Step 1: Determine the Number of Forests
Published: February 25, 2008
Every Active Directory implementation will have at least one forest. The first step in Active Directory design is to determine whether one or multiple forests are required to meet the organization’s objectives. If multiple forests are required, then the total number of forests needs to be determined.
Getting this decision correct in the beginning is important. As planning progresses, the assumptions that are driven by this design decision will make changing the configuration more difficult. It is considerably more difficult to collapse forests once they have been established than it is to add additional forests later.
Option 1: Single Forest
When considering the overall design of Active Directory, a single forest implementation is the default.
A best practice is to start with a single forest and let business requirements justify any additional forests.
For extremely large directories, replication could become an issue. Whereas domains are used to partition the directory data and control replication of domain-centric information, forest-wide information—which includes configuration data, schema, and global catalog data—must be replicated.
Option 2: Multiple Forests
The following requirements will dictate a design with multiple forests:
Implementing multiple forests increases the cost of managing the environment. Additional hardware and software are required to maintain and support multiple forests, and additional staff may also be required.
If information sharing across forests is required, then cross-forest trusts are necessary. These trusts support Kerberos in Windows Server 2003 and Windows Server 2008 environments.
Global catalogs do not replicate across forest boundaries. To obtain a unified view across multiple forests, directory synchronization software, such as Identity Lifecycle Manager 2007, must be implemented. Implementing such technologies increases the administrative burden of multiple forests.
How Many Forests?
When the need for multiple forests is confirmed, the exact number of required forests must be determined. Iterate through the forest decision until all of the business requirements have been addressed and the total number of forests required has been identified.
Evaluating the Characteristics
Validating with the Business
In addition to evaluating the decision in this step against IT-related criteria, the effect of the decision on the business should also be validated. The following questions have been known to affect forest design decisions:
Tasks and Considerations
For each forest in the environment, it’s important to consider time synchronization. Kerberos depends on the time of domain controllers, servers, and clients being synchronized within minutes of one another; otherwise, Kerberos authentication will fail. Time is one of the considerations used for assessing the health state of the directory. Active Directory relies on the domain controller that runs the primary domain controller (PDC) emulator role in the root domain to keep the master time for all domains in the forest. There are two options for establishing the time for that domain controller.
The time can be set to synchronize with a source that is either internal or external to the organization. If an internal source is used, that source can itself be synchronized with a time server on the Internet, and the time source and the domain controller can authenticate each other to ensure that the time is reliable. If an external time source is used directly, no authentication is provided.
Manually setting and updating the time is not recommended. The Active Directory environment relies too heavily on the time, and serious problems can occur if the time is not set properly.
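The following PowerShell script is an added example, not part of the original guide. It locates the forest root PDC emulator, points it at an external NTP source, and then reports the clock offset of every domain controller in the forest so that skew beyond the Kerberos tolerance can be caught before authentication fails. It assumes the ActiveDirectory module (RSAT) is available, that it is run on the PDC emulator itself (so offsets are relative to the master time source), and that the peer list value is a placeholder to be replaced with a trusted NTP server.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original guide). Run on the forest root PDC emulator.

$peerList       = "time.example.net,0x8"   # placeholder NTP source; 0x8 = client mode
$maxSkewSeconds = 300                      # Kerberos default tolerance is 5 minutes

# Step 1: the PDC emulator of the forest root domain is the master time source
# for every domain in the forest.
$rootDomain = (Get-ADForest).RootDomain
$pdc        = (Get-ADDomain -Identity $rootDomain).PDCEmulator

# Step 2: configure that DC to sync from the external source and advertise itself
# as a reliable time source. Note that an external source is unauthenticated, so
# the choice of source should be reviewed and monitored.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    param($peers)
    w32tm /config /manualpeerlist:$peers /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /nowait
} -ArgumentList $peerList

# Step 3: every other DC should follow the domain hierarchy rather than a manual
# peer. Query each DC's time source and its offset from this machine.
$allDCs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$report = foreach ($dc in $allDCs) {
    # /stripchart /dataonly prints one sample per line, e.g. "14:02:11, +00.0123456s";
    # the last match is the measured offset in seconds.
    $sample = w32tm /stripchart /computer:$($dc.HostName) /samples:1 /dataonly 2>$null |
        Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
    $offset = if ($sample) { [double]$sample.Matches[0].Groups[1].Value } else { $null }

    [pscustomobject]@{
        DomainController   = $dc.HostName
        TimeSource         = (w32tm /query /computer:$($dc.HostName) /source) -join ' '
        OffsetSeconds      = $offset
        WithinKerberosSkew = ($null -ne $offset) -and ([math]::Abs($offset) -lt $maxSkewSeconds)
    }
}

$report | Format-Table -AutoSize
```

Any row with WithinKerberosSkew set to False, or with a null offset (the DC could not be reached over NTP), is a domain controller whose Kerberos tickets will start failing and should be investigated first.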
A single forest is ideal. It is easier to manage as well as being cheaper to implement, maintain, and support. Multiple forests are necessary if legal, schema, administrative, or application requirements dictate the decision.
“Creating a Forest Design” at https://technet2.microsoft.com/windowsserver/en/library/fba18139-1168-4259-82b3-c3b4c81945981033.mspx?mfr=true
“How to configure an authoritative time server in Windows Server 2003” at https://support.microsoft.com/kb/816042/