What is a forest in Active Directory?
Active Directory has a logical structure made up of forests, domains, organizational units and objects, which are organized in a hierarchical manner. At the top of this hierarchy is the forest, which is the most important and top-most level logical container. Forests contain domain trees, which in turn contain domains and organizational units.
Forests share a common schema, global catalogue, directory configuration and a security boundary. The trees in the forest have a transitive trust relationship with each other. As a result, a user belonging to any domain within the forest can access all other resources within the same forest.
Forests possess three forest-wide directory partitions. They are Schema, Configuration and Domain. The schema partition defines all the classes, objects and attributes that can be used within the forest. The configuration partition manages the forest topology, forest and domain settings. It also contains a list of all the domains, Domain Controllers and Global Catalogue. The schema and configuration replicate to all domains within the forest. The domain partition contains all the objects created within the domain. It replicates only within the domain.
Active Directory Forest Structure
There are three main models that are used while designing forests. They are:
· Organizational forest structure
· Resource forest structure
· Restricted Access forest structure
An organization is free to use a combination of these structures, based on its requirements. Each of these models has its own advantages and shortcomings and is implemented for specific use cases.
Organizational Forest Structure
The organizational forest structure is the standard configuration, in which users and resources are stored and managed together in one forest that is independent of any other. This structure gives the forest's users and resources autonomy while isolating its data and services from anyone outside the forest. However, forest-level trusts can be established to provide access to resources that reside outside the forest.
This structure can be used in small organizations, where all the resources are contained in a single forest. However, for large organizations separate forests may be created for each division. This provides autonomy and isolation to individual departments.
Resource Forest Structure
The resource forest structure separates users and resources into different forests. Here, the users are contained in the organizational forest, while the resources are contained in additional forests. Users access those resources by means of forest-level trusts, which enable users in the organizational forest to reach resources in the resource forests. The major advantage of this model is service isolation: problems occurring in one forest do not affect the other forests, which continue to operate normally.
Restricted Access Forest Structure
The restricted access forest structure has multiple forests that are isolated. No trust relationship exists between the forests. Users from other forests cannot access resources in the restricted access forest. This structure is employed in high security environments owing to the strong isolation boundaries.
Single Forest Vs Multi-forest
The forest structures above show that multiple forests can be established. Most Active Directory deployments, however, employ only a single forest, as this is considered best practice.
Multi-forest environments provide isolation, and as a result offer an extra layer of security: resources within a forest cannot be accessed from outside the forest. However, multi-forest environments are complex to manage and increase the overhead, so they are generally used only in very large organizations. For example, consider a company A that acquires another company B. Both companies have been using Active Directory to manage their resources. After the acquisition, A and B can keep separate forests for their users and resources. This is much less complex than migrating company B's users and resources over to A's forest and domains. A transitive trust can be established between the forests, allowing the two forests to be merged on a logical level. This reduces the work to be carried out by the IT administrators and helps save time and resources.
Active Directory Trusts
Trusts in Active Directory may be either transitive or non-transitive. A transitive trust extends beyond the two domains that created it: a parent domain trusts its child domain and, through it, every domain that the child trusts. Such trusts are established by default within a forest. A non-transitive trust is limited to the two domains between which it was created. Trusts can further be classified as one-way or two-way. The different types of trusts in Active Directory are listed as follows.
1. Tree-Root Trust
2. Parent-Child Trust
3. Realm Trust
4. External Trust
5. Shortcut Trust
6. Forest Trust
What are Forest Trusts in Active Directory?
A forest trust is a transitive trust created between two forest root domains and valid for all domains within both forests. It must be created by a privileged administrator and can be either one-way or two-way. If a forest trust is established between forests 1 and 2, it is also valid between the child domains of these forests. A cross-forest trust allows trust to be managed between multiple Active Directory forests. This type of trust fits the scenario of company A acquiring company B, where a trust is established between the two forests, or of a merger between organizations.
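As an added example (not code from the original article), the following PowerShell enumerates the trusts of the current domain and describes each one in the terms used above: direction, transitivity, and whether it is an intra-forest trust, a forest trust, a realm trust or an external trust. It assumes the ActiveDirectory RSAT module is installed and the session runs on a domain-joined machine; the `Get-TrustSummary` function name is the example's own.

```powershell
# Added example: summarise the trust relationships visible from this domain
# using the ActiveDirectory module. Requires RSAT and a domain-joined session.
Import-Module ActiveDirectory

function Get-TrustSummary {
    param([string]$Server)   # optional Domain Controller to query

    $params = @{ Filter = '*' }
    if ($Server) { $params.Server = $Server }

    foreach ($t in Get-ADTrust @params) {
        # Classify from the flags Get-ADTrust exposes. Intra-forest trusts
        # (parent-child, tree-root, shortcut) and forest trusts are transitive;
        # a non-transitive trust to another forest is an external trust.
        $kind = if ($t.IntraForest)           { 'Intra-forest (parent-child, tree-root or shortcut)' }
                elseif ($t.ForestTransitive)  { 'Forest trust' }
                elseif ($t.TrustType -eq 'Kerberos') { 'Realm trust' }
                else                          { 'External trust (non-transitive)' }

        [pscustomobject]@{
            Partner             = $t.Name
            Kind                = $kind
            Direction           = $t.Direction   # Inbound, Outbound or BiDirectional
            Transitive          = [bool]($t.IntraForest -or $t.ForestTransitive)
            SidFilteringQuarantined = [bool]$t.SIDFilteringQuarantined  # as reported by AD
            SelectiveAuth       = [bool]$t.SelectiveAuthentication
        }
    }
}

# Two-way forest trusts without selective authentication are the ones worth
# reviewing, since every account in the partner forest can then authenticate here.
Get-TrustSummary |
    Sort-Object Kind, Partner |
    Format-Table -AutoSize
```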
Creating an AD Forest
1. To create a new Active Directory domain forest, install Windows Server.
2. To promote the server to a Domain Controller, install the Active Directory Domain Services role and the DNS Server role.
3. The Active Directory Domain Services Configuration wizard is launched.
4. Select the Domain Controller for a new domain option and click Next.
5. Select the Create a new domain tree option and click Next.
6. Select the Create a new forest of domain trees option and specify a root domain name.
7. The rest of the steps can be followed according to the prompts.
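The same forest creation carried out with PowerShell instead of the wizard, as an added example that is not part of the original article. It uses the ADDSDeployment cmdlets on a freshly installed Windows Server in an elevated session; the forest root name `corp.example.com` and NetBIOS name `CORP` are placeholders.

```powershell
# Added example: create a new forest with this server as its first Domain
# Controller, following the steps above. Run elevated on a fresh Windows Server.

$rootDomain = 'corp.example.com'   # placeholder forest root domain name (step 6)
$netbios    = 'CORP'               # placeholder NetBIOS name

# Step 2: install the AD DS and DNS Server roles with their management tools.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

Import-Module ADDSDeployment

# The Directory Services Restore Mode password is read interactively so it is
# never stored in the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Dry run: validates prerequisites (name validity, DNS, forest/domain mode)
# without changing the server.
Test-ADDSForestInstallation -DomainName $rootDomain -SafeModeAdministratorPassword $dsrmPassword

# Steps 4-7: promote the server and create the new forest of domain trees.
# -InstallDns matches the DNS Server role chosen in step 2.
Install-ADDSForest `
    -DomainName $rootDomain `
    -DomainNetbiosName $netbios `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force   # suppress the confirmation prompt; the server reboots when done

# After the reboot, confirm the forest root and its forest-wide roles.
Get-ADForest | Select-Object Name, RootDomain, ForestMode, SchemaMaster, GlobalCatalogs
```

The last line runs only after the post-promotion reboot, in a new session where the ActiveDirectory module is available.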
What is Red Forest in Active Directory?
Red Forest refers to the Enhanced Security Administrative Environment (ESAE), an Active Directory design used to manage privileged identities and provide enhanced security protection. The Red Forest is based on the Active Directory administrative tier model. This model is composed of three levels of security and comprises only the administrative accounts.
Tier 0: This level is responsible for the direct control of enterprise identities. Tier 0 includes Domain Controllers, administrator user accounts, service user accounts and identity management resources.
Tier 1: This layer is responsible for the control of enterprise servers and applications. It includes server operating systems, enterprise applications and cloud services.
Tier 2: This layer is responsible for the control of workstations and devices. It includes standard user accounts, devices and workstations.
Advantages and Disadvantages of Active Directory Forests
With Active Directory forests, authentication and authorization processes across an organization are centralized and made easier to manage. This includes applying group policy settings at the various levels of the hierarchy. However, forests are also vulnerable to security threats. While this can be addressed with multiple forests, they are still not secure enough and are more expensive. These shortcomings can be reduced by following certain best practices, such as using a single forest model, using GPOs to restrict users and implementing a least privilege model.