Active Directory tree
What is an Active Directory (AD) tree?
An Active Directory (AD) tree is a collection of domains within a Microsoft Active Directory network. The term refers to the fact that each domain (other than the tree's root) has exactly one parent, leading to a hierarchical tree structure.
A group of AD trees is known as a forest. Domains within the AD tree structure have a transitive trust relationship, meaning that if a domain joins a tree, it automatically trusts all the other domains in that tree.
Structure and characteristics of an Active Directory tree
Active Directory is Microsoft's directory service that stores and organizes information about objects, such as network resources, shared folders, files and users. It also enables the domain controller to authorize and authenticate users looking to access system resources.
Active Directory organizes its objects into logical structures. Two such structures are the AD tree and the AD forest.
An AD tree begins with a single parent, or root, domain and branches out into multiple child domains. The domains in a tree share a contiguous namespace: each child domain's name extends its parent's name, so the tree's boundary is defined by that namespace. Two different trees cannot share one namespace.
When a new domain is added under another domain in the tree, a parent-child relation is created between the existing domain and the new domain.
The characteristics of an Active Directory tree are as follows:
- The parent domain's name is appended to the child domain's name.
- All domains in the tree share a common structure/configuration and a common global catalog. The global catalog acts as a repository of data about objects in the tree.
- Child domains take their names from the parent domain, which is what forms the tree's common, contiguous namespace.
- Whenever a new domain joins a tree, a two-way transitive trust is established between it and its parent domain. As a result, all domains in the tree trust each other.
Basic terms in Active Directory tree
Domain. A logical group of network objects that share an AD database. Each domain in a tree, other than the root, has exactly one parent domain.
Trust relationship. Trust is automatically built between parent and child domains, and between domains in the AD tree. Users in different domains can use these trusts to access resources in another domain.
Global catalog server. The server contains partial information about every object in the AD forest. It enables users to find resources in any domain in the forest.
Organizational units (OUs). These are containers that hold AD objects like users, computers, printers and shared folders, and are used to set security policies and delegate administrative control.
Understanding the Active Directory tree
Consider a parent domain xyz.com. Any child domain of xyz.com has a name formed by prefixing a label to the parent's name. For example, a child domain can be admin.xyz.com, marketing.xyz.com, development.xyz.com and so on.
A child domain can also have multiple domains established under it. For instance, the child domain marketing.xyz.com can have central.marketing.xyz.com, email.marketing.xyz.com, etc.
Active Directory tree vs. Active Directory forest
An AD tree is a collection of domains, and a forest is a collection of trees.
The AD tree is a collection of one or more domains sharing a contiguous namespace and is linked in a transitive trust hierarchy. A forest is a collection of trees that share the same characteristics like a global catalog, directory schema, directory configurations and logical structure.
In a tree, trust between domains can be one-way or two-way. However, an object in one forest can only communicate with an object in another forest if the two forests have a forest trust.
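The naming and trust rules above can be modelled directly: a domain belongs to a tree when the name one label shorter than its own is also a domain of the forest, and any access between two domains of one forest relies on a chain of two-way transitive trusts that runs up the source's tree, across tree roots via the forest root domain, and down the target's tree. The following is an added example written for this article; it is not Microsoft code and does not query a live directory. The forest layout (xyz.com with the child domains named in the article, plus a second tree rooted at abc.net) is constructed sample data, and the `{"root": ..., "domains": [...]}` shape of the forest is an assumption made for the example, not an AD API.

```python
"""
Model of how Active Directory domain names determine tree membership and
which transitive trusts a cross-domain access in one forest relies on.

Added, illustrative example; not Microsoft code. The forest layout below
is constructed sample data following the article's naming scheme.
"""
from collections import defaultdict

# Constructed sample forest: one tree rooted at xyz.com (the forest root)
# and a second tree with the separate namespace abc.net.
FOREST = {
    "root": "xyz.com",
    "domains": [
        "xyz.com", "admin.xyz.com", "marketing.xyz.com", "development.xyz.com",
        "central.marketing.xyz.com", "email.marketing.xyz.com",
        "abc.net", "sales.abc.net",
    ],
}


def normalize(dns_name: str) -> str:
    """DNS names are case-insensitive; strip a trailing dot as well."""
    return dns_name.lower().rstrip(".")


def parent_name(dns_name: str) -> str:
    """Name of the would-be parent domain: the DNS name minus its leftmost label."""
    return ".".join(normalize(dns_name).split(".")[1:])


def build_trees(domains):
    """Group the domains of one forest into trees.

    A domain is a child domain only when its immediate parent name (one label
    shorter) is also a domain of the forest, because an AD child domain prefixes
    exactly one label to its parent's name. Any other domain starts its own
    tree, i.e. its own contiguous namespace.
    Returns ({tree_root: [members]}, {child: parent}).
    """
    names = {normalize(d) for d in domains}
    parent = {d: parent_name(d) for d in names if parent_name(d) in names}
    trees = defaultdict(list)
    for d in sorted(names):
        root = d
        while root in parent:          # climb to the tree root
            root = parent[root]
        trees[root].append(d)
    return dict(trees), parent


def trust_path(src, dst, forest):
    """Domains whose two-way transitive trusts an access from src to dst
    traverses inside one forest. Raises ValueError when either domain is
    outside the forest, since that access would need a forest trust instead.
    """
    src, dst = normalize(src), normalize(dst)
    names = {normalize(d) for d in forest["domains"]}
    if src not in names or dst not in names:
        raise ValueError("src and dst must be domains of the same forest; "
                         "access across forests requires a forest trust")
    _, parent = build_trees(forest["domains"])

    def lineage(d):
        chain = [d]
        while chain[-1] in parent:
            chain.append(parent[chain[-1]])
        return chain                    # d, its parent, ..., its tree root

    up, down = lineage(src), lineage(dst)
    if up[-1] == down[-1]:
        # Same tree: climb only as far as the nearest common ancestor.
        common = next(d for d in up if d in down)
        return up[:up.index(common) + 1] + down[:down.index(common)][::-1]
    # Different trees of one forest: each tree root holds a two-way transitive
    # trust with the forest root domain, so the path crosses the forest root.
    root = normalize(forest["root"])
    bridge = [] if root in (up[-1], down[-1]) else [root]
    return up + bridge + down[::-1]


if __name__ == "__main__":
    trees, _ = build_trees(FOREST["domains"])
    for root, members in trees.items():
        print(f"tree {root}: {', '.join(members)}")
    print(" -> ".join(trust_path("central.marketing.xyz.com", "admin.xyz.com", FOREST)))
    print(" -> ".join(trust_path("sales.abc.net", "admin.xyz.com", FOREST)))
```

Running the module prints the two trees and two trust chains; the second one shows why a sales.abc.net user reaching admin.xyz.com depends on the abc.net tree root's trust with the forest root, which is the kind of dependency a defender wants visible when reviewing which domains implicitly trust which. The length of the returned chain is a useful proxy for how many domains' security an access ultimately rests on.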