When to Use Multiple Forests

The decision to use multiple Forests in the design of an Active Directory hierarchy is one that should not be made lightly. Multiple Forest environments can be set up, but they are difficult and costly to administer. In most single-organization environments, a multi-Forest Active Directory design provides no additional business value over a single Forest with multiple domain trees.

Why would an organization be required to implement a multiple Forest environment? The usual scenario is one in which one organization acquires another, and both organizations already have Active Directory implemented in a single-tree configuration. There is no consensus, and no business justification, for recreating one of the trees in the context of the other.

The other scenario is one in which two business partners have Active Directory implemented, and they want to exchange information and access to corporate resources between the two companies. In this instance, the best solution would be to put in place a public key infrastructure (PKI), which would enable the sharing of public keys between the two organizations. Public keys can then be used to grant permission to resources in one domain for users in the other domain.

However, there might be the isolated case in which two Active Directory Forests must interoperate and share resources. When the needs cannot be met by PKI, it is possible to establish an explicit, one-way trust between domains in the two Forests. By using explicit trusts, it is possible to grant users in one Forest access to resources in another Forest, as demonstrated in Figure 20.6. If an explicit trust is established between two Forests, it is important to actively administer the trust and to make sure that it is still required for meeting the business requirements of the respective organizations. If these explicit trusts are established, it is necessary to create them between every domain in each tree that requires access to resources in another domain. Consequently, the process of establishing explicit trusts can become cumbersome.

Figure 20.6. It is possible to establish an explicit trust between multiple domain Forests. However, as illustrated in the diagram, these trust relationships can be complex, can be hard to maintain properly, and should be constantly monitored to make sure they are still justified.
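As an added example that is not part of the book, the following PowerShell inventories the trusts of a domain and flags external (explicit, cross-Forest) trusts for the kind of periodic review the text calls for. It assumes the ActiveDirectory RSAT module (Get-ADTrust) on a domain-joined machine; the function name Get-TrustReview is hypothetical.

```powershell
# Added example (not from the book): list trusts and flag explicit cross-Forest
# trusts that warrant review. Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

function Get-TrustReview {
    # Assumption: query the domain the current machine belongs to.
    param([string]$Server = $env:USERDNSDOMAIN)

    Get-ADTrust -Filter * -Server $Server -Properties * | ForEach-Object {
        $findings = @()
        # An explicit trust to a domain in another Forest is neither intra-forest
        # nor forest-transitive; these are the trusts the chapter says to keep justified.
        $isExternal = (-not $_.IntraForest) -and (-not $_.ForestTransitive)
        if ($isExternal) {
            if ($_.Direction -eq 'BiDirectional') { $findings += 'two-way where one-way may suffice' }
            if (-not $_.SIDFilteringQuarantined)  { $findings += 'SID filtering (quarantine) disabled' }
            if (-not $_.SelectiveAuthentication)  { $findings += 'selective authentication off' }
        }
        [pscustomobject]@{
            Source    = $_.Source
            Target    = $_.Target
            Direction = $_.Direction
            Scope     = if ($_.IntraForest) { 'intra-forest' }
                        elseif ($_.ForestTransitive) { 'forest' }
                        else { 'external' }
            Modified  = $_.Modified
            Findings  = ($findings -join '; ')
        }
    }
}

# Print the review table; run this in each domain that holds explicit trusts,
# since the chapter notes such trusts exist per domain, not per Forest.
Get-TrustReview | Sort-Object Scope, Target | Format-Table -AutoSize
```

A trust that appears with no Findings still needs a business owner who can confirm it is required; the script only surfaces the technical settings, not the justification.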

