1
00:00:06,510 --> 00:00:10,620
In this lesson, we'll talk about what an AD DS forest is.

2
00:00:10,650 --> 00:00:14,830
A forest is a top-level container in AD DS.

3
00:00:14,850 --> 00:00:23,610
Each forest is a collection of one or more domain trees that share a common directory schema and a global

4
00:00:23,610 --> 00:00:24,510
catalog.

5
00:00:24,590 --> 00:00:32,910
A domain tree is a collection of one or more domains that share a contiguous namespace.

6
00:00:32,910 --> 00:00:39,060
The first domain that you create in the forest is called the forest root domain.

7
00:00:39,060 --> 00:00:47,700
The forest root domain contains a few objects that do not exist in other domains in the forest because

8
00:00:47,700 --> 00:00:55,170
you always create these objects on the first domain controller. A forest can consist of as few as one

9
00:00:55,170 --> 00:01:03,330
domain with a single domain controller, or it can consist of hundreds of domains across multiple domain

10
00:01:03,330 --> 00:01:04,110
trees.

11
00:01:04,110 --> 00:01:09,000
The following objects exist only in the forest root domain.

12
00:01:09,000 --> 00:01:18,030
We've got the schema master role, which exists only in the forest root domain because it is a special forest

13
00:01:18,030 --> 00:01:20,010
wide domain controller role.

14
00:01:20,040 --> 00:01:24,210
Only one schema master exists in any forest.

15
00:01:24,210 --> 00:01:31,140
You can change the schema only on the domain controller that holds the schema master.

16
00:01:31,140 --> 00:01:35,250
Another object is the domain naming master role.

17
00:01:35,250 --> 00:01:40,320
This is also a special forest-wide domain controller role.

18
00:01:40,350 --> 00:01:45,690
Only one domain naming master exists in any forest.

19
00:01:45,690 --> 00:01:52,410
Only the domain naming master can add new domain names to the directory.

20
00:01:52,440 --> 00:01:56,310
Next up, the Enterprise Admins group.

21
00:01:56,310 --> 00:02:04,350
By default, the Enterprise Admins group has the administrator account for the forest root domain as

22
00:02:04,350 --> 00:02:13,110
a member. The Enterprise Admins group is a member of the local Administrators group in every domain

23
00:02:13,110 --> 00:02:14,310
in the forest.

24
00:02:14,310 --> 00:02:23,670
This allows members of the Enterprise Admins group to have full control administrative rights to every

25
00:02:23,670 --> 00:02:26,010
domain throughout the forest.

26
00:02:26,010 --> 00:02:33,990
And the last object that exists only in the forest domain is the Schema Admins group.

27
00:02:33,990 --> 00:02:38,280
By default, the Schema Admins group has no members.

28
00:02:38,280 --> 00:02:47,130
Only members of the Enterprise Admins group or the Domain Admins group in the forest domain can add

29
00:02:47,130 --> 00:02:49,800
members to the Schema Admins group.

30
00:02:49,830 --> 00:02:55,500
Only members of the Schema Admins group can make changes to the schema.

31
00:02:55,530 --> 00:03:00,930
Now some words about the security boundary and the replication boundary.

32
00:03:00,930 --> 00:03:06,030
An Active Directory forest is a security boundary by default.

33
00:03:06,030 --> 00:03:13,110
No users from outside the forest can access any resources inside the forest.

34
00:03:13,110 --> 00:03:21,330
Typically, an organization creates only one forest, although you can create multiple forests to isolate

35
00:03:21,330 --> 00:03:26,610
administrative permissions among different parts of the organization.

36
00:03:26,610 --> 00:03:34,290
By default, all the domains in the forest automatically trust the other domains in the forest.

37
00:03:34,290 --> 00:03:43,080
This makes it easy to enable access to resources such as file shares and websites for all the users

38
00:03:43,080 --> 00:03:47,850
in the forest, regardless of the domain to which they belong.

39
00:03:47,880 --> 00:03:57,030
So please remember that by default the domains in a forest automatically trust the other domains

40
00:03:57,030 --> 00:03:58,170
in the forest.

41
00:03:58,170 --> 00:04:07,350
We've also got the replication boundary. An Active Directory forest is the replication boundary for the

42
00:04:07,350 --> 00:04:12,720
configuration and schema partitions in the Active Directory database.

43
00:04:12,720 --> 00:04:18,840
As a result, all the domain controllers in the forest must share the same schema.

44
00:04:18,840 --> 00:04:26,970
Because of this, organizations that want to deploy applications with incompatible schemas need to deploy

45
00:04:26,970 --> 00:04:28,590
additional forests.

46
00:04:28,590 --> 00:04:35,460
The Active Directory forest is also the replication boundary for the global catalog.

47
00:04:35,490 --> 00:04:42,930
The global catalog makes it possible to find objects from any domain in the forest.

48
00:04:42,930 --> 00:04:52,590
For example, the global catalog is used whenever user principal name, or UPN, sign-in credentials

49
00:04:52,620 --> 00:04:59,670
are used, or when Exchange Server address books are used to find users.

50
00:04:59,670 --> 00:05:04,980
So to wrap up, the following objects exist only in the forest root domain:

51
00:05:04,980 --> 00:05:05,340
the schema

52
00:05:05,480 --> 00:05:13,760
master role, the domain naming master role, the Enterprise Admins group and the Schema Admins

53
00:05:13,760 --> 00:05:14,360
group.

54
00:05:14,390 --> 00:05:23,840
Only members of Enterprise Admins or Domain Admins for the forest domain can add members to the Schema Admins

55
00:05:23,840 --> 00:05:29,290
group, and only members of the Schema Admins group can make changes to the schema.

56
00:05:29,300 --> 00:05:40,220
And we've got the security boundary, which is the forest boundary, and all domains in a forest automatically

57
00:05:40,220 --> 00:05:42,860
trust the other domains in the forest.

58
00:05:42,860 --> 00:05:50,870
And we've got the replication boundary, which exists for configuration and schema partition replication

59
00:05:50,870 --> 00:05:56,420
in the Active Directory database and for the global catalog.
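A defender-side check of the forest-wide objects and boundaries the lesson describes, added here as an example that is not part of the lesson: it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine with an account that can read the directory.

```powershell
# Added example (not from the lesson). Assumes the ActiveDirectory RSAT module and read access.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain

"Forest root domain  : $root"
"Domains in forest   : $($forest.Domains -join ', ')"
"Schema master       : $($forest.SchemaMaster)"
"Domain naming master: $($forest.DomainNamingMaster)"

# Exactly one DC holds each forest-wide role. The roles can be moved off the root domain,
# so flag a holder that lives elsewhere as something to account for, not necessarily a fault.
foreach ($holder in @($forest.SchemaMaster, $forest.DomainNamingMaster)) {
    $dc = Get-ADDomainController -Identity $holder
    if ($dc.Domain -ne $root) {
        Write-Warning "$holder holds a forest-wide role but is in domain $($dc.Domain)"
    }
}

# The lesson says Schema Admins has no members by default; membership should appear only
# while a planned schema change is in progress, so anything else is worth investigating.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $root -Recursive
if ($schemaAdmins) {
    Write-Warning "Schema Admins is not empty: $($schemaAdmins.SamAccountName -join ', ')"
} else {
    'Schema Admins is empty (expected default).'
}

# Enterprise Admins is an Administrator in every domain of the forest, so review it too.
$ea = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $root -Recursive
"Enterprise Admins members: $($ea.SamAccountName -join ', ')"

# Intra-forest domains trust each other automatically; the trusts the root domain holds
# show that (IntraForest = True). Any trust with IntraForest = False crosses the forest
# security boundary and deserves its own review.
Get-ADTrust -Filter * -Server $root |
    Select-Object Name, Direction, IntraForest, ForestTransitive |
    Format-Table -AutoSize
```

Run it from the forest root domain with an account that can read group membership; the trust listing is the part to repeat after any change to the forest's boundaries.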