While most organizations will require only a single forest in their Active Directory (AD) implementation, circumstances exist under which multiple forests may be required. Understanding these circumstances and knowing which multi-forest model to implement are key to building an appropriate AD infrastructure.
The Rationale for Multiple Forests
In general, the implementation of multiple forests is to be avoided. As will be seen, using multiple forests requires two administration teams, which means an increase in staff. There are circumstances, however, under which an enterprise may be forced into a multi-forest topology. These revolve around isolation and/or autonomy in service delivery and/or data access.
Active Directory Topology
This is the second in a series of notes addressing topology decisions in an Active Directory implementation. The other notes examine the topology overview as well as the remaining layers of the topology hierarchy:
- Domains.
- Organizational Units.
- Service autonomy provides the ability to independently, but non-exclusively, manage an aspect of the enterprise’s infrastructure. It is required if a group wants administration rights that do not depend on the approval of a higher-level administrator. This is generally not recommended, as it removes oversight by the central administrative team, and the required capability can be achieved in other ways.
- Service isolation involves the ability to independently and exclusively manage the operations of a component of the enterprise. If an aspect of the enterprise must be kept operational in the event of a service disruption to the rest of the enterprise, as when one division of a company operates on a 24/7 basis while the rest of the company operates 12/5, service isolation is likely required.
- Data autonomy is required when a group within the enterprise requires the ability to independently manage its data, but access to that data does not need to be restricted. Data autonomy is not a reason to implement multiple forests.
- Data isolation is needed when the information assets from two divisions within the same enterprise must, at all costs, be kept separate. A financial institution that handles mergers and acquisitions as well as individual investment portfolios cannot allow the latter group to become privy to data concerning the former (due to the risk that this insider information may inappropriately adjust investor actions). Such a circumstance can only be achieved with multiple forests.
Multi-Forest Models
Three distinct multi-forest models exist:
- Organizational Forest Model. This model utilizes two or more organizational forests, each of which contains independently administered users and accounts, as well as separate and dedicated resources. Should users in one forest need to access resources in another forest, trust relationships can be established that allow access to the specified resource only, not to the contents of the forest in its entirety.
- Resource Forest Model. This model makes use of a core organizational forest and one or more related resource forest(s). User accounts are maintained and administered in the organizational forest, but all resources are contained within the resource forest(s) (along with duplicates of the user accounts local to each resource forest should the organizational forest become unavailable). Trust relationships are established between the organizational forest and the resource forests to allow users to access their specified resources.
- Restricted Access Forest Model. This model supplements an organizational forest with a restricted access forest that is in no way accessible from the organizational forest. Any users that need to access resources in the two forests must maintain separate user accounts within the two forests. This is essentially an organizational forest model with no trusts between the forests.
Linking Reasons to Models
The rationale used to determine whether or not more than one forest is required in the enterprise can indicate which multi-forest model to implement.
| Need | Model | Notes |
|---|---|---|
| Service Autonomy | Organizational | Two-way trusts required to allow access to non-autonomous resources. |
| Service Isolation | Organizational | Place the resource requiring isolation in a secondary organizational forest and establish a one-way trust from the forest requiring isolation to the one that doesn’t require it. |
| Service Isolation | Resource | Place the resource requiring isolation in a resource forest and establish a one-way trust from the forest requiring isolation to the one that doesn’t require it. |
| Data Isolation | Organizational | Establish a one-way trust from the forest requiring isolation to the one that doesn’t require it. Users must have accounts in each forest and may need separate workstations. |
| Data Isolation | Restricted Access | No trust relationships allowed. Users must have accounts in each forest and may need separate workstations. |
Recommendations
- Make sure multiple forests are needed to avoid unnecessary cost. Managing more than one forest means, at the very least, having two sets of top-level administration staff. Before committing to this expense, have the group requesting a dedicated forest demonstrate a need for service or data isolation. If the case can be clearly made on these grounds, multiple forests can make sense. If the request is based simply on a desire for autonomy, the cost associated with multiple forests is likely not warranted.
- Select the right multi-forest model to achieve the required division. Whether it is for data isolation or service isolation, an organizational forest model can always be employed. For best results in a service isolation situation, a resource model may be required while optimal data isolation could mean the implementation of a restricted access forest model. The more stringent the need for isolation, the greater the likelihood that specialized forests should be used.
- Minimize secondary forest membership. The reason for implementing multiple forests is isolation. That being the case, carefully consider the inclusion of every user account and every resource: assume null membership as the default and add users and resources, rather than starting with full membership and deleting users. The more users that can access the forest and the more resources it contains, the greater the likelihood that isolation will be violated, nullifying the purpose of the secondary forest while still incurring its cost.
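The table above pairs each model with a trust configuration, and the recommendations ask that a secondary forest be checked against the model it was built for. The following PowerShell audit, an added example rather than code from the original note, reports the trusts of the current forest that contradict that model. It assumes the RSAT ActiveDirectory module (Get-ADTrust) and a session authenticated to the forest being audited; the function name and its parameters are this example's own.

```powershell
# Added example: audit the current forest's trusts against the multi-forest
# model it is meant to implement. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ForestTrustPosture {
    param(
        # Model from the "Linking Reasons to Models" table.
        [Parameter(Mandatory)]
        [ValidateSet('Organizational', 'Resource', 'RestrictedAccess')]
        [string]$Model,
        # Set when this forest is the one requiring isolation (not merely autonomy).
        [switch]$RequiresIsolation
    )

    $trusts = @(Get-ADTrust -Filter *)

    # A restricted access forest is reachable from no other forest: any trust
    # at all, in either direction, is a finding.
    if ($Model -eq 'RestrictedAccess') {
        foreach ($t in $trusts) {
            [pscustomobject]@{ Trust = $t.Target; Direction = $t.Direction
                               Finding = 'trust exists in a restricted access forest' }
        }
        return
    }

    # Organizational and resource forests built for isolation both call for a
    # single one-way trust; a two-way trust is only expected for service autonomy.
    foreach ($t in $trusts) {
        $findings = @()
        if ($RequiresIsolation -and $t.Direction -eq 'BiDirectional') {
            $findings += 'two-way trust where the model specifies a one-way trust'
        }
        # Selective authentication limits users from the other forest to resources
        # that explicitly grant "Allowed to Authenticate", i.e. "the specified
        # resource only" rather than the whole forest.
        if ($t.ForestTransitive -and -not $t.SelectiveAuthentication) {
            $findings += 'forest-wide authentication: every resource is reachable across the trust'
        }
        foreach ($f in $findings) {
            [pscustomobject]@{ Trust = $t.Target; Direction = $t.Direction; Finding = $f }
        }
    }
}

# Audit a secondary organizational forest that was created for service isolation.
Test-ForestTrustPosture -Model Organizational -RequiresIsolation | Format-Table -AutoSize
```

No output means every trust matches the stated model; each row returned names a trust to revisit with the table above in hand.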
Bottom Line
Using multiple forests in an AD implementation adds complexity and cost. Ensure they’re employed for the right reasons and in the right way to justify the expense.