In my continuing adventures with LDAP, I keep coming across the phrase "multi-forest environment".
Whilst I'm pretty certain it doesn't apply to me, I'm very curious to know what it means.
In short, it means that you have two or more forests that need to interact. It implies that you are either using Trusts between the forests, setting up Federated Services, or manually inputting your credentials for every single connection.
In my experience, this comes about in one of three ways:
- Your company has acquired or been acquired by another company (and has yet to merge them), or
- You have Prod and Test environments that you really do want completely separated, or
- The person filling the Architect role in your company doesn't know that you can have more than one domain per forest.
LDAP functional integration gets looser as you go from domain -> forest -> multiple forest levels of trust. Within a domain everything by default is trusted (but possibly not authorized), within a forest transitive trusts allow all member domains to have visibility and to trust objects in other member domains while keeping things like replication traffic and administrative boundaries under control.
Domains that have a close organisational relationship but that need to be kept distinct for any reason belong to a forest in order to simplify large-scale administration/organisation. So you might have production.acme.com, test.acme.com, Tokyo.acme.com etc. as separate domains in a single forest. You will have a consistent name space and schema and (in general) easy mechanisms for accessing or providing access to objects across domains because, by default, you have transitive trusts between all domains within a forest.
If your organisational structure requires that certain domains have a different schema, or multiple IT groups need direct ownership of their directory services, or you need more complete administrative separation between some domains, then you need a multi-forest design with some trusts between the forests (or possibly just between specified domains).
The above is based on Active Directory but the same principles should apply to any LDAP environment.
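The answers above describe the trust boundaries (domain, forest, inter-forest) in prose; the script below is an added example, not code from the question or either answer, showing how those boundaries look when read back out of the directory. In Active Directory each trust is stored as a `trustedDomain` object under `CN=System` of the trusting domain, and its `trustAttributes` and `trustDirection` values (flag constants from MS-ADTS) tell you whether the trust stays inside the forest, spans forests, or is an external trust to a single domain. The entries here are constructed inline so the script runs offline; in a live environment they would come from an LDAP search for `objectClass=trustedDomain`. The forest name `acme.com` and the partner domain names are made up.

```python
"""Classify Active Directory trusts from trustedDomain attributes.

Added example, not part of the original Q&A. The sample entries are
constructed; in production they would be read over LDAP from
CN=System,<domain DN> with the filter (objectClass=trustedDomain).
Flag values are the trustAttributes / trustDirection constants from MS-ADTS.
"""

# trustAttributes bit flags (MS-ADTS section 6.1.6.7.9)
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001
TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x00000002
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004   # SID quarantine on the trust
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008    # a forest trust, not a domain trust
TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010   # selective authentication required
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020        # trust partner is in the same forest
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040

FLAG_NAMES = {
    TRUST_ATTRIBUTE_NON_TRANSITIVE: "NON_TRANSITIVE",
    TRUST_ATTRIBUTE_UPLEVEL_ONLY: "UPLEVEL_ONLY",
    TRUST_ATTRIBUTE_QUARANTINED_DOMAIN: "QUARANTINED_DOMAIN",
    TRUST_ATTRIBUTE_FOREST_TRANSITIVE: "FOREST_TRANSITIVE",
    TRUST_ATTRIBUTE_CROSS_ORGANIZATION: "CROSS_ORGANIZATION",
    TRUST_ATTRIBUTE_WITHIN_FOREST: "WITHIN_FOREST",
    TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL: "TREAT_AS_EXTERNAL",
}

# trustDirection values (MS-ADTS section 6.1.6.7.12)
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# Constructed sample: four trustedDomain entries as seen from the forest root
# of the (made-up) forest acme.com.
SAMPLE_TRUSTS = [
    # child domain of the same forest: automatic, transitive, two-way
    {"cn": "tokyo.acme.com", "trustDirection": 3,
     "trustAttributes": TRUST_ATTRIBUTE_WITHIN_FOREST},
    # forest trust to an acquired company, quarantine flag set
    {"cn": "widgets.example", "trustDirection": 3,
     "trustAttributes": TRUST_ATTRIBUTE_FOREST_TRANSITIVE
     | TRUST_ATTRIBUTE_QUARANTINED_DOMAIN},
    # external (single-domain, non-transitive) trust to a legacy domain
    {"cn": "legacy.example", "trustDirection": 1,
     "trustAttributes": TRUST_ATTRIBUTE_NON_TRANSITIVE},
    # outbound forest trust to a partner with neither hardening flag set
    {"cn": "partner.example", "trustDirection": 2,
     "trustAttributes": TRUST_ATTRIBUTE_FOREST_TRANSITIVE},
]


def decode_flags(attrs):
    """Return the set of flag names present in a trustAttributes value."""
    return {name for bit, name in FLAG_NAMES.items() if attrs & bit}


def trust_scope(attrs):
    """Map trustAttributes to the boundary the trust crosses."""
    if attrs & TRUST_ATTRIBUTE_WITHIN_FOREST:
        return "intra-forest"
    if attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        return "forest"
    return "external"


def classify_trust(entry):
    """Summarise one trustedDomain entry and list settings worth reviewing.

    Intra-forest trusts are implicit and fully transitive, so there is nothing
    to review. For any trust that leaves the forest, report whether the SID
    quarantine flag and selective authentication (CROSS_ORGANIZATION) are set,
    since those are the knobs that limit what the other side can assert.
    """
    attrs = entry["trustAttributes"]
    scope = trust_scope(attrs)
    findings = []
    if scope != "intra-forest":
        if not attrs & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
            findings.append("quarantine-flag-clear")
        if not attrs & TRUST_ATTRIBUTE_CROSS_ORGANIZATION:
            findings.append("selective-auth-off")
    return {
        "name": entry["cn"],
        "direction": DIRECTION.get(entry["trustDirection"], "unknown"),
        "scope": scope,
        "transitive": not attrs & TRUST_ATTRIBUTE_NON_TRANSITIVE,
        "flags": sorted(decode_flags(attrs)),
        "findings": findings,
    }


def trusts_crossing_forest(entries):
    """Names of trusts that leave the forest, i.e. the multi-forest part."""
    return [classify_trust(e)["name"] for e in entries
            if trust_scope(e["trustAttributes"]) != "intra-forest"]


if __name__ == "__main__":
    for entry in SAMPLE_TRUSTS:
        summary = classify_trust(entry)
        print(f"{summary['name']:<18} {summary['scope']:<12} "
              f"{summary['direction']:<13} findings={summary['findings']}")
    print("inter-forest trusts:", trusts_crossing_forest(SAMPLE_TRUSTS))
```

Run against a real forest, the intra-forest rows are the "single forest, transitive trusts everywhere" case the second answer describes, and the `forest`/`external` rows are exactly the multi-forest relationships the question asks about; the findings column is where an administrator would start when deciding whether an inter-forest trust is as tightly scoped as the organisational separation that motivated it.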