
What is an Active Directory Forest?

4 min read
Last updated March 17, 2022

An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration; it contains domains, users, computers, and group policies.

“But wait?” you say. “I thought Active Directory was just one domain?”

A single Active Directory configuration can contain more than one domain, and we call the tier above the domain the AD forest. Under each domain, you can have several trees, and it can be tough to see the forest for the trees.

This additional top-level layer creates security challenges and increased potential for exploitation, but it can also mean greater isolation and autonomy when necessary: the trick is to understand AD forests and different strategies to protect them.


How to Create a Forest Design?

Say you want to create a forest, or (and more likely) you have inherited a forest that you need to clean up. It’s common to see several different domains and GPOs in one or more forests that try to coexist due to earlier attempts at consolidation or acquisition.

First, determine if there are any organizational requirements that require a completely separate set of security policies. Frame the conversation with a focus on data security:

  • Are there over-arching policies you can set at the AD forest level?
  • Do you need additional domains with different security policies or segregated network connectivity?
  • Are there legal or application requirements that require separate domains in the forest?

Once you have the “autonomy and isolation” requirements documented, the design team can build the forest, domains, and GPOs according to each team or organization’s needs.

How Many Forests are Required?

In some cases, it might be necessary to create separate AD forests based on the autonomy or isolation requirements. Adding additional forests multiplies the complexity to manage the AD schema. There are some considerations to make if you decide to add another forest to your AD schema:

  • Can you achieve sufficient isolation without creating a second forest?
  • Do all of the stakeholders understand the ramifications of separate forests?
    • Management of 2 separate forests means you will have double the application servers and IT costs.
  • Do you have the resources to manage another forest?
    • A single IT team should not manage both AD forests. Security professionals recommend one (1) IT team per forest for segregation of duties.
    • Best practice is to migrate new or acquired domains into a single AD forest.

Single Forest vs Multi-Forest Active Directory Design

A single AD forest is a simpler solution long-term and generally considered best practice. It’s possible to create a secure environment without the additional overhead of a 2nd AD forest with multiple domains by leveraging GPOs, established data owners, and a least privilege model.

Multi-forests do provide an extra layer of security across the two domains, but at a significant increase to IT cost. Multi-forests do not make you more secure by default. You still need to configure GPOs and permissions appropriately for each AD forest.

Forest Design Models

There are three primary ways to design an AD forest, and you can mix and match those designs to meet your organization’s security needs. Every Active Directory has at least one AD forest, and there are cases where multiple AD forests are required to meet business and security objectives. Here are a few different forest models. Each model has different advantages and disadvantages, and unique use cases.

Organizational Forest Model

In an organizational forest, user accounts and resources are stored and managed together. This is the standard configuration.

Characteristics of an organizational forest model:

  • Provides autonomy to users and resources in the forest
  • Isolates services and data from anyone outside the forest
  • Trust relationships between forests can allow access to some resources that live in outside forests

Resource Forest Model

A resource forest separates user accounts and resources into different forests. You would use this configuration to separate a manufacturing system or mission-critical system from the primary forest, so any problems with one forest allow the other to continue operation.

Characteristics of a Resource Forest Model:

  • Users live in the organizational forest
  • Resources live in one or more additional forests
  • Only alternative administrative user accounts live in the resource forests
  • Trusts enable resource sharing with the users
  • This model provides service isolation, so if one forest goes down the others will continue to operate as normal.

Restricted Access Forest Model

A restricted access forest totally isolates the users and resources in it from other forests. You would use this configuration to completely secure data and limit users to specific datasets.

Characteristics of a Restricted Access Forest Model:

  • No trusts exist to other forests
  • Users from other forests are not able to access resources in the restricted access forest
  • Users need a 2nd computer to access the restricted forest
  • Can be housed on a completely separate network if necessary
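The trust characteristics listed above for the organizational model (trusts can expose resources to outside forests) and for the restricted access model (no trusts at all) are both things you can verify rather than assume. The following PowerShell is an added example and is not code from the Varonis post: it enumerates the trusts of the forest the session is joined to with the RSAT ActiveDirectory module (`Get-ADForest`, `Get-ADTrust`) and flags the ones that reduce isolation. The `$ExpectRestrictedAccessForest` switch is an assumption of this example, not an Active Directory setting.

```powershell
# Added example (not from the Varonis post). Lists every trust of the
# current forest and reports the ones that weaken isolation.
# Assumes the RSAT ActiveDirectory module and a domain-joined session;
# trustedDomain objects are readable by any authenticated user.
Import-Module ActiveDirectory

# Set to $true when the forest under review is meant to be a restricted
# access forest: in that model the expected trust count is zero.
$ExpectRestrictedAccessForest = $false

$forest = Get-ADForest
Write-Host ("Forest {0}: root domain {1}, domains [{2}]" -f `
    $forest.Name, $forest.RootDomain, ($forest.Domains -join ', '))

# Get-ADTrust also returns parent/child trusts inside this forest;
# only trusts that cross the forest boundary matter for isolation.
$trusts = @(Get-ADTrust -Filter * | Where-Object { -not $_.IntraForest })

if ($trusts.Count -eq 0) {
    Write-Host 'No trusts to other forests or domains: nothing outside this forest can authenticate here.'
    return
}

$report = foreach ($t in $trusts) {
    $findings = @()

    if ($ExpectRestrictedAccessForest) {
        $findings += 'restricted access forest should have no trusts'
    }
    # Direction is from this domain's point of view: an Outbound trust
    # means this domain trusts the other side, so its principals can be
    # granted access to resources here. Inbound means our accounts are
    # usable on the other side.
    $dir = "$($t.Direction)"
    if ($dir -in @('Outbound', 'BiDirectional')) {
        $findings += 'outside principals can be granted access to this forest'
    }
    if ($dir -in @('Inbound', 'BiDirectional')) {
        $findings += 'this forest''s accounts can be used in the other forest'
    }
    # Without selective authentication, every user across a forest trust
    # counts as an Authenticated User on every resource here.
    if ($t.ForestTransitive -and -not $t.SelectiveAuthentication) {
        $findings += 'forest-wide authentication (selective authentication off)'
    }
    # External (non-forest) trusts rely on the quarantine flag for SID filtering.
    if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
        $findings += 'SID filtering (quarantine) disabled on external trust'
    }

    [PSCustomObject]@{
        Target         = $t.Target
        Direction      = $t.Direction
        ForestTrust    = $t.ForestTransitive
        SelectiveAuth  = $t.SelectiveAuthentication
        SIDQuarantined = $t.SIDFilteringQuarantined
        Findings       = ($findings -join '; ')
    }
}

$report | Format-Table -AutoSize
```

Run it once per domain you want to inspect (trusts are domain objects, so a child domain can carry trusts the forest root does not). For a restricted access forest the only acceptable output is the "No trusts" line; for an organizational forest, every row with findings is a trust whose scope should be justified in the design documents described earlier.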

Active Directory Forests Best Practices

AD forests have been around since 2000, so there are many different theories about the best way to configure Active Directory and forests. Current best practices include:

  • When possible, consolidate to a single forest
  • Secure resources and data via GPO and apply a least privileged model
  • Use GPOs to further limit users’ ability to create new folders without following a set process, in keeping with the least privileged permissions model.
  • Give your domain admins a 2nd admin account they use only when required per the change management process.
  • If you have multiple AD forests with trust relationships, consider consolidation.
  • If you need to create a restricted access forest, make sure it is truly restricted. As secure as we want the primary forest to be, a restricted access forest should be Castle Black. Put a 700’ wall around it and keep it there.
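Two of the practices above can be checked with a script: that domain admins work from a dedicated second admin account, and that the forest has not sprawled into multiple domains or trusted forests that are candidates for consolidation. The following PowerShell is an added example, not code from the Varonis post. It assumes the RSAT ActiveDirectory module and a hypothetical naming convention in which dedicated admin accounts end in "-adm"; adjust `$AdminSuffix` to your own convention.

```powershell
# Added example (not from the Varonis post). Checks that Domain Admins
# members are dedicated admin accounts and reports forest sprawl.
# Assumptions: RSAT ActiveDirectory module; admin accounts carry the
# suffix "-adm" (hypothetical convention, change to match yours).
Import-Module ActiveDirectory

$AdminSuffix = '-adm'

# 1. Every user in Domain Admins, including membership via nested groups.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties EmailAddress, LastLogonDate
    }

$report = foreach ($u in $members) {
    $findings = @()
    if ($u.SamAccountName -notlike "*$AdminSuffix") {
        $findings += 'not a dedicated admin account (naming convention)'
    }
    # A mailbox on a Domain Admins account suggests it doubles as the
    # person's day-to-day account, which is what the second account avoids.
    if ($u.EmailAddress) {
        $findings += 'has a mailbox'
    }
    [PSCustomObject]@{
        Account   = $u.SamAccountName
        Enabled   = $u.Enabled
        LastLogon = $u.LastLogonDate
        Findings  = ($findings -join '; ')
    }
}
$report | Format-Table -AutoSize

# 2. Forest sprawl: domains in this forest and forest trusts to other forests.
$forest = Get-ADForest
$forestTrusts = @(Get-ADTrust -Filter * | Where-Object { $_.ForestTransitive })
Write-Host ("Domains in forest {0}: {1}" -f $forest.Name, $forest.Domains.Count)
Write-Host ("Forest trusts to other forests: {0}" -f $forestTrusts.Count)
if ($forest.Domains.Count -gt 1 -or $forestTrusts.Count -gt 0) {
    Write-Host 'Multiple domains or a trusted forest exist: review whether consolidation into a single forest is possible.'
}
```

Treat every row with findings as a question for the change management process rather than an automatic removal: the point is to confirm that each privileged account is the separate, rarely used account the practice calls for.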


If Active Directory holds the keys to the kingdom, the AD forest is the keyring for some of those keys: it’s important not only to secure Active Directory, but to understand how to configure and manage the AD forest in order to prevent data breaches and reduce security vulnerabilities.
