Best Answer
Multiple Trees in a Single Forest Model (Single Active Directory)

Let's say that your organization would like to look at Active Directory and wants to use an external namespace for your design. However, your environment currently uses multiple DNS namespaces and needs to integrate them into the same design. Contrary to popular misconception, integration of these namespaces into a single AD forest can be done through the use of multiple trees that exist in one forest. One of the most misunderstood characteristics of Active Directory is the difference between a contiguous forest and a contiguous DNS namespace. Many people do not realize that multiple DNS namespaces can be integrated into a single Active Directory forest as separate trees in the forest. For example, Figure 5.6 shows how Microsoft could theoretically organize several Active Directory domains that share the same forest but reside in different DNS namespaces.

Figure 5.6 Sample Active Directory forest with multiple unique trees within the same forest.

Only one domain in this design is the forest root, in this case microsoft.com, and only this domain controls access to the forest schema. All other domains, including subdomains of microsoft.com and the other domains that occupy different DNS structures, are members of the same forest. All trust relationships between the domains are transitive, and trusts flow from one domain to another.

When to Choose a Multiple Tree Domain Model

If your organization currently operates multiple units under separate DNS namespaces, one option may be to consider a design such as this one. It is important to understand, however, that simply using multiple DNS namespaces does not automatically qualify you as a candidate for this domain design. For example, you could own five separate DNS namespaces and instead decide to create an Active Directory structure based on a new namespace that is contiguous throughout your organization. Consolidating your Active Directory under this single domain could simplify the logical structure of your environment while keeping your DNS namespaces separate from Active Directory.

If your organization makes extensive use of its separate namespaces, you may want to consider a design like this. Each domain tree in the forest can then maintain a certain degree of autonomy, both perceived and real. Often, this type of design will seek to satisfy even the most paranoid of branch office administrators who demand complete control over their entire IT structure.

Real-World Design Example

To gain a greater understanding of the times an organization might use this particular design model, let's look at the following AD structure. City A is a local county governmental organization with a loose-knit network of semi-independent city offices such as the police and fire departments that are spread out around the city. Each department currently uses a DNS namespace for name resolution to all hosts and user accounts local to itself, which provides different e-mail addresses for users located in the fire department, police department, and other branches. The following namespaces are used within the city's infrastructure:

  • citya.org

  • firedeptcitya.org

  • policeofcitya.org

  • cityalibrary.org

The decision was made to merge the existing network environments into a single Active Directory forest that will accommodate the existing departmental namespaces but maintain a common schema and forest root. To accomplish this, Active Directory was established with citya.org as the namespace for the root domain. The additional domains were added to the forest as separate trees but with a shared schema, as shown in Figure 5.7.

Figure 5.7 Single Active Directory forest with separate directory trees for departments.

The individual departments were able to maintain control over their individual security and are disallowed from making changes in domains outside their control. The common forest schema and global catalog helped to increase collaboration between the varying organizations and allow for a certain amount of central administration.

This type of domain design is logically a bit messier but technically carries the same functionality as any other single forest design model. All the domains are set up with two-way transitive trusts to the root domain and share a common schema and global catalog. The difference lies in the fact that they all utilize separate DNS namespaces, a fact that must also be reflected in the zones that exist on your DNS server.
This information is taken from the following link:
http://www.informit.com/articles/article.aspx?p=32080&seqNum=7.
Best Regards
Sheba Tasaduque
Wiki User

15y ago
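As an added example (not part of the answer above or of the InformIT article it quotes), here is a small Python model of the multiple-tree design using the City A namespaces: it groups domains into trees by DNS contiguity, derives the tree-root and parent-child trusts that Active Directory creates automatically inside a forest, flags tree roots whose DNS zone is not hosted, and lists the domains a trust referral crosses between two domains. The child domain dispatch.policeofcitya.org is constructed for the example and does not come from the answer.

```python
def parent_domain(domain, forest_domains):
    """Nearest ancestor of domain that is also a forest domain, or None.
    Matching is on whole labels, so firedeptcitya.org is not under citya.org."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in forest_domains:
            return ".".join(labels[i:])
    return None

def tree_root(domain, forest_domains):
    while (parent := parent_domain(domain, forest_domains)) is not None:
        domain = parent          # climb until nothing in the forest sits above
    return domain

def build_forest(forest_root, domains):
    """Group domains into trees by DNS contiguity and list the trusts AD creates."""
    forest_domains = set(domains) | {forest_root}
    trees, trusts = {}, []       # every intra-forest trust is two-way and transitive
    for d in sorted(forest_domains):
        trees.setdefault(tree_root(d, forest_domains), []).append(d)
        parent = parent_domain(d, forest_domains)
        if parent is not None:
            trusts.append((d, parent, "parent-child"))
        elif d != forest_root:
            trusts.append((d, forest_root, "tree-root"))
    return {"forest_root": forest_root, "trees": trees, "trusts": trusts}

def missing_zones(forest, hosted_zones):
    """Each tree root is a separate namespace and needs its own DNS zone."""
    return sorted(r for r in forest["trees"] if r not in set(hosted_zones))

def trust_path(forest, src, dst):
    """Domains a trust referral crosses: up toward the forest root, then down."""
    forest_domains = {d for tree in forest["trees"].values() for d in tree}
    def chain_up(d):
        chain = [d]
        while d != forest["forest_root"]:
            d = parent_domain(d, forest_domains) or forest["forest_root"]
            chain.append(d)
        return chain
    up, down = chain_up(src), chain_up(dst)
    meet = next(d for d in up if d in down)   # first domain shared by both chains
    return up[:up.index(meet) + 1] + down[:down.index(meet)][::-1]

if __name__ == "__main__":  # dispatch.policeofcitya.org is a constructed child domain
    forest = build_forest("citya.org", ["firedeptcitya.org", "policeofcitya.org",
                                         "cityalibrary.org", "dispatch.policeofcitya.org"])
    print(forest["trees"], forest["trusts"], sep="\n")
    print(missing_zones(forest, ["citya.org", "firedeptcitya.org", "policeofcitya.org"]))
    print(trust_path(forest, "dispatch.policeofcitya.org", "cityalibrary.org"))
```

The missing-zone check is the DNS point the answer closes on: a tree root such as cityalibrary.org that has no zone on the forest's DNS servers will not resolve for the other trees, even though the trust to the forest root exists.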
Q: What is single active directory?