When to Use Multiple Trees

Many of the issues previously described regarding multiple domains in a single tree also hold true for multiple domains and trees in a single Forest. All the trees in a Forest share a common schema and a common security context, through a two-way, transitive trust with the root domain for the Forest. The sharing of a common schema, common configuration information, and a common security environment is what distinguishes a Forest from a set of unrelated domain trees. However, some differences between a single tree and multiple trees in a Forest might drive organizations to consider the implementation of a Forest.

Discontiguous Namespace

Perhaps the greatest motivating factor in considering the implementation of a Forest with multiple trees, rather than a Forest with a single tree, is an organizational requirement for multiple namespaces. The need for multiple namespaces can arise for several reasons:

  • The organization might be involved in a business that requires distinct and unrelated namespaces on the Internet, while still requiring centralized administration and organization-wide access to resources.

  • The organization might be growing through acquisition and might not want to immediately dissolve namespaces inherited from businesses that have been acquired.

  • The organization might be involved in partnerships in which the partner does not want to maintain an Active Directory structure and would like to leverage an existing Active Directory structure.

All these scenarios can be accommodated through the implementation of a single Forest with multiple domain trees, as shown in Figure 20.5. However, it is important to note that although a Forest can have a discontiguous namespace, there is still a single schema operations master to which all schema changes must be applied, and there is a single GC for the entire Forest. Multiple DCs can be configured as GC servers to host the GC.

Figure 20.5. A Forest is composed of multiple domain trees linked by a transitive trust relationship from the root domain of each tree to the Forest root.
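The following PowerShell sketch is an added example, not taken from the book. It groups a Forest's domains into domain trees by DNS namespace, so that each discontiguous namespace and its tree root can be reviewed as part of one shared security context. The function name `Get-ForestTreeMap` and the sample domain names are hypothetical, and tree membership is inferred from DNS suffixes only, which is an assumption.

```powershell
# Added example: infer domain trees in a Forest from the domains' DNS names.
# Assumption: a domain belongs to the tree of the shortest Forest domain
# whose name is a DNS suffix of its own; a domain with no such parent is a tree root.
function Get-ForestTreeMap {
    param(
        [Parameter(Mandatory)] [string[]] $Domains,     # all domains in the Forest
        [Parameter(Mandatory)] [string]   $RootDomain   # the Forest root domain
    )
    $root  = $RootDomain.ToLowerInvariant().TrimEnd('.')
    $names = @($Domains | ForEach-Object { $_.ToLowerInvariant().TrimEnd('.') })
    foreach ($d in $names) {
        # Other Forest domains whose name is a proper DNS suffix of $d.
        $ancestors = @($names | Where-Object { $_ -ne $d -and $d.EndsWith(".$_") })
        $treeRoot  = if ($ancestors.Count -gt 0) {
            $ancestors | Sort-Object Length | Select-Object -First 1
        } else {
            $d
        }
        [pscustomobject]@{
            Domain       = $d
            TreeRoot     = $treeRoot
            IsTreeRoot   = ($treeRoot -eq $d)
            IsForestRoot = ($d -eq $root)
        }
    }
}

# Constructed sample: one Forest with two discontiguous namespaces.
$sampleDomains = @(
    'example.com',
    'emea.example.com',
    'sales.emea.example.com',
    'partner-example.net',
    'ext.partner-example.net'
)
$map = Get-ForestTreeMap -Domains $sampleDomains -RootDomain 'example.com'

# One row per domain, then a count of domains per tree.
$map | Sort-Object TreeRoot, Domain | Format-Table -AutoSize
$map | Group-Object TreeRoot | Select-Object Name, Count | Format-Table -AutoSize

# Against a live Forest (requires the ActiveDirectory module):
#   $f = Get-ADForest
#   Get-ForestTreeMap -Domains @($f.Domains) -RootDomain $f.RootDomain
#   $f.SchemaMaster      # the single schema operations master
#   $f.GlobalCatalogs    # the DCs configured as GC servers
```

For the constructed sample, the output shows two trees, rooted at `example.com` (three domains) and `partner-example.net` (two domains), with only `example.com` marked as the Forest root.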


Access Control

Another reason to implement a Forest of multiple trees is to control access to resources by external users, such as partners or vendors. Organizations can set up partner or vendor user accounts in a separate tree in the Forest, which makes it easier for enterprise administrators to control access to sensitive corporate domain resources.
