Introduction (Multiple Forest Considerations in Windows 2000 and Windows Server 2003)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Active Directory infrastructure necessarily provides a certain amount of forestwide oversight that enables administrators in the forest root domain to manage schema data, configuration data, and domain controllers. The control granted to these administrators carries with it the potential for misuse by malicious administrators. In addition, where autonomy or isolation is required, the level of security afforded by a single domain might not be adequate. In particular, large organizations might have organizational, legal, or operational requirements that warrant dividing control between separate forests.

The need to deploy multiple forests might be recognized and accommodated during initial deployment planning, or might occur as an unplanned requirement of an organizational change after deployment. Both cases have important ramifications, as follows:

  • Planned multiforest deployment: During planning for multiple forests, be sure that you carefully weigh the advantages against the added costs of implementation.

  • Unplanned multiforest deployment: If business decisions result in a merger, acquisition, or divestiture that creates a need to add one or more forests to the deployed environment, be prepared for a gradual process of implementing multiple forests and enabling collaboration across forests.

The division of a Windows deployment into multiple Active Directory forests must be undertaken with the understanding that some of the functionality that is available by default in a single Active Directory forest requires additional configuration in a multiforest deployment.

Note

Some single-forest functionality is not available in multiforest deployments for applications using Active Directory. For example, certain mailbox-related features are not available in multiforest deployments that implement Microsoft Exchange 2000 Server, and require a workaround solution. For information about these features and solutions, see “Features that are Unavailable Across Forests” later in this paper.

To coordinate the data and services of multiple forests to serve a single organization, the following functionality requires additional configuration:

  • Domain Name System (DNS) name resolution across forest boundaries.

  • Microsoft Exchange 2000 Server and later functionality, including synchronization of address list information across multiple forests and synchronization of free and busy calendar information.

  • Access to resources across the forests.

  • Infrastructure data synchronization across the forest boundaries.

  • Application data synchronization across multiple forests.

Note

This paper does not provide step-by-step configuration instructions. Microsoft intends to issue a deployment guide to address deployment information.

This paper explains the rationale for each of these additional configurations and gives an overview of the planned and unplanned conditions for, and the effects of, deploying multiple forests.

What This Paper Does Not Cover

It is not a goal of this paper to provide recommendations for when to deploy multiple Active Directory forests rather than a single Active Directory forest. If you are planning to deploy multiple forests, it is assumed that you have analyzed operational, organizational, and legal requirements for Active Directory and have determined that one or more requirements are consistent with creating multiple Active Directory forests.

Preliminary reading to examine these conditions includes the following:

  • For a detailed explanation of the conditions that warrant partitioning a Windows network between multiple forests to achieve service autonomy, service isolation, or data isolation, see “Design Considerations for Delegation of Administration in Active Directory.” You can view this document on the Microsoft TechNet Web site at https://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx.

  • For general Active Directory deployment planning information, see “Best Practice Active Directory Design for Managing Windows Networks.” You can view this document on the Microsoft TechNet Web site at https://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx.

In addition, this paper does not provide:

  • Prescriptive step-by-step instructions for how to configure features in multiple forests. Microsoft intends to issue a deployment guide with instructions for how to implement configuration changes.

  • Recommendations for whether to merge or “bridge” multiple forests when companies merge, or instructions for how to do so.

  • Instructions for how to spin off a separate forest in preparation for a divestiture.