100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Windows

Domains, Trees, and Forests

How Active Directory organizes multiple domains into trees and forests to model organizational and trust boundaries.

Active Directory BasicsBeginner9 min readJul 10, 2026
Analogies

Domains, Trees, and Forests

In Active Directory, a domain is the fundamental unit of administration — a collection of users, groups, and computers that share a single directory database and are bound by common security policies. A tree is a set of one or more domains that share a contiguous DNS namespace, such as contoso.com and its child sales.contoso.com. A forest is the top-level container: one or more trees that share a common schema, configuration partition, and Global Catalog, and it represents the ultimate security boundary in AD.

🏏

Cricket analogy: A domain is like a single IPL franchise's roster, a tree is like all franchises sharing the same BCCI tournament structure, and the forest is the entire BCCI itself governing every tournament under one set of rules.

Domains: The Administrative and Replication Boundary

A domain is both a security boundary and a replication boundary: every domain controller within a domain holds a full writable copy of that domain's objects, and Group Policy Objects (GPOs), password policies, and Kerberos trust relationships are scoped primarily at the domain level. Each domain maps to a DNS domain name (e.g., contoso.com) and gets its own dedicated set of FSMO (Flexible Single Master Operations) roles for domain-specific functions like the PDC Emulator and RID Master, which handle time synchronization and unique SID allocation respectively.

🏏

Cricket analogy: Similar to how each national cricket board sets its own domestic playing conditions and central contract rules, even though every board still operates under the shared ICC framework above it.

Trees: Contiguous Namespaces

Domains within the same tree share a contiguous DNS namespace and are automatically linked by two-way transitive trusts — so sales.contoso.com and hr.contoso.com, both children of contoso.com, trust each other and the parent implicitly, without an administrator manually configuring anything. This transitivity means a user authenticated in a child domain can, subject to permissions, access resources anywhere else in the tree, because Kerberos referral tickets chain the trust path from child to parent to the target domain automatically.

🏏

Cricket analogy: Similar to how a player centrally contracted by the BCCI is automatically eligible to play for any state team recognized under that same board, no separate state-level negotiation required.

powershell
# View the forest and its domain trees
Get-ADForest | Select-Object Name, Domains, RootDomain

# List trust relationships for the current domain
Get-ADTrust -Filter * | Select-Object Name, TrustType, TrustDirection

# Confirm the transitive trust path from a child domain
nltest /domain_trusts /v

Trust transitivity in a tree only means domains trust each other for authentication — it says nothing about actual access. A user from sales.contoso.com is only trusted for authentication in hr.contoso.com; whether they can actually open a file or log into a server there still depends on explicit permissions granted on that resource.

Forests: The Ultimate Security Boundary

The forest is AD's true security boundary because it defines a single schema (the set of all possible object classes and attributes, like 'user' or 'telephoneNumber') and a single Global Catalog (GC), a partial, searchable replica of every object in every domain in the forest, hosted on designated GC servers. Two separate forests do not trust each other by default; an administrator must explicitly create a forest trust, and even then, that trust doesn't automatically extend transitively to a third forest unless specifically configured. The forest root domain also uniquely holds two FSMO roles — Schema Master and Domain Naming Master — that apply forest-wide rather than per-domain.

🏏

Cricket analogy: Similar to how the ICC's own rulebook — the LBW law, the DRS protocol — applies identically to every board under it, and one country's board doesn't automatically recognize a completely separate governing body like a breakaway league without a formal agreement.

Because the forest is the actual security boundary — not the domain — a compromised domain admin in any child domain can, through known escalation paths (like exploiting the SID History attribute or DCSync), often gain control of the entire forest. Treat every domain in a forest as only as secure as its weakest domain.

  • A domain is AD's core administrative and replication boundary, holding a full writable directory copy on each of its DCs.
  • A tree is a set of domains sharing a contiguous DNS namespace, linked by automatic two-way transitive trusts.
  • A forest is the ultimate security boundary, sharing one schema, one configuration partition, and one Global Catalog.
  • Forests do not trust each other by default; a forest trust must be explicitly configured.
  • The forest root domain uniquely holds the Schema Master and Domain Naming Master FSMO roles.
  • Trust between domains enables authentication only — actual resource access still requires explicit permissions.
  • A compromised child domain can potentially compromise the entire forest, so forest-wide security posture matters more than any single domain's.

Practice what you learned

Was this page helpful?

Topics covered

#Windows#WindowsServerActiveDirectoryStudyNotes#MicrosoftTechnologies#DomainsTreesAndForests#Domains#Trees#Forests#Administrative#DataStructures#StudyNotes#SkillVeris