Forest and Trees Introduction
Active Directory is based on hierarchy [actually, Microsoft loves hierarchy in ALL of its products].
So when we started promoting the server to domain controller in the lesson [Active Directory installation], the first question, if you remember, was: what is the forest name?
We chose the forest name Pioneers.lab.
Specifically, at that moment we created the following structure:
- One forest, which contains
- one tree, which contains
- one domain, called Pioneers.lab.
Microsoft gives us the ability to extend the hierarchical structure of Active Directory, as we will see in the next three scenarios.
First scenario: one forest, one tree, one domain
When we promoted the first server [DC101] as domain controller for Pioneers.lab, we actually created the first domain in the forest,
so we got ONE forest with ONE tree with ONE domain, which is called Pioneers.lab.
All users and groups in the Active Directory domain Pioneers.lab will belong to that domain [simply because it is the ONLY one],
as we see in the picture below.
Second scenario: one forest, one tree, three domains
Let us suppose that the Pioneers.lab domain is located in New York City and the company has opened two branches, in Ohio and LA. The company's TOP management then decided to create a child domain in each of the two branches rather than join their computers to the main domain at headquarters.
So, simply, we purchase a new server in Ohio, name it OhioDC1, install AD DS, and then promote it as the domain controller of a child domain under Pioneers.lab [the domain hosted by DC101].
We did the same thing in LA.
In this situation we have: one forest with one tree and three domains [to be more specific, one parent domain in NY and two child domains in LA and Ohio].
But what is the benefit of this structure?
OK, when we create a child domain in a tree [as we did for LA.pioneers.lab and Ohio.Pioneers.lab], Active Directory automatically creates a TRUST between each child domain [LA and Ohio] and the parent domain [NY].
But what does that mean for me?
Well, it means that a user in LA.pioneers.lab [for example Nancy@LA.pioneers.lab] can access resources [printers, folders, documents, computers] in the other domains using the same identity,
as seen in the picture below.
Third scenario: one forest, two trees, seven domains
Now the Pioneers company grows again and extends beyond the USA [around the world].
Let us also suppose that we have another international sister company called Leaders.lab, headquartered in Paris, which also has three branches, in London, Tokyo and Rome [as an Arab, I call it Roma 🙂].
The company board decided to combine all branches in one hierarchical structure.
So beside the 3 domains in the USA [NY, LA and Ohio], we installed four servers in four cities around the world, as follows:
In the Paris headquarters: install Active Directory and promote it as a new tree called [Leaders.Lab] inside the existing forest [Pioneers.lab], so PARIS becomes the parent (root) domain of the tree [Leaders.Lab].
Later we installed Active Directory in the other three branches [London, Tokyo, Roma] as child domains of the tree [Leaders.Lab].
So our hierarchical Active Directory forest becomes the following:
We have one forest with two trees and 7 domains.
ALL domains are connected by trusts, and because these intra-forest trusts are two-way and transitive, any user in any domain can be authenticated by any other domain and can access resources in another domain if permitted.
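As an added example (not code from the original article), here is how the three scenarios above map onto the ADDSDeployment PowerShell cmdlets, followed by a check of the trusts that AD creates for us. The domain names are the article's; the server roles, variable names and credential prompts are assumptions.

```powershell
# Added example, not from the original article. Variable names and prompts are
# assumptions. Run each promotion on the server that becomes the DC for that
# domain; every Install-ADDS* call reboots the machine when it finishes.
# Prerequisite on each server: Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# DSRM (recovery mode) password required by every promotion; prompted, never hard-coded.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
# Enterprise Admins credential of the existing forest, needed when adding domains to it.
$forestAdmin  = Get-Credential -Message 'Pioneers.lab Enterprise Admin'

# Scenario 1: the first DC (DC101) creates the forest root domain Pioneers.lab.
Install-ADDSForest -DomainName 'Pioneers.lab' -DomainNetbiosName 'PIONEERS' `
    -InstallDns -SafeModeAdministratorPassword $dsrmPassword -Force

# Scenario 2: OhioDC1 becomes the first DC of the child domain Ohio.Pioneers.lab.
# The parent-child trust with Pioneers.lab is created automatically (two-way, transitive).
Install-ADDSDomain -NewDomainName 'Ohio' -ParentDomainName 'Pioneers.lab' `
    -DomainType ChildDomain -NewDomainNetbiosName 'OHIO' -InstallDns -CreateDnsDelegation `
    -Credential $forestAdmin -SafeModeAdministratorPassword $dsrmPassword -Force

# Scenario 3: the Paris DC creates Leaders.lab as a new tree in the SAME forest.
# For a tree, NewDomainName is the full name and ParentDomainName is the forest root;
# the tree-root trust to Pioneers.lab is created automatically.
Install-ADDSDomain -NewDomainName 'Leaders.lab' -ParentDomainName 'Pioneers.lab' `
    -DomainType TreeDomain -NewDomainNetbiosName 'LEADERS' -InstallDns `
    -Credential $forestAdmin -SafeModeAdministratorPassword $dsrmPassword -Force

# Verification (from any DC once replication has settled): the forest should list
# every domain, and each trust should show Direction = BiDirectional, IntraForest = True.
Get-ADForest | Select-Object Name, RootDomain, Domains
Get-ADTrust -Filter * |
    Select-Object Source, Target, Direction, IntraForest, TrustType |
    Format-Table -AutoSize
```

The verification output is what to keep an eye on afterwards: any trust that is not intra-forest, or that is one-way, was not created by this hierarchy and deserves an explanation.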
You may ask: do I have to create a child domain and another tree in my forest?
The answer is NO, not until your company structure grows enough to require that level of hierarchy.
For now, this is the basic article about forests and trees; we are looking to discuss them in detail later at an advanced level.