Difference between a tree domain and a separate forest

J Z 21 Reputation points
2021-11-30T11:45:05.35+00:00

Hi, we need to create another AD domain at the third level and we are discussing which way to go.
We have two options:

  1. create a new forest with one root domain and create a two-way or one-way trust between them
  2. create a new tree domain in the existing forest

What is the reason to choose one or the other (what is the difference between these solutions in practice)? Because both solutions practically create a trust between domains.

What we need is for users from the existing forest and domain to authenticate to SharePoint, which will sit in the new domain or forest. Which approach should we choose and why?
Also, we need user password changes on the app servers which will sit in the new domain.


3 answers

  1. Clément BETACORNE 2,496 Reputation points
    2021-11-30T15:45:42.907+00:00

    Hello,

    To answer your question, your best option will be a new tree because it will ease administration; however, you can create a new forest under this circumstance:

    • The forest is not administered by your team, because by default Enterprise Admins will be able to administer the new tree.

    Regards,


  2. Elsie Lu_MSFT 9,801 Reputation points
    2021-12-01T06:40:40.217+00:00

    Hi @J Z ,

    Basically, the tree is the domain; the forest can contain many trees (domains). A forest and domain get created the first time a domain is created in Active Directory. You also have sites, which are like the limbs of the tree.

    Within the scope of a forest, a domain is a container. Objects in that container inherently trust each other and the security services located in that same container. Each time you create a new domain container in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. Trusts are logical relationships established between domains to allow pass-through authentication in which a trusting domain honors the logon authentications of a trusted domain. Because all domain containers within a forest are joined together by two-way transitive trusts, objects within one domain container also inherently trust all other objects and security services located in every domain container located in that forest.

    You could choose according to your actual needs. Please refer to this article for more information about the differences:
    What Are Domains and Forests?

    Reference:
    difference between Active Directory Forest and Tree


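The two options from the question, as the commands a practitioner would actually run for each. This is an added example and not code from the thread or from Microsoft's documentation; the forest and domain names corp.example (the existing forest root), apps.example (a new tree in that forest), apps-forest.example (a separate new forest), the account CORP\EnterpriseAdminAccount and the NetBIOS names are assumptions to substitute. The netdom switches are as I recall them from netdom trust /?; check them on your own DC before running. Run one option, not both: the two halves are alternatives. It illustrates the point made in both answers above: inside one forest the trust is created for you automatically and the root domain's Enterprise Admins keep rights over the new tree, whereas a separate forest gets no trust until you create one and the forest stays its own security boundary.

```powershell
# Added example, not from the original thread. Names corp.example, apps.example,
# apps-forest.example, CORP\EnterpriseAdminAccount, APPS and APPSFOREST are assumptions.
# Run on the Windows Server you are promoting: as a member of Enterprise Admins of the
# existing forest for the tree-domain option, as local Administrator for the new-forest option.
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString 'DSRM (Safe Mode) password'

# --- Option 2: new tree domain inside the existing forest ---------------------
# The two-way transitive tree-root trust to corp.example is created automatically
# as part of promotion, and corp.example\Enterprise Admins keep rights in the new domain.
Install-ADDSDomain `
    -DomainType TreeDomain `
    -ParentDomainName 'corp.example' `
    -NewDomainName 'apps.example' `
    -NewDomainNetbiosName 'APPS' `
    -Credential (Get-Credential 'CORP\EnterpriseAdminAccount') `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# --- Option 1: separate forest, then an explicit forest trust -----------------
# Nothing trusts anything until you create the trust yourself.
Install-ADDSForest `
    -DomainName 'apps-forest.example' `
    -DomainNetbiosName 'APPSFOREST' `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# After the reboot, make DNS resolve both forests (conditional forwarders), then create
# the trust. For "users in corp.example authenticate to SharePoint in the new forest"
# the new forest is the trusting (resource) side and corp.example the trusted (account)
# side: a one-way outgoing trust from the new forest's point of view. Add /twoway only
# if new-forest accounts must also reach resources in corp.example.
# /ForestTRANsitive:Yes makes it a forest trust rather than an external trust (assumed switch).
netdom trust apps-forest.example /d:corp.example /add /ForestTRANsitive:Yes `
    /userD:CORP\EnterpriseAdminAccount /passwordD:* `
    /userO:APPSFOREST\Administrator /passwordO:*

# --- Check the result (either option) ----------------------------------------
# IntraForest is True for the tree domain's automatic trust and False for the forest trust;
# ForestTransitive, SelectiveAuthentication and SIDFilteringForestAware only matter for
# the separate-forest case.
Import-Module ActiveDirectory
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringForestAware
```

On the separate-forest path, leave SID filtering (SIDFilteringForestAware) enabled as created, since it is what stops SID history from the trusted forest being honoured across the boundary, and consider selective authentication so that corp.example users can only authenticate to the SharePoint and app servers you explicitly grant "Allowed to Authenticate" on, rather than to every computer in the new forest. None of that applies to the tree-domain path, where the trust is transitive and unfiltered by design because the domains share one forest.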


  3. Limitless Technology 39,916 Reputation points
    2021-12-02T10:02:54.25+00:00

    Hi there,

    To avoid confusion, you can create a new forest and authenticate the SharePoint in that forest.

    The main difference between a Tree and a Forest in Active Directory is that a Tree is a collection of domains while the Forest is a set of trees in an Active Directory. In brief, a tree is a collection of domains whereas a forest is a collection of trees.

    You can follow up on this article to learn about how trust relationships work for resource forests in Azure Active Directory Domain Services. This will throw some light on your way of understanding.

    https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust


