Active Directory forests & domains

Active Directory is the key element in authentication methods for users in Microsoft systems. It also manages the validation of computers and devices connected to a network and can also be deployed as part of a file permissions system.

Microsoft increasingly relies on the Active Directory system to provide user account management for a range of its products. For example, AD is at the heart of the user authentication methodology for Exchange Server.

We get into a lot of detail on the tools we feature below, but if you only have time for a summary, here is our list of the five best tools for managing Active Directory forests and domains:

  1. SolarWinds Access Rights Manager (FREE TRIAL) Supervises AD implementations for Windows, SharePoint, Exchange Server, and Windows File Share.
  2. SolarWinds Admin Bundle for Active Directory (FREE TOOL) Three free tools to help you manage access rights in AD.
  3. Paessler Active Directory Monitoring with PRTG  A three-in-one system monitoring tool that covers networks, servers, and applications. Includes an AD monitor to manage AD replication.
  4. ManageEngine ADManager Plus An attractive front end to Active Directory that will manage permissions to Office 365, G-Suite, Exchange, and Skype, as well as standard Windows utility access rights.
  5. Microsoft Active Directory Topology Diagrammer A nice free tool that generates a layout of your AD structure for interpretation through Visio.

Domains, trees, and forests

The concept of a domain is commonly understood by the networking community. A website is a domain and is identified on the World Wide Web by a domain name. Another use of the term lies in addressing on a network where all computers are within the same address space, or ‘scope.’

In Active Directory terminology, a domain is the area of a network covered by one single authentication database. The server that holds that database is called a domain controller.

Everyone knows what a forest is in the real world – it is an area that is covered by trees. So, where are the trees in Active Directory?

Several domains can be linked together in a tree structure. So, you can have a parent domain with child domains linked to it. The child domains inherit the address space of the parent, so the child is a subdomain. The top of the tree structure is the root domain. The whole set of parent and child relationships forms the tree. A child of one domain can also be the parent of other domains.

So, think of a group of domains that share the same root domain address as a tree. Once you can see the trees, you can work out what the forest is: it is a collection of trees.

Distribution and replication

The concept of a forest is complicated slightly by the fact that it is a collection of unique trees. On large networks, it is a common practice to replicate the domain controller and have several copies on different servers around the system — this speeds up access.

If you operate a multi-site WAN, you want to have a common network access system for the whole organization. The location of the domain controller can have a serious impact on performance, with users at remote locations having to wait longer in order to log into the network. Having copies of the domain controller locally gets around this problem.

When you have several copies of the same domain controller in different locations, you don’t have a forest.

The central administration module of Active Directory needs to coordinate all of the copies to make sure all of the databases are exactly the same. This requires a process of replication. Although the Active Directory permissions database is distributed around the network, it is not what is officially regarded as a ‘distributed database.’ In a distributed database, the collection of records is split between several servers. So, you would need to visit each server in order to gather the full database. This is not the case with Active Directory because each server (domain controller) has an exact and complete copy of the database.

Benefits of replication

A replicated domain controller has several additional benefits for security. If one domain controller gets damaged accidentally, you can replace all of the original records by copying over the database from another site. If a hacker gets hold of credentials from one of the users on a network, they may try to alter the permissions held in the local domain controller to get high privileges, or wider access to resources on the network. Those changes can be rolled back once spotted.

The constant comparison between domain controller databases provides a key security measure. The replication process can also help you shut down a compromised account all across the system. However, the restoration of an original database and the rollout of updated records require very regular system sweeps and integrity checks in order to be effective.

The management of replication is a key task for network managers operating Active Directory. The fact that there can be many local domain controllers can give intruders an opportunity to sneak around a segment of the network and steal or alter data before being detected and locked out. The coordination between copies of domain controllers can soon become a very complicated and time-consuming task. It cannot be carried out manually within a reasonable timeframe. You need to use automated methods to keep frequent checks on all domain controllers and to update all servers when a change is made to the permissions that they contain.

Defining a forest

In order to have a forest, you need to have several domain trees. This scenario could exist if you want to have different permissions for different areas of your network. So, you might have a separate domain per site, or you might want to keep the permissions for certain resources or services on your network completely separate from the regular network authentication system. So, domains can overlap geographically.

Your company network may contain many domain controllers; some of them will contain the same database, while others contain different permissions.

Imagine your company runs services for users on its own network and wants to keep those permissions separate from the resources accessed by staff. It would create two separate domains. If you also run Exchange Server for your company email system, you will have another AD domain.

Although the staff email system will probably have the same domain name as the website, you do not HAVE to keep all domains with the same domain root in the same tree. So, the email system can have a single-domain tree and the user network can have a separate single-domain tree. So, in this scenario, you are dealing with three separate domains, which make a forest.

The Exchange domain may well have just one domain controller, because the actual server for the email system is only resident in one location, and so only needs to access one authentication database. The user domain might only need to be in one location – on the gateway server. However, you could implement an instance of your staff domain controller for each of your company’s sites. So, you may have seven domain controllers, five for the staff domain, one for the user domain, and one for the email domain.

You might want to divide up the internal network into subsections by office function, so you would have an accounts section and a sales section with no interoperability. These would be two child domains of the parent staff domain, forming a tree.

One reason to keep the staff network separate from the user network is for security. The need for privacy on the internal system may even extend to creating a separate domain name for that staff network, which does not need to be made known to the general public. This move forces the creation of a separate tree because you cannot have different domain names included in one tree. Although the email system and the user access system only have one domain each, they also each represent a tree. Similarly, if you decided to create a new website with a different domain name, this could not be merged into the administration of the first site because it has a different domain name.

Splitting up the staff domain to create child domains requires more domain controllers. Rather than just one domain controller per site for the staff network, you now have three per site, making a total of 15 over five sites.

Those 15 staff domain controllers need to be replicated and coordinated, with the tree structure relationship between the three original domains preserved on each of the five sites. Each of the other two domain controllers is distinct and won’t be part of the replication procedures of the staff domain. The site has three trees and one forest.

As you can see from this relatively simple example, the complexity of managing domains, trees, and forests can quickly become unmanageable without a comprehensive monitoring tool.

Global Catalog

Although the separation of resources into domains, subdomains, and trees can enhance security, it doesn’t automatically eliminate the visibility of resources in a network. A system called Global Catalog (GC) lists all of the resources in a forest and it is replicated to every domain controller that is a member of that forest.

The protocol that underpins GC is called the ‘transitive trust hierarchy.’ This means that all elements of the system are assumed to be bona fide and not harmful to the security of the network as a whole. Therefore, the authentication records entered in one domain can be trusted to grant access to a resource that is registered on another domain.

Users given permissions to resources in one domain don’t automatically get access to all resources, even within the same domain. The GC feature that makes resources visible to all does not mean that all users can access all resources in all domains of the same forest. All that GC lists is the name of all objects in the forest. It isn’t possible for members of other domains to query even the attributes of those objects in other trees and domains.

Multiple forests

The forest isn’t just a description of all trees run by the same administration group; there are common elements for all domains that are held at forest level. These common features are described as a ‘schema.’ The schema contains the design of the forest and all of the domain controller databases within it. This has a unifying effect, which is expressed in the common GC that is replicated to all controllers within the same forest.

There are some scenarios where you might need to maintain more than one forest for your business. Because of GC, if there are resources that you want to keep completely secret from members of the domains, you would have to create a separate forest for them.

Another reason that you might need to set up a separate forest is if you are installing AD management software. It could be a good idea to create a sandbox copy of your AD system to try out the configuration of your new software before letting it loose on your live system.

If your company acquires another business that already operates Active Directory on its network, you will be faced with a number of options. The way your business deals with the new company will dictate how you operate the network of that new division. If the business of the new company is going to be taken over by your organization and the name and identity of that company will be retired, then you will need to migrate all of the users and resources of the acquired business over to your existing domains, trees, and forest.

If the acquired company will carry on trading under its existing name, then it will be continuing with its current domain names, which cannot be integrated into your existing domains and trees. You could port the trees of this new division over to your existing forest. However, a simpler method is to leave that acquired network as it is and link together the forests. It is possible to create a transitive trust authority between two independent forests. This action must be performed manually and it will extend the accessibility and visibility of resources so that effectively, the two forests merge on a logical level. You can still maintain the two forests separately and that trust link will take care of mutual accessibility for you.

Active Directory Federation Services

Active Directory runs a number of services that authenticate different aspects of your system or aid cohesion between domains. One example of a service is Active Directory Certificate Services (AD CS), which controls public key certificates for encryption systems, such as Transport Layer Security. The service that is relevant to domains and forests is Active Directory Federation Services (AD FS).

AD FS is a single sign-on system, which extends the authentication of your network out to services run by other organizations. Examples of systems that can be included in this service are Google G-Suite facilities and Office 365.

The single sign-on system exchanges authentication tokens between your AD implementation and the remote service so once users have logged into your network, they will not need to log in again to the participating SSO remote service.

Managing AD forests and domains

A relatively straightforward structure for Active Directory can quickly become unmanageable once you start creating subdomains and multiple forests.

Generally, it is better to err towards having as few domains as possible. Although separating out resources into different domains and subdomains has security benefits, the increased complexity of a multiple-instance architecture can make intrusion tracking difficult.

If you are beginning a new Active Directory implementation from scratch, it is recommended that you start off with one domain in one tree, all contained by one forest. Select an AD management tool to assist you in the installation. Once you have become adept at managing your domain with your chosen tool, you can consider splitting out your domain into subdomains and also adding on more trees or even forests.
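The checks described above (which domains form which trees, how many domain controllers and global catalogs each domain has, which forest trusts exist, and whether replication between domain controllers is healthy) can be automated from a management workstation. The following PowerShell is an added example, not code from the article or from any vendor named in it; it assumes the RSAT ActiveDirectory module is installed and the account running it can read the forest.

```powershell
# Added example (not part of the original article): inventory the forest,
# trees, domains and trusts, then check replication health.
# Assumes the RSAT ActiveDirectory module and read access to the forest.
Import-Module ActiveDirectory -ErrorAction Stop

$forest = Get-ADForest
"Forest {0} (mode {1}), root domain {2}" -f $forest.Name, $forest.ForestMode, $forest.RootDomain

# Index every domain in the forest by its DNS name so parent links can be followed.
$byName = @{}
foreach ($dns in $forest.Domains) {
    $d = Get-ADDomain -Identity $dns
    $byName[$d.DNSRoot] = $d
}

function Get-TreeRoot([string]$dns) {
    # A tree is the set of domains sharing one DNS namespace: walk up ParentDomain
    # until a domain with no parent in this forest is reached; that is the tree root.
    $current = $byName[$dns]
    while ($current.ParentDomain -and $byName.ContainsKey($current.ParentDomain)) {
        $current = $byName[$current.ParentDomain]
    }
    return $current.DNSRoot
}

# Group domains into trees and count domain controllers and global catalogs per domain.
$trees = $byName.Values | Group-Object { Get-TreeRoot $_.DNSRoot }
"Trees in forest: {0}" -f @($trees).Count
foreach ($tree in $trees) {
    "Tree rooted at {0}:" -f $tree.Name
    foreach ($d in $tree.Group) {
        $dcs = @(Get-ADDomainController -Filter * -Server $d.DNSRoot)
        $gcs = @($dcs | Where-Object IsGlobalCatalog)
        "  {0}: {1} domain controller(s), {2} global catalog(s)" -f $d.DNSRoot, $dcs.Count, $gcs.Count
    }
}

# Trusts: forest-transitive, non-intra-forest entries are the manual links between
# independent forests that extend resource visibility across the boundary.
"Trusts:"
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest |
    Format-Table -AutoSize

# Replication health: any failure, or a partner not successfully replicated in over an
# hour, is the kind of condition the article says must be caught by automated sweeps.
$failures = @(Get-ADReplicationFailure -Scope Forest)
if ($failures.Count -gt 0) {
    "Replication failures:"
    $failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime |
        Format-Table -AutoSize
} else {
    "No replication failures reported by any domain controller in the forest."
}
$stale = Get-ADReplicationPartnerMetadata -Scope Forest |
    Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-1) }
if ($stale) {
    "Partners with no successful replication in the last hour:"
    $stale | Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}
```

The one-hour threshold is an assumed value for illustration; the intra-site default replication interval is shorter, and inter-site schedules you configure may legitimately be longer.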

The best Active Directory management tools

Don’t try to get by managing your authentication system without assisting tools. You will get overwhelmed very quickly if you try to do without specialist tools. Fortunately, many Active Directory management and monitoring tools are free, so you don’t have the problem of budget holding you back from trying one out.

There are many AD tools on the market at the moment, so you will end up spending a lot of time assessing software if you try to preview all of them. Just picking the first tool that appears in a search engine results page is also a mistake. To ease your quest, we have compiled a list of recommended tools for AD.


Related: You can read more about these options in the next sections of this guide. For a longer list of AD software, check out 12 Best Active Directory Tools and Software.

1. SolarWinds Access Rights Manager (FREE TRIAL)

SolarWinds Access Rights Manager

The top of the line tool for AD management is the SolarWinds Access Rights Manager. This tool installs on all versions of Windows Server. This Active Directory management tool is able to supervise AD implementations that operate for SharePoint, Exchange Server, and Windows File Share as well as general operating system access.

This tool includes a lot of automation that can help you complete standard tasks with little effort. This category of tasks includes user creation and there is also a self-service portal to enable existing users to change their own passwords.

The Access Rights Manager tracks user activity and resource access around the clock through a logging system. This enables you to discover any intrusion even if it happens outside of business hours or when you are away from your desk.

The utility also has an analysis feature that can help you decide how to optimize your AD implementation. The Access Rights Manager will highlight inactive accounts and help you tidy up your domain controllers by weeding out abandoned user accounts.

Reporting tools in the Access Rights Manager are coordinated to the requirements of data security standards bodies, so you can enforce rules and demonstrate compliance through this AD assistant.

You can get a 30-day free trial of the Access Rights Manager. A cut down version of the tool is available for free. This is called the SolarWinds Permissions Analyzer for Active Directory.

2. SolarWinds Admin Bundle for Active Directory (FREE TOOL)

SolarWinds Admin Bundle

SolarWinds produces another Active Directory monitoring option with their Admin Bundle for Active Directory. This pack of tools includes:

  • Inactive User Account Removal Tool
  • Inactive Computer Account Removal Tool
  • User Import Tool

The User Import Tool gives you the ability to create user accounts in bulk from a CSV file. The Inactive User Account Removal utility helps you identify and close down unused user accounts. With the Inactive Computer Account Removal Tool, you can identify defunct device records in your Active Directory domain controllers. This free tool bundle runs on Windows Server.

3. Paessler Active Directory Monitoring with PRTG

PRTG Active Directory

Paessler’s PRTG is a bundle of tools, each of which is called a ‘sensor.’ The utility includes Active Directory sensors that help you monitor your AD implementation. PRTG runs on Windows Server and you can use it for free if you only activate 100 sensors. The price of the paid tool depends on how many sensors you activate.

The AD sensors in PRTG keep track of the replication system of Active Directory. This ensures that the complete database is copied to all domain controller versions that are located around your network. The tool also logs user activity to help you to detect inactive user accounts. You can get a 30-day free trial of the full system with unlimited sensors.

4. ManageEngine ADManager Plus

ManageEngine ADManager Plus

ManageEngine produces resource monitoring systems, and this comprehensive AD management tool is written to the company’s high standard. You can use it to manage permissions for Office 365, G-Suite, Exchange, and Skype as well as your network access rights.

ADManager Plus has a web-based interface, so it can run on any operating system. You can create, edit, and remove objects from your domain controller including bulk actions. The tool monitors account usage so you can spot dead accounts and a number of AD management tools can be automated through the utility.

The auditing and reporting functions of ADManager Plus help you demonstrate compliance with SOX, HIPAA, and other data security standards.

This system is available in Standard and Professional editions. You can get a 30-day free trial of the tool. If you decide not to buy after the trial period ends, the software keeps working as a restricted, free version.

5. Microsoft Active Directory Topology Diagrammer

Microsoft Active Directory Topology Diagrammer

This mapping tool from Microsoft is a really useful free assistant when you are managing a complicated AD implementation. It creates a map in Visio that shows the relationship between all of your domains, trees, and forests. Unfortunately, the latest version of Windows that it can be installed on is Windows 7 and the latest version of Windows Server that can run the tool is Windows Server 2008 R2. You also need to have Visio installed in order to use this tool.

Active Directory management

Now that you understand the basics of Active Directory configurations, you should consider employing a tool to help you manage your implementation. Hopefully, our guide has set you on the path to running AD more effectively.

Do you use any tools to manage Active Directory? Do you use any of the tools on our list? Leave a message in the Comments section below to share your experience with the community.