Step 1: Determine the Number of Forests

Published: February 25, 2008


Every Active Directory implementation will have at least one forest. The first step in Active Directory design is to determine whether one or multiple forests are required to meet the organization’s objectives. If multiple forests are required, then the total number of forests needs to be determined.

Getting this decision correct in the beginning is important. As planning progresses, the assumptions that are driven by this design decision will make changing the configuration more difficult. It is considerably more difficult to collapse forests once they have been established than it is to add additional forests later.

Option 1: Single Forest

When considering the overall design of Active Directory, a single forest implementation is the default.

A best practice is to start with a single forest and let business requirements justify any additional forests.

For extremely large directories, replication could become an issue. Whereas domains are used to partition the directory data and control replication of domain-centric information, forest-wide information—which includes configuration data, schema, and global catalog data—must be replicated.

Option 2: Multiple Forests

The following requirements will dictate a design with multiple forests:

  • Multiple schemas. Everything in the forest shares a common schema. Conflicts between applications or administration of the schema can introduce the need for an additional forest.
  • Resource forests. Some organizations may require multiple forests for isolation reasons, but need to share a common resource, for example Microsoft Exchange Server 2000 and later. A separate forest can be created to host the shared resources, and forest-level trusts can be used to provide the authentication and authorization paths. A test environment could be created as a resource forest.
  • Forest administrator distrust. Some organizations have an internal structure that includes more than one IT team. When each IT team wants to control the forest while denying the other IT staff control, implementing multiple forests is a means to that end. This is a common scenario when companies merge, in government agencies, and at universities.
  • Legal regulations or geo-political reasons for application and/or data access. All domains in a single forest have automatic, two-way Kerberos trusts so that data and applications can be accessed easily. When working with some countries or regions, legal requirements may dictate the separation of data and applications. Multiple forests provide this separation.

Implementing multiple forests increases the cost of managing the environment. Additional hardware and software are required to maintain and support multiple forests, and additional staff may also be required.

If information sharing across forests is required, then cross-forest trusts are necessary. These trusts support Kerberos in Windows Server 2003 and Windows Server 2008 environments.

Global catalogs do not replicate across forest boundaries. To obtain a unified view across multiple forests, directory synchronization software, such as Identity Lifecycle Manager 2007, must be implemented. Implementing such technologies increases the administrative burden of multiple forests.

How Many Forests?

When the need for multiple forests is confirmed, the exact number of required forests must be determined. Iterate through the forest decision until all of the business requirements have been addressed and the total number of forests required has been identified.

Evaluating the Characteristics

Characteristic: Complexity
  • One forest: A single forest is the entry point for a deployment of Active Directory; complexity cannot be reduced. Rating: Low
  • Multiple forests: Second and subsequent forests add to the overall complexity of the environment. Rating: High

Characteristic: Cost
  • One forest: A single forest is the least expensive choice because it requires less hardware, software, and administrative support. Rating: Low
  • Multiple forests: Hardware, software, and administrative considerations increase the cost for each forest that is added to the design. Rating: High

Characteristic: Security
  • One forest: The forest is the security boundary, and the forest administrator has access to all resources within the forest.
  • Multiple forests: Security responsibilities are granted to the administrator of each forest. Dividing security responsibilities among multiple administrators can yield a better overall security rating.

Validating with the Business

In addition to evaluating the decision in this step against IT-related criteria, the effect of the decision on the business should also be validated. The following questions have been known to affect forest design decisions:

  • Are there any acquisition or divestiture plans in the near future? If the company might be acquired in the near future, it may be prudent to discuss design details with the acquiring company, rather than design a directory that could be discarded once the acquisition is complete.

    If the company is acquiring a new business, requirements around that acquisition should be considered during the design phase. For example, unique administration requirements might be introduced during the acquisition.

    If a business unit is going to be divested, a separate forest might make the transition easier and simpler.

  • Are there any impending separation requirements? Pending or known compliance regulations might introduce separation requirements.

Tasks and Considerations

For each forest in the environment, it’s important to consider time synchronization. Kerberos depends on the time of domain controllers, servers, and clients being synchronized within minutes of one another; otherwise, Kerberos authentication will fail. Time is one of the considerations used for assessing the health state of the directory. Active Directory relies on the domain controller that runs the primary domain controller (PDC) emulator role in the root domain to keep the master time for all domains in the forest. There are two options for establishing the time for that domain controller.

The time can be synchronized with a source that is either internal or external to the organization. An internal time source can itself be synchronized with a time server on the Internet, and the internal time source and the domain controller can use authentication to ensure reliable time. If an external time source is used directly, no authentication is provided.

Manually setting and updating the time is not recommended. The Active Directory environment relies too heavily on the time, and serious problems can occur if the time is not set properly.
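As an added example (not from the IPD guide or from Microsoft documentation), the following PowerShell applies the guidance above: it points the forest-root PDC emulator at external NTP peers, points the remaining domain controllers at the domain hierarchy, and checks each DC's clock offset against the Kerberos tolerance. The domain and peer names are placeholders; it assumes an elevated session on a domain controller of the forest root domain running Windows Server 2008 or later (for w32tm /query).

```powershell
# Added example, not part of the IPD guide. Run elevated on a DC of the forest root domain.
$Domain         = 'corp.example.com'                           # constructed placeholder
$NtpPeers       = 'ntp1.example.com,0x8 ntp2.example.com,0x8'  # placeholders; 0x8 = client mode
$MaxSkewSeconds = 300   # default Kerberos "maximum tolerance for computer clock synchronization"

# 1. Locate the PDC emulator: it is the authoritative time source for the whole forest.
$pdc = netdom query fsmo | ForEach-Object { if ($_ -match '^PDC\s+(\S+)') { $Matches[1] } }

if ($env:COMPUTERNAME -ieq ($pdc -split '\.')[0]) {
    # 2a. On the PDC emulator: take time from the external NTP peers and advertise as reliable.
    #     Plain NTP from an external source carries no authentication, as the guide notes.
    w32tm /config /manualpeerlist:"$NtpPeers" /syncfromflags:manual /reliable:yes /update
} else {
    # 2b. On every other DC: follow the domain hierarchy. Hierarchy sync uses NTP packets
    #     signed with the computer account, which is the authenticated internal path.
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service -Name w32time
w32tm /resync /rediscover | Out-Null
w32tm /query /source     # shows which peer this DC now follows

# 3. Check every DC's offset (measured from this machine's clock) against the tolerance.
function Get-DcClockSkew {
    param([string]$Domain, [int]$ToleranceSeconds)
    $current = $null
    foreach ($line in (w32tm /monitor /domain:$Domain)) {
        # DC header line, e.g. "dc2.corp.example.com[10.0.0.2:123]:" (the PDC line adds "*** PDC ***")
        if ($line -match '^(\S+?)(\s+\*\*\* PDC \*\*\*)?\[') { $current = $Matches[1]; continue }
        # Offset line, e.g. "    NTP: -0.0123456s offset from dc1.corp.example.com"
        if ($current -and $line -match '^\s*NTP:\s+([+-]\d+\.\d+)s offset') {
            $offset = [double]$Matches[1]
            [pscustomobject]@{
                DomainController = $current
                OffsetSeconds    = $offset
                WithinTolerance  = ([math]::Abs($offset) -le $ToleranceSeconds)
            }
        }
    }
}
Get-DcClockSkew -Domain $Domain -ToleranceSeconds $MaxSkewSeconds | Format-Table -AutoSize
```

A DC reported with WithinTolerance = False will fail Kerberos authentication until its clock is corrected, so the check is worth scheduling rather than running once.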

Decision Summary

A single forest is ideal. It is easier to manage as well as being cheaper to implement, maintain, and support. Multiple forests are necessary if legal, schema, administrative, or application requirements dictate the decision.

Additional Reading

“Creating a Forest Design” at https://technet2.microsoft.com/windowsserver/en/library/fba18139-1168-4259-82b3-c3b4c81945981033.mspx?mfr=true

“How to configure an authoritative time server in Windows Server 2003” at https://support.microsoft.com/kb/816042/
