What is an Active Directory Forest?

Active Directory (AD) Organizational Structure: Understanding AD Forests

Active Directory is a vital component of any Microsoft enterprise and often a target for threat actors. As such, it is important not only to secure Active Directory but also to understand how to best configure and manage its components in order to reduce vulnerabilities and help prevent cyberattacks.
The term forest comes up often when discussing Active Directory (AD), but what exactly does it mean? Navigating the organizational structure of Active Directory can be confusing, so to organize Active Directory in a logical and manageable way, Microsoft defined a hierarchical structure consisting of:
  • Domains
  • Trees
  • Forests
Understanding these components and the Active Directory configuration is crucial to effective management and IT administration. In this blog, we will define each of them, their elements, and how they work together.

What is Active Directory?

To understand what a forest is, you must first understand Active Directory and its purpose. Active Directory (AD) is a database used to allow administrators to manage authentication of user accounts and authorize user access to network resources. Active Directory is based on the Lightweight Directory Access Protocol (LDAP) standard and runs as a directory service installed on a Microsoft Windows server.

Active Directory data contains objects, which represent users, groups, contacts, and devices. These AD objects are categorized into object containers called organizational units (OUs), which look like folders. Objects and containers have a unique security identifier (SID) and attributes such as Object Name, Department, City, and so on.

What is a Domain in Active Directory?

A domain is a collection of Active Directory objects, like users, computers, and groups, that share the same authentication database. Domains are identified by a Domain Name System (DNS) name and use a dedicated server called a domain controller (DC) to authenticate and authorize users and to store AD object information centrally, within the domain. Domains are created to establish administrative boundaries between network entities.

An Active Directory root domain, also referred to as a root, is where the Active Directory tree structure starts. It is the first domain at the top of the namespace and defines naming conventions used within the forest. It is the initial scope of authentication and the initial storage location of Active Directory objects.

What is a Tree in Active Directory?

An Active Directory tree is a hierarchical collection of domains within Active Directory. A tree has one starting organizational unit (OU), typically connected to the root domain, and then a series of domains, one below the next, which are known as subdomains. These domains share a common naming convention. Domains and subdomains are often created to divide up administrative responsibility; however, the security boundary of AD is at the forest level.

What is a Forest in Active Directory?

A forest is the highest level of organization within Active Directory and is used to group one or multiple domains together. An Active Directory forest simply refers to all domains within a single AD installation and represents the security boundary of Active Directory. Forests allow administrators to assign broad policies, while trees and individual domains allow for more granularity in access and security.

Enterprise networks can hold hundreds of users and many individual trees, each of which can have one or more domains or subdomains starting from the first domain set up, called the root domain. Altogether, these trees are organized into a forest, establishing a security boundary for network objects. The forest contains all the users, domains, devices, policies, and network objects in the hierarchy underneath it.

The Active Directory Forest Model Structure

Understanding the Active Directory hierarchy and proactively managing and monitoring your Active Directory Forests can help reduce your administrative burden and data security threat exposure while providing access to those that need it. An efficient and organized Active Directory Forest is the key to an efficient and productive workflow.
To better understand how Active Directory structural components work together, it is necessary to understand the structure of Active Directory forests and the terms used to define that structure, including forest trusts, the Active Directory schema, and the global catalog.

Forest Trusts

  • Forest Trust: An Active Directory forest provides a security boundary to manage relationships for users to access resources. An Active Directory forest trust establishes a link between one or more forests to allow management of objects and resources across forest boundaries.
Parent and child domains within trees are automatically linked together by trust relationships that allow admins to grant users access to resources within the forest without having to reauthenticate by logging in repeatedly. Trust relationships can also be manually created and configured to provide controlled access to shared resources and verify that authentication requests come from trusted sources.

Active Directory Schema

  • Active Directory Schema: The Active Directory schema defines the attributes that are applied against Active Directory objects and their classes.
While Microsoft provides a default schema, it is extensible, so you can add your own classes and attribute definitions. The Active Directory schema stores the class and attribute definitions that describe objects.

Global Catalog

  • Global Catalog: A global catalog allows a domain controller (DC) to provide information on each of the Active Directory objects within the forest. Global catalogs allow for faster searches across a forest because they contain reference information about all objects within each individual domain.
When you enable the global catalog (GC) feature for a domain controller, the domain controller then becomes a global catalog server. This is important to aid in object searches and processing authentication and authorization requests across AD Domains.
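As an added example (not code from the original post), the following PowerShell inventories the elements just described: the root domain and its domain tree, the trusts each domain holds, the global catalog servers, and the schema. It assumes the RSAT ActiveDirectory module and a domain-joined account with read access to the forest; the function name is my own.

```powershell
Import-Module ActiveDirectory

function Get-ForestStructureReport {
    $forest = Get-ADForest
    # Every domain in the forest; ParentDomain exposes the tree (subdomain) layout.
    $domains = foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        [pscustomobject]@{
            DNSRoot      = $dom.DNSRoot
            ParentDomain = $dom.ParentDomain     # $null for the root of a tree
            IsForestRoot = ($dom.DNSRoot -eq $forest.RootDomain)
        }
    }

    # Trusts seen from each domain; IntraForest = $false means the trust crosses the forest security boundary.
    $trusts = foreach ($d in $forest.Domains) {
        Get-ADTrust -Filter * -Server $d | ForEach-Object {
            [pscustomobject]@{
                Source                  = $_.Source
                Target                  = $_.Target
                Direction               = $_.Direction
                IntraForest             = $_.IntraForest
                ForestTransitive        = $_.ForestTransitive
                SIDFilteringQuarantined = $_.SIDFilteringQuarantined
                SelectiveAuthentication = $_.SelectiveAuthentication
            }
        }
    }

    # Object classes defined in the schema partition (Microsoft defaults plus any extensions).
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $classes  = @(Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel -LDAPFilter '(objectClass=classSchema)')

    [pscustomobject]@{
        Forest         = $forest.Name
        RootDomain     = $forest.RootDomain
        ForestMode     = $forest.ForestMode
        SchemaMaster   = $forest.SchemaMaster
        SchemaClasses  = $classes.Count
        GlobalCatalogs = @($forest.GlobalCatalogs)   # DCs holding a partial replica of every domain
        Domains        = $domains
        Trusts         = $trusts
    }
}

$report = Get-ForestStructureReport
$report | Format-List
# Cross-forest trusts without selective authentication let every user of the trusted forest authenticate here; list them for review.
$report.Trusts | Where-Object { -not $_.IntraForest -and -not $_.SelectiveAuthentication }
```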
Now that we have a clear understanding of the terms and elements of an Active Directory forest, we can review the forest model types. There are three types of Active Directory forest models: organizational, resource, and restricted access.

Organizational Forest Model

  • Organizational Forest Model: In the organizational forest model, user accounts and resources are contained in the forest and managed independently.

This model is the simplest form and typically the standard configuration. The organizational model can be used to provide autonomy within the forest and isolate services or data from anyone outside the forest. Trust relationships can then be established making it possible for administrators to grant access to resources in the other forest.

Resource Forest Model

  • Resource Forest Model: A resource forest model is where separate forests are created specifically for resources.
Aside from administrative accounts, the forest does not contain user accounts. Trust relationships are then created to allow users to access resources of the resource forest. Resource forest models can be useful in situations, like manufacturing, where protected areas can be isolated to maintain service availability should problems arise.

Restricted Access Model

  • Restricted Access Forest Model: A restricted access model includes multiple separate forests with no trust relationships between them.
Users in one forest cannot access resources of another forest, creating a strong, restricted boundary between forests. Restricted access models can be used in environments that require high security levels.

Active Directory Forest Best Practices

Active Directory forests are complicated, dynamic environments, leaving significant room for error and vulnerabilities ripe for attack. Microsoft provides some overall best practices for Active Directory, like managing a password policy, keeping track of inactive users, continuous monitoring, and regular housekeeping. We’ve also compiled a few to help you keep your Active Directory environment stable and secure.


It is best practice to consolidate multiple forests into a single forest, whenever possible. However, if you need an additional layer of security between two Active Directory domains, it may make sense to leverage multiple forests within Active Directory. Keep in mind, each forest you maintain requires additional management.

Active Directory forests can be linked together by establishing forest trusts, as mentioned above, which govern access permissions for user accounts that need access to both Active Directory forests.

Control and Restrict Access

The more access users have in Active Directory, the more potential for security exposure and attack. Apply the principle of least privilege and give users access to only the resources they need to do their job. If they do not need access to certain domains in the forest, data, or applications, then do not grant it. This helps prevent lateral movement within a network in case of a security breach and limits exposure.

Avoid the Empty Forest Root Domain

Microsoft initially recommended the use of an Empty Forest Root Domain to form a security boundary for objects stored in the Root Domain, such as the Enterprise Admin Group. Administrators, however, found that the Empty Forest Root Domain added additional work without much real benefit. Microsoft has updated its guidance and recommends avoiding the Empty Forest Root Domain as a standard practice, but many organizations continue to use it.

Track and Limit Admin Permissions, Resources, and Enforce Naming Conventions

It is easy to create a mess if you are not vigilant about using consistent naming conventions for Active Directory objects. Administrators also need to be extremely careful when assigning permissions, especially with nested groups based on a parent-child hierarchy. It is incredibly easy to assign permissions to a group whose nested memberships provide access to areas that users should not have. Enforcing naming conventions and permission assignments is complex and will require the use of third-party solutions such as Cayosoft Administrator.
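As an added example (not code from the original post or from Cayosoft), the following PowerShell supports the least-privilege review described in the Control and Restrict Access section and the nested-group problem described above: it expands the effective membership of the forest's privileged groups across every domain, records how deep each member was nested, and stops on nesting loops. It assumes the RSAT ActiveDirectory module and read access to each domain; the function names are my own.

```powershell
Import-Module ActiveDirectory

# Domain DNS name from a DN, e.g. "CN=x,CN=Users,DC=corp,DC=example" -> "corp.example".
function Get-DomainFromDN([string]$DN) {
    (($DN -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
}

# Walk the member attribute recursively; $Seen stops A-in-B-in-A nesting loops.
function Expand-GroupMembers {
    param([string]$GroupDN, [int]$Depth = 0, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($GroupDN)) { return }
    $Seen[$GroupDN] = $true
    $group = Get-ADGroup -Identity $GroupDN -Server (Get-DomainFromDN $GroupDN) -Properties member
    foreach ($memberDN in $group.member) {
        $obj = Get-ADObject -Identity $memberDN -Server (Get-DomainFromDN $memberDN)
        [pscustomobject]@{
            ViaGroup    = $group.Name
            Depth       = $Depth          # > 0 means reached through a nested group
            Member      = $obj.Name
            ObjectClass = $obj.ObjectClass
            Domain      = Get-DomainFromDN $memberDN
            # foreignSecurityPrincipal = identity from another forest, granted via a trust
            CrossForest = ($obj.ObjectClass -eq 'foreignSecurityPrincipal')
        }
        if ($obj.ObjectClass -eq 'group') {
            Expand-GroupMembers -GroupDN $memberDN -Depth ($Depth + 1) -Seen $Seen
        }
    }
}

# Privileged groups by well-known RID/SID so renamed or moved groups are still found:
# Enterprise Admins (519) and Schema Admins (518) exist only in the forest root domain;
# Domain Admins (512) and BUILTIN\Administrators exist in every domain.
$forest  = Get-ADForest
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$targets = @("$rootSid-519|$($forest.RootDomain)", "$rootSid-518|$($forest.RootDomain)")
foreach ($d in $forest.Domains) {
    $sid = (Get-ADDomain -Identity $d).DomainSID.Value
    $targets += "$sid-512|$d", "S-1-5-32-544|$d"
}

$effective = foreach ($t in $targets) {
    $sid, $server = $t -split '\|'
    $dn = (Get-ADGroup -Identity $sid -Server $server).DistinguishedName
    Expand-GroupMembers -GroupDN $dn
}
# Depth > 0 rows are the members a direct-membership review would miss.
$effective | Sort-Object ViaGroup, Depth |
    Format-Table ViaGroup, Depth, Member, ObjectClass, Domain, CrossForest -AutoSize
```

Rows flagged CrossForest are principals from a trusted forest; compare them against the trust list before deciding whether that membership is intended.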


Domain controllers can read and write anything in the Active Directory database, so data security is crucial. Administrators must take proactive steps to minimize threat exposure, including:
  • Managing the potential threat vectors including typical breach targets, such as unpatched software, gaps in antivirus/antimalware, misconfigurations, privilege escalation, etc.
  • Hardening systems against attack (physical access, domain controller operating systems, and secure configurations)
  • Monitoring for potential attack vectors and unwanted changes
  • Detailed planning for threat mitigation, business continuity, and disaster recovery
Your Active Directory provides critical services to keep your business running. Unfortunately, outages are becoming more common, caused by unwanted changes to user or group data or by ransomware and wiper cyberattacks. Cayosoft Guardian Forest Recovery is the industry’s only comprehensive recovery solution for all major directory recovery scenarios. By combining instant rollback of AD objects and attributes, continuous, real-time change monitoring, and breakthrough Instant Forest Recovery, you can ensure your Active Directory is secure and can be recovered quickly after cyberattacks.

Want to learn more about ways to secure and recover your Active Directory forest?

Learn more about Cayosoft Guardian Forest Recovery, the only all-in-one solution for instantly recovering your Microsoft directories, or schedule a personalized demo to see how Cayosoft can help you ensure your identities are recovered after ransomware strikes!
