Active Directory Cross-Forest Trust
Jul. 22, 2002
Two or more moderately complex Active Directory (AD) "forests" can be linked so that users in one forest can easily access resources in the other forest. In this case involving fictitious example companies, ABC Limited has acquired XYZ Corporation. Both firms were using .NET Server–based AD forests before the acquisition.

ABC is a Canadian firm with a U.S. subsidiary. ABC has three domains (represented by triangles) in its tree—a root domain, abc.com, and two subsidiaries. All are linked by native AD two-way transitive trusts (represented by solid connecting lines). Its U.S. subsidiary, abcus.com, has a separate tree consisting of a main domain and a separate domain for its software development group. This tree and the abc.com tree mutually trust each other (also using native AD two-way transitive trusts), but each tree has a different namespace. Because of the transitive trusts, all domains in the ABC forest completely trust each other and share a common schema and global catalog.

Prior to the acquisition, XYZ Corp. had its own forest consisting of a root domain, xyz.com, and separate domains for its two subsidiaries. After the acquisition, the two companies linked their networks and established a two-way forest trust (represented by the dashed connecting line) between the two forest root domains (the two boldface triangles). Now, each firm can continue to manage its forest autonomously, yet resource owners in either forest can grant access to users or groups from the other forest. For instance, a group of users in devt.abcus.com can use their normal log-ons to access a document, contract1.doc, stored on a file server in west.xyz.com (assuming the document’s permissions allow that group to access it).
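The trust-path rules behind that example, as an added model that is not part of the original article: inside a forest, parent-child and tree-root trusts are two-way and transitive, so every domain in the ABC forest trusts every other; a forest trust extends that transitivity across the two linked forests, but it does not chain, so a third forest that XYZ later trusts is not trusted by ABC; and an older-style external trust links exactly two domains and is never transitive. The code goes beyond the article on those last two points. Domain names the article does not give (the two abc.com subsidiaries, XYZ's second subsidiary, the third forest `qrs.example`) are constructed placeholders.

```python
"""Trust-path model for the ABC / XYZ forest topology (added example).

Walks trusts from the resource domain towards the account domain. A path may
contain any number of intra-forest hops, at most one forest-trust hop (forest
trusts do not chain to a third forest), and an external trust only as the sole
hop. The rules are general AD trust semantics; the topology is the article's.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str  # resource side: the domain that accepts the other side's users
    trusted: str   # account side: the domain whose users are accepted
    kind: str      # "intra-forest", "forest" or "external"


class TrustGraph:
    def __init__(self):
        self.trusts = []  # list of Trust edges, one per direction

    def add(self, a, b, kind, two_way=True):
        """Record that `a` trusts `b` (and, if two_way, that `b` trusts `a`)."""
        self.trusts.append(Trust(a, b, kind))
        if two_way:
            self.trusts.append(Trust(b, a, kind))

    def can_authenticate(self, user_domain, resource_domain):
        """True if `resource_domain` will authenticate a user from `user_domain`."""
        if user_domain == resource_domain:
            return True
        # BFS state: (current domain, forest-trust hops used on this path)
        start = (resource_domain, 0)
        queue, seen = deque([start]), {start}
        while queue:
            domain, forest_hops = queue.popleft()
            for t in self.trusts:
                if t.trusting != domain:
                    continue
                if t.kind == "external":
                    # non-transitive: only valid as the single hop of the path
                    if domain == resource_domain and t.trusted == user_domain:
                        return True
                    continue
                hops = forest_hops + (1 if t.kind == "forest" else 0)
                if hops > 1:
                    continue  # a second forest trust would reach a third forest
                if t.trusted == user_domain:
                    return True
                state = (t.trusted, hops)
                if state not in seen:
                    seen.add(state)
                    queue.append(state)
        return False


def build_abc_xyz_topology():
    """The post-acquisition topology from the article (unnamed domains constructed)."""
    g = TrustGraph()
    # ABC forest, abc.com tree: root plus two subsidiary domains (names constructed)
    g.add("abc.com", "sub1.abc.com", "intra-forest")
    g.add("abc.com", "sub2.abc.com", "intra-forest")
    # second tree in the same forest (different namespace) and its dev domain
    g.add("abc.com", "abcus.com", "intra-forest")        # tree-root trust
    g.add("abcus.com", "devt.abcus.com", "intra-forest")  # parent-child trust
    # XYZ forest: root plus two subsidiary domains ("east" is constructed)
    g.add("xyz.com", "west.xyz.com", "intra-forest")
    g.add("xyz.com", "east.xyz.com", "intra-forest")
    # two-way forest trust between the two forest roots
    g.add("xyz.com", "abc.com", "forest")
    return g


def access_matrix(g, pairs):
    """Evaluate (user_domain, resource_domain) pairs; returns a dict of results."""
    return {(u, r): g.can_authenticate(u, r) for u, r in pairs}


if __name__ == "__main__":
    g = build_abc_xyz_topology()
    g.add("xyz.com", "qrs.example", "forest")  # constructed third forest
    for pair, ok in access_matrix(g, [
        ("devt.abcus.com", "west.xyz.com"),   # the article's contract1.doc case
        ("qrs.example", "west.xyz.com"),      # reachable via XYZ's own forest trust
        ("qrs.example", "abc.com"),           # not reachable: forest trusts don't chain
    ]).items():
        print(f"{pair[0]:>16} -> {pair[1]:<14} {'allowed' if ok else 'denied'}")
```

The direction convention matters when reading the output: `add(a, b, ..., two_way=False)` means `a` trusts `b`, so users from `b` can reach resources in `a` and not the reverse; a one-way forest trust from abc.com to xyz.com would let XYZ users open files in ABC while ABC users still get nothing in XYZ.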