Best Practices: Active Directory Forests

IT administrators have been working with and around Active Directory since the introduction of the technology in Windows 2000 Server. Windows 2000 Server was released on February 17, 2000 but many administrators began working with Active Directory in late 1999 when it was released to manufacturing (RTM) on December 15, 1999.

Best Practices for AD Forests

There is a good amount of guidance around Active Directory forests published on the internet. Below are some of the recommended practices surrounding forests:

  • Always start with a single forest.

Then, if you have requirements that cannot be met with a single forest, add forests only as necessary. Better yet, go back and validate those requirements first. Using multiple forests in a production environment is often unnecessary and adds management overhead and unneeded complexity. For a backend technology that everybody expects to be always running, a simple implementation built and maintained according to good practices beats a multi-forest implementation with a large number of domain controllers. For many environments, a single production forest will meet or exceed requirements. Additionally, it is a good idea to have a second, non-production forest for development, testing, and quality assurance.

  • Avoid the empty forest root domain.

Upon initial release of Active Directory, Microsoft recommended using an empty forest root domain which would form a security boundary for enterprise objects stored in the root domain such as the Enterprise Admins group. However, not long thereafter, the guidance changed and the empty forest root was no longer recommended by default. Administrators found that maintaining the empty forest root domain added to the administrative overhead of their environment without returning much value. Today, the latest thinking is forest reduction. Minimize the total number of forests.

  • If using two-way forests trusts, consolidate forests.

Each forest that you maintain requires administrative overhead. In addition, each forest increases the complexity of your environment which also makes it harder to secure, maintain, and recover. If you are using two-way trusts between forests, you should strongly consider consolidating forests because a two-way trust between forests is effectively a single forest with extra overhead.
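Before consolidating, it helps to see which forest trusts are actually two-way. The following PowerShell is an added example, not from the original article; it assumes the ActiveDirectory RSAT module (Get-ADForest, Get-ADTrust) is installed and that the caller can read the trust objects of the current forest.

```powershell
# Added example (not from the original article): list the forest trusts of
# the current forest and flag the two-way ones as consolidation candidates.
# Assumes the ActiveDirectory module is available and the account can read
# trustedDomain objects in the forest root.
Import-Module ActiveDirectory

function Get-ForestTrustReport {
    param(
        # Forest to inspect; defaults to the forest of the logged-on user.
        [string]$Forest = (Get-ADForest).Name
    )

    $trusts = Get-ADTrust -Filter * -Server $Forest

    foreach ($t in $trusts) {
        # Parent/child and tree-root trusts inside one forest are not in
        # scope; only forest-transitive trusts to another forest are.
        if ($t.IntraForest -or -not $t.ForestTransitive) { continue }

        $twoWay = ($t.Direction -eq 'BiDirectional')

        [pscustomobject]@{
            Target                  = $t.Target
            Direction               = $t.Direction
            TwoWay                  = $twoWay
            # Reported as named by Get-ADTrust; review both against your
            # intended trust hardening rather than assuming a default.
            SelectiveAuthentication = [bool]$t.SelectiveAuthentication
            SIDFilteringForestAware = [bool]$t.SIDFilteringForestAware
            TrustAttributes         = $t.TrustAttributes
            # A two-way forest trust is effectively one forest with extra
            # overhead, so it is the first candidate to consolidate.
            Recommendation          = if ($twoWay) { 'Consolidate forests' }
                                      else { 'Review whether the trust is still needed' }
        }
    }
}

Get-ForestTrustReport | Format-Table -AutoSize
```

Run it once per forest you maintain; every row marked TwoWay is a pair of forests carrying the overhead the paragraph above describes.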

You will find more information about Active Directory basics in our AD tutorial for beginners.

Expert in Microsoft infrastructure and cloud-based solutions built around Windows, Active Directory, Azure, Microsoft Exchange, System Center, virtualization, and MDOP. In addition to authoring books, Brian writes training content, white papers, and is a technical reviewer on a large number of books and publications.