Designing an Active Directory Forest
Start course

Windows Active Directory Domain Services (AD DS) is a leading identity management solution for organizations of all sizes. An AD DS deployment can be as simple as a single domain controller or as complex as a multi-domain forest spread across the globe. Managing sites, domains, and forests in an AD DS environment is critical to a healthy and reliable Active Directory infrastructure. This course is intended to provide the information needed to successfully manage Windows AD sites, domains, forests, trust relationships, and replication.

In this course, we start by reviewing AD DS forest and domain trusts. Then we examine forest design considerations to create a scalable environment that can meet future demands. Next, we investigate Active Directory sites, site links, and how they relate to the organization's network configuration.  Finally, we evaluate AD DS replication and how site links can optimize replication in an AD DS environment.

Learning Objectives

  • Windows AD domains, forests, and trust relationships
  • Windows AD forests and domain design considerations
  • Creating a two-way forest trust
  • Active Directory sites and site topology
  • Creating an Active Directory site
  • Windows AD sites and replication
  • Creating Active Directory site links

Intended Audience 

  • System administrators with responsibilities for managing hybrid identities
  • Subject matter experts in configuring and managing Active Directory workload on-premises and in Azure
  • Anyone preparing for the Azure AZ-800: Administering Windows Server Hybrid Core Infrastructure exam



Let's move on to Designing an Active Directory Forest. Forest trusts are one of several factors when designing a forest structure. For a simple organization, a single domain may be all that's required. A standalone domain may serve the organization well into the distant future. I've seen many single domain forests in my 20+ years in IT. But if we plan for growth and scalability, we may want to reconsider the single domain forest. For example, let's say we use a standalone domain,, for our root forest domain. This organization is located in the United States, and the domain contains users and groups. Now, there's a merger with another organization in the European Union. 

That organization is added as another domain in the forest. The domain names are now disjointed. If another organization is added, this one in Asia, now we're split by region but the US is not identified in the directory partition name. The same would apply if we used industry names. Let's say that was in the automotive space. The organization enters the aerospace industry and IT Consulting. The directory partitions are disjointed. This could become more complicated if the parent organization splits from the others. Mergers and acquisitions are often complicated. This forest structure adds to that complexity. Also, another consideration is isolating the root forest domain enterprise admin and schema master accounts. 

It's possible for domain admins and members of the built-in administrative groups in the forest root domain to elevate their permissions and gain administrative access to the entire forest. This situation could be problematic if there is a need for domains to have separate administrative boundaries. A more scalable solution is to create a dedicated forest root domain. A dedicated forest root domain is a domain with the only function of being the forest root domain. No users or groups other than the default administrative accounts exist in this domain. Access to the administrative accounts is limited. Its only purpose is to be the root forest domain assigned the root domain namespace. 

Each sub-domain is allocated a namespace based on the organization's requirement. The sub-domain name could be regional, based on location, organizational based on business units, or based on legal requirements considering data sovereignty or regulatory requirements. The dedicated forest root domain also provides administrative boundaries. Each sub-domain has its own domain administrative accounts that do not extend to other domains. As the domains are in the same forest, the transitive forest trust allows cross-domain access to resources. If you find yourself in a position to design a new forest structure, keep these points in consideration to design an environment that's secure and scalable. That's an overview of domain and forest trust with Windows Active Directory. Please join me in the upcoming demonstration to configure a forest trust.


About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.