Updated: July 31, 2004
Applies To: Windows Server 2003 with SP1
Windows 2000 introduced the Active Directory forest, which integrates the traditionally separate Windows NT Server 4.0 domains. This integration enables rich collaboration between the domains in a forest, and applications can build on it. For example, users can search Exchange Server global address lists to locate other users anywhere in the forest by a variety of attributes and then send them mail.
With this integration, many of the Windows NT Server 4.0 boundaries disappeared. Domains were no longer completely isolated from one another; they became interdependent, and moving to a single forest required a certain level of consent and trust between the administrators of the different domains.
Where this level of trust cannot be achieved, multiple forests must be deployed. There are also scenarios, such as mergers and acquisitions or collaboration across enterprises, in which multiple forests already exist and consolidation into a single forest is not possible because of the complexity involved or a lack of trust between the organizations.
Windows 2000 Server does not fully address the multiple-forest scenario. To enable authentication, administrators must set up a separate external trust between every domain in one forest and every domain in the other forest that needs it; this can lead to so many trusts that they become difficult to manage. Also, a Windows 2000 external trust is all-or-nothing: you can either trust every user in the trusted domain or trust none of them. A more limited approach is needed across enterprises, where you may want to allow only a specific set of users from the other corporation to authenticate. Trusts across enterprises most likely also have to span firewalls, and Windows 2000 trusts have limited support for doing so.
The Windows Server 2003 family introduces the forest trust: a single transitive trust created between the forest root domains of two forests, so that every domain in each forest is part of the trust. (Both forests must be at the Windows Server 2003 forest functional level before a forest trust can be created.) The problem of all-or-nothing trust is solved by the Selective Authentication option, which allows only specific users or groups from the trusted forest to authenticate, and only to the computers in the trusting forest on which they have been granted the Allowed to Authenticate permission. Managing a trust across network firewalls is also easier because administrators can pin the remote procedure call (RPC) ports that the trust uses to specific values and open only those ports.
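The following commands, added here as an illustration and not part of the original article, show how an administrator in the forest root domain of one forest would create such a trust with a second forest, switch it to selective authentication, grant one group from the other forest the Allowed to Authenticate permission on a single resource server, and pin the Netlogon RPC port so that a firewall between the forests can be opened for a fixed port rather than the whole dynamic RPC range. The forest names contoso.com and fabrikam.com, the account and group names, the computer object CN=FS01,OU=Servers,DC=contoso,DC=com and the port number 50001 are all assumptions chosen for the example.

```powershell
# Added example (not from the original article). Run on a domain controller in the
# forest root domain contoso.com as an Enterprise Admin. Names, DNs and ports are
# assumptions chosen for illustration.

# 1. Create a two-way trust with the root domain of the other forest. Both forests
#    must already be at the Windows Server 2003 forest functional level.
netdom trust contoso.com /d:fabrikam.com /add /twoway `
    /uo:CONTOSO\Administrator /po:* /ud:FABRIKAM\Administrator /pd:*

# 2. Mark the trust as forest-transitive, so every domain in fabrikam.com is covered
#    by this one trust instead of one external trust per domain pair.
netdom trust contoso.com /d:fabrikam.com /ForestTRANsitive:yes `
    /uo:CONTOSO\Administrator /po:*

# 3. Switch from forest-wide authentication to selective authentication. From now on
#    no fabrikam.com user can authenticate to any contoso.com computer until that user
#    (or a group containing it) is explicitly allowed on the computer object.
netdom trust contoso.com /d:fabrikam.com /SelectiveAUTH:yes `
    /uo:CONTOSO\Administrator /po:*

# 4. Allow one group from the trusted forest to authenticate to one resource server only.
#    "Allowed to Authenticate" is the extended right the domain controller checks when a
#    user from the other forest requests a service ticket for this computer.
dsacls "CN=FS01,OU=Servers,DC=contoso,DC=com" `
    /G "FABRIKAM\Project Team:CA;Allowed to Authenticate"

# 5. Verify the trust from this side (needs network reachability to a fabrikam.com DC).
netdom trust contoso.com /d:fabrikam.com /verify

# 6. Pin the Netlogon RPC endpoint (used for secure channel setup and NTLM pass-through
#    authentication across the trust) to a fixed port, so the firewall can allow
#    TCP 135 (endpoint mapper) plus this one port instead of the full dynamic range.
#    Kerberos (88), LDAP (389/636) and SMB (445) must still be open. Apply the same
#    value on every DC the partner forest can reach, then restart Netlogon.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
    /v DCTcpipPort /t REG_DWORD /d 50001 /f
Restart-Service Netlogon
```

Steps 2 and 3 can also be performed in the New Trust Wizard of Active Directory Domains and Trusts; the command-line form is shown because it makes the individual trust properties visible. Note that selective authentication only limits which users can obtain a service ticket for a given resource computer; access to resources on that computer is still governed by its own ACLs.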