MCITP 70-640: Active Directory forest and trees

Uploaded by itfreetraining on 16.01.2012

Welcome back to your free training course for Active Directory. In this video I will
look into how Active Directory is represented in an enterprise environment. To make things
simple, let’s start with one network. In this network you have ITFreeTraining.
All the users in ITFreeTraining can access resources in ITFreeTraining assuming they
have permission to do so. All the users in ITFreeTraining belong to the one domain.
A domain is defined as a logical group of computers that share the same Active Directory
database. Regardless of how big your network is and
how many places around the globe it is located in, when possible you want to keep your network
to just one domain. In the real world this is not always possible.
Active Directory in Windows Server 2008 can scale easily to millions of objects but there
are many reasons why you may have a network with more than one domain. This could be anything
from limitations in earlier versions of Active Directory to the company structure and politics.
Imagine that you had a secure department in your company that held all the intellectual
property for the company. For maximum security the company puts the people who work in this department
in their own domain and even hires their own IT support staff.
This separate department could be added to the original domain as a child domain. In
this case the new child domain is called secure dot When you have
two domains like these that share the same root name space, in this case ITFreeTraining
dot com, these are referred to as being in the same tree. ITFreeTraining is at the
top of the tree so it is considered to be the root domain.
To illustrate this better, you could add yet another domain called sales. As long as sales
shares the ITFreeTraining dot com name space it is part of the tree. Under sales
dot ITFreeTraining dot com you could even add additional child domains called east and
west. All these domains share the ITFreeTraining
name space and thus are considered to be in the same tree in Active Directory. Each domain
however has its own group of users and computers, which means each domain has its own Active
Directory database. The advantage of having domains like these
in the same tree is that Active Directory will automatically create trusts between the
child and parent domains. These trust relationships allow members of each domain to access resources
in any other domain assuming that they have access.
The next question is what would happen when you add another domain that has a different
name space from the other domains. For example, if I added the domain high cost training dot
com. When this happens the new domain, high cost training, will be part of a new tree.
I now have two trees, the ITFreeTraining tree and the high cost training tree.
So far I have looked at the root domain and child domains in a tree but there is one structure
that links all these together called a forest. A forest encases multiple domains and trees
into one structure. You don’t have to have multiple domains and trees to have a forest.
To illustrate this I will go back to my original example of one domain. As soon as you create
your first domain a forest is automatically created for that domain.
When I added the two child domains to IT Free Training these now form a tree in the
one forest. The high cost training domain is then added and this forms another tree in
the same forest. So why is there a need to have a forest?
All domains in a forest have something in common. They share what is called the schema.
The schema defines the Active Directory database. The schema determines what can be stored in
the database and the structure of that data. Each domain has its own copy of the database
but it is the schema that determines its design and the schema is shared between all domains
in the forest. When changes are made to the schema these changes are replicated to every
domain in the forest. The advantage of having a forest is that all
domains in a forest also have trust relationships generated automatically. As shown here, a
user in high cost training could access a resource in east dot
The trust relationship is automatically created between parent and child domains and
between trees in the forest. Assuming the user in high cost training has access they
can access any resource in any domain in the forest.
This brings up the question how does one find items in a forest? In order to find items
in a forest you need an index. In any Active Directory forest there will be servers that
provide an index for all items in the forest. These are called global catalog servers. There
is at least one global catalog server per domain. Global catalog servers, or GCs, contain
an index of every object in the forest. This is not a full copy of the object, but enough
to allow a user to perform a search. For example, using a global catalog server you could search
a forest for all the color printers. Since the global catalog contains the basic information
about each object in the forest a user can find this information quickly. The global
catalog server does not contain any detailed information about the printer but it can tell
the user where this object is located in the forest. Think of a global catalog server like
an index at a library. The index gives you an idea what is in the book and more importantly
where to find it if you want to know more. The last example I want to show you is when
another forest is added. This may occur if your company takes over another company that
already has its own Active Directory infrastructure. Active Directory does support this by an administrator
manually creating a trust between the two forests.
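The global catalog search described above (an index of every object in every domain, holding only enough attributes to find the object and say which domain owns it), as an added example that is not code from the video. Domain names follow the video; 'highcosttraining.com' is an assumed DNS spelling of "high cost training dot com", and the printer and user objects, their attribute values and the contents of the partial attribute set are constructed sample data.

```python
"""Toy model of a global catalog search across an Active Directory forest.

Added example, not code from the ITFreeTraining video. Domain names follow the
video ('highcosttraining.com' is an assumed DNS spelling); the printer and user
objects and their attribute values are constructed sample data.
"""

# What the global catalog keeps for every object in the forest (a partial
# attribute set). Anything else, such as 'location', lives only in the owning
# domain's database.
PARTIAL_ATTRIBUTE_SET = {"distinguishedName", "objectClass", "cn", "printColor"}


def dn_to_domain(dn):
    """'CN=x,OU=y,DC=east,DC=sales,DC=itfreetraining,DC=com' -> 'east.sales.itfreetraining.com'."""
    return ".".join(part[3:] for part in dn.split(",") if part.upper().startswith("DC="))


class DomainDatabase:
    """One domain's own Active Directory database: full copies of its objects."""

    def __init__(self, dns_name):
        self.dns_name = dns_name
        self.objects = {}  # distinguishedName -> full attribute dict

    def add(self, obj):
        self.objects[obj["distinguishedName"]] = obj


class GlobalCatalog:
    """Index of every object in every domain, trimmed to the partial attribute set."""

    def __init__(self, domain_dbs):
        self.index = [{k: v for k, v in obj.items() if k in PARTIAL_ATTRIBUTE_SET}
                      for db in domain_dbs for obj in db.objects.values()]

    def search(self, **criteria):
        """Return the DNs of index entries matching every given attribute value."""
        return [entry["distinguishedName"] for entry in self.index
                if all(entry.get(k) == v for k, v in criteria.items())]


def find_color_printers(gc, domain_dbs):
    """Search the GC, then follow each hit to the domain that holds the full object."""
    by_name = {db.dns_name: db for db in domain_dbs}
    found = []
    for dn in gc.search(objectClass="printQueue", printColor=True):
        owner = by_name[dn_to_domain(dn)]   # the GC tells us where the object lives
        full = owner.objects[dn]            # the detail comes from that domain's database
        found.append((owner.dns_name, full["cn"], full["location"]))
    return found


def build_sample_forest():
    """Three domains from the video, populated with constructed objects."""
    root = DomainDatabase("itfreetraining.com")
    root.add({"distinguishedName": "CN=Bob,CN=Users,DC=itfreetraining,DC=com",
              "objectClass": "user", "cn": "Bob", "mail": "bob@itfreetraining.com"})
    east = DomainDatabase("east.sales.itfreetraining.com")
    east.add({"distinguishedName": "CN=Plotter1,OU=Printers,DC=east,DC=sales,DC=itfreetraining,DC=com",
              "objectClass": "printQueue", "cn": "Plotter1", "printColor": True,
              "location": "Building A, floor 2", "driverName": "Generic PCL"})
    hct = DomainDatabase("highcosttraining.com")
    hct.add({"distinguishedName": "CN=MonoLaser,OU=Printers,DC=highcosttraining,DC=com",
             "objectClass": "printQueue", "cn": "MonoLaser", "printColor": False,
             "location": "Mail room", "driverName": "Generic PCL"})
    hct.add({"distinguishedName": "CN=ColorMFP,OU=Printers,DC=highcosttraining,DC=com",
             "objectClass": "printQueue", "cn": "ColorMFP", "printColor": True,
             "location": "Reception", "driverName": "Generic PCL"})
    return [root, east, hct]


if __name__ == "__main__":
    dbs = build_sample_forest()
    gc = GlobalCatalog(dbs)
    print(find_color_printers(gc, dbs))
```

The two-step lookup is the point: the catalog answers "which objects match and where are they" from its partial copy, and the owning domain answers "tell me everything about it". In a real forest the global catalog is queried over LDAP port 3268 and the set of attributes it replicates is controlled per attribute by the schema's isMemberOfPartialAttributeSet flag, so adding attributes to that set enlarges what any user in any domain can read from the index.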
In this case there are two forests. Each forest has its own schema and each domain has its
own copy of the Active Directory database. In the real world you want to reduce the number
of domains that you have to the bare minimum. Having one domain and one forest makes things
a lot easier. In cases like these you don’t have a choice. A separate company is going
to have its own Active Directory forest regardless. In some cases you may need to create a separate
forest. For example if you are testing an application that makes changes to the schema
you may decide to put it in its own forest. By doing this you can be assured the testing
of the application does not make permanent changes to the production network.
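The structure described in this video, from the tree and forest sections earlier through the two-forest case just covered (domains grouped into trees by shared name space, trusts created automatically inside a forest, a manual trust needed between forests, and one schema per forest), as an added example that is not code from the video. The domain names are built from the ones the video uses; 'highcosttraining.com' is an assumed DNS spelling of "high cost training dot com", 'acquired.example' is a constructed name for the taken-over company's forest, and the schema contents are constructed.

```python
"""Toy model of Active Directory domains, trees, forests and trusts.

Added example, not code from the ITFreeTraining video. The domain names are
built from the ones the video uses; 'highcosttraining.com' is an assumed DNS
spelling of 'high cost training dot com' and 'acquired.example' is a
constructed name for the taken-over company's forest.
"""
from collections import defaultdict


class Forest:
    """One forest: one schema, one forest root domain, automatic trusts."""

    def __init__(self, root_domain):
        self.root = root_domain
        self.domains = {root_domain}          # a forest exists as soon as the first domain does
        self.schema = {"user", "computer", "printQueue"}  # forest-wide, shared by every domain
        self.trusts = set()                   # automatic two-way trusts, as unordered pairs
        self.forest_trusts = set()            # roots of other forests an admin has trusted

    def parent_of(self, dns_name):
        """DNS parent of a domain, if that parent is a domain in this forest."""
        _, _, parent = dns_name.partition(".")
        return parent if parent in self.domains else None

    def add_domain(self, dns_name):
        """Add a child domain (shares a parent's name space) or a new tree root."""
        if dns_name in self.domains:
            raise ValueError(f"{dns_name} already exists in this forest")
        parent = self.parent_of(dns_name)
        self.domains.add(dns_name)
        # Active Directory creates the trust itself: parent <-> child inside a
        # tree, or forest root <-> the root of a new tree.
        self.trusts.add(frozenset((parent or self.root, dns_name)))

    def tree_root(self, dns_name):
        """Walk up the name space until no parent domain is in the forest."""
        while self.parent_of(dns_name):
            dns_name = self.parent_of(dns_name)
        return dns_name

    def trees(self):
        """Group the forest's domains into trees, keyed by each tree's root."""
        grouped = defaultdict(set)
        for domain in self.domains:
            grouped[self.tree_root(domain)].add(domain)
        return {root: sorted(members) for root, members in grouped.items()}

    def extend_schema(self, object_class):
        """A schema change replicates to every domain of this forest, and only this forest."""
        self.schema.add(object_class)


def create_forest_trust(forest_a, forest_b):
    """The manual step from the video: nothing links two forests until an admin does this."""
    forest_a.forest_trusts.add(forest_b.root)
    forest_b.forest_trusts.add(forest_a.root)


def has_trust_path(user_forest, user_domain, res_forest, res_domain):
    """Is there a trust path? (The user still needs permission on the resource itself.)"""
    if user_domain not in user_forest.domains or res_domain not in res_forest.domains:
        return False
    if user_forest is res_forest:
        # Inside a forest the automatic trusts are transitive, so walk them.
        seen, frontier = {user_domain}, [user_domain]
        while frontier:
            current = frontier.pop()
            for pair in user_forest.trusts:
                if current in pair:
                    (other,) = pair - {current}
                    if other not in seen:
                        seen.add(other)
                        frontier.append(other)
        return res_domain in seen
    # Different forests: only an explicit forest trust bridges them.
    return res_forest.root in user_forest.forest_trusts


def build_video_forests():
    """The video's layout: the ITFreeTraining forest plus a second, unrelated forest."""
    prod = Forest("itfreetraining.com")
    for name in ["secure.itfreetraining.com", "sales.itfreetraining.com",
                 "east.sales.itfreetraining.com", "west.sales.itfreetraining.com",
                 "highcosttraining.com"]:
        prod.add_domain(name)
    return prod, Forest("acquired.example")


if __name__ == "__main__":
    prod, acquired = build_video_forests()
    print(prod.trees())
    print(has_trust_path(acquired, "acquired.example", prod, "east.sales.itfreetraining.com"))
    create_forest_trust(prod, acquired)
    print(has_trust_path(acquired, "acquired.example", prod, "east.sales.itfreetraining.com"))
```

Running it shows two trees in one forest, a trust path from high cost training to east without any administrator action, no path at all from the acquired forest until create_forest_trust is called, and a schema extension on a separate lab forest leaving the production forest's schema untouched. That last point is why the forest, not the domain, is the security boundary: a schema change or a trust created at the forest root reaches every domain in it.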
That’s it for forests, trees and domains. In the next video I will look at the system
requirements to install your first server for use with Active Directory.
We hope you have enjoyed this free training video. For more free training videos please
go to our web site or YouTube channel. Thanks for watching.