You might have several domain trees in your organization that you need to share resources. To solve this problem, you can join the trees to form a forest.
A forest is a collection of trees that donít necessarily form a contiguous namespace (although each tree must be contiguous). This arrangement might be useful if your company has multiple root DNS addresses, as in the Figure.
As the Figure shows, two root domains connect through a transitive, two-way Kerberos trust (much like the trust between a child and parent). Forests always contain a domainís entire domain tree. You canít create a forest that contains only part of a domain tree.
When you promote a server to a domain controller (DC), DCPROMO creates a forest. Forest creation canít occur at any other time, although this restriction will change in the OS that follows Windows 2000.
You can add as many domain trees to a forest as you want. All the domains in a forest can grant object access to any user in the forest. Thus, the administrator doesnít need to manually manage the trust relationships.
Creating a forest provides the following benefits.
You might prefer not to join trees into a forest. Instead, you can create normal trusts between individual tree elements.