
AD forest best practice

Apr 14, 2004 | 3 mins
Access Control, Enterprise Applications

* How many Active Directory forests are enough?

Last issue I told you about some presentations I had seen recently that varied widely in the number of Active Directory forests deployed at an enterprise. While the number deployed will certainly vary from organization to organization, there should still be some rules that tend to support either a single forest or dozens.

My friend Howard Marks, chief scientist at Networks Are Our Lives, recommends that in planning an Active Directory deployment you first choose one of three models based on how centralized or decentralized control is in your organization. These are:

* Model #1: Strong Central Control – Under this model, all business units share a centralized Directory Services (DS) infrastructure. This is an ideal model for a single forest.

* Model #2: Hybrid/Subscription – Here, business units can decide to either opt-in or opt-out of the centralized infrastructure. Multiple forests will be needed: a single centralized one plus a small number of others for the “opting out” organizations.

* Model #3: Distributed Infrastructure – In this case, each business unit maintains a separate DS infrastructure. That’s a separate forest for each business unit.

Model #3 sites are not obliged to run one forest per business unit (or more), but the “political” issues (data ownership, server ownership and service ownership) lead to the conclusion that there will be less acrimony and confrontation with many separately administered forests. There is a technical reason as well: in Active Directory the forest, not the domain, is the security boundary. Every domain in a forest trusts every other, the schema and configuration partitions are shared, and a domain administrator in any domain can in practice take control of the whole forest, so a business unit that needs isolation rather than mere autonomy needs a forest of its own.

Windows Server 2003 makes the multiple forest scenario somewhat easier to implement and maintain since it supports: forest trusts, which provide cross-forest authentication and cross-forest authorization (both forests must be at the Windows Server 2003 forest functional level, and selective authentication lets you restrict which users from the other forest may authenticate to which servers); the Group Policy Management Console (GPMC), for managing all Group Policy-related tasks across forests; and Active Directory Application Mode (ADAM), so that individual applications can maintain their own directory structure without touching the forest schema.
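The two settings that decide how much a forest trust exposes you are SID filtering (whether SIDs, including SIDHistory, presented by the other forest are honored) and selective authentication (whether every user of the other forest becomes Authenticated Users on your servers, or only those explicitly granted access). The script below is an added example, not code from the column or from Networks Are Our Lives: it walks the forest trusts of the forest the machine is joined to and reports both settings. It assumes a domain-joined Windows host with PowerShell (which postdates this column) and the .NET System.DirectoryServices.ActiveDirectory classes, run as an account allowed to read trust attributes; all trust names come from the live forest, nothing is hard-coded.

```powershell
# Added example (not from the original column): audit every forest trust of the
# current forest for the two controls that matter when business units keep
# separate forests but still authenticate across them.
# Assumptions: domain-joined host, account that can read trust attributes,
# .NET System.DirectoryServices.ActiveDirectory available.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$report = foreach ($trust in $forest.GetAllTrustRelationships()) {
    # Forest.GetAllTrustRelationships() returns forest trusts; the check is
    # defensive, since the per-forest status calls below only apply to them.
    if ($trust.TrustType -ne [System.DirectoryServices.ActiveDirectory.TrustType]::Forest) {
        continue
    }

    $target        = $trust.TargetName
    $sidFiltering  = $forest.GetSidFilteringStatus($target)          # $true = SIDs from the other forest are filtered
    $selectiveAuth = $forest.GetSelectiveAuthenticationStatus($target) # $true = only explicitly allowed users can authenticate

    # Worst finding first: a trust without SID filtering lets an administrator of
    # the other forest inject SIDs from this forest via SIDHistory.
    $warning = if (-not $sidFiltering) {
        'SID filtering disabled: SIDHistory from the other forest is honored here'
    } elseif (-not $selectiveAuth) {
        'Forest-wide authentication: every user of the other forest is Authenticated Users on every server here'
    } else {
        ''
    }

    [pscustomobject]@{
        Trust                   = "$($trust.SourceName) -> $target"
        Direction               = $trust.TrustDirection
        SidFiltering            = $sidFiltering
        SelectiveAuthentication = $selectiveAuth
        Warning                 = $warning
    }
}

$report | Format-Table -AutoSize

# Exit non-zero when any trust needs attention, so the script can run as a
# scheduled check rather than only interactively.
if ($report | Where-Object { $_.Warning -ne '' }) { exit 1 }
```

SID filtering is on by default for forest trusts created on Windows Server 2003 and should stay on; a trust reported without it is one an administrator relaxed, usually to preserve SIDHistory during a migration, and it should be re-enabled once the migration is done. Selective authentication is off by default, so expect the second warning on every trust you have not deliberately hardened; it is the setting that turns "cross-forest authorization" from a forest-wide grant into something you actually control.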

So large organizations, with decentralized business units and autonomous offices, are prime candidates for multiple forest installations. Remember, though, the setup of the company I mentioned in the last newsletter, whose project started me thinking about forests: a large number of users, many offices, very decentralized. Yet the company’s IT consultant, Sinclair Knight Merz (SKM), chose to go with but a single forest for all of the company’s internal users.

SKM may have discovered new methods that will make its design work well. Or else, being new to Windows networking, the company may be unaware of the research showing that early adopters of Active Directory tended to choose fewer forests than was ideal, and that their networks suffered for it.

We’ll follow up with SKM later in its project to see how it’s going, but I’d wager it’ll be adding some forests before it’s through.