Windows 2000 Server introduced the concept of a forest as a logical and administrative grouping of several Windows domains linked together by trust relationships and a DNS namespace. A forest provides ease of use and ease of administration for resources that must be available to the users of different domains. A forest also facilitates the deployment, administration, and use of enterprise applications such as Microsoft Exchange Server.
In Win2K, the domain is no longer a true security boundary; the final border is the forest. As a consequence, the domains in a forest must have a certain amount of trust between them. Organizations that can't live with the domain trust requirements for political, legal, or purely administrative reasons deploy multiple Win2K forests. In smaller organizations, each forest might consist of one domain. Some larger organizations build multiple forests when they merge with or acquire another company. Some companies build two forests for perimeter-security reasons: one forest for the intranet and another one for the demilitarized zone (DMZ).
Defining trust relationships between forests is a major problem in Win2K. From a security-administration point of view, creating these trust relationships is an administrative nightmare that basically puts your Win2K environment back in the Windows NT 4.0 era. (Remember the spaghetti model of trust?) Also, trust definition in general in Win2K is the same as in Win2K's predecessors: very coarse-grained.
Clearly, Win2K doesn't easily support multiple forests. But in Windows Server 2003, Microsoft introduces a new trust type called forest trust that resolves most of the Win2K multiple forest and cross-forest trust problems and shortcomings. A forest trust is basically one trust link between the two root domains of two forests. Windows 2003 also includes a set of important enhancements that facilitate the setup and administration of trust relationships between forests.
Forest Trusts and Transitivity
In Windows 2003, forest trust relationships are transitive, which means that one trust between the two root domains of two forests enables authentication between all domains in the two forests. Figure 1 shows that because of the transitive forest trust between the Compaq.com and Hp.com forests, domain C in Compaq.com automatically has a transitive trust relationship with domains D, E, and F in Hp.com. The same is true for all the other domains in the two forests. Transitive trusts greatly simplify forest trust administration and provide transparent single sign-on (SSO) between all domains in the two forests. To achieve the same level of trust in Win2K, you must define a trust relationship between each domain in one forest and each domain in the other forest.
Forest trusts aren't transitive between multiple forests. If a forest trust exists between the Compaq.com forest and the Hp.com forest and between the Compaq.com forest and the Digital.com forest, a transitive trust doesn't automatically exist between Digital.com and Hp.com. If you required a transparent SSO experience between Hp.com and Digital.com, you would need to establish an explicit forest trust relationship between those two forests.
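The two transitivity rules above (one forest trust covers every domain pair in the two forests it joins; two forest trusts sharing a forest do not chain into a third) can be checked with a small model. This is an added example, not code from the original article: the forest roots follow Figure 1, while the child-domain names and the Digital.com membership are constructed for illustration.

```python
"""Model of Windows Server 2003 forest-trust transitivity."""
from itertools import product

# Constructed sample topology: forest root -> DNS names of its domains.
# Compaq.com and Hp.com follow Figure 1 (domain C, domains D/E/F);
# the child-domain names and the Digital.com forest are assumptions.
FORESTS = {
    "compaq.com": ["compaq.com", "c.compaq.com"],
    "hp.com": ["hp.com", "d.hp.com", "e.hp.com", "f.hp.com"],
    "digital.com": ["digital.com", "g.digital.com"],
}
# A forest trust is a single link between the root domains of two forests.
FOREST_TRUSTS = [("compaq.com", "hp.com"), ("compaq.com", "digital.com")]


def forest_of(domain):
    """Return the root of the forest that contains `domain`."""
    for root, domains in FORESTS.items():
        if domain in domains:
            return root
    raise KeyError(domain)


def can_authenticate(src, dst):
    """True if a principal from `src` can be authenticated by `dst`.

    Inside one forest every domain trusts every other domain. Across forests,
    a forest trust is transitive over all domains of the two forests it joins,
    but it is never chained through a third forest.
    """
    fs, fd = forest_of(src), forest_of(dst)
    if fs == fd:
        return True
    return (fs, fd) in FOREST_TRUSTS or (fd, fs) in FOREST_TRUSTS


def win2k_trusts_needed(forest_a, forest_b):
    """Explicit per-domain trusts Win2K needs to match one forest trust."""
    return len(list(product(FORESTS[forest_a], FORESTS[forest_b])))


def exposure(root):
    """Domains outside `root`'s forest that will authenticate its users.

    A defender's view of the trust: one forest trust exposes every domain
    of the partner forest, not only its root.
    """
    return sorted(d for r, ds in FORESTS.items() if r != root
                  for d in ds if can_authenticate(root, d))
```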
The Forest Object
The basic enabler behind forest trusts is a new trust type, forest, for the Active Directory (AD) trustedDomain object. A trustedDomain object of type forest carries a new attribute, msDS-TrustForestTrustInfo, that stores information about the domains in the trusted forest: security and naming information about the trusted forest's root domain, plus any top-level name (TLN) restrictions that apply to the trusted forest's other domains. Windows 2003 uses the information stored in msDS-TrustForestTrustInfo to route authentication requests and object lookups between forests.
Windows 2003 replicates the trustedDomain objects and their attributes to the Global Catalog (GC), so any machine in the forest can look up those objects and attributes and use their content. To view a trustedDomain object's attributes, you can use the ADSI Edit tool in the Windows 2003 Support Tools.
To establish a Windows 2003 forest trust relationship, both forests must be at Windows 2003 functionality level 2. The functionality level of a Windows 2003 domain or forest describes the state of its domain controllers (DCs) and the feature set that is available; functionality levels extend the mixed-mode and native-mode concept that exists for domains in Win2K. Forest functionality level 2 is available only when all the forest's domains are at functionality level 2, and a domain can be at functionality level 2 only when all its DCs are running Windows 2003. Windows 2003 functionality level 2 is the highest level: the level at which all new Windows 2003 features are available.