Active Directory Logical Structure


Forest is the term used to describe a collection of Active Directory trees. Each tree in a forest has its own distinct namespace. For example, let's say that my company owned another smaller company called Acme Plumbing. If I wanted Acme Plumbing to have its own distinct name and domain, I might end up with a collection of trees, forming a forest, as shown below:

Figure: Active Directory Forest

The domain is part of the same forest as the domain tree, but is still its own domain and tree. Note that there are transitive trust relationships between the root domains of every tree in a forest – this allows users to access resources in the tree and vice versa, while allowing them to maintain distinct identities. Note that the first domain created in a forest is considered the forest root. One important feature of a forest is that every single domain shares a common schema – the definition of the different types of objects and associated attributes that may be created within the forest. It is also important to recognize that a forest might be made up of a single tree, containing a single domain. It may be small, but technically it is still a forest!
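The grouping described above, as an added Python example (not from the original article): it takes the DNS names of a forest's domains, sorts them into trees by namespace, and lists which tree roots reach each other through the transitive trusts. The domain names under `.example` are constructed, and the function names are hypothetical.

```python
from itertools import combinations


def parent_of(domain, domains):
    """Closest domain whose namespace contains `domain`, or None if it starts a tree."""
    # Match on a label boundary: "notcorp.example" is NOT a child of "corp.example".
    candidates = [d for d in domains if d != domain and domain.endswith("." + d)]
    return max(candidates, key=len, default=None)  # longest suffix = immediate parent


def build_forest(domains):
    """`domains` holds DNS names in creation order; the first one is the forest root."""
    domains = [d.lower().rstrip(".") for d in domains]
    trees = {}
    for d in domains:
        root = d
        # Walk up the namespace until no parent remains: that domain is the tree root.
        while (p := parent_of(root, domains)) is not None:
            root = p
        trees.setdefault(root, []).append(d)
    # Pairs of tree roots that reach each other through the transitive trusts.
    pairs = list(combinations(trees, 2))
    return {"forest_root": domains[0], "trees": trees, "root_trust_pairs": pairs}


# Constructed sample: three namespaces, so three trees in one forest.
SAMPLE = [
    "corp.example",
    "sales.corp.example",
    "eu.sales.corp.example",
    "acme.example",
    "shop.acme.example",
    "notcorp.example",
]

if __name__ == "__main__":
    forest = build_forest(SAMPLE)
    print("forest root:", forest["forest_root"])
    for root, members in forest["trees"].items():
        print(f"tree {root}: {', '.join(members)}")
    for a, b in forest["root_trust_pairs"]:
        print(f"trust: {a} <-> {b}")
```
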

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.