AD DS Forest Models
Continuing with the theory, let's take a look at another kind of model in AD DS design: forest models.
The following text and images are all copied from the Microsoft 70-647 2nd Edition Training Kit.
Organizational Forest Model
In the organizational forest model, user accounts and resources exist in the same forest and are managed separately. The organizational forest model is used to provide service autonomy, service isolation, or data isolation.
Use the organizational forest model when you need to provide exclusive or inclusive control of the AD DS infrastructure or when you need to prevent administrators from controlling or viewing a subset of data in the directory or on member computers joined to the directory.
The figure below illustrates the organizational forest model.
Resource Forest Model
In the resource forest model, a separate forest is used to manage resources. Resource forests do not contain user accounts other than those required for services. Forest trusts are established so that users from other forests can access the resources contained in the resource forest. Resource forests, illustrated in the figure below, provide service isolation.
Use the resource forest model when you need to provide exclusive control of the AD DS infrastructure.
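The two properties described above (no user accounts beyond those needed for services, and access granted through forest trusts) can be checked from an administrative workstation. The following is an added example, not part of the training kit text; the forest name and the service-account OU name are placeholders, and it assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example: audit a resource forest against the model described above.
# Assumptions (placeholders, not from the source text):
#   - resources.example.com is the resource forest root
#   - service accounts live under an OU named "Service Accounts" in each domain
Import-Module ActiveDirectory

$ResourceForest = 'resources.example.com'
$ServiceOuRdn   = 'OU=Service Accounts'

function Get-UnexpectedUser {
    # Enabled user accounts outside the service-account OU. In a resource
    # forest these should not exist, apart from the built-in accounts.
    param([string]$Forest, [string]$AllowedOuRdn)
    foreach ($domain in (Get-ADForest -Identity $Forest).Domains) {
        Get-ADUser -Filter 'Enabled -eq $true' -Server $domain -Properties whenCreated |
            Where-Object {
                $_.DistinguishedName -notlike "*,$AllowedOuRdn,*" -and
                $_.SID.Value -notmatch '-(500|501|502)$'   # Administrator, Guest, krbtgt
            } |
            Select-Object @{ n = 'Domain'; e = { $domain } },
                          SamAccountName, DistinguishedName, whenCreated
    }
}

function Get-ForestTrustSummary {
    # Forest trusts are how users from other forests reach the resources.
    # Direction and SelectiveAuthentication show how broadly each one is open.
    param([string]$Forest)
    Get-ADTrust -Filter * -Server $Forest |
        Where-Object { $_.ForestTransitive } |
        Select-Object Name, Direction, SelectiveAuthentication
}

$unexpected = @(Get-UnexpectedUser -Forest $ResourceForest -AllowedOuRdn $ServiceOuRdn)
$trusts     = @(Get-ForestTrustSummary -Forest $ResourceForest)

"Enabled user accounts outside '$ServiceOuRdn': $($unexpected.Count)"
$unexpected | Format-Table -AutoSize

"Forest trusts defined on ${ResourceForest}: $($trusts.Count)"
$trusts | Format-Table -AutoSize
```

Any account in the first table is a deviation from the model to review, and a trust with SelectiveAuthentication set to False lets every authenticated user from the trusted forest attempt access to resources in this one.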
Restricted Access Forest Model
In the restricted access forest model, illustrated in the figure below, a separate forest is created to contain user accounts and data that must be isolated from the rest of the organization. Restricted access forests provide data isolation.
Use the restricted access forest model when you need to prevent administrators from controlling or viewing a subset of data in the directory or on member computers joined to the directory.