Active Directory Logical Structure
A forest is a collection of one or more Windows 2000 Active Directory trees, organized as peers and connected by two-way, transitive trust relationships. A single domain constitutes a tree of one domain, and a single tree constitutes a forest of one tree. Thus, a forest is synonymous with Active Directory — that is, the set of all directory partitions in a particular directory service instance (which includes all domains and all configuration and schema information) makes up a forest.
Trees in the same forest do not form a contiguous namespace. They form a noncontiguous namespace that is based on different DNS root domain names. However, trees in a forest share a common directory schema, configuration, and Global Catalog. This sharing of common schema and configuration data, in addition to trust relationships between their roots, distinguishes a forest from a set of unrelated trees. Although the roots of the separate trees have names that are not contiguous with each other, the trees share a single overall namespace because names of objects can still be resolved by the same Active Directory. A forest exists as a set of cross-reference objects and trust relationships that are known to the member trees. Transitive trusts at the root domain of each namespace provide mutual access to resources. (For more information about cross-reference objects, see "Name Resolution in Active Directory" in this book.)
Important
Tree and forest hierarchies are specific to Windows 2000 domains. A Windows NT 4.0 domain that is configured to trust or to be trusted by a Windows 2000 domain is not part of the Windows 2000 forest to which the Windows 2000 domain belongs.
The forest structure provides companies with the option of constructing their enterprise from separate, distinct, noncontiguous namespaces. Having a separate namespace is desirable under some conditions where, for example, an acquired company's namespace should remain intact. If you have business units with distinct DNS names, you can create additional trees to accommodate the names. An example of this type of organization is shown in Figure 1.7.
Figure 1.7 Example of a Forest That Has Two Trees
Domains within an Active Directory forest share a common directory schema, configuration information, and Global Catalog. They also have transitive trust relationships that allow users in each domain access to available resources in all other domains in the tree.
Note
The directory schema and configuration data are shared because they are stored in separate logical directory partitions that are replicated to domain controllers in every domain in the forest. (For more information about directory partitions, see "Active Directory Data Storage" in this book.) The data relative to a particular domain is replicated only to domain controllers in the same domain. (For more information about replication, see "Active Directory Replication" in this book.) The Global Catalog is a domain controller that stores all objects of all domains in an Active Directory forest, which makes it possible to search for objects at the forest level rather than at the tree level.
For more information about the contents of Active Directory configuration, directory schema, and Global Catalog, see "Active Directory Data Storage" in this book. For more information about searching in Active Directory, see "Name Resolution in Active Directory" in this book.
The first domain created in the forest is called the forest root domain. The forest root domain cannot be deleted, changed, or renamed. When you create a new tree, you specify the root domain of the initial tree, and a trust relationship is established between the root domain of the second tree and the forest root domain. If you create a third tree, a trust relationship is established between the root domain of the third tree and the forest root domain. Because a trust relationship is transitive and bidirectional, the root domain of the third tree also has a two-way trust relationship with the root domain of the second tree.
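Reviewing which domains a given trust actually reaches is a routine part of auditing a forest design, and the rules in the two preceding passages (two-way transitive trusts between each tree root and the forest root; a Windows NT 4.0 domain on a non-transitive trust that is not a forest member) can be checked mechanically. The script below is an added example, not code from the Windows 2000 Resource Kit; the domain names and trust edges are constructed, and the third-tree and NT 4.0 domains are placeholders.

```python
"""Trust-path walk for the forest structure described above.

Added example, not part of the Windows 2000 Resource Kit text. It encodes
the rules stated in the section: trusts between tree roots and the forest
root are two-way and transitive, so any domain in the forest can reach any
other through the root; a trust with a Windows NT 4.0 domain is not
transitive, so that domain is reachable only from its direct partner and is
not a forest member. The domain names and trust edges below are constructed.
"""
from collections import deque

# Constructed trusts as (domain_a, domain_b, transitive). All are two-way.
CONSTRUCTED_TRUSTS = [
    ("noam.reskit.com", "reskit.com", True),   # child domain <-> forest root
    ("acquired.com", "reskit.com", True),      # second tree root <-> forest root
    ("thirdtree.com", "reskit.com", True),     # third tree root <-> forest root
    ("legacy-nt4", "reskit.com", False),       # NT 4.0 domain, non-transitive
]


def build_trust_graph(trusts):
    """Adjacency map: domain -> {partner: transitive}. Two-way trusts are
    recorded in both directions."""
    graph = {}
    for a, b, transitive in trusts:
        graph.setdefault(a, {})[b] = transitive
        graph.setdefault(b, {})[a] = transitive
    return graph


def reachable_domains(graph, start):
    """Domains whose resources principals from `start` can be authenticated
    to. Transitive trusts may be chained; a non-transitive trust is usable
    only as a single hop directly from `start`."""
    seen = {start}
    queue = deque([start])            # nodes reached over transitive trusts only
    while queue:
        current = queue.popleft()
        for partner, transitive in graph.get(current, {}).items():
            if partner in seen:
                continue
            if transitive:
                seen.add(partner)
                queue.append(partner)
            elif current == start:
                seen.add(partner)     # one hop only; the path is not extended
    seen.discard(start)
    return seen


def forest_members(graph, forest_root):
    """Domains joined to the forest root by transitive trusts only, i.e. the
    Windows 2000 forest. A domain on a non-transitive trust is left out."""
    members = {forest_root}
    queue = deque([forest_root])
    while queue:
        current = queue.popleft()
        for partner, transitive in graph.get(current, {}).items():
            if transitive and partner not in members:
                members.add(partner)
                queue.append(partner)
    return members


if __name__ == "__main__":
    g = build_trust_graph(CONSTRUCTED_TRUSTS)
    print("forest members:", sorted(forest_members(g, "reskit.com")))
    for domain in ("thirdtree.com", "legacy-nt4"):
        print(domain, "can reach", sorted(reachable_domains(g, domain)))
```

With the constructed data, thirdtree.com reaches acquired.com and noam.reskit.com through the forest root even though it holds no direct trust with either, while legacy-nt4 reaches only reskit.com and is absent from the forest membership set.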
The distinguished name of the forest root domain is used to locate the configuration and schema directory partitions in the namespace. The distinguished names for the Configuration and Schema containers in Active Directory always show these containers as child objects in the forest root domain. For example, in the child domain noam.reskit.com, the distinguished name of the Configuration container is cn=configuration,dc=reskit,dc=com. The distinguished name of the Schema container is cn=schema,cn=configuration,dc=reskit,dc=com. However, this naming convention provides only a logical location for these containers. The containers do not exist as child objects of the forest root domain, nor is the schema directory partition actually a part of the configuration directory partition. They are separate directory partitions. Every domain controller in a forest stores a copy of the configuration and schema directory partitions, and every copy of these partitions has the same distinguished name on every domain controller.
When Active Directory is installed on a Windows 2000 Server–based computer, configuration and directory schema information is copied from the parent domain to the new server. Updates to configuration and directory schema information are replicated to all domain controllers throughout the forest. The distribution of this configuration and directory schema information ensures that each domain controller is aware of all other trust-related domains and of the replication topology, which makes finding and using resources in other domains possible. (For more information about finding information in Active Directory, see "Name Resolution in Active Directory" in this book.)
Note
The Active Directory rootDSE is a figurative object that has no LDAP distinguished name; it is not an "entry" in the directory but is represented as a null distinguished name (""). It does, however, have attributes and is known to LDAP as rootDSE. RootDSE is required by LDAP as an entry point to the directory. The distinction must be clear between this root — the set of attributes that LDAP uses to connect to a particular portion of the directory on a particular domain controller — and the root domain of the forest. In addition, both of these "roots" are distinct from the root of the DNS hierarchy, which is the empty space at the top of the namespace that is represented as a period (".") and that is required as an entry point to the DNS hierarchy.
For more information about rootDSE attributes and the directory tree, see "Active Directory Data Storage" in this book. For more information about the DNS root, see "Introduction to DNS" in the TCP/IP Core Networking Guide.
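The naming convention for the Configuration and Schema containers, and the rootDSE that a domain controller exposes under the null distinguished name, together let an administrator classify any object's DN by the partition it lives in and confirm that a domain controller's published naming contexts agree with the forest root. The script below is an added example, not code from the Windows 2000 Resource Kit. The rootDSE dictionary is a constructed sample for a domain controller in noam.reskit.com; the attribute names it uses (defaultNamingContext, rootDomainNamingContext, configurationNamingContext, schemaNamingContext, namingContexts) are real rootDSE attributes but are not listed on this page, and their values are made up to match the reskit.com example.

```python
"""Partition classification from a domain controller's rootDSE.

Added example, not part of the Windows 2000 Resource Kit text. The
constructed rootDSE below stands in for what a Windows 2000 domain
controller in noam.reskit.com would publish; values are made up.
"""

CONSTRUCTED_ROOTDSE = {
    "defaultNamingContext": "dc=noam,dc=reskit,dc=com",
    "rootDomainNamingContext": "dc=reskit,dc=com",
    "configurationNamingContext": "cn=configuration,dc=reskit,dc=com",
    "schemaNamingContext": "cn=schema,cn=configuration,dc=reskit,dc=com",
    # Partitions this particular domain controller holds: its own domain plus
    # the forest-wide configuration and schema partitions. It does not hold
    # the forest root domain partition (dc=reskit,dc=com).
    "namingContexts": [
        "dc=noam,dc=reskit,dc=com",
        "cn=configuration,dc=reskit,dc=com",
        "cn=schema,cn=configuration,dc=reskit,dc=com",
    ],
}


def dn_components(dn):
    """Split a DN into normalized RDN strings, honouring backslash escapes."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip().lower())
    return [p for p in parts if p]


def is_under(dn, base):
    """True when `dn` equals `base` or lies beneath it in the naming tree."""
    d, b = dn_components(dn), dn_components(base)
    return len(b) > 0 and len(d) >= len(b) and d[-len(b):] == b


def forest_naming_contexts(forest_root_dns):
    """Derive the configuration and schema DNs the section describes from
    the forest root domain's DNS name (e.g. 'reskit.com')."""
    root_dn = ",".join("dc=" + label for label in forest_root_dns.lower().split("."))
    return {
        "rootDomainNamingContext": root_dn,
        "configurationNamingContext": "cn=configuration," + root_dn,
        "schemaNamingContext": "cn=schema,cn=configuration," + root_dn,
    }


def rootdse_mismatches(root_dse):
    """Attributes whose published value disagrees with the convention that
    configuration and schema hang off the forest root domain's DN."""
    root_dn = root_dse["rootDomainNamingContext"]
    expected = {
        "configurationNamingContext": "cn=configuration," + root_dn,
        "schemaNamingContext": "cn=schema,cn=configuration," + root_dn,
    }
    return [k for k, v in expected.items()
            if dn_components(root_dse[k]) != dn_components(v)]


def partition_of(dn, root_dse):
    """Name the partition holding `dn` on this domain controller. Schema is
    tested before configuration because its DN sits under the configuration
    DN by naming convention only; it is a separate partition. Returns None
    when the DN belongs to a partition this domain controller does not hold."""
    if not dn.strip():
        return "rootDSE"
    if is_under(dn, root_dse["schemaNamingContext"]):
        return "schema"
    if is_under(dn, root_dse["configurationNamingContext"]):
        return "configuration"
    forest_wide = {root_dse["schemaNamingContext"], root_dse["configurationNamingContext"]}
    domain_ncs = [nc for nc in root_dse["namingContexts"] if nc not in forest_wide]
    matches = [nc for nc in domain_ncs if is_under(dn, nc)]
    if not matches:
        return None
    return "domain:" + max(matches, key=lambda nc: len(dn_components(nc)))


if __name__ == "__main__":
    print("mismatches:", rootdse_mismatches(CONSTRUCTED_ROOTDSE))
    for dn in ("", "cn=sites,cn=configuration,dc=reskit,dc=com",
               "cn=attributeSchema,cn=schema,cn=configuration,dc=reskit,dc=com",
               "cn=users,dc=noam,dc=reskit,dc=com", "cn=users,dc=reskit,dc=com"):
        print(repr(dn), "->", partition_of(dn, CONSTRUCTED_ROOTDSE))
```

The last lookup in the usage block returns None: objects in the forest root domain's own partition are not replicated to a domain controller in the child domain, which is exactly the distinction the earlier Note draws between forest-wide and domain-specific partitions.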