Designing a Windows Server 2008 R2 Active Directory : Understanding the Multiple Trees in a Single Forest Model

Let’s say that your organization wants to look at AD DS and wants to use an external namespace for your design. However, your environment currently uses multiple DNS namespaces and needs to integrate them into the same design. Contrary to popular misconception, integration of these namespaces into a single AD forest can be done through the use of multiple trees that exist in one forest. One of the most misunderstood characteristics of AD DS is the difference between a contiguous forest and a contiguous DNS namespace. Many people do not realize that multiple DNS namespaces can be integrated into a single AD DS forest as separate trees in the forest. For example, Figure 1 shows how Microsoft could theoretically organize several AD DS domains that share the same forest but reside in different DNS namespaces.

Figure 1. Sample AD DS forest with multiple unique trees within the same forest.

Only one domain in this design is the forest root—in this case, microsoft.com—and only this domain controls access to the forest schema. All other domains, including subdomains of microsoft.com and the other domains that occupy different DNS structures, are members of the same forest. All trust relationships between the domains are transitive, and trusts flow from one domain to another.

Choosing When to Deploy a Multiple Tree Domain Model

If an organization currently operates multiple units under separate DNS namespaces, one option might be to consider a design such as this one. It is important to understand, however, that simply using multiple DNS namespaces does not automatically qualify you as a candidate for this domain design. For example, you could own five separate DNS namespaces and instead decide to create an AD DS structure based on a new namespace that is contiguous throughout your organization. Consolidating your AD DS under this single domain could simplify the logical structure of your environment while keeping your DNS namespaces separate from AD DS.

If your organization makes extensive use of its separate namespaces, you might want to consider a design like this. Each domain tree in the forest can then maintain a certain degree of autonomy, both perceived and real. Often, this type of design will seek to satisfy even the most paranoid of branch office administrators who demand complete control over their entire IT structure.

Examining a Multiple Tree Domain Real-World Design Example

To gain a greater understanding of the times an organization might use this particular design model, examine the following AD structure. CityA is a local county governmental organization with a loose-knit network of semi-independent city offices, such as the police and fire departments that are spread out around the city. Each department currently uses a DNS namespace for name resolution to all hosts and user accounts local to itself, which provides different email addresses for users located in the fire department, police department, and other branches. The following namespaces are used within the city’s infrastructure:

• citya.org

• firedeptcitya.org

• policeofcitya.org

• cityalibrary.org

The decision was made to merge the existing network environments into a single AD DS forest that will accommodate the existing departmental namespaces but maintain a common schema and forest root. To accomplish this, AD DS was established with citya.gov as the namespace for the root domain. The additional domains were added to the forest as separate trees but with a shared schema, as shown in Figure 2.

Figure 2. Single AD DS forest with separate directory trees for departments..

The individual departments were able to maintain control over their individual security and are disallowed from making changes in domains outside their control. The common forest schema and global catalog helped to increase collaboration between the varying organizations and allow for a certain amount of central administration.

This type of domain design is logically a bit messier but technically carries the same functionality as any other single forest design model. All the domains are set up with two-way transitive trusts to the root domain and share a common schema and global catalog. The difference lies in the fact that they all utilize separate DNS namespaces, a fact that must also be reflected in the zones that exist in DNS.