Datasheet

Active Directory for Exchange Server 2007
Domains establish trust relationships with one another that allow security principals in a
trusted domain to be authenticated to, and granted access to resources in, a trusting domain.
Since Windows 2000, Active Directory has used transitive, two-way trusts between the domains
of a forest (Windows Server 2003 added forest trusts, which extend this between two forests).
When a child domain is created, a trust relationship is automatically configured between that
child domain and the parent domain. This is a two-way trust, meaning that resource access
requests can flow from either domain to the other. The trust is also transitive, meaning that
any domain trusted by one domain is automatically trusted by the other domain, so the trust
extends through intermediate domains. For example, in Figure 1.1, consider the three domains
named wiley.com, sales.wiley.com, and marketing.sales.wiley.com. When sales.wiley.com was
created as a child domain of wiley.com, a two-way trust was formed between the two. When
marketing.sales.wiley.com was created as a child of sales.wiley.com, another two-way trust
was formed between those two domains. Though no explicit trust relationship was ever defined
directly between the marketing.sales.wiley.com and wiley.com domains, the two domains trust
each other anyway because of the transitive nature of trust relationships within a forest.
Domain Forests
A domain forest is a group of one or more domain trees that do not form a contiguous
namespace but share a common schema, a common configuration partition, and a common global
catalog. There is always at least one forest on the network, and it is created when the first
domain controller on a network is installed. The first domain in a forest is called the forest
root domain, and it is special because the forest takes its name from it and because it holds
the forest-wide Enterprise Admins and Schema Admins groups. It cannot be removed from the
forest without removing the entire forest. Finally, no other domain can ever be created above
the forest root domain in the forest domain hierarchy. Figure 1.2 shows an example of a domain
forest with multiple domain trees.
FIGURE 1.2 A domain forest consists of one or more domain trees. The figure shows two trees
in one forest: wiley.com with its children sales.wiley.com and marketing.sales.wiley.com, and
wrox.com with its children production.wrox.com and dallas.production.wrox.com.
A forest defines the outermost boundary of Active Directory; the directory cannot be larger
than the forest. The forest is also the security boundary: because the automatic trusts inside
a forest are transitive and do not apply SID filtering, a domain is only an administrative
boundary, and an administrator of any domain in the forest must be treated as trusted for the
whole forest. You can create multiple forests and then create trust relationships between
specific domains in those forests (external trusts), or between the forests themselves (forest
trusts); this would let you grant access to resources and accounts that are outside a
particular forest. However, an Exchange organization cannot span multiple forests.
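The following PowerShell script is an added example, not code from the book, that ties
together the two sections above: it lists the forest root, the domain trees and the shared
global catalog and schema of the current forest, enumerates every trust with its direction and
transitivity, and then walks the transitive trust graph from one domain to show which domains
its users reach with no direct trust defined (marketing.sales.wiley.com reaching wiley.com via
sales.wiley.com in the book's example). It assumes the RSAT ActiveDirectory module, a
domain-joined session that can read every domain in the forest, and the helper name
Get-TrustedResourceDomains, which is invented here.

```powershell
# Added example (not from the book). Assumes the RSAT ActiveDirectory module and a
# domain-joined session with read access to every domain. Domain names in the comments
# follow the book's wiley.com / wrox.com figure.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ }

# A tree root has no ParentDomain inside the forest; its children extend its DNS name
# (sales.wiley.com under wiley.com). A second tree (wrox.com) starts a new namespace.
$treeRoots = $domains | Where-Object { -not $_.ParentDomain }

[pscustomobject]@{
    ForestRoot     = $forest.RootDomain            # cannot be removed without removing the forest
    ForestMode     = $forest.ForestMode
    TreeRoots      = ($treeRoots.DNSRoot -join ', ')
    GlobalCatalogs = ($forest.GlobalCatalogs -join ', ')
    SchemaMaster   = $forest.SchemaMaster          # one schema for the whole forest
} | Format-List

# Every domain stores a trustedDomain object for each of its own trusts, so query each one.
# Direction is from the viewpoint of the domain the object lives in:
#   Outbound      = this domain trusts Target (Target's users can use this domain's resources)
#   Inbound       = Target trusts this domain
#   BiDirectional = both (the automatic parent/child and tree-root trusts)
$trusts = foreach ($d in $domains) {
    Get-ADTrust -Filter * -Server $d.DNSRoot | ForEach-Object {
        [pscustomobject]@{
            Source        = $d.DNSRoot
            Target        = $_.Target
            Direction     = [string]$_.Direction
            IntraForest   = $_.IntraForest
            ForestTrust   = $_.ForestTransitive
            Transitive    = ($_.IntraForest -or $_.ForestTransitive) -and -not $_.DisallowTransivity
            SIDFiltering  = ($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)
            SelectiveAuth = $_.SelectiveAuthentication
        }
    }
}
$trusts | Sort-Object Source, Target | Format-Table -AutoSize

function Get-TrustedResourceDomains {
    <#
      Hypothetical helper: breadth-first walk of the trust graph from the domain a user's
      account lives in. Users of $UserDomain can use resources in every domain that trusts
      it directly (Inbound or BiDirectional from $UserDomain's viewpoint) and, over
      transitive trusts, in every domain that trusts one of those. Only trust objects stored
      in this forest are known, so a forest reached over a forest trust is a single node.
    #>
    param([string]$UserDomain, [object[]]$Trusts)
    $reached = [ordered]@{}
    $seen    = @{ $UserDomain = $true }
    $queue   = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($UserDomain)
    while ($queue.Count -gt 0) {
        $here  = $queue.Dequeue()
        $edges = $Trusts | Where-Object { $_.Source -eq $here -and $_.Direction -in @('Inbound', 'BiDirectional') }
        foreach ($t in $edges) {
            if ($seen.ContainsKey($t.Target)) { continue }
            $seen[$t.Target]    = $true
            $reached[$t.Target] = if ($here -eq $UserDomain) { 'direct' } else { "via $here" }
            # Keep walking only through trusts that are transitive; an external trust stops here.
            if ($t.Transitive) { $queue.Enqueue($t.Target) }
        }
    }
    return $reached
}

# In the book's forest, marketing.sales.wiley.com reaches wiley.com "via sales.wiley.com"
# even though no trust object links the two domains directly.
Get-TrustedResourceDomains -UserDomain $forest.RootDomain -Trusts $trusts

# Check: intra-forest trusts never apply SID filtering (SID history is honoured across them),
# which is why the forest, not the domain, is the security boundary. Any trust that leaves
# the forest should have SID filtering on; warn about those that do not.
$trusts | Where-Object { -not $_.IntraForest -and -not $_.SIDFiltering } | ForEach-Object {
    Write-Warning "Trust $($_.Source) -> $($_.Target) leaves the forest without SID filtering"
}
```

Run it from an elevated PowerShell session on a domain-joined host; the walk is read-only. Pass
any domain's DNS name as -UserDomain to see the reach from a different tree, for example
dallas.production.wrox.com, which reaches wiley.com through the transitive tree-root trust
between wrox.com and the forest root.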