
Using Multiple Forests

In document Body Part No. X (Page 126-128)

A forest is a group of one or more domain trees that do not form a contiguous namespace but share a common schema, directory configuration, global catalog, and automatic two-way transitive trust relationships between domains. There is always at least one forest on a network, and it is created when the first domain controller on a network is installed. The first domain created becomes the forest root domain.

Forests represent the ultimate security boundary. No administrative control or user access is possible between forests unless the permission is explicitly configured. This configuration uses a type of trust new to Windows Server 2003, the forest trust, which manages the security relationship between two forests. This feature simplifies cross-forest security administration by allowing all domains in one forest to trust all domains in another forest through transitive trust relationships. However, the forest trust is not transitive at the forest level. In other words, if one forest trusts a second, and the second forest trusts a third, the first forest does not automatically trust the third forest. You should also be aware that using forest trusts requires that both forests be raised to the Windows Server 2003 forest functional level, which means all domain controllers in both forests must be running Windows Server 2003. By and large, you should strive to avoid using multiple forests if at all possible. Nonetheless, there are a few situations for which you might need to implement multiple forests. These situations include:

■ Linking two existing separate organizations. Whether because of a merger or acquisition, you might find that two completely separate forests need to be linked together to share resources. This link might be temporary while one forest is migrated into the other, or it might be more permanent, with both companies needing to remain relatively autonomous.

■ Creating an autonomous unit. Because forests represent the ultimate security boundary, you can use a separate forest to create a network whose administration must be largely independent of the primary forest. In this situation, the IT staff of the separate forest can maintain and modify the schema without consequence to other forests, which is useful if a group needs to install or test directory-enabled applications (or otherwise modify the directory structure) without depending on the central IT staff, or if you want to deploy a pilot Active Directory rollout. In an autonomous forest, authority still resides with the central IT staff, but the administrators of the autonomous forest are granted a degree of flexibility.

■ Creating an isolated unit. An isolated forest differs from an autonomous forest mainly in the level of control exercised by administrators outside the forest. An isolated forest is assured that no administrator outside the forest can interfere with its management. This is useful in situations where high security or legal requirements make such isolation necessary.

Before planning to implement multiple forests, you must understand that much of the functionality available within the scope of a single forest is not available between forests. Maintaining multiple forests also requires significantly more administration than maintaining a single forest.

The disadvantages of a multiforest design include the following:

■ Users require more training in how to find resources. Searching for resources within the bounds of a single forest is relatively simple from the user perspective, thanks to the global catalog. Using more than one forest means using more than one global catalog and users are forced to specify which forest they want to search when looking for resources.

■ Users logging on to computers in forests outside their own must use their default user principal name (the user@domain form) when logging on. This requires extra training for those users.

■ Additional IT staff must often be employed to monitor and manage a separate forest, which requires the cost of training more IT professionals and the cost of their time invested in these activities.

■ Administrators need to keep up with multiple schemas.

■ There are separate configuration containers for each forest. Topology changes need to be replicated to other forests.

■ Administrators have to configure DNS name resolution across forest boundaries to provide domain controller and resource location functionality.

■ Administrators have to configure the access control lists of resources to allow access to appropriate groups from different forests as well as create new groups to accommodate forest roles across forests.
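The configuration work described above (DNS resolution across the forest boundary, the Windows Server 2003 forest functional level requirement for a forest trust, creating and verifying the trust, and granting a group from the other forest access to a local resource), as an added worked example in PowerShell. This is not code from the training kit. contoso.com, fabrikam.com, the DNS server address 10.0.2.10, the share D:\Shares\Projects and the group FABRIKAM\Engineering are placeholders, and the script assumes a Windows Server 2012 or later management host with the DnsServer RSAT module, even though the two forests themselves only need the Windows Server 2003 forest functional level.

```powershell
# Added example (not from the training kit). Prepares and creates a two-way
# forest trust from the local forest to a partner forest, then grants a
# partner-forest group access to a local share. All names below are assumed
# placeholders. Run as an Enterprise Admin of the local forest; Enterprise
# Admin credentials for the partner forest are prompted for.

$localForestName   = 'contoso.com'
$partnerForestName = 'fabrikam.com'
$partnerDnsServer  = '10.0.2.10'            # assumed DNS server in the partner forest
$sharePath         = 'D:\Shares\Projects'   # assumed local resource
$partnerGroup      = 'FABRIKAM\Engineering' # assumed group in the partner forest
$partnerCred       = Get-Credential -Message "Enterprise Admin in $partnerForestName"

Add-Type -AssemblyName System.DirectoryServices
$adNs = 'System.DirectoryServices.ActiveDirectory'

# 1. DNS. Domain controller location relies on SRV records under _msdcs, so the
#    local DNS servers must resolve the partner forest's namespace. A conditional
#    forwarder does that without hosting a copy of the partner's zone.
#    (Windows Server 2003 equivalent: dnscmd /ZoneAdd fabrikam.com /Forwarder 10.0.2.10)
Add-DnsServerConditionalForwarderZone -Name $partnerForestName `
    -MasterServers $partnerDnsServer -ErrorAction Stop
$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partnerForestName" `
    -Type SRV -ErrorAction Stop
$dcRecords | Where-Object Type -eq 'SRV' |
    ForEach-Object { "DC located in ${partnerForestName}: $($_.NameTarget)" }

# 2. Functional level. A forest trust requires BOTH forests at the Windows
#    Server 2003 forest functional level or higher, i.e. every DC in both
#    forests runs Windows Server 2003 or later. The interim level is not enough.
$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ctxArgs = @('Forest', $partnerForestName, $partnerCred.UserName,
             $partnerCred.GetNetworkCredential().Password)
$partnerCtx    = New-Object -TypeName "$adNs.DirectoryContext" -ArgumentList $ctxArgs
$partnerForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($partnerCtx)

$required = [int][System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest  # level 2
foreach ($forest in @($localForest, $partnerForest)) {
    # ForestModeLevel (.NET 4.5+) also reports levels newer than the ForestMode enum.
    $level = if ($null -ne $forest.PSObject.Properties['ForestModeLevel']) {
                 $forest.ForestModeLevel } else { [int]$forest.ForestMode }
    if ($level -lt $required) {
        throw "$($forest.Name) is at forest level $level; raise it to Windows Server 2003 (level $required) first"
    }
}

# 3. Create and verify the two-way forest trust. Holding credentials for both
#    forests, one call creates both sides; direction is relative to the local forest.
$bidirectional = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
$localForest.CreateTrustRelationship($partnerForest, $bidirectional)
$localForest.VerifyTrustRelationship($partnerForest, $bidirectional)   # throws if either side fails

# The trust routes only the partner forest's own name suffixes. Any forest that
# fabrikam.com trusts in turn is NOT reachable through it: forest trusts are
# transitive between the domains of the two forests, not at the forest level.
$trust = $localForest.GetTrustRelationship($partnerForestName)
"Trust to $($trust.TargetName): type=$($trust.TrustType) direction=$($trust.TrustDirection)"
$trust.TopLevelNames | ForEach-Object { "  routes suffix $($_.Name) ($($_.Status))" }

# 4. Resource ACL. Principals from the other forest are named FOREST\Group and
#    resolve through the trust. The text's advice still applies: wrap such
#    groups in a domain local group per resource role rather than listing
#    foreign groups directly on many ACLs.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $partnerGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl
```

On Windows Server 2003 itself the same steps are done with dnscmd and nslookup for DNS, the Active Directory Domains and Trusts console (New Trust Wizard) for the trust, and the Security tab of the resource for the ACL; the System.DirectoryServices.ActiveDirectory classes used here exist from .NET Framework 2.0 onward. The functional-level check is the step most often skipped: if either forest is still at the Windows 2000 or Windows Server 2003 interim level, the forest trust option is simply not offered and only an external (non-transitive) trust can be created.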

Exam Tip When you are thinking about the information provided in an exam question and trying to determine whether or not multiple forests are necessary, the chances are they are not. Using multiple forests is strongly discouraged except when autonomy or isolation is necessary. Normally, it is much better to create multiple domain trees within a single forest. However, because forest trusts are new to Windows Server 2003, you will likely encounter some questions that feature their use.

