Designing a Windows Server 2008 R2 Active Directory : Understanding the Multiple Trees in a Single Forest Model

1/23/2011 9:07:29 AM
Let’s say that your organization wants to look at AD DS and wants to use an external namespace for your design. However, your environment currently uses multiple DNS namespaces and needs to integrate them into the same design. Contrary to popular misconception, integration of these namespaces into a single AD forest can be done through the use of multiple trees that exist in one forest. One of the most misunderstood characteristics of AD DS is the difference between a contiguous forest and a contiguous DNS namespace. Many people do not realize that multiple DNS namespaces can be integrated into a single AD DS forest as separate trees in the forest. For example, Figure 1 shows how Microsoft could theoretically organize several AD DS domains that share the same forest but reside in different DNS namespaces.
Figure 1. Sample AD DS forest with multiple unique trees within the same forest.

Only one domain in this design is the forest root—in this case,—and only this domain controls access to the forest schema. All other domains, including subdomains of and the other domains that occupy different DNS structures, are members of the same forest. All trust relationships between the domains are transitive, and trusts flow from one domain to another.

Choosing When to Deploy a Multiple Tree Domain Model

If an organization currently operates multiple units under separate DNS namespaces, one option might be to consider a design such as this one. It is important to understand, however, that simply using multiple DNS namespaces does not automatically qualify you as a candidate for this domain design. For example, you could own five separate DNS namespaces and instead decide to create an AD DS structure based on a new namespace that is contiguous throughout your organization. Consolidating your AD DS under this single domain could simplify the logical structure of your environment while keeping your DNS namespaces separate from AD DS.

If your organization makes extensive use of its separate namespaces, you might want to consider a design like this. Each domain tree in the forest can then maintain a certain degree of autonomy, both perceived and real. Often, this type of design will seek to satisfy even the most paranoid of branch office administrators who demand complete control over their entire IT structure.

Examining a Multiple Tree Domain Real-World Design Example

To gain a greater understanding of the times an organization might use this particular design model, examine the following AD structure. CityA is a local county governmental organization with a loose-knit network of semi-independent city offices, such as the police and fire departments that are spread out around the city. Each department currently uses a DNS namespace for name resolution to all hosts and user accounts local to itself, which provides different email addresses for users located in the fire department, police department, and other branches. The following namespaces are used within the city’s infrastructure:

The decision was made to merge the existing network environments into a single AD DS forest that will accommodate the existing departmental namespaces but maintain a common schema and forest root. To accomplish this, AD DS was established with as the namespace for the root domain. The additional domains were added to the forest as separate trees but with a shared schema, as shown in Figure 2.

Figure 2. Single AD DS forest with separate directory trees for departments.

The individual departments were able to maintain control over their individual security and are disallowed from making changes in domains outside their control. The common forest schema and global catalog helped to increase collaboration between the varying organizations and allow for a certain amount of central administration.

This type of domain design is logically a bit messier but technically carries the same functionality as any other single forest design model. All the domains are set up with two-way transitive trusts to the root domain and share a common schema and global catalog. The difference lies in the fact that they all utilize separate DNS namespaces, a fact that must also be reflected in the zones that exist in DNS.
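The following is an added example, not part of the original article, showing how a separate departmental namespace is joined to an existing forest as a new tree and how the forest root, schema master, intra-forest trusts and per-namespace DNS zones described above can then be checked. The domain names, server name and account are constructed placeholders standing in for the names elided on the page, and the cmdlets assume the ADDSDeployment, ActiveDirectory and DnsServer modules that ship with Windows Server 2012 and later (on 2008 R2 the equivalent step was dcpromo with an unattend file).

```powershell
# Added example (not from the original article). Placeholder names:
#   citya.example  = forest root domain (its own DNS namespace)
#   police.example = a department's separate namespace, joined as a new tree
#   dc1.police.example = first DC of the new tree (hosts its DNS zone)
# Assumes ADDSDeployment, ActiveDirectory and DnsServer modules (Server 2012+).

# --- 1. Join a separate DNS namespace to the forest as a new tree ----------
# -DomainType TreeDomain makes police.example a tree root instead of a child
# of citya.example; -ParentDomainName names the forest root it joins.
$cred = Get-Credential 'CITYA\EnterpriseAdmin'   # creating a domain needs Enterprise Admins
$dsrm = Read-Host 'DSRM password' -AsSecureString
Install-ADDSDomain -NewDomainName 'police.example' `
                   -NewDomainNetbiosName 'POLICE' `
                   -ParentDomainName 'citya.example' `
                   -DomainType TreeDomain `
                   -DomainMode Win2008R2 `
                   -InstallDns `
                   -Credential $cred `
                   -SafeModeAdministratorPassword $dsrm

# --- 2. Verify the single-forest properties the text describes ------------
Import-Module ActiveDirectory
$forest = Get-ADForest
# One forest root and one schema master: only that domain controls the schema.
"Forest root : $($forest.RootDomain)"
"Schema FSMO : $($forest.SchemaMaster)"
"Domains     : $($forest.Domains -join ', ')"

# Each tree root gets an automatic two-way transitive trust with the forest
# root. IntraForest = True marks these; unlike external or forest trusts they
# cannot be made selective, so the forest (not the domain) is the security
# boundary between departments.
foreach ($d in $forest.Domains) {
    Get-ADTrust -Filter * -Server $d |
        Select-Object Source, Target, Direction, IntraForest, TrustType
}

# Separate namespaces mean separate DNS zones: list the zones hosted on the
# new tree's DC, skipping the auto-created reverse/localhost zones.
Get-DnsServerZone -ComputerName 'dc1.police.example' |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated
```

Run step 1 on the server that will become the first domain controller of the new tree, then step 2 from any machine with the RSAT modules installed.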
