Forests in Active Directory

IT administrators have been working with and around Active Directory since the introduction of the technology in Windows 2000 Server. Windows 2000 Server was released on February 17, 2000, but many administrators began working with Active Directory in late 1999, when it was released to manufacturing (RTM) on December 15, 1999.

A forest is the topmost logical container in an AD DS environment. It was first introduced with Active Directory in Windows 2000 Server.

What is an AD Forest?

A forest is made up of one or more domains and all of the objects in those domains. In the database, a forest is just a container, similar to many of the objects below it such as domains and OUs. Importantly, the forest is the defined security boundary for an AD DS environment.

In the early days of Active Directory, the domain was originally defined as the security boundary. Unlike many of the other components that we discuss in this white paper, there aren't any direct limitations on the number of forests that you can deploy.

Since they are the topmost object, you can create as many as you want, assuming that you have enough physical servers or VMs (don't take this as a recommendation though!).

There are three forest-wide directory partitions in a forest:

  • Schema

The schema partition defines all of the classes, objects, and attributes that can be used. The schema is shared among all of the domains in the forest. Objects such as users, groups, and OUs are defined in the schema.

  • Configuration

The configuration partition is responsible for managing the forest topology, forest settings, and domain settings. You can find a list of all of the domains, DCs, and GCs in the configuration partition. In a forest whose root domain is contoso.com, you can view the configuration partition by opening cn=configuration,dc=contoso,dc=com in ADSIEdit.

  • Application

The application partition is used to store application data. A common example of data held in an application partition is Active Directory-integrated DNS zone data.

Of the five FSMO roles, two are specific to the forest:

  • Schema Master

This role is used for schema updates. As such, the role holder must be online and available to perform a schema update.

  • Domain Naming Master

This role is used to add domains to and remove domains from the forest. As such, the role holder must be online and available to perform domain additions and removals.
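The following PowerShell is an added example and not part of the original white paper. It lists the three partition types described above from the forest root's RootDSE, reads the domain list that the configuration partition holds as crossRef objects under CN=Partitions, and checks that the two forest-wide FSMO role holders answer on LDAP, since schema updates and domain additions or removals fail while a holder is offline. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# RSAT module and a domain-joined host; the forest is discovered automatically.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# Schema and configuration are single naming contexts shared by every domain
# in the forest; application partitions (for example DNS zones) show up as
# additional naming contexts on the forest object.
$partitions = [ordered]@{
    Schema        = @($rootDse.schemaNamingContext)
    Configuration = @($rootDse.configurationNamingContext)
    Application   = @($forest.ApplicationPartitions)
}
"== Forest-wide partitions =="
foreach ($p in $partitions.GetEnumerator()) {
    "{0,-14}: {1}" -f $p.Key, ($p.Value -join '; ')
}

# The configuration partition stores one crossRef per naming context under
# CN=Partitions. systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN) marks the domain
# naming contexts, which is how the forest's domain list is recorded there.
"== Domains recorded in the configuration partition =="
Get-ADObject -SearchBase $forest.PartitionsContainer `
    -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))' `
    -Properties dnsRoot, nCName |
    ForEach-Object { "{0,-30} {1}" -f $_.dnsRoot, $_.nCName }

# Schema Master and Domain Naming Master are the two forest-wide FSMO roles.
# Verify each holder accepts LDAP connections (TCP 389) so that schema updates
# and domain additions/removals will not fail because the holder is down.
$roleHolders = [ordered]@{
    'Schema Master'        = $forest.SchemaMaster
    'Domain Naming Master' = $forest.DomainNamingMaster
}
"== Forest-wide FSMO role holders =="
foreach ($role in $roleHolders.GetEnumerator()) {
    $dc   = $role.Value
    $test = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    $state = if ($test.TcpTestSucceeded) { 'reachable on LDAP/389' }
             else { 'UNREACHABLE - forest-wide operations will fail' }
    "{0,-20}: {1} ({2})" -f $role.Key, $dc, $state
}
```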

You will find more information about Active Directory basics in our AD tutorial for beginners.

Expert in Microsoft infrastructure and cloud-based solutions built around Windows, Active Directory, Azure, Microsoft Exchange, System Center, virtualization, and MDOP. In addition to authoring books, Brian writes training content, white papers, and is a technical reviewer on a large number of books and publications.