Creating a new forest

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


When you create the first domain controller in your organization, you are creating the first domain (also called the forest root domain) and the first forest.

The top-level Active Directory container is called a forest. A forest consists of one or more domains that share a common schema and global catalog. An organization can have multiple forests.

A forest is the security and administrative boundary for all objects that reside within the forest. In contrast, a domain is only an administrative boundary for managing objects, such as users, groups, and computers; it is not a security boundary, because every domain in a forest trusts every other domain and the forest root holds groups with forest-wide rights. Each domain does have its own individual security policies and trust relationships with other domains.

Multiple domain trees within a single forest do not form a contiguous namespace; that is, they have noncontiguous DNS domain names. Although trees in a forest do not share a namespace, a forest does have a single root domain, called the forest root domain. The forest root domain is, by definition, the first domain created in the forest. The Enterprise Admins and Schema Admins groups are located in this domain. By default, members of these two groups have forest-wide administrative rights, so the forest root domain must be protected to the standard of the whole forest, and membership in these groups should be kept to the minimum required.

When to create a new forest

A first step in the Active Directory design process is to determine how many forests your organization needs. For most organizations, a single forest design is the preferred model and the simplest to administer. However, a single forest may not be practical for every organization.

With a single forest, users do not need to be aware of directory structure because all users see a single directory through the global catalog. When adding a new domain to a forest, no additional trust configuration is required because all domains in a forest are connected by two-way, transitive trusts. In a forest with multiple domains, forest-wide configuration changes need to be applied only once to update all domains.

However, there are scenarios in which you might want to create more than one forest:

  • When upgrading a Windows NT domain to a Windows Server 2003 forest. You can upgrade a Windows NT domain to become the first domain in a new Windows Server 2003 forest. To do this, you must first upgrade the primary domain controller in that domain. Then, you can upgrade backup domain controllers, member servers, and client computers at any time.

    You can also keep a Windows NT domain and create a new Windows Server 2003 forest by installing Active Directory on a member server running Windows Server 2003. For more information, see Upgrading from a Windows NT domain.

  • To provide administrative autonomy. You can create a new forest when you need to segment your network for purposes of administrative autonomy. Administrators who currently manage the IT infrastructure for autonomous divisions within the organization may want to assume the role of forest owner and proceed with their own forest design. However, in other situations, potential forest owners may choose to merge their autonomous divisions into a single forest to reduce the cost of designing and operating their own Active Directory or to facilitate resource sharing. Another alternative is to provide for some delegation of administrative authority that enables the benefits of both approaches. For more information, see "Best Practice Active Directory Design for Managing Windows Networks" on the Microsoft Web site or "Design Considerations for Delegation of Administration in Active Directory", also available on the Microsoft Web site.

Operations master roles in a new forest

When you create the first forest in your organization, all five operations master roles are automatically assigned to the first domain controller in the forest. As new child domains are added to the forest, the first domain controller in each of the new child domains is automatically assigned the following roles:

  • Relative identifier master

  • Primary domain controller (PDC) emulator

  • Infrastructure master

Because there can be only one schema master and one domain naming master in a forest, these roles remain in the forest root domain. In an Active Directory forest with only one domain and one domain controller, that domain controller owns all the operations master roles. For more information, see Operations master roles.
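The role assignment described above can be verified from any domain-joined machine by reading the fSMORoleOwner attribute of the objects that record each role. The following PowerShell script is an added example, not part of the original page; it uses ADSI (available on any Windows client) rather than the later ActiveDirectory module, so it works against a Windows Server 2003 forest. It assumes the caller is a domain user with ordinary read access; the naming contexts are read from RootDSE, so no domain name is hard-coded.

```powershell
# Added example: list the owners of the five operations master (FSMO) roles
# for the forest of the machine this runs on, via ADSI/LDAP.
# Assumes ordinary read access to the directory (any domain user).
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = $rootDse.defaultNamingContext.Value         # e.g. DC=corp,DC=example,DC=com
$configNc = $rootDse.configurationNamingContext.Value   # CN=Configuration,<forest root>
$schemaNc = $rootDse.schemaNamingContext.Value          # CN=Schema,CN=Configuration,<forest root>

# Each role is recorded as the fSMORoleOwner attribute of one specific object.
# The two forest-wide roles live in the schema and configuration partitions,
# which exist once per forest; the three domain roles live in the domain partition.
$roles = [ordered]@{
    'Schema master'         = "LDAP://$schemaNc"
    'Domain naming master'  = "LDAP://CN=Partitions,$configNc"
    'PDC emulator'          = "LDAP://$domainNc"
    'RID master'            = "LDAP://CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure master' = "LDAP://CN=Infrastructure,$domainNc"
}

foreach ($role in $roles.GetEnumerator()) {
    $obj = [ADSI]$role.Value
    # fSMORoleOwner holds the DN of the owning DC's NTDS Settings object:
    # CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    # Strip the leading RDN to reach the server object, which carries dNSHostName.
    $ntdsDn   = [string]$obj.fSMORoleOwner
    $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
    $server   = [ADSI]"LDAP://$serverDn"
    '{0,-22} {1}' -f $role.Key, [string]$server.dNSHostName
}
```

In a freshly created forest with one domain controller, all five lines name the same host. Run it from a child domain and the first two lines still name a domain controller in the forest root, which is the check that the forest-wide roles have not been moved out of the root by mistake.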

Adding new domains to your forest

A domain stores only information about the objects located in that domain, so by creating multiple domains within a new forest, you are partitioning or segmenting Active Directory to better serve a disparate user base.

The easiest domain structure to administer is a single domain within a single forest. When planning, you should start with a single domain and only add additional domains when the single domain model no longer meets your needs. For more information about creating domains, see Domains.

Before creating a new forest

Active Directory requires DNS to function, and both share the same hierarchical domain structure. For example, microsoft.com is a DNS domain and an Active Directory domain. Because Active Directory relies on DNS, you must thoroughly understand Active Directory and DNS concepts before creating a new forest. For more information, see Checklist: Creating a new forest.
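The practical form of this dependency is the set of SRV records that domain controllers register under _msdcs.<forest root>, which clients use to locate a domain controller, a global catalog, a Kerberos KDC, and the PDC emulator. The following PowerShell script is an added example, not part of the original page: it checks that those records resolve for a forest. It assumes the DnsClient module (Resolve-DnsName, Windows 8 / Windows Server 2012 or later on the querying machine) and uses the forest name corp.example.com as a placeholder to be replaced with your own.

```powershell
# Added example: verify the DC locator SRV records a forest depends on.
# Assumes Resolve-DnsName (DnsClient module); the forest name is a placeholder.
param([string]$Forest = 'corp.example.com')

# Records registered by every DC in the forest root's _msdcs subdomain.
$checks = @(
    @{ Label = 'Any DC (LDAP)';  Name = "_ldap._tcp.dc._msdcs.$Forest" }
    @{ Label = 'Global catalog'; Name = "_ldap._tcp.gc._msdcs.$Forest" }
    @{ Label = 'Kerberos KDC';   Name = "_kerberos._tcp.dc._msdcs.$Forest" }
    @{ Label = 'PDC emulator';   Name = "_ldap._tcp.pdc._msdcs.$Forest" }
)

$allFound = $true
foreach ($c in $checks) {
    try {
        # Resolve-DnsName also returns the A records of the targets; keep only SRV.
        $srv = Resolve-DnsName -Name $c.Name -Type SRV -ErrorAction Stop |
               Where-Object { $_.QueryType -eq 'SRV' }
        if (-not $srv) {
            $allFound = $false
            '{0,-16} no SRV records for {1}' -f $c.Label, $c.Name
            continue
        }
        foreach ($r in $srv) {
            '{0,-16} {1}:{2} (priority {3}, weight {4})' -f `
                $c.Label, $r.NameTarget, $r.Port, $r.Priority, $r.Weight
        }
    } catch {
        $allFound = $false
        '{0,-16} lookup failed: {1}' -f $c.Label, $_.Exception.Message
    }
}

if (-not $allFound) {
    Write-Warning "DC locator records are missing for $Forest; clients cannot find a domain controller until DNS is corrected."
}
```

A missing or stale record here is the usual cause of "domain controller could not be contacted" errors after a new forest is created, typically because the DNS server the domain controller points to does not host, or does not accept dynamic updates for, the _msdcs zone.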