A. You might have several domain trees in your organization that need to share resources. To solve this problem, you can join the trees to form a forest.

A forest is a collection of trees that don’t necessarily form a contiguous namespace (although each tree must be contiguous). This arrangement might be useful if your company has multiple root DNS addresses, as in the Figure.


As the Figure shows, two root domains connect through a transitive, two-way Kerberos trust (much like the trust between a child and parent). Forests always contain a domain’s entire domain tree. You can’t create a forest that contains only part of a domain tree.

When you promote a server to a domain controller (DC), DCPROMO creates a forest. Forest creation can’t occur at any other time, although this restriction will change in the OS that follows Windows 2000.

You can add as many domain trees to a forest as you want. All the domains in a forest can grant object access to any user in the forest. Thus, the administrator doesn’t need to manually manage the trust relationships.

Creating a forest provides the following benefits.

  • All the trees have a common Global Catalog (GC) that contains specific information about every object in the forest.
  • All the trees contain a common schema. Microsoft hasn’t confirmed what happens if two trees have different schemas before you join the trees, because you currently can’t join two trees. However, this problem will arise in future versions of the OS. I assume the changes will merge.
  • Performing a search in a forest initiates a deep search of the entire tree of the domain from which you initiate the request and uses the GC entries for the rest of the forest.

You might prefer not to join trees into a forest. Instead, you can create normal trusts between individual tree elements.
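The following is an added example, not part of the original article: it inventories the forest layout described above (root domain, member domain trees, the common GC and the single schema) and classifies each trust the current domain holds as a tree-root trust between forest roots, an ordinary parent/child trust, or an external trust of the kind you would create if you chose not to join the trees. It assumes a current Windows domain with the ActiveDirectory PowerShell module, which postdates Windows 2000.

```powershell
# Added example (not from the original article): inventory a forest and
# classify its trusts using the ActiveDirectory module (assumed installed).
Import-Module ActiveDirectory

function Get-ForestLayout {
    $forest = Get-ADForest
    [pscustomobject]@{
        RootDomain     = $forest.RootDomain
        Domains        = $forest.Domains          # every domain tree joined to the forest
        GlobalCatalogs = $forest.GlobalCatalogs   # servers holding the common GC
        SchemaMaster   = $forest.SchemaMaster     # owner of the single forest-wide schema
    }
}

function Get-TrustClassification {
    # Query every trust object held by the current domain and label it.
    Get-ADTrust -Filter * | ForEach-Object {
        $kind = if ($_.IntraForest -and $_.IsTreeRoot) { 'Tree-root (forest) trust' }
                elseif ($_.IntraForest)                 { 'Parent/child trust' }
                else                                    { 'External trust' }
        [pscustomobject]@{
            Partner          = $_.Target
            Kind             = $kind
            Direction        = $_.Direction            # Bidirectional for joined trees
            Transitive       = -not $_.DisallowTransivity   # Microsoft's property spelling
            ForestTransitive = $_.ForestTransitive
        }
    }
}

Get-ForestLayout
Get-TrustClassification | Format-Table -AutoSize
```

Tree-root trusts that are not bidirectional and transitive, or external trusts you did not expect, are the lines worth investigating in the output.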