Module 10: Creating and Managing Trees and Forests in Active Directory
In Active Directory (AD), trees and forests form the foundation of a scalable, secure, and flexible directory infrastructure. Understanding their design and management is critical for enterprise-level Windows Server administration.
What Is a Tree in Active Directory?
A tree is a hierarchical arrangement of domains that share a contiguous DNS namespace. The first domain created is the root domain, and additional child domains can be added under it.
Example:
Root Domain: corp.example.com
Child Domain: sales.corp.example.com
What Is a Forest in Active Directory?
A forest is the top-level logical container in Active Directory. It contains:
One or more domain trees
A shared schema (structure of objects)
A global catalog for cross-domain searching
A forest root domain
Forests provide administrative boundaries, allowing you to isolate resources, policies, and replication scopes.
Creating a New Forest
To create a new forest:
Install Active Directory Domain Services (AD DS) via Server Manager
Promote the server to a domain controller
Choose “Add a new forest” during configuration
Set the root domain name (e.g., corp.local)
Complete setup and reboot
📌 This action starts a new forest with its own schema and configuration container.
Adding a Tree to an Existing Forest
To add a new tree:
Use the Active Directory Domain Services Configuration Wizard
Choose “Add a new domain to an existing forest”
Select “Tree domain”
Provide a non-contiguous DNS name (e.g., marketing.net added to a forest with corp.local)
🌐 This creates a new namespace with automatic two-way trust to the rest of the forest.
Managing Trust Relationships
Transitive Trusts: Automatically created within forests
Forest Trusts: Manually created between two forests for cross-access
Shortcut Trusts: Optimize authentication between distant domains
Use Active Directory Domains and Trusts or PowerShell to manage them
Introduction to Trees and Forests
- What Is a Tree?
- What Is a Forest?
- What Is the Forest Root Domain?
- Characteristics of Multiple Domains
- Reduce Replication Traffic
- Maintain Separate and Distinct Security Policies Between Domains
- Preserve the Domain Structure of Earlier Versions of Windows Server
- Separate Administrative Control
Creating Trees and Forests in Active Directory (Windows Server)
Active Directory (AD) provides a flexible, scalable structure for managing resources in a Windows Server domain. Two core components of this structure are trees and forests, which define how domains are organized and how trust is established across them.
What Is a Tree in Active Directory?
A tree is a collection of domains that share a contiguous DNS namespace and are connected in a hierarchical relationship.
🧾 Example:
Root Domain: company.com
Child Domain: hr.company.com
Another Child: it.company.com
Domains in a tree automatically trust each other through transitive trust.
What Is a Forest in Active Directory?
A forest is the top-most logical container in Active Directory. It includes:
One or more domain trees
A shared schema and global catalog
A forest root domain
Forests are used when organizations require:
Different domain namespaces (e.g., company.com, partner.org)
Separate administrative boundaries
Isolated authentication policies
Steps to Create a New Forest
Install Active Directory Domain Services (AD DS) on a Windows Server:
Open Server Manager > Add Roles and Features
Select Active Directory Domain Services
Promote the Server to a Domain Controller:
In Server Manager > Click the flag > “Promote this server to a domain controller”
Create a New Forest:
Choose “Add a new forest”
Enter a root domain name (e.g., corp.local)
Set forest and domain functional levels
Set a Directory Services Restore Mode (DSRM) password
Finish Setup and Reboot the server
You now have a fully functioning forest and root domain.
Steps to Create a New Tree in an Existing Forest
To create a new domain tree with a non-contiguous namespace in the same forest:
Launch the AD DS Configuration Wizard on another server
Choose “Add a new domain to an existing forest”
Select “Tree domain”
Enter a new DNS name (e.g., sales.org)
Authenticate with Enterprise Admin credentials
Complete the configuration
This tree will be automatically trusted by other domains in the forest.
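The forest and tree creation steps above, done from PowerShell instead of the wizard, as an added example that is not part of the original module. The names corp.local, marketing.net, the NetBIOS names CORP and MARKETING, and the account CORP\Administrator (a member of Enterprise Admins) are assumed; each part runs on its own freshly installed server that can resolve the forest root in DNS.

```powershell
# --- Part 1: on the first server, create the new forest and its root domain ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# DSRM password: needed to log on to the DC in Directory Services Restore Mode
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

$forestParams = @{
    DomainName                    = 'corp.local'   # assumed forest root name
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'WinThreshold' # Windows Server 2016 forest functional level
    DomainMode                    = 'WinThreshold' # Windows Server 2016 domain functional level
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true          # suppress the confirmation prompt; server reboots
}
Install-ADDSForest @forestParams

# --- Part 2: on a second server, add marketing.net as a new TREE in that forest ---
# ParentDomainName names the forest root so the wizard knows which forest to join;
# DomainType TreeDomain is what makes the non-contiguous namespace a tree rather than a child.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

$treeParams = @{
    NewDomainName                 = 'marketing.net'   # assumed tree root name
    NewDomainNetbiosName          = 'MARKETING'
    ParentDomainName              = 'corp.local'      # existing forest root
    DomainType                    = 'TreeDomain'
    DomainMode                    = 'WinThreshold'
    Credential                    = (Get-Credential 'CORP\Administrator')  # Enterprise Admin
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true
}
Install-ADDSDomain @treeParams

# --- After the reboot: confirm both trees are in one forest and trust each other automatically ---
(Get-ADForest).Domains                      # expected: corp.local, marketing.net
Get-ADTrust -Filter * | Select-Object Name, Direction, IntraForest, ForestTransitive
```

The final Get-ADTrust listing should show the tree-root trust with IntraForest set to True and a bidirectional direction, which is the automatic two-way transitive trust the text describes.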
Trust Relationships
Domains in a tree: Connected by transitive, bidirectional trusts
Multiple trees in a forest: Also connected via automatic transitive trust
Forest-to-forest trusts: Must be created manually when needed
- Creating a New Child Domain
- Creates a new domain
- Promotes the computer to a new domain controller
- Establishes a trust relationship with the parent domain
- Creating a New Tree
- Creates the root domain of a new tree
- Promotes the computer to a new domain controller
- Establishes a trust relationship with the forest root domain
- Replicates schema and configuration directory partitions
- Creating a New Forest
- Creates the root domain of a new forest
- Creates the root domain of a new tree
- Promotes the computer to a new domain controller
- Configures a global catalog server
- Starts with the default schema and configuration directory partitions
Trust Relationships in Trees and Forests
In Active Directory (AD), trust relationships allow users in one domain to access resources in another. Trusts are essential when managing multiple domains or forests within an enterprise IT environment.
They ensure secure authentication and authorization across different domain boundaries.
Trusts Within a Tree (Same Forest)
Domains within the same tree or forest are automatically connected through transitive, bidirectional trust relationships. This means:
User A in Domain X can access resources in Domain Y, and vice versa.
Trust is automatically established and maintained by Active Directory.
🧾 Example: corp.local and sales.corp.local trust each other by default.
Trusts Between Trees in the Same Forest
When you create a new domain tree (with a non-contiguous namespace), it still becomes part of the same forest. Trusts are also:
Transitive
Bidirectional
Automatic
🧾 Example: corp.local and marketing.net (in the same forest) trust each other even though they have different namespaces.
Trusts Between Forests (Forest Trusts)
When two different forests need to share resources:
You must create a manual forest trust
Trusts can be:
One-way or Two-way
Transitive or Non-transitive
Forest trusts require:
Both forests at the Windows Server 2003 forest functional level or higher
DNS resolution between the forests
Enterprise Admins to configure the trust
- Transitive Trusts in Windows 2018
- How Trusts Work
- How Kerberos V5 Works
- Shortcut Trusts in Windows 2018
- Nontransitive Trusts in Windows 2018
Nontransitive Trusts | Nontransitive Trust Exists Between
---|---
Manually created | A Windows 2018 domain and a Windows 2016 domain
One-way | Two Windows 2018 domains in two forests
 | A Windows 2018 domain and a Kerberos V5 realm
- Verifying and Revoking Trusts
Understanding the Global Catalog in Active Directory
The Global Catalog (GC) is a read-only, partial replica of all objects in every domain in an Active Directory (AD) forest. It is stored on domain controllers that are designated as Global Catalog servers.
While a domain controller holds the full information for its own domain, the GC contains:
A subset of attributes (most commonly searched ones)
All objects from all domains in the forest
This enables efficient directory lookups and cross-domain operations without needing to query every domain individually.
- The Global Catalog and the Logon Process
- Universal group membership information for the account
- Domain information when using user principal names during logon
- Creating a Global Catalog Server
Strategies for Using Groups in Active Directory Trees and Forests
Managing users and resources across multiple domains and forests in Active Directory (AD) can quickly become complex. Using groups strategically helps streamline access control, simplify permissions, and support scalable directory design.
Best Practice Strategy: AGDLP / AGUDLP
The most recommended approach for managing access in trees and forests is the AGDLP or AGUDLP strategy:
AGDLP:
Accounts → in Global groups
Global groups → placed in Domain Local groups
Domain Local groups → assigned Permissions
AGUDLP (for multi-domain forests):
Accounts → in Global groups
Global groups → in Universal groups
Universal groups → in Domain Local groups
Domain Local groups → assigned Permissions
This structure:
Reduces replication traffic
Simplifies administration
Supports cross-domain resource access
Cross-Domain Group Management
In tree and forest scenarios:
Use Universal Groups when members and permissions span multiple domains
Place Global Groups inside Universal Groups when nesting
Use Domain Local Groups for permissions on resources in a specific domain
Example:
Users from sales.corp.local are added to the Global Group SalesTeam
SalesTeam is nested in the Universal Group AllSales
AllSales is added to the Domain Local Group SharedDriveAccess
SharedDriveAccess is granted permissions on files.marketing.corp.local
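The AGUDLP chain from the example above built with the ActiveDirectory module, as an added example that is not part of the original module. Assumed: the users are in sales.corp.local, the file server files.marketing.corp.local is in marketing.corp.local, the shared folder is D:\Shares\Sales on that server, and the account running this can administer both domains.

```powershell
$salesDom = 'sales.corp.local'       # assumed domain holding the user accounts
$mktDom   = 'marketing.corp.local'   # assumed domain holding the file server
$share    = '\\files.marketing.corp.local\D$\Shares\Sales'   # assumed folder path

# A -> G: Global group in the users' own domain (a Global group may only contain
# members from its own domain, which is why it is created in sales.corp.local)
New-ADGroup -Name 'SalesTeam' -GroupScope Global -GroupCategory Security -Server $salesDom
$salesUsers = Get-ADUser -Filter "Department -eq 'Sales'" -Server $salesDom
Add-ADGroupMember -Identity 'SalesTeam' -Members $salesUsers -Server $salesDom

# G -> U: a Universal group may contain Global groups from any domain in the forest.
# Its member list is replicated to every global catalog, so nesting the group
# (not individual users) keeps that replication traffic small and infrequent.
New-ADGroup -Name 'AllSales' -GroupScope Universal -GroupCategory Security -Server $salesDom
$salesTeam = Get-ADGroup -Identity 'SalesTeam' -Server $salesDom
Add-ADGroupMember -Identity 'AllSales' -Members $salesTeam -Server $salesDom

# U -> DL: Domain Local group in the RESOURCE domain; it accepts members from any
# domain in the forest (and from trusted forests), so the cross-domain hop happens here
New-ADGroup -Name 'SharedDriveAccess' -GroupScope DomainLocal -GroupCategory Security -Server $mktDom
$allSales = Get-ADGroup -Identity 'AllSales' -Server $salesDom
Add-ADGroupMember -Identity 'SharedDriveAccess' -Members $allSales -Server $mktDom

# DL -> P: the permission is granted exactly once, to the Domain Local group.
# Adding or removing sales staff later only touches SalesTeam; the ACL never changes.
$acl  = Get-Acl -Path $share
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'MARKETING\SharedDriveAccess', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Verify the whole chain resolves: the users should appear as recursive members
Get-ADGroupMember -Identity 'SharedDriveAccess' -Server $mktDom -Recursive |
    Select-Object Name, objectClass
```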
Using Groups Across Forest Trusts
When forests are connected via forest trusts:
You cannot use Universal Groups across forests directly
Use External Trusts and assign permissions using Domain Local Groups
Create matching Global Groups in each forest and map them to local resources
Consider SID filtering and selective authentication when assigning cross-forest permissions for security.
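An added audit script (not from the original module) that reports, for every trust the current domain knows about, the two settings the sentence above calls out: SID filtering and selective authentication. It assumes the RSAT ActiveDirectory module is installed and relies on Get-ADTrust's default mapping, where SIDFilteringQuarantined reflects SID filtering on external trusts and SIDFilteringForestAware reflects it on forest trusts.

```powershell
function Get-TrustAudit {
    param([string]$Server = $env:USERDNSDOMAIN)   # assumed default: the current domain

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $t = $_
        $findings = @()

        # Intra-forest trusts (child and tree-root) are always two-way and transitive and
        # cannot be SID-filtered; only trusts that leave the forest are worth flagging.
        if (-not $t.IntraForest) {
            if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
                $findings += 'forest trust with SID filtering disabled'
            }
            if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
                $findings += 'external trust with SID filtering (quarantine) disabled'
            }
            # Selective authentication limits the trusted forest's users to resources that
            # explicitly grant "Allowed to Authenticate"; without it, forest-wide auth applies.
            if (-not $t.SelectiveAuthentication) {
                $findings += 'forest-wide authentication in effect (consider selective authentication)'
            }
        }

        [pscustomobject]@{
            Trust                   = $t.Name
            Kind                    = if ($t.IntraForest) { 'Intra-forest' }
                                      elseif ($t.ForestTransitive) { 'Forest' }
                                      else { 'External' }
            Direction               = $t.Direction
            Transitive              = -not $t.DisallowTransivity
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            SIDFilteringForestAware = $t.SIDFilteringForestAware
            SelectiveAuthentication = $t.SelectiveAuthentication
            Findings                = $findings -join '; '
        }
    }
}

# Run against the current domain and show the trusts that need attention first
Get-TrustAudit | Sort-Object { $_.Findings -eq '' } | Format-Table -AutoSize
```

Run it from each forest, since a forest trust has a trustedDomain object on both sides and the settings are configured per side.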
- Universal Groups and Replication
- The use of universal groups to limit replication to a domain
- The membership in universal groups to other groups rather than user accounts
- Changes to the membership to reduce the frequency of replication
- Nesting Strategy Using Universal Groups
Add User Accounts into Global Groups
Nest Global Groups (optional)
Add Global Groups from Each Domain into Universal Groups
Add Universal Groups into Domain Local Groups in Each Domain
Assign Permissions to the Domain Local Group in Each Domain
- Class Discussion: Using Groups in Trees and Forests
As organizations grow, managing multiple domains in trees and forests can introduce challenges. Misconfigured trusts, replication delays, or functional level mismatches often lead to problems like login failures or missing group options.
Below are the top issues and solutions you might face when managing Active Directory trees and forests.
- Shortcut Trust Is Not Being Used
Symptoms:
Authentication takes longer than expected
AD queries follow the long trust path instead of the shortcut
Possible Causes:
Shortcut trust not configured properly
DNS resolution issues between domains
Kerberos ticket not issued due to permission issues
Solutions:
Re-verify shortcut trust:
Use Active Directory Domains and Trusts → Right-click domain → Properties → Trusts tab
Check DNS:
Ensure both domains can resolve each other via FQDN
Clear cached Kerberos tickets:
C:\>klist purge
Force authentication using shortcut trust:
C:\>nltest /sc_verify:target.domain
- Cannot Create Universal Groups in Some Domains
Symptoms:
Universal group option is greyed out in ADUC
Cannot convert global/domain local groups to universal
Possible Causes:
Domain functional level is set too low (must be Windows 2000 Native or higher)
You’re working in a mixed-mode domain
Solutions:
Raise the domain functional level:
Open Active Directory Domains and Trusts
Right-click domain → Raise Domain Functional Level
Choose Windows Server 2003 or higher
Use PowerShell to confirm level:
PS C:\>(Get-ADDomain).DomainMode
- Cannot Log On to a Domain
Symptoms:
“The domain cannot be contacted” or “The trust relationship failed”
Login works only on local cached credentials
Possible Causes:
No available Global Catalog server
Domain controller offline or unreachable
Time synchronization (Kerberos failure)
Trust misconfiguration
Solutions:
Check Global Catalog availability:
PS C:\>Get-ADForest | Select-Object GlobalCatalogs
Verify time synchronization:
C:\>w32tm /query /status
Confirm trust relationship:
C:\>nltest /domain_trusts
Ensure domain controller is online and accessible:
C:\>ping domaincontroller.domain.com
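The four checks above for the "cannot log on" case collected into one triage function, as an added example that is not part of the original module. It assumes the RSAT ActiveDirectory module, an elevated prompt on a domain-joined machine (Test-ComputerSecureChannel needs it), and defaults to the machine's own domain.

```powershell
function Test-DomainLogonHealth {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumed default: the machine's domain
    $r = [ordered]@{}

    # 1. Global Catalog: UPN logons and universal-group expansion fail without one
    try {
        $gc = Get-ADDomainController -Discover -DomainName $Domain -Service GlobalCatalog -ForceDiscover
        $r.GlobalCatalog = [string]($gc.HostName | Select-Object -First 1)
    } catch { $r.GlobalCatalog = "NONE FOUND: $($_.Exception.Message)" }

    # 2. Domain controller reachable on the ports Kerberos (88) and LDAP (389) use
    try {
        $dc     = Get-ADDomainController -Discover -DomainName $Domain -ForceDiscover
        $dcName = [string]($dc.HostName | Select-Object -First 1)
        $r.DomainController = $dcName
        $r.Kerberos88Open   = Test-NetConnection -ComputerName $dcName -Port 88  -InformationLevel Quiet
        $r.Ldap389Open      = Test-NetConnection -ComputerName $dcName -Port 389 -InformationLevel Quiet
    } catch { $r.DomainController = "NONE FOUND: $($_.Exception.Message)" }

    # 3. Time: Kerberos rejects tickets once clock skew exceeds the 5-minute default
    $status        = w32tm /query /status 2>&1
    $r.TimeSource  = (($status | Select-String 'Source:') -join '').Trim()
    $r.PhaseOffset = (($status | Select-String 'Phase Offset:') -join '').Trim()

    # 4. Machine account secure channel: the usual cause of "The trust relationship failed"
    $r.SecureChannelOK = Test-ComputerSecureChannel

    # 5. Trusts this domain holds (what nltest /domain_trusts lists)
    $r.Trusts = (Get-ADTrust -Filter * -Server $Domain |
                 ForEach-Object { "$($_.Name) ($($_.Direction))" }) -join ', '

    [pscustomobject]$r
}

Test-DomainLogonHealth | Format-List
```

A False in SecureChannelOK with the DC otherwise reachable points at the machine account password rather than the network; Test-ComputerSecureChannel -Repair with a domain admin credential resets it without rejoining.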