The base unit of Active Directory is a domain. Let’s say that we want to create a saadz26.sg-host.com domain and set up our first domain controller (DC).
Once we do that, we have an active directory infrastructure with our single domain controller. We can then add other domain controllers and other components of active directory, but we start with at least a single domain. If we don’t have a single domain and at least one domain controller, we don’t have active directory.
You will notice that domains in Active Directory follow DNS naming convention. That’s because active directory is fully integrated with DNS.
Tree
We might need more than a single domain in our infrastructure. In that case we would come up with a tree infrastructure.
So, our single domain now has branches, IT and Accounting branch. In a tree infrastructure, we have trust on all our DCs. For example, if we have users on an accounting.saadz26.sg-host.com domain, we can grant them permission to access resources on any server in our infrastructure.
In a tree infrastructure we actually create, what we call, child domains. When they are create in, what we call, the same forest, the trust relationship is transitive. This means that users on any subdomain can be trusted on any other domain or subdomain in our forest. Any user or any part of this tree structure can be trusted elsewhere throughout the organization.
However, they are only trusted if they have been granted permissions. If we never grant some user the permission for some resource, they won’t be able to access it. Just because a user is part of our tree, this does not give them permissions for particular resources.
Forest
So, when we start with the parent domain and then create child domains in the same forest, there’s an automatic trust relationship built in.
If we just started with saadz26.sg-host.com domain and it was the only domain that we ever created, we would still have a forest. The forest is the totality of all of our active directory infrastructure. If we create a child domain, then we’ll have a tree structure, just because again we have something else branching off from our original parent domain. So, in that case we have a tree and a forest, and instead of our forest containing a single domain, in our case it contains a total of three domains.
The other way we look at forests is when we have more than a single namespace. Let’s say we have a saadz26.sg-host.com and we add another division, for example, utilizelinux.org.
So, utilizelinux.org is still part of our same company, but another division. Since it is another namespace, we think of it as another forest.
However, keep in mind that we can join those two domains. If we do that, we will get a two-way transitive trust between those two namespaces.
Trust
Let’s say that, again, we have two sepparate namespaces, saadz26.sg-host.com and utilizelinux.org. So, those two domains are not joined, there is no relationship. If we want to enable users from one domain to access resources on another, we could create a forest trust between those two forests. This would basically give us the same relationship we mentioned, in which the user can try to access any resources which they have been granted permissions for, throughout both utilizewidnows.com and utilizelinux.org.
We may also go only a certain level. Maybe we don’t want, for example, our saadz26.sg-host.com users to access resources on it.utilizelinux.org subdomain, but can access utilizelinux.org domain.
So, we can create a trust relationship that is only valid between saadz26.sg-host.com and utilizelinux.org, but nut for utilizelinux.org subdomains. When we create a manual trust like that, there is no transitivity. When we create trust between saadz26.sg-host.com and utilizewindows.org, it is only limited to that level. There is no trust between other subdomains, it’s only at that specific level. We could then create a separate trust going any other direction we like. For example, we could set up a trust between utilizelinux.org and accounting.saadz26.sg-host.com.
Manual trusts are something we had to do in the days of NT 4.0. and it was cumbersome. So, if we know in advance that we want to have trust going all the way between our two forests, then we can create the forest trust. That would allow us transitive trust all the way throughout for both trees. Otherwise, we can just create those manual trust relationships to only specific domains in each forest.
Federation
Federation is something that we actually described above. When we first establish a relationship between two forests and we know that both divisions want access all resources throughout all domains and all the children, we can just create a Federation. So, federation is actually kind a trust relationship as well, and by creating a Federation, we automatically create a transitive trust to all the children.