Active Directory – Part 2: Domains, Trees & Forests
Part 1 covered what Active Directory is and how it works inside a single environment. Part 2 goes one level up: how AD scales across domains, trees, forests, acquisitions, and enterprise boundaries.
Domain: the core administrative unit where users, computers, policies, and authentication live.
Tree: a group of domains that share a contiguous DNS namespace and are linked by automatic trusts.
Forest: the top-level AD container and the true security boundary.
What Is a Domain?
A domain is the fundamental unit of Active Directory. Everything from Part 1 — the Domain Controller, Kerberos authentication, Group Policy, objects, and attributes — lives inside a domain.
Think of a domain as a single, self-contained administrative boundary. Most small-to-medium organizations run a single domain with one DNS namespace, one set of Domain Controllers, and one shared identity system.
Every domain has a DNS name, such as corp.contoso.com or london.fabrikam.com.
Policies, permissions, and administration are scoped inside the domain unless access is explicitly granted elsewhere.
A domain is not the true security boundary. The forest is the real security boundary in AD.
What Is a Tree?
A tree is a collection of domains that share a contiguous DNS namespace and are connected by automatic parent-child trust relationships. A lone domain is technically a tree of one; the moment you add a child domain beneath an existing domain, you have a multi-domain tree.
contoso.com
├── europe.contoso.com
│   └── uk.europe.contoso.com
└── asia.contoso.com
All of these domains form a single tree because they share the contoso.com namespace. The structure is literally tree-like: a root domain at the top, with branches spreading below.
Trusts: How Domains Talk to Each Other
When a child domain is added, Active Directory automatically creates a parent-child trust between it and its parent; when a second tree is added to a forest, it creates a tree-root trust between the two root domains. A trust means the trusting domain accepts that the trusted domain has already authenticated its users, so those users can be granted access to its resources. The trust establishes authentication only; authorization still has to be granted on each resource.
These automatic intra-forest trusts are always two-way and transitive. If domain A trusts domain B, and domain B trusts domain C, then A trusts C through the chain, which is why every domain in a forest can authenticate users from every other domain without any trust being configured by hand.
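To make the chain rule concrete, here is an added example (not code from the original article) that walks trusts the way a domain controller resolves them. It takes trust records using the property names that Get-ADTrust returns (Source, Target, Direction, IntraForest, ForestTransitive, DisallowTransivity) and computes which account domains a given resource domain will accept authentication from. The records are constructed: the contoso.com tree shown above, plus an assumed forest trust between contoso.com and fabrikam.com and an assumed one-way external trust from asia.contoso.com to the hypothetical domain partner.example, included to show a non-transitive hop.

```powershell
# Added example, not part of the original article. Trust records use the property names
# Get-ADTrust returns, so the same function runs on live output, e.g. (assumed, not run here):
#   $trusts = foreach ($d in (Get-ADForest).Domains) { Get-ADTrust -Filter * -Server $d }
# The records below are constructed: the contoso.com tree from the article, an assumed forest
# trust to fabrikam.com, and an assumed external trust to the hypothetical partner.example.

function New-TrustRecord {
    param([string]$Source, [string]$Target, [string]$Direction,
          [switch]$IntraForest, [switch]$ForestTransitive, [switch]$DisallowTransivity)
    [pscustomobject]@{
        Source = $Source; Target = $Target; Direction = $Direction
        IntraForest = [bool]$IntraForest; ForestTransitive = [bool]$ForestTransitive
        DisallowTransivity = [bool]$DisallowTransivity   # spelled the way the AD module spells it
    }
}

$sampleTrusts = @(
    # Parent-child trusts inside the contoso.com forest: created automatically, two-way, transitive.
    New-TrustRecord 'contoso.com'           'europe.contoso.com'    'BiDirectional' -IntraForest
    New-TrustRecord 'europe.contoso.com'    'contoso.com'           'BiDirectional' -IntraForest
    New-TrustRecord 'europe.contoso.com'    'uk.europe.contoso.com' 'BiDirectional' -IntraForest
    New-TrustRecord 'uk.europe.contoso.com' 'europe.contoso.com'    'BiDirectional' -IntraForest
    New-TrustRecord 'contoso.com'           'asia.contoso.com'      'BiDirectional' -IntraForest
    New-TrustRecord 'asia.contoso.com'      'contoso.com'           'BiDirectional' -IntraForest
    # Assumed forest trust between forest roots: reaches every domain of the other forest, never a third forest.
    New-TrustRecord 'contoso.com'         'fabrikam.com'        'BiDirectional' -ForestTransitive
    New-TrustRecord 'fabrikam.com'        'contoso.com'         'BiDirectional' -ForestTransitive
    New-TrustRecord 'fabrikam.com'        'london.fabrikam.com' 'BiDirectional' -IntraForest
    New-TrustRecord 'london.fabrikam.com' 'fabrikam.com'        'BiDirectional' -IntraForest
    # Assumed one-way external trust: asia.contoso.com trusts partner.example, non-transitively.
    New-TrustRecord 'asia.contoso.com' 'partner.example' 'Outbound' -DisallowTransivity
)

function Get-TrustedAccountDomains {
    # Returns a hashtable: account domain -> the trust path by which $ResourceDomain ends up trusting it.
    # Walks outbound trusts from the resource domain with the transitivity rules AD applies:
    #  - intra-forest trusts chain without limit;
    #  - a forest trust can be crossed once, which exposes the other forest's domains but nothing beyond;
    #  - a non-transitive (external) trust counts only as a direct hop from the resource domain.
    param([string]$ResourceDomain, [object[]]$Trusts)

    $reached = @{}
    $visited = @{ "$ResourceDomain|False" = $true }   # key: domain + whether a forest trust was crossed
    $queue   = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue([pscustomobject]@{ Domain = $ResourceDomain; Crossed = $false; Path = @($ResourceDomain) })

    while ($queue.Count -gt 0) {
        $state = $queue.Dequeue()
        $outbound = $Trusts | Where-Object { $_.Source -eq $state.Domain -and $_.Direction -in 'Outbound', 'BiDirectional' }
        foreach ($t in $outbound) {
            $direct     = $state.Domain -eq $ResourceDomain
            $transitive = (-not $t.DisallowTransivity) -and
                          ($t.IntraForest -or ($t.ForestTransitive -and -not $state.Crossed))
            if (-not ($direct -or $transitive)) { continue }

            $crossed = [bool]($state.Crossed -or $t.ForestTransitive)
            $key = "$($t.Target)|$crossed"
            if ($visited.ContainsKey($key)) { continue }
            $visited[$key] = $true

            $path = @($state.Path) + $t.Target
            if (-not $reached.ContainsKey($t.Target)) { $reached[$t.Target] = $path -join ' -> ' }

            # Only transitive trusts let the walk continue; an external trust is a dead end.
            if ($t.IntraForest -or $t.ForestTransitive) {
                $queue.Enqueue([pscustomobject]@{ Domain = $t.Target; Crossed = $crossed; Path = $path })
            }
        }
    }
    return $reached
}

# Which account domains can authenticate to a resource in uk.europe.contoso.com?
$reach = Get-TrustedAccountDomains -ResourceDomain 'uk.europe.contoso.com' -Trusts $sampleTrusts
$reach.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-24} via {1}' -f $_.Name, $_.Value }
```

For uk.europe.contoso.com the walk reaches europe.contoso.com, contoso.com and asia.contoso.com through parent-child trusts, then crosses the forest trust once to reach fabrikam.com and london.fabrikam.com; partner.example never appears, because the external trust from asia.contoso.com is not transitive. Run it with asia.contoso.com as the resource domain and partner.example shows up as a direct hop. Swap in live Get-ADTrust output and the same function answers the question a pentester or incident responder asks first: which domains' credentials are accepted here, and by what path.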
What Is a Forest?
A forest is the top-level container in Active Directory. It is a collection of one or more trees that share a common schema, configuration, and Global Catalog, but they do not need to share the same DNS namespace. Trees in the same forest are joined by a tree-root trust between their root domains.
The first domain created in an AD deployment becomes the forest root domain. This is a special domain. It cannot be removed without destroying the forest, it holds forest-wide administrative roles such as the Schema Master and Domain Naming Master, and it is the only domain that contains the forest-wide Enterprise Admins and Schema Admins groups.
The Forest as the True Security Boundary
The forest, not the domain, is where Active Directory draws the hard security line. Every domain in a forest trusts every other through the automatic two-way transitive trusts, the forest-wide privileged groups and the schema live in the forest root, and SID filtering is not applied between domains of the same forest. A highly privileged administrator in one domain can therefore escalate to, or affect, other domains inside the same forest; when assessing risk, treat Domain Admin in any domain as forest-level privilege.
If an organization needs genuine separation — for example, after an acquisition where two IT teams must remain isolated — separate forests are usually the cleaner security design.
The Real-World Company Analogy
Imagine a large company called Meridian Group. It owns multiple businesses: Meridian Financial, Meridian Logistics, and Apex Technologies.
Meridian Logistics is simple. It runs one domain: meridian-logistics.com. One office, one IT team, one domain.
Meridian Financial is more complex. It has regional IT teams in the US, APAC, and EMEA. It runs a tree with meridian-financial.com as the root and child domains such as us.meridian-financial.com, apac.meridian-financial.com, and emea.meridian-financial.com.
Apex Technologies was acquired, but it kept its own AD environment. It runs a separate forest: apex-tech.internal. Access between Meridian and Apex must be controlled using a forest trust.
[Diagram: Domains, Trees & Forests. It shows how a real enterprise can structure Active Directory: a forest contains trees, trees contain domains, and domains contain users, computers, groups, and policies. The separate forest at the bottom represents an acquired company that kept its own AD security boundary.] The scenarios that follow walk through that structure.
A UK analyst in uk.emea.meridian-financial.com needs access to a report in us.meridian-financial.com. Because both domains are in the same tree, no manual trust needs to be created. Permissions still need to be assigned, but authentication can flow through the trust chain.
Account password policy is set per domain (the Default Domain Policy, or fine-grained password policies for specific users and groups); there is no forest-level password policy, and a GPO linked in one domain does not govern accounts in another. A baseline can still be standardised by applying the same settings in every domain's policy, with regional domains adding stricter requirements where needed. This is why OU and domain design matters before Group Policy becomes complex.
Apex Technologies keeps a separate forest after acquisition. A forest trust configured with selective authentication allows controlled access to specific resources without merging both AD environments into one security boundary. SID filtering, which is enabled by default on a forest trust, should stay enabled so that SID history carried by accounts from the other forest cannot be used to claim privilege in this one.
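Whether a forest trust actually preserves the boundary comes down to a handful of bits in the trust object's trustAttributes field, which Get-ADTrust exposes as TrustAttributes. The following is an added example (not code from the original article) that decodes those bits, using the values documented in MS-ADTS, and reports the settings that matter for the separation described above and in the forest-boundary section earlier. The four trust records at the bottom are constructed for the Meridian/Apex scenario; the live one-liner in the comments assumes a domain-joined host and is not run here.

```powershell
# Added example, not part of the original article. Decodes the trustAttributes bit field that
# Get-ADTrust exposes as TrustAttributes (bit values as documented in MS-ADTS) and reports the
# settings that decide whether a forest trust still keeps the forest a security boundary.
# Live use on a domain-joined host (assumed, not run here):
#   Get-ADTrust -Filter * | ForEach-Object { Get-TrustFindings $_.Source $_.Target $_.TrustAttributes }
# The four trusts at the bottom are constructed for the Meridian/Apex scenario.

$TRUST_ATTR = @{
    NonTransitive       = 0x1     # TRUST_ATTRIBUTE_NON_TRANSITIVE
    Quarantined         = 0x4     # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN: SID filtering on an external trust
    ForestTransitive    = 0x8     # TRUST_ATTRIBUTE_FOREST_TRANSITIVE: this is a forest trust
    SelectiveAuth       = 0x10    # TRUST_ATTRIBUTE_CROSS_ORGANIZATION: selective authentication
    WithinForest        = 0x20    # TRUST_ATTRIBUTE_WITHIN_FOREST: parent-child, tree-root or shortcut trust
    TreatAsExternal     = 0x40    # TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL: forest-trust SID filtering relaxed
    EnableTgtDelegation = 0x800   # TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
}

function Get-TrustFindings {
    param([string]$Source, [string]$Target, [int]$TrustAttributes)
    $set = { param($Name) ($TrustAttributes -band $TRUST_ATTR[$Name]) -ne 0 }
    $findings = @()

    if (& $set 'WithinForest') {
        # Nothing to harden here: both domains already share one security boundary.
        $kind = 'intra-forest'
    } elseif (& $set 'ForestTransitive') {
        $kind = 'forest trust'
        if (-not (& $set 'SelectiveAuth')) {
            $findings += 'forest-wide authentication: every user in the other forest can authenticate here'
        }
        if (& $set 'TreatAsExternal') {
            $findings += 'SID filtering relaxed (netdom /enablesidhistory:Yes): SID history from the other forest is honoured'
        }
        if (& $set 'EnableTgtDelegation') {
            $findings += 'Kerberos TGT delegation enabled across the forest boundary'
        }
    } else {
        $kind = 'external (or realm)'
        if (-not (& $set 'Quarantined')) {
            $findings += 'SID filtering (quarantine) not set on this trust'
        }
    }

    [pscustomobject]@{
        Source   = $Source
        Target   = $Target
        Kind     = $kind
        Hardened = ($findings.Count -eq 0)
        Findings = ($findings -join '; ')
    }
}

# Constructed records: a parent-child trust, a forest trust as created by default, the same
# trust with selective authentication, and a forest trust weakened to ease an account migration.
$samples = @(
    @{ Source = 'meridian-financial.com'; Target = 'us.meridian-financial.com'; Attr = 0x20 }
    @{ Source = 'meridian-financial.com'; Target = 'apex-tech.internal';        Attr = 0x8 }
    @{ Source = 'meridian-financial.com'; Target = 'apex-tech.internal';        Attr = 0x18 }
    @{ Source = 'meridian-financial.com'; Target = 'apex-tech.internal';        Attr = 0x848 }
)
$samples | ForEach-Object { Get-TrustFindings $_.Source $_.Target $_.Attr } | Format-Table -AutoSize
```

The parent-child record reports nothing because there is no boundary to protect inside a forest. The default forest trust (0x8) is flagged for forest-wide authentication; adding selective authentication (0x18) clears it. The last record (0x848) shows the two changes that quietly collapse the boundary: SID filtering relaxed so that SID history from Apex is honoured in Meridian, and TGT delegation allowed across the trust. Those are the three settings to check before calling a forest trust a "selective" one.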
Schema changes apply at the forest level. If Meridian extends its schema for a major application, that change affects domains inside the Meridian forest, but not the separate Apex forest.
What This Means in Practice
Once you understand domains, trees, and forests, you can read an organization’s AD structure and quickly understand where administrative boundaries exist, what cross-domain access is possible, and where the true security perimeter sits.
Active Directory – Part 3 will continue the fundamentals series and go deeper into the next core building blocks of AD.