In Active Directory, what is a Tree and a Forest


The domain is the core unit of logical structure in Active Directory. A domain is the set of objects that share a common directory database, trust relationships with other domains, and security policies. Each domain stores information only about the objects that belong to that domain.

All security policies and settings, such as administrative rights, security policies, and Access Control Lists (ACLs), do not cross from one domain to another, so a domain administrator has full rights to set policies only within the domain they belong to.

Domains provide administrative boundaries for objects, manage security for shared resources, and serve as the unit of replication for objects.

A Tree
Trees are collections of one or more domains that allow global resource sharing. A tree may consist of a single domain or of multiple domains in a contiguous namespace. A domain added to a tree becomes a child of the tree root domain; the domain to which a child domain is attached is called its parent domain. A child domain can in turn have multiple child domains of its own. A child domain takes its own name followed by the parent domain's name, which gives it a unique Domain Name System (DNS) name.

For example, if tech.com is the root domain, you can create one or more child domains of tech.com, such as north.tech.com or south.tech.com. These "children" may also have child domains created under them, such as sales.north.tech.com.

The domains in a tree have two-way transitive Kerberos trust relationships. A transitive trust simply means that if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C. Therefore, a domain joining a tree immediately has trust relationships with every domain in the tree.

A Forest
A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The trees in a forest are linked by automatic two-way transitive trust relationships. The very first domain you create in the forest is called the forest root domain.

Forests allow an organization to group divisions that use different naming schemes and may need to operate independently, while still letting them communicate with the entire organization via transitive trusts and share the same schema and configuration container.
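As an added illustration (not code from the original post), the following Python model captures the structure described in the Tree and Forest sections above: each child domain derives its DNS name from its parent chain, and trust between any two domains is computed transitively over the automatic two-way trusts (parent-child within a tree, plus the tree-root trusts between the forest root and each additional tree). The tech.com tree is the post's own example; any second tree name or outside domain name you feed in is a constructed value.

```python
from collections import defaultdict, deque

class Domain:
    def __init__(self, label, parent=None):
        self.label, self.parent, self.children = label, parent, []
        if parent is not None:
            parent.children.append(self)   # attach as a child of the parent domain

    @property
    def fqdn(self):
        # A child domain's DNS name is its own label followed by its parent's full name.
        return self.label if self.parent is None else f"{self.label}.{self.parent.fqdn}"

class Forest:
    def __init__(self, root_label):
        self.root = Domain(root_label)  # forest root domain: the first domain created
        self.trees = [self.root]        # every tree root; extra trees use their own namespace

    def add_tree(self, root_label):
        self.trees.append(Domain(root_label))
        return self.trees[-1]

    def direct_trusts(self):
        # Two-way trust adjacency: parent <-> child in each tree, plus a tree-root trust
        # between the forest root and every other tree root.
        adj, stack = defaultdict(set), list(self.trees)
        while stack:
            d = stack.pop()
            if d.parent is not None:
                adj[d.fqdn].add(d.parent.fqdn)
                adj[d.parent.fqdn].add(d.fqdn)
            stack.extend(d.children)
        for t in self.trees[1:]:
            adj[t.fqdn].add(self.root.fqdn)
            adj[self.root.fqdn].add(t.fqdn)
        return adj

    def trusts(self, a, b):
        # Transitive trust: a trusts b if a chain of direct trusts leads from a to b.
        # A name with no trust edges (a domain outside the forest) never matches.
        adj, seen, queue = self.direct_trusts(), set(), deque([a])
        while queue:
            cur = queue.popleft()
            if cur in seen:
                continue
            seen.add(cur)
            if b in adj[cur]:
                return True
            queue.extend(adj[cur])
        return False
```

Building the single tech.com tree first and adding a second tree afterwards shows why a name outside the forest is not trusted until its tree is joined to the forest root.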


©2009 computer technology World | Template Blue by TNB