Determining the Number of Forests Required

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To determine the number of forests that you must deploy, carefully identify and evaluate the isolation and autonomy requirements of each group in your organization, and map those requirements to the appropriate forest design models.

Note that if you are coming from a Windows NT 4.0 environment, the decision process for creating your Active Directory logical structure design is different from the decision process for deploying Windows NT 4.0 Master User Domains (MUDs). It is not always appropriate to model your Active Directory forest design on your existing Windows NT 4.0 infrastructure.

When determining the number of forests to deploy for your organization, consider the following points:

  • Isolation requirements limit your design choices. Therefore, if you identify isolation requirements, confirm that the groups actually require data isolation and that data autonomy is not sufficient for their needs. Ensure that the various groups in your organization clearly understand the difference between isolation and autonomy.

  • Negotiating the design can be a lengthy process, and it can be difficult for groups to come to agreement about ownership and utilization of available resources. Ensure that you allow enough time for the groups in your organization to conduct adequate research to identify their needs. Set firm deadlines for design decisions and get consensus from all parties on the established deadlines.

  • Determining the number of forests to deploy involves balancing costs against benefits. A single forest model is the most cost-effective option and requires the least amount of administrative overhead. Although a group in the organization might prefer autonomous service operations, it might be more cost-effective for the organization to subscribe to service delivery from a centralized, trusted IT group, allowing the group to own data management without creating the added costs of service management. Balancing costs against benefits might require input from the executive sponsor.

    A single forest is the easiest configuration to manage and allows for maximum collaboration within the environment because:

    • All objects in a single forest are listed in the global catalog. Therefore, no synchronization across forests is required.

    • Management of a duplicate infrastructure is not required.

  • Co-ownership of a single forest by two separate and autonomous IT organizations is not recommended. In the future, the goals of the two IT groups might change to the point that they can no longer accept shared control.

  • Outsourcing service administration to more than one outside partner is not recommended. Multinational organizations that have groups in different countries or regions might choose to outsource service administration to a different outside partner for each country or region. Because multiple outside partners cannot be isolated from one another, the actions of one partner can affect the service of the other, which makes it difficult to hold the partners accountable to their service level agreements.

  • Only one instance of an Active Directory domain should exist at any time. Microsoft does not support cloning, splitting, or copying domain controllers from one domain in an attempt to establish a second instance of the same domain. For further information about this limitation, see the following section, "Restructuring Limitations."