The next step in the process is to define the security boundaries. If you purchase empty land to build a house, what will be the first thing you do? You need to clearly identify the plot's boundaries. Your building/development can't go beyond it. What kind of information do we need to gather in order to identify an identity infrastructure's boundaries? Understanding business operations is vital for this. For example, Rebeladmin Corp. owns a group of companies. The operations of each business are completely different. One is a hosting company and the other one is an IT training institute. They also have a pharmaceutical company. Operations and business requirements are different for each of those companies. In such scenarios, multiple forests will be ideal as none of the companies depend on each other's resources for its operations. Sometimes, even if it's a single company, some business units may need logical separation at least from the directory service point of view. For example, Rebeladmin Corp. has a research and development department. Engineers in that department keep testing new software and services, and most of them are Active Directory-integrated. Their security requirements rapidly change as well. They need to test different group policies for testing purposes. If it's the same Active Directory forest, the activities of these tests will impact the entire directory. Therefore, the best option will be to isolate their activity to a separate forest.