Windows Server

Active Directory Forest – Trees and Domain and Sites

Active Directory (AD) is a directory service developed by Microsoft for the Windows domain environment. AD forest is the top container in an Active Directory setup that contains domains, users, computers, and group policies. The Active Directory structure is built on the domain level. The framework that holds the objects can be viewed at different levels namely forest, domain trees, and domains. An Active Directory framework can have more than one domain, and the above tiers are referred to as a forest. See the following guides for other information. What are the differences between Universal, Global, and Domain Local Group Scopes, the differences between Active Directory Lightweight Directory Services and Active Directory Domain Services, and how to add a second Domain Controller to your environment? In this guide, you will learn about Active Directory Forest – Trees and Domain and Sites.

Note: Under each domain, you can have as many trees as possible. Having an Active Directory environment of this nature can create autonomy and segregation of duty thereby increasing security and if not configured correctly, it can also lead to exploitation in the Active Directory environment.

Active Directory Structure

Within a deployment, objects are grouped into domains as shown in the below diagram. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, (namespace).

Active Directory Forest: A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible. A forest is a collection of one or more domains that may have one or more trees. What makes a forest unique is that it shares the same schema. The schema defines what and how Active Directory objects are stored.

A forest is a group of trees that do not share a contiguous namespace.

Active Directory Domain: A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

When you add a domain to an existing tree, the new domain is a child domain of an existing parent domain.

Active Directory Tree: A tree is a collection of one or more domains and domain trees in a contiguous namespace and is linked in a transitive trust hierarchy. When you have multiple domains in the same namespace (e.g., techdirect.local, zone.techdirect.local), they are considered to be in the same tree. The tree also supports multiple levels of domains.

A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace.

Some other information on AD Forest – Trees and Domain and Sites

Parent and child domains are automatically linked by the trust. Users in different domains can use these trusts to access resources in another domain assuming that they have access. Trees in the forest are linked together via a trust automatically. This ensures that any users in any domain in the forest can access any resource in the forest to which they have access.

  • Global Catalog In order for users to find resources in any domain in the forest (remember that each domain has a separate database), Domain Controllers can be made into Global Catalog Servers. A Global Catalog Server contains partial information about every object in the forest. Using this information, the user can conduct searches.
  • Trust relationship: A logical relationship established between domains that allow pass-through authentication, providing for users in a trusted domain to access resources in a trusting domain, without having a user account in the trusting domain.
  • Organizational units (OU) are containers that hold other Active Directory objects like users, computers, printers, shared folders, and even other organizational Units. The advantage of OU is that it can be used to set security policies and delegate administrative control.

Reasons to Create Additional Domain

There will be many occasions in which you will need to create additional domains. Multiple domains are useful when you are dealing with

  • Different password requirements between organizations
  • Large numbers of objects
  • Different internet domain names
  • Better control of replication, and
  • Decentralized network administration

In order for you to decide whether to create multiple domains and how to use them to the best effect, you need to have a clear understanding of the relationship between trees and forests-known as a trust relationship.

While forests, trees, and domains are all logical grouping of objects, the physical grouping of objects is made possible using a site. 

A site group objects based on IP addresses. Hence it cannot span across different physical locations. For example, if there are various branches of your organization located at different places, each location can be identified using a site. A site is mainly used for replication and traffic control purposes. It is important to understand that sites and domains are not interrelated. A site can contain multiple domains and a single domain could span across multiple sites.

I hope you found this blog post helpful. Now, you have learned about Active Directory Forest – Trees and Domain and Sites. You may also want to learn about the Active Directory Domain Services from the following link. If you have any questions, please let me know in the comment session.

Notify of

Newest Most Voted
Inline Feedbacks
View all comments
2 years ago

Hi Christian, This is a great article. Can you explain a bit more about your last comment with examples: “It is important to understand that site and domains are not interrelated. A site can contain multiple domains and a single domain could span across multiple sites.

1 year ago
Reply to  Hish

Yes I got the same question

1 year ago
Reply to  Hish

Hey, Hish! Not sure if you need this explanation anymore, but for those who have read the article and have the same question unanswered, I’ll try to elaborate. A site is more of a territorial division. For example, we could have a single domain which has 2 domain controllers in different cities. To make sure computers from city 1 won’t go to domain controller located in office in city 2, we need to divide them by creating sites, in this case the term ‘site’ could be taken literally. And to make sure, that domain understands this properly, we have to… Read more »

Would love your thoughts, please comment.x