Forests vs Trusts

Joshua

Hi,

We are confronted with two options. Build two domains in one forest.
Or build two domains in two forests completely separated, then
establish a trust.

We have a few sites using each of these two options, and at present,
we're not too sure what the difference is. We do feel that a two way
trust is easier to manage as we can always break that trust if
required, whilst I do not have the same belief regarding same forest
domains.

Can anyone tell me if the above belief is incorrect, or why there is
any point to us using the domain/forest model?

Simon Geary

There are very few reasons to create 2 forests but here are some:

The two domains require a different schema
The administrators in each domain do not trust each other
You have regulatory requirements to keep the two isolated

You are correct that it would be easier to isolate the two domains if they
were in different forests so if that is a primary concern for you then maybe
two forests would be appropriate. The best way to start a design is to begin
with a single forest and then look at reasons for introducing a second one.
How important is it to have the ability to isolate domains? Having two
forests introduces an extra layer of complexity and administration so if you
don't really need them to be isolated and just think it might be useful at
some point then maybe one forest would suffice.

Joshua

I'm wondering what the administrative overhead you speak of actually
is.
You've presented a reason I "might" under certain circumstances prefer
to use two forests and a trust, but I don't see any reason to go the
other way.
There must be one. MS have gone to a lot of effort to introduce the
forest model, surely it presents something useful. If "administrators
trusting each other" is all it is, well if I administrate both domains
that doesn't make a difference to me.

Simon Geary

The admin overhead from a second forest just means that you will have two
lots of everything: two namespaces, two replication schedules, two DNS
services, two schemas, two lots of things that can go wrong.
If you use Exchange you are going to have to synchronise the GAL between the
two forests if you want all users to have the same address book.
There are no right or wrong answers here I suppose, AD is flexible enough to
accommodate many different designs but if you go down the two forest route
here you will be making extra complexity for yourself so you should satisfy
yourself that you have a good reason to go down this path. If you are the
admin for both forests why would you want to sever the trust relationship
anyway?
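The two replies above turn on how isolated a trust actually makes two domains, and on what a second forest costs to run. Before deciding either way it helps to see what an existing environment already has: which domains share a forest (and therefore a schema and an implicit, unseverable trust) and which are joined only by a trust, and whether the boundary controls on those trusts are switched on. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed and that it is run from a domain-joined session with rights to read trust objects. The domain names in the comments are placeholders.

```powershell
# Added example: inventory the current forest and audit its trusts.
# Assumes the RSAT ActiveDirectory module (Get-ADForest, Get-ADTrust) is available.
Import-Module ActiveDirectory

function Get-ForestSummary {
    # The things that are "one lot" in a single forest: name, mode, schema master, member domains.
    $forest = Get-ADForest
    [PSCustomObject]@{
        Forest       = $forest.Name
        ForestMode   = $forest.ForestMode
        SchemaMaster = $forest.SchemaMaster
        Domains      = ($forest.Domains -join ', ')
    }
}

function Get-TrustAudit {
    # One row per trust object, collected from every domain in the forest.
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        Get-ADTrust -Filter * -Server $domain | ForEach-Object {
            $t = $_
            # Intra-forest trusts are created automatically between domains of one
            # forest; they cannot be removed or SID-filtered, which is the "same forest"
            # case discussed above. External and forest trusts are the severable kind.
            $isolationNote =
                if ($t.IntraForest) {
                    'intra-forest: implicit, cannot be severed'
                } elseif (-not $t.SIDFilteringQuarantined -and -not $t.SIDFilteringForestAware) {
                    'SID filtering off: SIDHistory from the other side is honoured'
                } elseif (-not $t.SelectiveAuthentication) {
                    'selective authentication off: any trusted user can authenticate here'
                } else {
                    'filtered and selective'
                }

            [PSCustomObject]@{
                SourceDomain      = $domain
                Target            = $t.Target
                Direction         = $t.Direction          # Inbound / Outbound / BiDirectional
                TrustType         = $t.TrustType
                IntraForest       = $t.IntraForest
                ForestTransitive  = $t.ForestTransitive
                SIDFiltering      = ($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)
                SelectiveAuth     = $t.SelectiveAuthentication
                Note              = $isolationNote
            }
        }
    }
}

Get-ForestSummary | Format-List
Get-TrustAudit    | Sort-Object SourceDomain, Target | Format-Table -AutoSize

# To tighten an external trust that the audit flags (placeholders, run as a domain admin
# of the trusting domain):
#   netdom trust <trusting.example> /domain:<trusted.example> /quarantine:yes
#   netdom trust <trusting.example> /domain:<trusted.example> /SelectiveAuth:yes
```

The report makes the trade-off in the thread concrete: rows marked intra-forest are the domains that share everything listed in the reply above and cannot be cut apart later, while external and forest trusts are the ones that can be broken, and the SID filtering and selective authentication columns show whether that boundary is enforced or merely nominal.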

Joshua

OK, that sheds some light on it.
Through coincidence, our clients which utilise multiple domains happen
to be the clients which don't run Exchange, so we've never run into
the GAL issue before.

With two domains in one forest, I would still refer to that as "two
DNS services" as each domain would have its own DNS.

There are many possible reasons for severing the trust. The splitting
of a company or impending regulatory reasons both apply to us.

I guess we'll brew over it and come up with a decision based on this.