Why do organizations implement multi-domain Active Directory environments?

Organizations implement multi-domain Active Directory environments, or multi-domain forests, for the following kinds of reasons.

Replication

Each Windows Server 2012 R2 functional level domain supports the creation of approximately 2.15 billion relative identifiers (RIDs), and a domain controller is able to create around 2.15 billion objects. These numbers are theoretical approximations; the limits have not been reached in real-world production Active Directory environments. When you consider these figures, you will understand that the primary reason for creating a multi-domain Active Directory forest will not be that the current domain cannot support the creation of any more objects.
Replication is one genuine reason: a domain's directory partition replicates only to the domain controllers of that domain, so splitting a large organization into domains limits how much change has to be replicated to every domain controller, including those in distant or poorly connected sites. Primarily, however, organizations implement multi-domain forests because of issues beyond the strictly technical, including, but not limited to, the following conditions:

Historical naming structure

An organization may have inherited a domain structure from a parent or sister organization that implemented Active Directory first. It might be that an environment has multiple domains, now hosted on Windows Server 2012 R2 domain controllers, simply because no one got around to altering the structure that was put in place when Windows 2000 domain controllers were first introduced.

Organizational and political reasons

Some organizations are conglomerates consisting of several separate companies that share a single administrative and management group. For example, a university in a Commonwealth country might use a structure in which each faculty has a separate domain that is a member of the same forest, with users in the Faculty of Arts signing on to the Arts domain and users in the Faculty of Science signing on to the Science domain.

Security considerations

Domains allow the implementation of authentication and authorization boundaries, so that one set of administrators can manage users and computers in one part of the organization without being able to manage users and computers in another part. You can accomplish the same objectives within a single domain by delegating privileges over organizational units (OUs), but you may have to comply with legislation worded in such a way that it is easier to meet those obligations by segmenting users and computers across separate domains in the same forest. Keep in mind, though, that a domain is an administrative boundary and not a security boundary: the forest is the security boundary, because the administrators of any domain in a forest, including the Domain Admins of a child domain, are in a position to take control of the other domains in that forest. If two groups of administrators must be isolated from one another, they need separate forests.
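As an added example that is not part of the original article, the following PowerShell delegates user management over one OU to a group, which is the single-domain alternative to giving a business unit its own domain. The domain adatum.com, the OU Arts and the group Arts-UserAdmins are hypothetical names, and the script needs the ActiveDirectory module (RSAT) run by an account allowed to modify the OU's ACL.

```powershell
# Added example, not from the original article. Assumes a domain adatum.com with an
# OU "Arts" and a global group "Arts-UserAdmins"; all three names are hypothetical.
Import-Module ActiveDirectory

# Schema GUID of the "user" object class; it is the same in every AD forest.
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Grant-OUUserAdministration {
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,   # e.g. OU=Arts,DC=adatum,DC=com
        [Parameter(Mandatory)][string]$GroupSamAccountName    # e.g. Arts-UserAdmins
    )
    $sid  = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $path = "AD:\$OUDistinguishedName"
    $acl  = Get-Acl -Path $path

    # Rule 1: create and delete objects of class "user" in this OU and every sub-OU.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    $createDelete = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $UserClassGuid,                                                   # objectType: only "user" children
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # Rule 2: full control of existing user objects (reset password, edit attributes).
    # It is inherited only by descendants of class "user", so the group gains nothing
    # over computers, groups or the OU object itself.
    $manageUsers = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)                                                   # inheritedObjectType

    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($manageUsers)
    Set-Acl -Path $path -AclObject $acl
    # Domain Admins and Enterprise Admins still control this OU: delegation narrows what
    # the Arts team can do, it does not isolate the Arts team from the rest of the forest.
}

function Get-OUDelegation {
    # Lists the explicit (non-inherited) ACEs on an OU: the check to run after delegating,
    # and the one to repeat when auditing who can manage accounts in that part of the tree.
    param([Parameter(Mandatory)][string]$OUDistinguishedName)
    (Get-Acl -Path "AD:\$OUDistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

Grant-OUUserAdministration -OUDistinguishedName 'OU=Arts,DC=adatum,DC=com' `
                           -GroupSamAccountName 'Arts-UserAdmins'
Get-OUDelegation -OUDistinguishedName 'OU=Arts,DC=adatum,DC=com' | Format-Table -AutoSize
```

The two rules are deliberately scoped by object class GUID rather than granted as a blanket GenericAll on the OU; the second function is the verification step, and is also what you would run on an existing OU to see which non-default principals already hold rights there before deciding whether a separate domain is really needed.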

Even though a single-domain forest might appear to be the most appropriate technical solution, it might not be the most appropriate organizational or political solution. Although questions around organizational politics aren't likely to turn up on the 70-412 exam, they will arise when you go to apply the knowledge tested on the exam in the real world.

When considering the creation of a multi-domain forest, you have the choice between using one or more domain trees. A domain tree is a collection of domains that share a common root domain name in a parent/child relationship. For example, adatum.com, queensland.adatum.com, victoria.adatum.com, melbourne.victoria.adatum.com, and tasmania.adatum.com could all be domains that are members of the same domain tree. All domains in this tree share the adatum.com suffix. The parent/child relationship between domains in the tree is expressed in the DNS namespace: a child domain's name is its parent's name with one additional label in front. In this example, queensland.adatum.com, victoria.adatum.com, and tasmania.adatum.com are all child domains of the adatum.com domain, and melbourne.victoria.adatum.com is a child domain of the victoria.adatum.com domain. The depth of any one branch of a domain tree is limited by the rule that a domain's fully qualified domain name, including periods, cannot exceed 64 characters.

An Active Directory forest supports multiple domain trees. You could have adatum.com as the forest root domain with a domain tree beneath it, and additionally have other domain trees that use separate namespaces within the same forest. For example, contoso.com and fabrikam.com could be tree root domains in the forest whose forest root is adatum.com. They are not child domains of adatum.com, because they do not share its name; instead, each is joined to the forest root domain by an automatically created two-way transitive tree-root trust. You might use this configuration for conglomerates, where multiple separate public-facing business entities are actually all managed centrally.

The advantage of supporting non-contiguous namespaces in a single forest is that all domains in a forest automatically trust one another, through the two-way transitive parent-child and tree-root trusts created when each domain is added. This means that in the example where contoso.com and fabrikam.com are domain trees in the forest rooted at adatum.com, you can assign permissions on objects in the adatum.com and fabrikam.com domains to a user who signs on to the contoso.com domain.
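As an added example that is not the article's own code, the PowerShell below works out, from domain names alone, which domains in a forest are the forest root, tree roots and child domains, which automatic trust links each one to its parent, whether any name breaks the 64-character limit, and the chain of trusts a request from one domain to another has to cross. The input list is the article's example forest plus one constructed, deliberately over-long name; the commented commands at the end are what you would run against a live forest and need the ActiveDirectory module.

```powershell
# Added example, not from the original article. The functions run offline against a
# constructed list of domain names; the live commands at the end need RSAT's
# ActiveDirectory module and a domain-joined session.

function Get-ForestNamespaceLayout {
    param(
        [Parameter(Mandatory)][string]$ForestRoot,   # DNS name of the forest root domain
        [Parameter(Mandatory)][string[]]$Domain      # DNS names of every other domain
    )
    $root = $ForestRoot.ToLower()
    $all  = @(@($root) + @($Domain | ForEach-Object { $_.ToLower() }) | Sort-Object -Unique)

    foreach ($fqdn in $all) {
        # A child domain's name is exactly one label in front of its parent's name, so the
        # candidate parent is the name with its first label removed.
        $labels = $fqdn.Split('.')
        $immediateParent = if ($labels.Count -gt 2) { $labels[1..($labels.Count - 1)] -join '.' } else { $null }

        if ($fqdn -eq $root) {
            $role = 'ForestRoot'; $parent = $null;            $trust = $null
        } elseif ($immediateParent -and ($all -contains $immediateParent)) {
            $role = 'Child';      $parent = $immediateParent; $trust = 'parent-child, two-way transitive'
        } else {
            # A separate namespace (or a suffix that is not itself a forest domain) starts
            # a new tree, linked to the forest root by a tree-root trust.
            $role = 'TreeRoot';   $parent = $root;            $trust = 'tree-root, two-way transitive'
        }

        [pscustomobject]@{
            Domain  = $fqdn
            Role    = $role
            TrustTo = $parent
            Trust   = $trust
            Length  = $fqdn.Length
            TooLong = ($fqdn.Length -gt 64)   # the 64-character FQDN limit, periods included
        }
    }
}

function Get-TrustPath {
    # Walks the automatic trusts from one domain up to the lowest common ancestor and down
    # to another: the referral path a cross-domain Kerberos request follows when no
    # shortcut trust exists.
    param(
        [Parameter(Mandatory)][object[]]$Layout,
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To
    )
    $parentOf = @{}
    foreach ($d in $Layout) { $parentOf[$d.Domain] = $d.TrustTo }

    $up = @();   $n = $From.ToLower()
    while ($n) { $up += $n;   $n = $parentOf[$n] }     # From ... forest root
    $down = @(); $n = $To.ToLower()
    while ($n) { $down += $n; $n = $parentOf[$n] }     # To ... forest root

    $lca  = @($up | Where-Object { $down -contains $_ })[0]
    $path = @($up | Select-Object -First ([array]::IndexOf($up, $lca) + 1))
    [array]::Reverse($down)                            # forest root ... To
    $idx = [array]::IndexOf($down, $lca)
    if ($idx -lt $down.Count - 1) { $path += $down[($idx + 1)..($down.Count - 1)] }
    $path
}

# Constructed input: the article's example forest plus one deliberately over-long name.
$layout = Get-ForestNamespaceLayout -ForestRoot 'adatum.com' -Domain @(
    'queensland.adatum.com', 'victoria.adatum.com', 'melbourne.victoria.adatum.com',
    'tasmania.adatum.com', 'contoso.com', 'fabrikam.com',
    'southbank-campus-research-laboratories.melbourne.victoria.adatum.com')
$layout | Format-Table -AutoSize
(Get-TrustPath -Layout $layout -From 'contoso.com' -To 'melbourne.victoria.adatum.com') -join ' -> '

# The same information from a live forest:
#   (Get-ADForest).Domains
#   Get-ADDomain -Identity victoria.adatum.com | Select-Object ParentDomain, ChildDomains
#   Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, IntraForest
```

Run as shown, contoso.com and fabrikam.com come out as TreeRoot rather than Child, the 68-character constructed name is flagged as TooLong, and the trust path from contoso.com to melbourne.victoria.adatum.com passes through adatum.com and victoria.adatum.com, three trust hops that a shortcut trust between the two end domains would reduce to one.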
