Multiple Forests Pros and Cons

Seeing multiple forests in a medium-sized business is not uncommon. One of my AD DS clients had about 2,000 people and six forests: one for production, one for development, two for extranet applications, and two more development forests that mimicked the extranet production forests. This was a good, secure design for them. Not every organization needs to go to that extreme, but I often recommend keeping a separate forest in which to test changes to AD DS and to the software that interacts with it. A secondary copy of your production environment lets you test changes before they reach production. Most companies that maintain a test environment have far fewer problems within their infrastructure than those that "shoot from the hip"; we have all seen a service pack or hotfix destabilize a network.

I also recommend a development forest if an organization has developers who need to test their software before it is deployed in the production forest. Developers need their own forest if they require elevated privileges or if their software touches AD DS. Developers often think they need Domain Admin rights and a domain controller under their desk. It is never a good idea to give anyone that much power over your forest: the forest, not the domain, is the security boundary, so an administrator who can be compromised in one domain endangers every domain in it. As I mentioned in the "Schema" section earlier, changes to the schema are not easily undone. Although AD DS in Windows Server 2003 and 2008 is a great deal friendlier than earlier versions when it comes to modifying the schema (attributes and classes can be deactivated and their names reused, but a schema object can never be deleted), you should never make a schema change without first testing it in a separate forest to determine the ramifications.
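The two paragraphs above argue for a test forest that mirrors production and for trying schema changes there first. The script below is an added example, not code from the book: it snapshots the schema of a forest (Schema container objectVersion plus every attribute and class, keyed by LDAP display name) and diffs two snapshots. Run it against production and the test forest to confirm the lab really mirrors production, or against the test forest before and after a vendor's schema extension to see exactly what that extension will add to production irreversibly. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain controller that exposes Active Directory Web Services, both newer than the Server 2003/2008 releases discussed here; the server and account names are placeholders.

```powershell
# Added example (not from the book): snapshot and compare the schema of two
# AD DS forests. Requires the ActiveDirectory module; server names are placeholders.
#Requires -Modules ActiveDirectory

function Get-ForestSchemaSnapshot {
    param(
        [Parameter(Mandatory)] [string] $Server,          # any DC of the forest
        [System.Management.Automation.PSCredential] $Credential
    )
    $common = @{ Server = $Server }
    if ($Credential) { $common.Credential = $Credential }

    $schemaNC = (Get-ADRootDSE @common).schemaNamingContext
    $forest   = Get-ADForest @common

    # adprep bumps objectVersion on the Schema container; if this differs,
    # the two forests are not even at the same base schema level.
    $version = (Get-ADObject @common -Identity $schemaNC -Properties objectVersion).objectVersion

    # Every attribute, with OID and syntax so a same-named but changed definition shows up.
    $attributes = @{}
    Get-ADObject @common -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(objectClass=attributeSchema)' `
        -Properties lDAPDisplayName, attributeID, attributeSyntax, isSingleValued |
        ForEach-Object { $attributes[$_.lDAPDisplayName] = $_ }

    $classes = @{}
    Get-ADObject @common -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(objectClass=classSchema)' `
        -Properties lDAPDisplayName, governsID |
        ForEach-Object { $classes[$_.lDAPDisplayName] = $_ }

    [pscustomobject]@{
        Forest        = $forest.Name
        ForestMode    = $forest.ForestMode
        SchemaMaster  = $forest.SchemaMaster
        ObjectVersion = $version
        Attributes    = $attributes
        Classes       = $classes
    }
}

function Compare-ForestSchema {
    param(
        [Parameter(Mandatory)] $Reference,    # e.g. the production snapshot
        [Parameter(Mandatory)] $Difference    # e.g. the test forest snapshot
    )
    if ($Reference.ObjectVersion -ne $Difference.ObjectVersion) {
        $msg = 'Schema objectVersion differs: {0}={1}, {2}={3}' -f $Reference.Forest, $Reference.ObjectVersion, $Difference.Forest, $Difference.ObjectVersion
        Write-Warning $msg
    }
    foreach ($kind in 'Attributes', 'Classes') {
        $ref = $Reference.$kind
        $dif = $Difference.$kind
        foreach ($name in $ref.Keys) {
            if (-not $dif.ContainsKey($name)) {
                [pscustomobject]@{ Kind = $kind; Name = $name; Finding = "only in $($Reference.Forest)" }
            }
            elseif ($kind -eq 'Attributes' -and
                    ($ref[$name].attributeID -ne $dif[$name].attributeID -or
                     $ref[$name].attributeSyntax -ne $dif[$name].attributeSyntax)) {
                # Same LDAP name, different OID or syntax: the subtle case that breaks
                # software tested in one forest and deployed in the other.
                [pscustomobject]@{ Kind = $kind; Name = $name; Finding = 'definition differs (OID/syntax)' }
            }
        }
        foreach ($name in $dif.Keys) {
            if (-not $ref.ContainsKey($name)) {
                [pscustomobject]@{ Kind = $kind; Name = $name; Finding = "only in $($Difference.Forest)" }
            }
        }
    }
}

# Usage (placeholder names):
# $prod = Get-ForestSchemaSnapshot -Server dc01.corp.example
# $test = Get-ForestSchemaSnapshot -Server dc01.test.example -Credential (Get-Credential 'TEST\schemareader')
# Compare-ForestSchema -Reference $prod -Difference $test | Sort-Object Kind, Name | Format-Table
```

An empty result from Compare-ForestSchema is the evidence you want before approving a change: the test forest is schema-identical to production, so whatever the extension added in the lab is exactly what it will add, permanently, in production.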

I always recommend that developers do their work in a separate forest or, if possible, on virtual-machine technology. Running virtual machines on an existing host is an easy way to mimic the production environment. The drawback is that the host needs enough horsepower to run several operating systems at the same time. Two premier virtualization products are available for free: Microsoft's Virtual Server 2005 R2, at http://www.microsoft.com/windowsserversystem/virtualserver/, and VMware Server (VMware is owned by EMC), at http://www.vmware.com/products/server/.

I also briefly mentioned a forest used for extranet applications. This is one area in which you need to decide how much security you require for users who access your infrastructure across the Internet. Some organizations build a completely separate forest for their perimeter network rather than extending the forest they use internally. This adds a layer of security to your design, because the forest is the security boundary: a perimeter domain controller that belongs to your internal forest holds a writable copy of its domain's database (every account and its password hashes) along with the forest-wide configuration and schema, so an attacker who compromises it from the perimeter network has a copy of your internal directory, not just the extranet's. With a separate forest, compromising the perimeter forest exposes only what that forest holds. Other options are available, depending on the level of access you need to grant external users. In later chapters I discuss Active Directory Federation Services (AD FS) and Active Directory Lightweight Directory Services (AD LDS).
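A separate perimeter forest only keeps the security layer described above if whatever trust it has back to the internal forest is narrow. The script below is an added example, not the book's: it pulls every trust the perimeter forest has and flags the settings that quietly give the boundary back (a direction that lets extranet accounts reach internal resources, a forest-wide transitive trust, selective authentication off, SID filtering off, TGT delegation on). It assumes the ActiveDirectory module and Get-ADTrust, which are newer than the Server 2003/2008 era of the text; the reading of the two SID-filtering flags follows the trust attribute bits Get-ADTrust exposes (quarantine for external trusts, "forest aware" for forest trusts), and you should confirm it against netdom trust ... /quarantine and /enablesidhistory on your own trusts. Server and forest names, and the sample trust object, are constructed placeholders.

```powershell
# Added example (not from the book): audit the trusts of a perimeter/extranet
# forest. Requires the ActiveDirectory module; names are placeholders.
#Requires -Modules ActiveDirectory

function Get-TrustFindings {
    param([Parameter(Mandatory)] $Trust)   # an ADTrust object, or anything with the same properties
    $findings = @()

    # Direction is from the point of view of the forest you queried:
    # Inbound  = the other (internal) forest trusts this perimeter forest, so
    #            perimeter accounts can be granted access to internal resources.
    # Outbound = this forest trusts the internal one (internal users log on here).
    if ($Trust.Direction -in 'Inbound', 'BiDirectional') {
        $findings += 'internal side trusts the perimeter forest: a compromised extranet account is usable against internal resources'
    }
    if ($Trust.ForestTransitive) {
        $findings += 'forest trust: every domain on both sides is in scope, not just the one you intended'
    }
    if (-not $Trust.SelectiveAuthentication) {
        $findings += 'selective authentication off: all users of the trusted side are Authenticated Users on every computer across the trust'
    }
    # SID filtering. External trust: the quarantine flag must be set.
    # Forest trust: "forest aware" set means SID history from the other forest is
    # honoured (netdom /enablesidhistory:yes), so a forged SID history can claim
    # group membership on this side. (Assumed mapping of the trust attribute bits.)
    if ($Trust.ForestTransitive) {
        if ($Trust.SIDFilteringForestAware) { $findings += 'SID history accepted across forest trust' }
    }
    elseif (-not $Trust.SIDFilteringQuarantined) {
        $findings += 'SID filtering (quarantine) off on external trust'
    }
    if ($Trust.TGTDelegation) {
        $findings += 'TGT delegation enabled: unconstrained-delegation servers on the other side can obtain your users'' TGTs'
    }

    $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
    [pscustomobject]@{
        Name      = $Trust.Name
        Direction = $Trust.Direction
        Findings  = $summary
    }
}

function Test-PerimeterForestTrusts {
    param([Parameter(Mandatory)] [string] $PerimeterServer)   # a DC in the extranet forest
    $trusts = @(Get-ADTrust -Filter * -Server $PerimeterServer)
    if ($trusts.Count -eq 0) {
        # No trust at all is the strongest form of the design in the text.
        return [pscustomobject]@{ Name = '(none)'; Direction = '-'; Findings = 'OK: no trusts, forest is fully isolated' }
    }
    $trusts | ForEach-Object { Get-TrustFindings -Trust $_ }
}

# Constructed sample (not a real trust) so the rules can be exercised without a
# forest: a two-way forest trust with every safety option off, the shape that
# gives most of the boundary back.
$sample = [pscustomobject]@{
    Name = 'corp.example'; Direction = 'BiDirectional'; ForestTransitive = $true
    SelectiveAuthentication = $false; SIDFilteringForestAware = $true
    SIDFilteringQuarantined = $false; TGTDelegation = $false
}
Get-TrustFindings -Trust $sample | Format-List

# Against a real perimeter forest (placeholder name):
# Test-PerimeterForestTrusts -PerimeterServer dc01.extranet.example | Format-Table -Wrap
```

The rule logic is kept in Get-TrustFindings, separate from the query, so the same checks can be run over exported trust data or a change request before the trust is created. If the report is anything other than "OK" or "no trusts", the perimeter forest is not the isolated boundary the design assumed.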

Figure 3.4 is a flowchart that will assist you in making decisions for your forest design. Work through it with your isolation and autonomy needs in mind, and choose the forest design that best fits the organization. Table 3.1 shows the advantages and disadvantages of using a single forest. Table 3.2 compares the multiple-forest pros and cons.

Figure 3.4: Flowchart to determine isolated or autonomous control


Multi Forest Design

Table 3.1: Single-Forest Pros and Cons

Single-Forest Pros
  • Easier to administer
  • Easier to troubleshoot
  • A single security boundary
  • Single schema
  • Easier to support

Single-Forest Cons
  • Less secure for multiple business units with unknown/untrusted administrators
  • Forests cannot be merged or split.
  • Domains cannot join other forests.
  • Schema differences are sometimes needed between business units.
  • Business units may be unable to agree on change control within a domain.
  • Users cannot search the GCs of other forests without additional software.

Responses

  • Isembard
    Why implement multiple forests?
    1 year ago
  • uranio
    Why would a company implement multiple forests?
    1 year ago
  • Cameron Stevenson
    Why multiple Active Directory forests?
    1 year ago
  • ursula
    Do we need a separate forest and a separate domain? What are the advantages?
    1 year ago
  • ilta
    Why should I have one Windows forest vs. multiple domains?
    11 months ago
  • emilia
    Why would a company implement multiple forests on Windows Server?
    10 months ago
  • Alannah
    Is it better to have multiple domains in a forest, or separate forests?
    8 months ago
  • lisa foerster
    Why implement multiple domains and forests?
    7 months ago
  • heribald
    Are multiuse forests good?
    5 months ago
  • simone
    When and why to use separate Active Directory domains?
    4 months ago
  • ruby black
    Why have an Active Directory forest vs. a single domain?
    3 months ago
  • ferruccio
    What scope of security group should we use for multi-domain and multi-forest?
    2 months ago
  • FOSCA
    Does a multi-domain AD need different connections?
    1 month ago
  • eduardo
    How to determine how many forests your organization needs for Active Directory?
    16 days ago
