
Forests

A forest is a collection of one or more domain trees that share the AD DS root domain and schema. The first domain configured in the forest is called the forest root domain. A forest can contain a single domain, or it can be composed of hundreds of domains spread across different domain trees. A few objects exist only in the forest root domain:

  • Schema master role: This special, forest-wide FSMO role can only exist once in a forest. As mentioned earlier, a schema can only be changed from the domain controller that holds this role.
  • Domain-naming master role: This is another special, forest-wide FSMO role that can only exist once in a forest. The domain-naming master role is responsible for adding new domains, so if the domain controller that holds this role isn't online, new domains can't be added to the forest.
  • Enterprise Admins group: By default, the Enterprise Admins group has the Administrator account for the forest root domain as a member. The Enterprise Admins group is the most powerful group in the forest, because it's a member of the local Administrators group in every domain in the forest. Members of the Enterprise Admins group have full administrative control in every domain in the forest.
  • Schema Admins group: By default, the Schema Admins group has no members. Only members of the Enterprise Admins group or the Domain Admins group (in the forest root domain) can add members to the Schema Admins group. Only members of the Schema Admins group can make changes to the schema.

Every forest has security and replication boundaries. Security boundaries are, by default, very strict: no one from outside the forest can access any resources inside it. If you need to provide access to one forest from another, you need to configure a forest trust between them. Unlike the forest security boundary, all the domains in a forest automatically trust each other. With this default configuration, access to resources such as file shares and websites is simple for all users in the forest, regardless of the domain they belong to.

From a replication-boundaries perspective, only the configuration and schema partitions of the AD DS database are replicated to all domains in the forest. Because of this, if you want to run applications that require incompatible schemas, you need to deploy additional forests. The global catalog is also forest-wide, which makes it easy to search for AD DS objects that live in other domains of the forest.
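The forest-root objects and boundaries described above can be audited from PowerShell. The script below is an added example and is not code from the book; it assumes the ActiveDirectory RSAT module is installed and that it runs under a domain-joined account with read access to the forest root domain (`Get-ADForest`, `Get-ADGroupMember`, and `Get-ADTrust` are the standard AD module cmdlets). It reports which domain controllers hold the two forest-wide FSMO roles, lists the members of Enterprise Admins and Schema Admins in the root domain (Schema Admins should normally be empty), and shows any forest trusts that widen the default security boundary.

```powershell
# Added example (not from the book): audit the forest root domain.
# Assumes the ActiveDirectory RSAT module and read access to the forest root.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = $forest.RootDomain

# Forest-wide FSMO roles exist exactly once per forest; if the domain-naming
# master is offline, no new domains can be added, so record both holders.
[PSCustomObject]@{
    ForestRoot         = $rootDomain
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
    Domains            = ($forest.Domains -join ', ')
    GlobalCatalogs     = ($forest.GlobalCatalogs -join ', ')
} | Format-List

# Enterprise Admins and Schema Admins only exist in the forest root domain,
# so query that domain explicitly with -Server instead of the local domain.
$groupReport = foreach ($groupName in 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $groupName -Server $rootDomain -Recursive)
    foreach ($m in $members) {
        [PSCustomObject]@{
            Group  = $groupName
            Member = $m.SamAccountName
            Class  = $m.objectClass
        }
    }
    # Schema Admins is empty by default; any member means someone can change
    # the schema and should be reviewed.
    if ($groupName -eq 'Schema Admins' -and $members.Count -gt 0) {
        Write-Warning "Schema Admins in $rootDomain has $($members.Count) member(s); expected 0."
    }
}
$groupReport | Format-Table -AutoSize

# Forest trusts are the only way another forest gets access to this one;
# list them with direction and whether selective authentication is enforced.
Get-ADTrust -Filter { ForestTransitive -eq $true } -Server $rootDomain |
    Select-Object Name, Direction, SelectiveAuthentication, SIDFilteringForestAware |
    Format-Table -AutoSize
```

Run it from the forest root domain or any member of the forest; the `-Server $rootDomain` arguments make sure the group and trust queries are answered by a root-domain domain controller rather than by the local domain, which is where the mistake of reading an empty "Schema Admins" in a child domain usually comes from.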
