TechDirectArchive

Active Directory Forest – Trees and Domain and Sites

Posted on 11/04/2020, last updated 15/02/2025, by Christian. 4 Comments on Active Directory Forest – Trees and Domain and Sites

In this article, we discuss “Active Directory Forest – Trees and Domain and Sites”. Active Directory (AD) is a directory service developed by Microsoft for Windows domain environments. An AD forest is the top-level container in an Active Directory setup; it contains domains, users, computers, and group policies. Please see how to install Veeam Backup Console on a Jump Server, Active Directory: How to Setup a Domain Controller, and how to install and configure Active Directory Domain Services on Windows Server 2022.

The Active Directory structure is built at the domain level. The framework that holds the objects can be viewed at different levels, namely forest, domain trees, and domains. An Active Directory deployment can have more than one domain, and the collection of these tiers is referred to as a forest.

Note: Under each domain, you can have as many trees as you need. An Active Directory environment of this nature can create autonomy and segregation of duty, thereby increasing security; if it is not configured correctly, however, it can also open the Active Directory environment to exploitation.

See the following guides for other information: What are the differences between Universal, Global, and Domain Local Group Scopes; the differences between Active Directory Lightweight Directory Services and Active Directory Domain Services; and how to add a second Domain Controller to your environment.

Active Directory Structure

Within a deployment, objects are grouped into domains as shown in the diagram below. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure (namespace).

Active Directory Forest: A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

A forest is a collection of one or more domains that may have one or more trees. What makes a forest unique is that it shares the same schema. The schema defines what and how Active Directory objects are stored.

A forest is a group of trees that do not share a contiguous namespace.

Active Directory Domain: A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

When you add a domain to an existing tree, the new domain is a child domain of an existing parent domain.

Active Directory Tree: A tree is a collection of one or more domains and domain trees in a contiguous namespace and is linked in a transitive trust hierarchy. When you have multiple domains in the same namespace (e.g., techdirect.local, zone.techdirect.local), they are considered to be in the same tree. The tree also supports multiple levels of domains.

A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace.

Please see “The trust relationship between this workstation and the primary domain failed“. Also, see “Enter connection information for your on-premise directory or forests: Azure AD connect unable to connect directory, forest not available“.

Some other information on AD Forest – Trees and Domain and Sites

Parent and child domains are automatically linked by the trust. Users in different domains can use these trusts to access resources in another domain assuming that they have access.

Trees in the forest are linked together via a trust automatically. This ensures that any users in any domain in the forest can access any resource in the forest to which they have access.

  • Global Catalog: In order for users to find resources in any domain in the forest (remember that each domain has a separate database), Domain Controllers can be made into Global Catalog Servers. A Global Catalog Server contains partial information about every object in the forest. Using this information, the user can conduct searches.
  • Trust relationship: A logical relationship established between domains that allows pass-through authentication, so that users in a trusted domain can access resources in a trusting domain without having a user account in the trusting domain.
  • Organizational units (OUs) are containers that hold other Active Directory objects like users, computers, printers, shared folders, and even other organizational units. The advantage of OUs is that they can be used to set security policies and delegate administrative control.
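The forest, tree, domain, Global Catalog and trust concepts above can all be read back from a live directory. The following PowerShell is an added example, not code from the original post: it inventories the forest, groups its domains into trees by their contiguous DNS namespace, lists the Global Catalog servers, and tabulates every trust so that any trust crossing the forest boundary (the security boundary) can be reviewed for direction and SID filtering. It assumes the RSAT ActiveDirectory module and an account that can read the directory; the domain name techdirect.local in the comments is taken from the article's own example.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# RSAT module and a domain-joined account that can read the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root     : {0}" -f $forest.RootDomain
"Schema master   : {0}" -f $forest.SchemaMaster
"Forest mode     : {0}" -f $forest.ForestMode

# Every domain in the forest. A domain with no ParentDomain is the root of a
# tree (its own contiguous namespace, e.g. techdirect.local); child domains
# such as zone.techdirect.local hang below it in the same tree.
$domains = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ }
$treeRoots = $domains | Where-Object { -not $_.ParentDomain }
foreach ($root in $treeRoots) {
    "Tree root       : {0}" -f $root.DNSRoot
    $domains |
        Where-Object { $_.DNSRoot -ne $root.DNSRoot -and $_.DNSRoot.EndsWith(".$($root.DNSRoot)") } |
        ForEach-Object { "  child domain  : {0} (parent {1})" -f $_.DNSRoot, $_.ParentDomain }
}

# Global Catalog servers hold a partial replica of every object in the forest.
"Global Catalogs : {0}" -f ($forest.GlobalCatalogs -join ", ")

# Trusts. Parent/child and tree-root trusts are created automatically and
# show IntraForest = True. Anything else (external or forest trusts) crosses
# the forest security boundary: review its direction, whether SID filtering
# (SIDFilteringQuarantined) is enabled, and whether selective authentication
# limits which resources the other side can reach.
Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Source           = $_.Source
        Target           = $_.Target
        Direction        = $_.Direction
        IntraForest      = $_.IntraForest
        ForestTransitive = $_.ForestTransitive
        SIDFiltering     = $_.SIDFilteringQuarantined
        SelectiveAuth    = $_.SelectiveAuthentication
    }
} | Format-Table -AutoSize
```

Run it from any domain-joined machine with RSAT installed; the tree grouping is derived purely from DNS names, which is exactly the "contiguous namespace" rule the article uses to define a tree.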

Reasons to Create Additional Domain

There will be many occasions on which you will need to create additional domains. Multiple domains are useful when you are dealing with:

  • Different password requirements between organizations
  • Large numbers of objects
  • Different internet domain names
  • Better control of replication, and
  • Decentralized network administration

To decide whether to create multiple domains, and how to use them to best effect, you need a clear understanding of the relationship between trees and forests, known as a trust relationship.

While forests, trees, and domains are all logical groupings of objects, the physical grouping of objects is made possible using a site.

A site groups objects based on IP addresses; hence a site cannot span different physical locations. For example, if your organization has branches in different places, each location can be represented by its own site.

A site is mainly used for replication and traffic control purposes. It is important to understand that sites and domains are not interrelated. A site can contain multiple domains and a single domain could span across multiple sites.
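To make the "single domain spanning multiple sites" case concrete, here is an added PowerShell example (not code from the original post) that creates two sites for two physical locations, maps IP subnets to each site so that clients in a location use the domain controller in the same location, and then verifies which domain controller serves which site. The site names City1 and City2 and the subnets are assumed values; nothing in the script is specific to the author's environment.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# RSAT module and rights to create objects in the Configuration partition.
Import-Module ActiveDirectory

# A site is a set of well-connected IP subnets. A subnet object maps a subnet
# to a site so that the DC locator sends clients in that subnet to a domain
# controller in the same site. Names and ranges below are assumed.
$siteSubnets = @{
    "City1" = @("10.1.0.0/24", "10.1.1.0/24")
    "City2" = @("10.2.0.0/24")
}

foreach ($site in $siteSubnets.Keys) {
    # Create the site only if it does not already exist (idempotent re-runs).
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $siteSubnets[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# A DC can be moved into the site for its physical location, e.g.:
#   Move-ADDirectoryServer -Identity "DC02" -Site "City2"
# (DC02 is an assumed hostname.)

# Verify: which DC sits in which site (one domain, two sites), and which
# subnets map to which site. A client in an unmapped subnet is not placed
# in any site and may authenticate against a DC across the WAN.
Get-ADDomainController -Filter * |
    Select-Object HostName, Domain, Site, IsGlobalCatalog |
    Format-Table -AutoSize

Get-ADReplicationSubnet -Filter * |
    Select-Object Name, Site |
    Format-Table -AutoSize

# From a client, confirm the site it was placed in and the DC it located:
#   nltest /dsgetsite
#   nltest /dsgetdc:techdirect.local
```

Because the subnet objects live in the forest-wide Configuration partition, the same site definitions are visible to every domain in the forest, which is why a site can contain domain controllers from multiple domains while a single domain can have domain controllers in several sites.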

I hope you found this blog post on “Active Directory Forest – Trees and Domain and Sites” helpful. If you have any questions, please let me know in the comment section.

Comments (4) on “Active Directory Forest – Trees and Domain and Sites”

  1. Hish says:
    11/10/2021 at 11:39 PM

    Hi Christian, This is a great article. Can you explain a bit more about your last comment with examples: “It is important to understand that site and domains are not interrelated. A site can contain multiple domains and a single domain could span across multiple sites.“

    1. Knight says:
      05/12/2021 at 2:59 PM

      Yes, I got the same question.

    2. Rando says:
      19/09/2022 at 1:47 PM

      Hey, Hish! Not sure if you need this explanation anymore, but for those who have read the article and have the same question unanswered, I’ll try to elaborate. A site is more of a territorial division. For example, we could have a single domain which has 2 domain controllers in different cities. To make sure computers from city 1 won’t go to the domain controller located in the office in city 2, we need to divide them by creating sites; in this case the term ‘site’ could be taken literally. And to make sure that the domain understands this properly, we have to create a ‘subnet mapping’ for each site and the corresponding domain controller of that site. Subnet mapping refers to the subnet in which a given domain controller is located. That’s the example of a single domain spanning across multiple sites.

      As you could guess, sites and domains describe different things and different ways in which Active Directory could be divided.

      1. Christian says:
        15/02/2025 at 2:31 PM

        Thank you very much for the explanation!
