What are Forests?
The Active Directory directory service is a distributed database that stores and manages information about network resources, as well as
application-specific data from directory-enabled applications. Active Directory allows administrators to organize objects of a network (such
as users, computers, and devices) into a hierarchical collection of containers known as the logical structure. The top-level logical container
in this hierarchy is the forest. Within a forest are domain containers, and within domains are organizational units.
Understanding domains and forests requires understanding the possible relationships they might have in Active Directory. The relationships
between these logical containers might be based on administrative requirements, such as delegation of authority, or they might be defined
by operational requirements, such as the need to provide for data isolation. Service administrators can use domain and forest containers to
meet a number of specific requirements, including:
Implementing an authentication and authorization strategy for sharing resources across a network
Providing a mechanism for centralizing management of multiple domains and forests
Providing an information repository and services to make information available to users and applications
Organizing objects of a network (such as users, computers, devices, resources, and application specific data from directory-enabled
applications) into a non-physical hierarchical structure
To learn more about domains and forests, you must first understand the logical and physical structures of Active Directory. This section
describes how those structures differ, and defines domains and forests in terms of the logical structure.
Active Directory stores network object information and implements the services that make this information available and usable to users.
Active Directory presents this information through a standardized, logical structure that helps you establish and understand the
organization of domains and domain resources in a useful way. This presentation of object information is referred to as the logical structure
because it is independent of the physical aspects of the Active Directory infrastructure, such as the domain controllers required for each
domain in the network.
Benefits of the Logical Structure
The logical structure provides a number of benefits for deploying, managing, and securing network services and resources. These benefits
Increased network security. The logical structure can provide security measures such as autonomy for individual groups or complete
isolation of specific resources.
Simplified network management. The hierarchical nature of the logical structure simplifies configuration, control, and administration of
the network, including managing user and group accounts and all network resources.
Simplified resource sharing. The logical structure of domains and forests and the relationships established between them can simplify
the sharing of resources across an organization.
Low total cost of ownership. The reduced administration costs for network management and the reduced load on network resources
that can be achieved with the Active Directory logical structure can significantly lower the total cost of ownership.
An efficient Active Directory logical structure also facilitates the system integration of features such as Group Policy, enabling desktop
lockdown, software distribution, and administration of users, groups, workstations, and servers. In addition, the logical structure can
facilitate the integration of services such as Exchange 2000, public key infrastructure (PKI), and domain-based distributed file system
Components of the Logical Structure
The logical structure consists of leaf object and container object components that must conform to the hierarchical structure of an Active
Directory forest. Leaf objects are objects that have no child objects, and are the most basic component of the logical structure. Container
objects store other objects and occupy a specific level within the forest hierarchy.
The Logical Structure of Active Directory
Back to Top
Page 1 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
The relationships among the components of the logical structure control access to stored data and determine how that data is managed
across one or more domains within a single forest. The components that make up the Active Directory logical structure are described in the
Components of the Active Directory Logical Structure
By understanding the purpose and hierarchical structure of these components, you can complete a variety of tasks, including installing,
configuring, managing, and troubleshooting Active Directory. Although the logical structure of Active Directory is a hierarchical organization
of all users, computers, and other physical resources, the forest and domain form the basis of the logical structure.
Forests, which are the security boundaries of the logical structure, can be structured to provide data and service autonomy and isolation in
an organization in ways that can both reflect site and group identities and remove dependencies on the physical topology. Domains can be
structured within a forest to provide data and service autonomy (but not isolation) and to optimize replication with a given region.
This separation of logical and physical structures improves manageability and reduces administrative costs because the logical structure is
not impacted by changes in the physical structure, such as the addition, removal, or reorganization of users and groups.
You can view and manage components of the logical structure by using the Active Directory Users and Computers, Active Directory
Domains and Trusts, and Active Directory Schema Microsoft Management Console (MMC) snap-ins, and other tools.
The physical structure of Active Directory is represented by a set of physical components which, when configured correctly, can help
optimize the transmission of network replication and authentication in ways specifically tailored to fit your physical network. Physical
network components, such as domain controllers and physical subnets, are used to facilitate network communication and to set physical
boundaries around network resources. More specifically, the physical structure of Active Directory represents all of the physical subnets in
your enterprise network, the domain controllers in those physical subnets (commonly referred to as Sites in Active Directory) and the
replication connections between the domain controllers.
Sites and subnets are represented in Active Directory by site and subnet objects. Computers on TCP/IP networks are assigned to site
objects based on their location in a physical subnet or a set of physical subnets. Physical subnets group computers in a way that identifies
their physical proximity on the network. Each site object is associated with one or more subnet objects. Subnet objects are used during the
Organizational units are container objects. You use these container objects to arrange other objects in a manner that
supports your administrative purposes. By arranging objects in organizational units, you make it easier to locate and
manage them. You can also delegate the authority to manage an organizational unit. Organizational units can be nested in
other organizational units.
You can arrange objects that have similar administrative and security requirements into organizational units.
Organizational units provide multiple levels of administrative authority, so that you can apply Group Policy settings and
delegate administrative control. This delegation simplifies the task of managing these objects and enables you to structure
Active Directory to fit your organization´s requirements.
Domains are container objects. Domains are a collection of administratively defined objects that share a common
directory database, security policies, and trust relationships with other domains. In this way, each domain is an
administrative boundary for objects. A single domain can span multiple physical locations or sites and can contain millions
Domain trees are collections of domains that are grouped together in hierarchical structures. When you add a domain to a
tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent
A child domain might in turn have its own child domain. The name of a child domain is combined with the name of its
parent domain to form its own unique Domain Name System (DNS) name such as Corp.nwtraders.msft. In this manner, a
tree has a contiguous namespace.
A forest is a complete instance of Active Directory. Each forest acts as a top-level container in that it houses all domain
containers for that particular Active Directory instance. A forest can contain one or more domain container objects, all of
which share a common logical structure, global catalog, directory schema, and directory configuration, as well as
automatic two-way transitive trust relationships. The first domain in the forest is called the forest root domain. The name
of that domain refers to the forest, such as Nwtraders.msft. By default, information in Active Directory is shared only
within the forest. In this way, the forest is a security boundary for the information that is contained in that instance of
Sites are leaf and container objects. The sites container is the topmost object in the hierarchy of objects that are used to
manage and implement Active Directory replication. The sites container stores the hierarchy of objects that are used by
the Knowledge Consistency Checker (KCC) to effect the replication topology. Some of the objects located in the sites
container include NTDS Site Settings objects, subnet objects, connection objects, server objects, and site objects (one site
object for each site in the forest). The hierarchy is displayed as the contents of the Sites container, which is a child of the
The Physical Structure of Active Directory
Back to Top
Page 2 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
process of domain controller location to find a domain controller in the same site as the computer that is logging on. This information also is
used during Active Directory replication to determine the best routes between domain controllers. This enables you to use network
bandwidth more efficiently. For example, it ensures that when users log on to the network they are authenticated by the authentication
authority nearest to the user, thus reducing the amount of network traffic.
The physical domain controller contains the directory partitions that are replicated. Although the logical and physical structures are defined
and configured independently, they have interdependencies that affect replication.
You can view the physical structure of Active Directory by using Active Directory Sites and Services.
For more information about the network components associated with the physical structure of Active Directory, see the "Active Directory
Replication Topology Technical Reference."
Domains are logical directory components that you create to manage the administrative requirements of your organization. The logical
structure is based on the administrative requirements of an organization, such as the delegation of administrative authority, and
operational requirements, such as the need to control replication. In general, domains are used to control where in the forest replication of
domain data occurs and organizational units are used to further organize network objects into a logical hierarchy and delegate control to
appropriate administrative support personnel.
A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In
this way, the directory can scale globally over a network that has limited available bandwidth. Domains can also be defined as:
Containers within a forest
Units of Policy
Units of Replication
Authentication and Authorization Boundaries
Units of Trust
Each domain has a domain administrators group. Domain administrators have full control over every object in the domain. These
administrative rights are valid within the domain only and do not propagate to other domains.
Domains as Containers Within a Forest
Within the scope of a forest, a domain is a container. Objects in that container inherently trust each other and the security services located
in that same container. Each time you create a new domain container in a forest, a two-way, transitive trust relationship is automatically
created between the new domain and its parent domain. Trusts are logical relationships established between domains to allow pass-through
authentication in which a trusting domain honors the logon authentications of a trusted domain. Because all domain containers within a
forest are joined together by two-way transitive trusts, objects within one domain container also inherently trust all other objects and
security services located in every domain container located in that forest.
Domain containers are used to store and manage Active Directory objects, some of which have a physical representation. All of the objects
within the domain container are stored in a central database that stores only objects created within that domain. Some objects represent
people or groups of people, while others represent computers or network servers. Examples of Active Directory objects that have a physical
representation are user, computer, and group objects.
While domains contain objects that represent physical things, they also contain objects that are used to help self-regulate domain
operations such as trusted domain objects (TDOs) and site link objects. Domain containers can also hold subordinate containers such as
organizational units. The following figure shows where objects are stored within the logical structure of a domain.
Domain Containment Structure Within a Forest
What Are Domains?
Back to Top
Page 3 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
Organizational Units and Objects
Organizational units are used to group objects, including accounts and resources in a domain, for administrative purposes, such as the
application of Group Policy or delegation of authority. Control over an organizational unit, including the objects within it, is determined by
the access control lists (ACLs) on the organizational unit and on the objects in the organizational unit.
The organizational unit is a particularly useful type of directory object contained within domains. Each organizational unit is an Active
Directory container within a domain into which users, groups, computers, and other organizational units of the domain can be placed. An
organizational unit cannot contain objects from other domains.
An organizational unit is the smallest scope or unit to which Group Policy settings can be assigned or to which administrative authority can
be delegated. A hierarchy of organizational units can be extended as necessary to model the hierarchy of an organization within a domain.
The administrative model of the organizational unit can be scaled to any size. For more information about Group Policy, see "How Core
Group Policy Works."
Administrative authority can be delegated for individual organizational units or for multiple organizational units. Organizational units can be
nested to create a hierarchy within a domain and form logical administrative units for users, groups, and resource objects, such as printers,
computers, applications, and file shares. The organizational unit hierarchy within a domain is independent of the structure of other
domains: Each domain can implement its own hierarchy. Likewise, domains that are managed by the central authority can implement
similar organizational unit hierarchies. The structure is flexible, which allows organizations to create an environment that mirrors the
administrative model, whether it is centralized or decentralized.
Active Directory objects represent the physical entities that make up a network. An object stores an instance of a class. A class is defined in
the Active Directory schema as a specific set of mandatory and optional attributes - that is, an attribute can be present in an object in
Active Directory only when that attribute is permitted by the object´s class. Classes also contain rules that determine which classes of
objects can be superior to (parents of) a particular object of the class. Each attribute is also defined in the directory schema. The attribute
definitions determine the syntax for the values the attribute can have.
Creation of an Active Directory object requires specification of values for the attributes of the object in its particular class, consistent with
the rules of the directory schema. For example, creating a user object requires specification of alphanumeric values for the user´s first and
last names and the logon identifier, which are mandatory according to the directory schema. Other non-mandatory values can also be
specified, such as telephone number and address.
Applications that create or modify objects in Active Directory use the directory schema to determine what attributes the object must and
might have, and what those attributes can look like in terms of data structures and syntax constraints. The directory schema is maintained
forest-wide so that all objects created in the directory conform to the same values.
Objects are either container objects or leaf objects. A container object stores other objects, and as such occupies a specific level in a
subtree hierarchy. An object class is a container if at least one other class specifies it as a possible superior, so any object class defined in
the schema can become a container. A leaf object does not store other objects, so it occupies the endpoint of a subtree. For more
information about Active Directory Objects, see "How Domains and Forests Work" and "How the Active Directory Schema Works".
Page 4 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
Domains as Units of Policy
A domain defines a scope or unit of policy within a forest. Some policy settings apply only to the scope of a domain, that is, the policy
settings are domain-wide. Account policies, for example, apply uniformly to all user accounts in the domain. Although a domain is not the
smallest unit of policy that can be assigned (policies can be assigned to organizational units) it is the most commonly used unit when
splitting administrative duties between departments and subsidiaries located in different geographical locations. As shown in the following
figure, you might need to create multiple domains to provide for policy variance among domains throughout a forest. A domain is also
considered a unit of access control, in that it can be used for business groups requiring general autonomy.
Delegation of Domains to Domain Admins that Require Different Policies or Autonomy
You cannot define different account policies for different organizational units in the same domain. Policy settings are stored as Group Policy
objects (GPOs) in Active Directory. A GPO establishes how domain resources can be accessed, configured, and used. The policies associated
with a GPO are applied only within the domain and not across domains. A GPO can be associated with one or more Active Directory
containers, such as a site, domain, or organizational unit.
Account policies and Public Key policies have domain-wide scope and are set at the domain GPO level. All other policies can be specified at
the level of the organizational unit. Some policies that can be applied only at the domain container level include:
Password policy. Determines the rules, such as password length, that must be met when a user sets a password.
Account lockout policy. Defines rules for intruder detection and account deactivation.
Kerberosticket policy. Determines the lifetime of a Kerberos ticket. A Kerberos ticket is obtained during the logon process and is used
for network authentication. A particular ticket is only valid for the lifetime specified in the policy.
Because organizational units provide multiple levels of administrative authority, you can use them to systematically apply Group Policy
Page 5 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
settings and delegate administrative control. Delegation simplifies the task of managing these objects and enables you to structure Active
Directory to fit the requirements of your organization. Using delegated authority in conjunction with GPOs and group memberships allows
one or more administrators to be assigned rights and permissions to manage objects in an entire domain or in one or more organizational
units within the domain.
For more information about Group Policy, see "How Core Group Policy Works."
Domains as Units of Replication
The physical significance of a domain is that it is a unit of replication. In fact, with the exception of application partitions, which replicate
only non-security principal objects, the domain is the smallest unit of replication that can be administered within an Active Directory forest.
This is because all objects that are located within a domain container, also referred to as domain data, are replicated to other domain
controllers within that same domain, regardless of whether those domain controllers are located over a local area network (LAN) or wide
area network (WAN) connection.
As shown in the following figure, Active Directory multi-master replication manages the transfer of domain objects to the appropriate
domain controllers automatically, keeping domain data up-to-date among all domain controllers in the domain, regardless of location.
Replication of Domain Data Within Each Domain in the Forest
All domain controllers in the forest are also updated with changes to forest-wide data. For more information about replication at the Forest
level, see "Forests as Units of Replication" later in this section Domain-wide replication relies on three components of the Active Directory
physical structure to be in place for optimal performance, these include:
Page 6 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
The physical domain controller contains the domain partition data that is replicated to other domain controllers in that same domain. A
domain partition stores only the information about objects located in that domain. All domain controllers in a domain receive changes and
replicate those changes to the domain partition stored on all other domain controllers in the domain. In this way, all domain controllers are
peers in the domain and manage replication as a unit.
Domain controllers also have two non-domain directory partitions that store forest-wide data, which includes the directory schema and
configuration data. Optionally, on Windows Server 2003 domain controllers, application partitions can be configured to be located on
designated domain controllers anywhere in a forest. Unlike the schema and configuration partitions, application partitions are not located
on every domain controller in a forest. For more information about the replication of forest-wide data, see "Forests as Units of Replication,"
later in this section.
Partitioning Active Directory data into three physical partitions on each domain controller helps to control replication so that data is
replicated only to where it is needed. In this way, Active Directory can scale globally over a network that has limited available bandwidth.
Within the scope of a forest, sites are a representation of the physical network topology. This includes physical subnet and site definitions.
Replication of updates to domain data occurs between multiple domain controllers to keep replicas synchronized. Multiple domains are
common in large organizations, as are multiple sites in disparate locations. In addition, domain controllers for the same domain are
commonly placed in more than one site.
Therefore, replication must often occur both within sites and between sites to keep domain and forest data consistent among domain
controllers that store the same directory partitions. Replication within sites generally occurs at typical LAN speeds between domain
controllers that are on the same network segment. Replication between sites usually occurs over WAN links that might be costly in terms of
bandwidth. To accommodate the differences in distance and cost of replication within a site and between sites, the intrasite replication
topology is used to optimize speed, and the intersite replication topology is used to minimize cost based on a configurable replication
The Knowledge Consistency Checker (KCC) is a distributed application that runs on every domain controller and is responsible for creating
the connections between domain controllers that collectively form the replication topology. The KCC uses Active Directory data to determine
where to create connections between source domain controllers and destination domain controllers.
Intersite replication is optimized for bandwidth efficiency, and directory updates between sites occur automatically based on a configurable
Domain-Wide Operations Masters
Active Directory supports multi-master replication of the directory data store between all domain controllers in the domain. However, some
changes are impractical to perform in multi-master fashion, so only a single domain controller, called the operations master, accepts
requests for such changes. Because these roles can be transferred to other domain controllers within the domain or forest, they are
sometimes referred to as operations master roles.
There are three operations master roles per domain. These include the Relative Identifier (RID) Master, Primary Domain Controller (PDC)
emulator, and Infrastructure Master. These three roles must be unique in each domain, so each domain can have only one RID master, one
PDC emulator, and one Infrastructure Master. For information about forest-wide roles, see "Forest-Wide Operations Master Roles" later in
this section. For more information about replication, see "How Active Directory Replication Topology Works."
Domains as Authentication and Authorization Boundaries
By default, a domain provides authentication and authorization services for all its accounts in order to facilitate logons and single sign-on
access control to shared resources within the boundaries of the domain. The process of authentication ensures that users are who they
claim to be. Once identified, the user can be authorized access to a specific set of network resources based on permissions. Authorization
takes place through the mechanism of access control, using access control lists (ACLs) that define permissions on file systems, network file
and print shares, and entries in Active Directory.
Authorization is determined not only by the identity of the user but also the membership of the user in one or more security groups. In fact,
the preferred method of controlling domain-wide resources is to grant access to groups rather than to individuals, adjusting the level of
authorization for a group according to the needs of its members. This method of controlling access makes it easier to keep ACLs up-to-date
on domains that have thousands of users and objects. Group membership can be managed centrally by anyone with the appropriate
administrative credentials. You can change the level of authorization a particular user has to many resources simply by adding or removing
the user from a group. The following figure shows when authentication and authorization for a user in a given domain occur.
Authentication and Authorization of a User Within the Same Domain
Page 7 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
Authentication is not limited to users. Computers and services are also authenticated when they make network connections to other
servers. For example, Windows Server 2003-based servers and client computers connect Active Directory in their domain for policy
information during startup. Computers and services also prove their identity to clients that request mutual authentication. Mutual
authentication prevents an intruder from adding another computer as an imposter between the client and the real network server. The
Kerberos version 5 authentication protocol is a technology for single sign-on to network resources. Windows Server 2003 uses the Kerberos
V5 protocol to provide single sign-on to network services within a domain, and to services residing in trusted domains. The Kerberos V5
protocol verifies both the identity of the user and of the network services, providing mutual authentication.
Authentication and authorization services in one domain can be extended to accounts that are located in trusted domains. This can be done
by using trusts. Trusts are logical relationships established between domains to allow pass-through authentication in which a trusting
domain honors the logon authentications of a trusted domain. Consequently, trust relationships inherently allow domain-specific
authentication and authorization services to be extended, thereby enabling single sign-on access control capabilities throughout a forest.
Because the domain trust relationships between all domains in the forest are bidirectional by default, authentication in one domain is
sufficient for referral or pass-through authentication to resources in other domains in the forest.
Domains as Units of Trust
A domain is the smallest container within Active Directory that can be used in a trust relationship. All domains within a forest are connected
by Kerberos-based trusts. Kerberos-based trusts are two-way and transitive in nature. Trusts act as authentication pipelines that must be
present in order for users in one domain to access resources in another domain. All authentication requests made between domains located
inside or outside of a forest must occur over trusts. Trust relationships within a forest are created as implicit two-way transitive trusts.
"Access to resources" in any discussion of trust relationships always assumes the limitations of access control.
Within a forest, trust relationships are automatically created between the forest root domain and any tree root domains on the one hand,
and all child domains that are subordinate to the forest root domain on the other. Because trust relationships are two-way and transitive by
default, users and computers can be authenticated between any domain containers in the forest, as shown in the following figure.
Domains as Units of Trust and the Authentication Paths they Provide
Page 8 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
In accordance with DNS naming standards, Active Directory domains within a single forest are created in an inverted tree structure, with
the forest root domain at the top. This tree structure requires that trusts exist between domains to facilitate security of communications.
Adding a domain tree to a forest requires specification of the forest root domain, which results in the establishment of a trust relationship
between the root domain of the new tree and the forest root domain. For more information about trusts and root domains, see "Forests as
Collections of Domain Containers that Trust Each Other," later in this section.
What Domains Are Not
Domains are not security boundaries within the scope of Active Directory and do not provide complete isolation in the face of possible
attacks by malicious service administrators who might manage that forest. This is because a malicious service administrator, such as a
member of the Domain Admins group, can use nonstandard tools and procedures to gain full access to any domain in the forest or to any
computer in the forest. For example, service administrators in a non-root domain can make themselves members of the Enterprise Admins
or Schema Admins group.
However, administrative rights do not flow across domain boundaries, nor do they flow down through a domain tree. For example, if you
have a domain tree with domains A, B, and C, where A is the parent domain of B and B is the parent domain of C, users with administrative
rights in domain A do not have administrative rights in B, nor do users with administrative rights in domain B have administrative rights in
domain C. For a user to obtain administrative rights in a given domain, a higher authority must grant them. This does not mean, however,
that an administrator cannot have administrative rights in multiple domains; it simply means that all rights must be explicitly defined.
For more information about isolation, see "Forests as Security Boundaries," later in this section.
At its highest level, a forest is a single instance of Active Directory. Therefore, a forest is synonymous with Active Directory, meaning that
What Are Forests?
Back to Top
Page 9 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
the set of all directory partitions in a particular Active Directory instance (which includes all domain, configuration, schema and optional
application information) makes up a forest. This means that when you have multiple forests in an enterprise they will, by default, act
separately from each other as if they were the only directory service in your organization.
This behavior, however, is easily be modified so that multiple forests can share Active Directory responsibilities across an enterprise. This is
done by creating external or forest trust relationships between the forests. In this way, each forest can be connected with every other
forest to form a collaborative directory service solution for any enterprise with business needs that include multiple forest collaboration.
Forests can also be defined as:
Collections of Domain Containers that Trust Each Other
Units of Replication
Units of Delegation
Forests as Collections of Domain Containers that Trust Each Other
Within the scope of Active Directory, a forest is a collection of domain containers that inherently trust each other and other security
services that are located in that same forest. All domain containers in a forest share a common global catalog, directory schema, and
directory configuration, as well as automatic two-way transitive trust relationships. Because all of the domain containers are inherently
joined through two-way transitive trusts, all authentication requests made from any domain in the forest to any other domain in the same
forest will be granted. In this way, all security principals that are located in domain containers within a forest inherently trust each other.
Forests can be used to segregate domain containers into one or more unique DNS namespace hierarchies known as domain trees. Although
each domain tree consists of a unique namespace the schema and configuration data for the forest are shared throughout all the domain
containers in a forest irrespective of namespace. Each domain container in a forest must adhere to DNS naming schemes and all domains
are organized in a root and subordinate domain hierarchy. Root domains, such as forest root and tree root domains, define the DNS
namespace for their subordinate domains. Although a forest can consist of multiple domain trees, it represents one organization. However,
an organization can have multiple forests. For more information about multiple forests, see "Forests as Units of Delegation," later in this
section. As shown in the following figure, the namespace for each root domain must be unique.
Domain Containers, Root Domains and DNS Namespaces Within a Forest
Page 10 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
Forest Root Domain
Although trees in a forest do not share the same DNS namespace, a forest does have a single root domain, called the forest root domain.
The forest root domain is, by definition, the first domain created in the forest. The Enterprise Admins and Schema Admins groups are
located in this domain. By default, members of these two groups have forest-wide administrative credentials. In Windows 2000 Active
Directory, the forest root domain cannot be deleted, changed, or renamed. In Windows Server 2003 Active Directory, the forest root
domain cannot be deleted, but it can be restructured or renamed.
Objects are located within Active Directory domains according to a hierarchical path, which includes the labels of the Active Directory
domain name and each level of container objects. The full path to the object is defined by the distinguished name (also known as a DN).
The distinguished name is unambiguous (identifies one object only) and unique (no other object in the directory has this name). By using
the full path to an object, including the object name and all parent objects to the root of the domain, the distinguished name uniquely and
unambiguously identifies an object within a domain hierarchy.
The distinguished name of the forest root domain is used to locate the configuration and schema directory partitions in the namespace. The
distinguished names for the Configuration and Schema containers in Active Directory always show these containers as child objects in the
forest root domain. For example, in the child domain Noam.wingtiptoys.com (where Wingtiptoys.com is the name of the forest root
domain), the distinguished name of the Configuration container is cn=configuration,dc=wingtiptoys,dc=com. The distinguished name of the
Schema container is cn=schema,cn=configuration,dc=wingtiptoys,dc=com. However, this naming convention provides only a logical
location for these containers.
These containers do not exist as child objects of the forest root domain, nor is the schema directory partition actually a part of the
configuration directory partition: They are separate directory partitions. Every domain controller in a forest stores a copy of the
configuration and schema directory partitions, and every copy of these partitions has the same distinguished name on every domain
Tree Root Domain
A domain tree represents a unique DNS namespace: it has a single root domain, known as the tree root domain, and is built as a strict
hierarchy: Each domain above the tree root domain has exactly one superior, or parent, domain (the forest root domain). The namespace
created by this hierarchy, therefore, is contiguous - each level of the hierarchy is directly related to the level above it and to the level
Page 11 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
below it. In other words, the names of domains created beneath the tree root domain (child domains) are always contiguous with the name
of the tree root domain. The DNS names of the child domains of the root domain of a tree reflect this organization; therefore, the children
of a root domain called Somedomain are always children of that domain in the DNS namespace (for example, Child1.somedomain,
Child2.somedomain, and so forth).
Multiple domain trees can belong to a single forest and do not form a contiguous namespace; that is, they have noncontiguous DNS domain
names. Although the roots of the separate trees have names that are not contiguous with each other, the trees share a single overall
namespace because names of objects can still be resolved by the same Active Directory instance. A forest exists as a set of cross-reference
objects and trust relationships that are known to the member trees. Transitive trusts at the root domain of each namespace provide mutual
access to resources.
The domain hierarchy in a forest determines the transitive trust links that connect each domain. Each domain has a direct trust link with its
parent and each of its children. If there are multiple trees in a forest, the forest root domain is at the top of the trust tree and, from a trust
perspective, all other tree roots are children. That means authentication traffic between any two domains in different trees must pass
through the forest root.
Forests as Units of Replication
Unlike domains, forests are the largest unit of replication that can be administered in an Active Directory environment. To efficiently
synchronize data between domain controllers throughout a forest, Active Directory replication transfers updates according to directory
partition. Directory partitions are used to help organize how replication occurs within a forest. Active Directory uses four distinct directory
partition types to store and copy four different types of data.
One directory partition contains domain data; the other three are forest-wide partitions, and contain configuration, schema, and application
data. This storage and replication design provides directory information to users and administrators throughout the domain. Each domain
controller receives directory updates to the data stored in its domain only, as well as updates to the data in the two directory partitions that
store configuration and schema data for the forest. As shown in the following figure, schema and configuration data must be replicated to
all domain controllers that exist in a forest, while optional Application data is replicated only to domain controllers within the same forest
running Windows Server 2003 that are specified as replication partners.
Forest-Wide Replication Scope
Page 12 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
The following table describes each of the three forest-wide partitions in more detail.
Forest-Wide Directory Partitions
The schema partition contains the forest-wide schema. Each forest has one schema so that the definition of each object
class is consistent. The schema is the formal definition of all object and attribute data that can be stored in the directory.
Active Directory domain controllers include a default schema that defines many object types, such as user and computer
accounts, groups, domains, organization units, and security policies. Administrators and programmers can extend the
schema by defining new object types and attributes or by adding new attributes for existing objects. Schema objects are
protected by access control lists, ensuring that only authorized users can alter the schema. The schema partition is
replicated to each domain controller in the forest.
The configuration partition describes the topology of the forest as well as other forest, domain and domain controller
settings. This configuration data includes a list of all domains, trees, and forests and the locations of the domain controllers
and global catalogs. The configuration partition is replicated to each domain controller in the forest.
Applications and services can use application directory partitions to store application-specific data. Data stored in the
application directory partition is intended to satisfy cases where information needs to be replicated but not necessarily on a
global scale. Application directory partitions can contain any type of object, except security principals. Application directory
partitions are usually created by the applications that will use them to store and replicate data. One of the benefits of an
Page 13 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
All forest replication is Multi-Master with the exception of the three domain-wide and two forest-wide operations master roles. Forest-wide
replication requires domain controllers and three other components of the Active Directory physical structure to be in place for optimal
performance. These components are forest-wide operations master roles, sites, and global catalogs.
Forest-Wide Operations Master Roles
There are two operations master roles assigned for the entire forest. These include the domain naming master and the schema master.
Each forest must have one and only one schema master and one domain naming master, so these two roles must remain in the forest root
domain. The other three operations master roles are assigned to each domain in the forest. These three roles must be unique in each
domain, so each domain can have only one relative ID master, one PDC emulator, and one infrastructure master.
In an Active Directory forest with only one domain and one domain controller, that domain controller has all the operations master roles.
For more information about operations master roles, see "How Operations Masters Work."
Sites in Active Directory represent the physical structure, or topology, of the network. Within the scope of a forest, sites are a
representation of the physical network topology, including physical subnet and site definitions. When you establish sites, domain controllers
within a single site communicate frequently. This communication minimizes the latency within the site; that is, the time required for a
change that is made on one domain controller to be replicated to other domain controllers. You create sites to optimize use of the
bandwidth between domain controllers in different locations. For more information about sites, see "How the Active Directory Replication
The global catalog stores a full copy of all Active Directory objects in the directory for its host domain and a partial copy of all objects for all
other domains in the forest. Users in a forest do not need to be aware of directory structure because all users see a single directory through
the global catalog. Applications and clients can query the global catalog to locate any object in a forest. The global catalog is hosted on one
or more domain controllers in the forest. It contains a partial replica of every domain directory partition in the forest. These partial replicas
include replicas of every object in the forest, including the attributes most frequently used in search operations and the attributes required
to locate a full replica of the object. A global catalog is created automatically on the first domain controller in the forest. Optionally, other
domain controllers can be configured to serve as global catalogs.
A global catalog serves the following roles:
Enables user searches for directory information about objects throughout all domains in the forest
Resolves user principal names (UPNs) during authentication, when the authenticating domain controller does not have information
about the account
Supplies universal group membership information in a multiple domain environment
Validates references to objects in other domains in the forest
For more information about global catalogs and their roles, see "How the Global Catalog Works."
Forests as Security Boundaries
Each forest is a single instance of the directory, the top-level Active Directory container, and a security boundary for all objects that are
located in the forest. This security boundary defines the scope of authority of the administrators. In general, a security boundary is defined
by the top-level container for which no administrator external to the container can take control away from administrators within the
container. As shown in the following figure, no administrators from outside a forest can control access to information inside the forest
unless first given permission to do so by the administrators within the forest.
Enterprise Administrators Outside of a Forest Can Administer Only Within Their Own Forest
application directory partition is that, for redundancy, availability, or fault tolerance, the data in it can be replicated to
different domain controllers in a forest. The data can be replicated to a specific domain controller or any set of domain
controllers anywhere in the forest. This differs from a domain directory partition in which data is replicated to all domain
controllers in that domain.
Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Application
directory partitions are created, configured, and managed by the administrator.
Page 14 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
A forest is the only component of the Active Directory logical structure that is a security boundary. By contrast, a domain is not a security
boundary because it is not possible for administrators from one domain to prevent a malicious administrator from another domain within
the forest from accessing data in their domain. A domain is, however, the administrative boundary for managing objects, such as users,
groups, and computers. In addition, each domain has its own individual security policies and trust relationships with other domains.
Forests as Units of Delegation
The forest is the largest management unit of Active Directory as well as the ultimate unit of autonomy and isolation of authority. Members
of the Enterprise Admins and forest root Domain Admins security groups are known as enterprise administrators. Enterprise administrators
control the Active Directory objects in the configuration container that do not belong to any one domain, including Enterprise Certification
Authority objects and other configuration data that affects all domains in the forest.
Because enterprise administrators have authority over all domains in the forest, the domain administrators in each domain must trust the
enterprise administrators. You cannot truly restrict enterprise administrators from managing objects in any domain in the forest. Enterprise
administrators can always regain control over objects. Some organizations with political challenges, such as those frequently encountered
in mergers and acquisitions, might find the scope of this enterprise authority too great and require more than one forest. If your
organization requires strict isolation of authority between domains, you must deploy multiple forests with manually created trusts between
domains in the different forests.
Because each forest is administered separately, adding additional forests to your organization increases the management overhead of the
organization. The number of forests that you need to deploy is based on the autonomy and isolation requirements of each group within
your organization. Reasons to create multiple forests in your organization include:
To secure data within each forest. Sensitive data can be protected so that only users within that forest can access it.
To isolate directory replication within each forest. Schema changes, configuration changes, and the addition of new domains to a
forest have forest-wide impact only within that forest, not on a trusting forest.
Because the forest is a security boundary, each forest does not trust or allow access from any other forest by default. However, in Windows
Server 2003 Active Directory, transitive trust relationships can be manually established between forests to establish cross-forest access to
resources, so that users in one forest can access resources in another forest.
Forest trusts help you to manage a segmented Active Directory infrastructure within your organization by providing support for accessing
resources and other objects across multiple forests. By using forest trusts, you can link two different Windows Server 2003 forests to form
a one-way or two-way transitive trust relationship. A forest trust allows administrators to federate two Active Directory forests with a single
trust relationship to provide a seamless authentication and authorization experience across the forests.
When two forests are connected by a forest trust, authentication requests made using the Kerberos V5 or NTLM protocols can be routed
between forests to provide access to resources in both forests. Trust security settings and firewalls can be configured between domains in
different forests that are joined by trust relationships to limit cross-forest connectivity to specific users or applications. For more
information about trust security settings, see "Security Considerations for Trusts."
A forest trust can be created only between a forest root domain in one Windows Server 2003 forest and a forest root domain in another
Windows Server 2003 forest. Forest trusts can be created between two forests only and cannot be implicitly extended to a third forest. This
means that if a forest trust is created between Forest 1 and Forest 2, and another forest trust is created between Forest 2 and Forest 3,
Page 15 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
Forest 1 does not have an implicit trust with Forest 3. The following figure shows two separate forest trust relationships between three
Windows Server 2003 forests in a single organization.
Two Forest Trusts Between Three Windows Server 2003 Forests
The following resources contain additional information that is relevant to this section.
How Active Directory Replication Topology Works
How Core Group Policy Works
How Domains and Forests Work
How Operations Masters Work
How the Active Directory Schema Works
How the Global Catalog Works
Security Considerations for Trusts
Back to Top
Page 16 of 16 What are Domains and Forests? - Directory Services: Windows Server 2003
This action might not be possible to undo. Are you sure you want to continue?