by Jason Zandri
Welcome to the third installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This week's topic is the Active Directory Logical Architecture, specifically, Forests and Trees and the Trust Relationships between them.
Active Directory Logical Architecture
As you make preparations for the installation of your first Windows 2000 Domain Controller into your environment, whether that is a pristine new forest or an existing domain, you need to have a solid understanding of all the different parts that make up the Windows 2000 Active Directory.
By definition, the Windows 2000 Active Directory forest is the collection of one or more Microsoft Windows 2000 domains that share a common schema, configuration, and global catalog.
This is not true of the domain namespace of the domain trees in the forest. If there is a single tree in the forest, it will have a common domain namespace. Since there can be more than one domain tree in a forest (it is not a requirement, but it is allowed), these different domain trees will have their own individual
All of the domains in a domain tree and all of the trees in a single forest are joined by the two-way, transitive trust relationship, which is the default trust relationship between Windows 2000 domains. A two-way, transitive trust, by definition, is really the combination of a transitive trust and a two-way trust: transitive means that if domain A trusts domain B and domain B trusts domain C, then domain A also trusts domain C, and two-way means that each of the two domains trusts the other. This complete trust between all domains in an Active Directory domain hierarchy helps to form the forest as a single unit via its common schema, configuration, and global
The first Windows 2000 domain installed in the forest is considered to be the forest root domain.
[NOTES FROM THE FIELD] – Much of this information is an Exam Requirement for both the 70-217 AND the 70-219 exams. Some would argue it is more so for the 217 and I would agree, but if you do not have the underpinnings from the Administration pieces of 70-217, you'll be hard pressed to pull off the Design requirements for 70-219.
By definition, a Windows 2000 Active Directory domain tree is a set of Windows 2000 domains connected together via a two-way transitive trust, sharing a common schema, configuration, and global catalog.
In order to be considered a true Windows 2000 domain tree, the domains must form a contiguous hierarchical namespace with one domain being the domain root.
The first Windows 2000 domain installed in a tree is considered to be the root domain of that tree. It would only be considered the forest root domain if it was also the first domain in the forest.
Let's say that zandri.net is the first Windows 2000 domain in a pristine forest. This would make zandri.net the first Windows 2000 domain installed in the forest, and as such it would be considered the forest root domain. Since it is also the first Windows 2000 domain installed in this tree, it is considered to be the root domain of the zandri.net tree.
[NOTES FROM THE FIELD] – A tree that consists of only a single domain is called a standalone domain tree. That single tree constitutes a forest of one tree.
After the zandri.net domain has been deployed, a child domain called data.zandri.net is created, and then a second child domain, sales.zandri.net. Since these two new domains are children of the parent, zandri.net, they are located below it in the hierarchy, and the hierarchy would appear as shown below, with the zandri.net domain at the top.
If we were to then create a new domain tree called madison.net with two child domains, sales.madison.net and data.madison.net, the forest structure would look something like this:
The root of the whole forest would be zandri.net (zandri.net is also the root of the entire zandri.net tree), and the root of the second tree would be madison.net (madison.net would be only the root of the madison tree). The child domains of sales.madison.net and data.madison.net would be directly below madison.net in