Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1488
  • Last Modified:

What is Domain ; Tree and Forest?

Please share me some thoughts on how to explain to others what is a Domain ; Tree and Forest? in short

Please dont share any links
4 Solutions
Forests, trees, and domains

All objects inside a common directory database is known as a domain. Each domain stores information only about the objects that belong to that domain. A tree consists of a single domain or multiple domains in a contiguous namespace. A forest is a collection of Trees and represents the outermost boundary within which users, computers, groups, and other objects exist. The forest is the security boundary for Active Directory.

The Active Directory framework that holds the objects can be viewed at a number of levels. At the top of the structure is the forest.  A forest is a collection of multiple trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest, tree, and domain are the logical parts in an Active Directory network.

The Active Directory forest contains one or more transitive, trust-linked trees. A tree is a collection of one or more domains and domain trees in a contiguous namespace, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace.

Mike KlineCommented:
It is also important to note that the forest is also the security boundary.  You may see old references to the domain listed as the security boundary but it is not.So you also would create different trees if you want different namespaces.   You can think of it as a "real forest" analogy and that can make it easier.You can have a forest filled with redwood trees.  You can also have a forest filled with redwood and evergreen trees.  Disntint trees (domains) yet in the same forest that share the common soil (schema)ThanksMike
When you set up your first domain controller, then you are creating a forest, a tree and a domain. At this point your forest contains just a single tree and that tree has a single domain.

If you add a child domain to your first domain (eg you add sales.mydomain.lan to mydomain.lan) then you will have a tree of two domains in a single forest. Trees have what is called 'continguous name space' - that is to say the child domain is created by appending a prefix to the existing parent domain name to create a new domain.

A new tree can be created in a forest by using a completly different name (eg anotherdomain.lan)
Krzysztof PytkoActive Directory EngineerCommented:
In few simply words:

Domain - contains users/groups/computers etc (generally objects)

Tree/Forest - contains domains

Tree -> uses root domain namespace for its own domain

(i.e. testenv.local is root domain and its child domains in tree are:


each of subdomain uses common root domain)

Forest -> collects different root domains




each forest can be extended by its own tree(s))
The DS Team posted this a few days ago. They ask for the purpose of forest and domains (sorry for this as it's off the authors topic, but it's funny)


Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now