
Tree and Forest in Active Directory

The domain is the core unit of logical structure in Active Directory. A domain is the set of objects that share a common directory database, common security policies, and trust relationships with other domains. Each domain stores information only about the objects that belong to it.

Security settings such as administrative rights, security policies, and Access Control Lists (ACLs) do not cross from one domain to another. A domain administrator therefore has full rights to set policy only within the domain they belong to.

Domains provide administrative boundaries for objects, manage security for shared resources, and serve as the unit of replication for objects.

A Tree

Trees are collections of one or more domains that allow global resource sharing. A tree may consist of a single domain or of multiple domains in a contiguous namespace. A domain added to a tree becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain, and a child domain can in turn have child domains of its own. A child domain's name is its own label followed by its parent's domain name, which gives it a unique Domain Name System (DNS) name.

For example, if tech.com is the root domain, users can create one or more child domains under tech.com, such as north.tech.com or south.tech.com. These "children" may also have child domains created under them, such as sales.north.tech.com.

The domains in a tree have two-way, transitive Kerberos trust relationships. A transitive trust simply means that if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C. Therefore, a domain joining a tree immediately has trust relationships established with every domain in the tree.

A Forest

A forest is a collection of one or more trees that share a common global catalog, directory schema, logical structure, and directory configuration. The trees in a forest are joined by automatic two-way transitive trust relationships. The very first domain created in the forest is called the forest root domain.

Forests allow an organization to group divisions that use different naming schemes and may need to operate independently, while still letting the whole organization communicate via transitive trusts and share the same schema and configuration container.
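The naming and trust behaviour described for trees and forests above, as an added example that is not code from the original post: a small Python model in which child domains derive their DNS names from their parent, and two-way transitive trust (parent to child within a tree, forest root to each other tree root between trees) is followed to its closure. The domain names are constructed sample data.

```python
"""Added example (not from the original post): a small model of an AD forest
showing how child domains derive DNS names from their parent and how two-way
transitive trust makes every domain in a tree, and every tree in the forest,
reachable from every other. Domain names are constructed sample data."""


class Forest:
    def __init__(self):
        self.parent = {}         # dns name -> parent dns name (None = tree root)
        self.forest_root = None  # first tree root created in the forest

    def add_tree_root(self, dns_name):
        if self.forest_root is None:
            self.forest_root = dns_name
        self.parent[dns_name] = None
        return dns_name

    def add_child(self, label, parent_dns):
        # A child domain's name is its own label in front of its parent's name.
        if parent_dns not in self.parent:
            raise KeyError(f"unknown parent domain {parent_dns}")
        dns_name = f"{label}.{parent_dns}"
        self.parent[dns_name] = parent_dns
        return dns_name

    def tree_root(self, dns_name):
        while self.parent[dns_name] is not None:
            dns_name = self.parent[dns_name]
        return dns_name

    def direct_trusts(self):
        """Automatic two-way trusts: parent <-> child inside a tree, and
        forest root <-> each other tree root between trees."""
        edges = {d: set() for d in self.parent}
        for child, par in self.parent.items():
            other = self.forest_root if par is None else par
            if other != child:
                edges[child].add(other)
                edges[other].add(child)
        return edges

    def trusts(self, a, b):
        """True if a trusts b through the transitive closure of direct trusts."""
        edges, reach = self.direct_trusts(), {a}
        frontier = {a}
        while frontier:
            frontier = set().union(*(edges[d] for d in frontier)) - reach
            reach |= frontier
        return b in reach
```

Because the closure reaches every domain in the forest, the forest, not the domain, is the boundary within which trust cannot be withheld.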


Comments (16)


  1. Ricardo Rosas says:

    Excellent summary for network beginners like me!!!
    It's very clear.

  2. mehedi says:

    fantastic article but missing some example in the forest description……

  3. Srikant says:

    Hi... it's a very nice way of explaining the structure; however, it would be much appreciated if the tree and forest architecture were explained along with the scenarios where it can be used, which would help us improve our concepts. Anyway, thanks for such a useful post. Would like to see some more in future.

    Thanks
    Srikant

  4. Joel says:

    Tree & Forest definition very good, please add examples...

  5. Bala says:

    Great information and it's very useful. Thanks a lot

  6. Abuga says:

    Nice explanation, made me understand Tree and Forest. Thanks for this

  7. Chandra Bose Sharma says:

    Great yaar, you made me understand. Thanking you.

  8. manu says:

    Oh! It's great and informative, now I'm confident that I can gear up for my next exams .. :)

  9. vishu noty says:

    Got my answer, thanks mate :)

  10. anilk says:

    Great yaar, you made me understand. Thanking you.

  11. Rijvana says:

    Thank you so much for giving very useful information.

  12. Palash Bhattacharyya says:

    Thanks, it is very clear and understandable, but I would have appreciated it if you could explain along with some example and diagram

    Thanks & Regards
    Palash (Desktop Engineer)

  13. sandeep says:

    Thanks a lot sir for giving me such great information......

  14. Abhinav says:

    very well explained…

  15. saikumar says:

    It's clearly understandable.... superb.
