Don't Get Lost in Active Directory Forests

FRAMINGHAM (07/17/2000) - Microsoft Corp.'s Windows 2000 rollout is one of the most important deployment initiatives most organizations will undertake in the next two years. An important design decision is whether to go with a single Active Directory "forest" or multiple forests for your production intranet.

Active Directory merges Microsoft NT domains with Domain Name System domains.

Then, within the Active Directory domains, customers can store Lightweight Directory Access Protocol information about organizational units, users, groups, computers and other objects. Each domain reflects an IT organization with its own security policies and administration organizations.

Active Directory takes the domain model a step further, enabling a "forest" construct through which many domains in a company can be grouped together. When multiple domains are grouped into a forest, they share a searchable Global Catalog, transitive trusts and universal groups for access-control purposes.

This means that when a user logs on to any domain controller in any domain of the forest, the access token built from his Kerberos ticket is loaded with the Security Identifiers (SIDs) of all the groups to which he belongs. Some of these groups are universal groups held in the Global Catalog, which can contain users from multiple domains.

When the user connects to any domain in the forest, transitive trusts kick in to authenticate the user automatically. Similarly, the group SIDs in the user's access token act as tickets to any resource in the domain that has been authorized for that group. The single point of administration and single sign-on features sound like a dream come true.

But forests also share a configuration container, which includes the schema, or logical data definitions that all domains must use. This means organizations with a single production intranet forest must also have a single "schema control committee." Because directory-enabled applications such as Microsoft Exchange change the schema, IT organizations in different domains must coordinate deployment and versioning of those applications, necessitating an "application certification board." This represents more centralization and coordination than many organizations are used to.
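The shared pieces described above (the forest's domains and Global Catalogs, the single schema and configuration container, intra-forest transitive trusts, universal groups, and the group SIDs that land in a user's token) can all be read back from the directory. The following is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host with ordinary read access, and the user name 'jdoe' is a placeholder to replace.

```powershell
# Added example (not from the article): report on the forest boundary that the
# article describes. Requires the ActiveDirectory RSAT module on a
# domain-joined host with read access to the directory.
Import-Module ActiveDirectory

function Get-ForestBoundaryReport {
    param(
        # Placeholder account; replace with a real sAMAccountName to inspect.
        [string]$SampleUser = 'jdoe'
    )

    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE

    # One forest means one schema and one configuration container, shared by
    # every domain below it. The schema master is therefore a forest-wide
    # trust anchor, not a per-domain one.
    [pscustomobject]@{
        Forest                 = $forest.Name
        ForestMode             = $forest.ForestMode
        Domains                = $forest.Domains -join ', '
        GlobalCatalogs         = $forest.GlobalCatalogs -join ', '
        SchemaMaster           = $forest.SchemaMaster
        SchemaContainer        = $rootDse.schemaNamingContext
        ConfigurationContainer = $rootDse.configurationNamingContext
    } | Format-List

    # Intra-forest trusts are always two-way and transitive, so any domain in
    # the forest authenticates users from any other domain. Entries with
    # IntraForest = $false are external or forest trusts: those are the places
    # where the forest's security boundary is actually being crossed, and
    # where selective authentication is worth confirming.
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, IntraForest,
                      ForestTransitive, SelectiveAuthentication |
        Format-Table -AutoSize

    # Universal groups are replicated to the Global Catalog and may hold
    # members from any domain; they are the cross-domain access-control path
    # the article describes, so their membership is a forest-wide concern.
    Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Properties Members |
        Select-Object Name, @{ n = 'MemberCount'; e = { $_.Members.Count } } |
        Sort-Object MemberCount -Descending |
        Format-Table -AutoSize

    # The group SIDs that will be loaded into this user's token at logon,
    # regardless of which domain in the forest the user logs on to.
    Get-ADPrincipalGroupMembership -Identity $SampleUser |
        Select-Object Name, GroupScope, SID |
        Format-Table -AutoSize
}

Get-ForestBoundaryReport
```

Run it from an elevated or ordinary PowerShell session on a domain member; no write access is needed. To see the same group SIDs from the client side, `whoami /groups` on the logged-on workstation lists what the token actually carries, which is a useful cross-check when reviewing which universal groups grant access across domains.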

So you have two options. You can deploy one forest with relatively few applications changing the schema (and, therefore, with reduced functionality) and tighter coordination among business IT functions. This approach offers a forest-wide single point of administration, single sign-on and reduced total cost of ownership (TCO). Or, you can deploy multiple forests with a high degree of business unit autonomy and many applications (that is, high functionality).

At the price of increased complexity and TCO, metadirectory services that synchronize information across forests can restore some of the benefits of the single forest, but not all of them.

Blum is senior vice president and principal consultant with The Burton Group, an IT advisory service. He can be reached at
