
🌲 Forests

Using a DNS name is useful for management, as it allows for the creation of subdomains. For example, a company can have a root domain called etherdrake.local, with subdomains for different departments, such as it.etherdrake.local or sales.etherdrake.local.

Active Directory offers numerous ways to organize infrastructure. Consequently, organizations use subdomains differently; some create them for departments, while others use them for different offices.

          etherdrake.local
                |
        .-------'--------.
        |                |
        |                |
 it.etherdrake.local hr.etherdrake.local
        |
        |
        |
 webs.it.etherdrake.local

This tree of domains is known as a Forest. The name of the forest is the same as the name of the root domain of the tree.

PS C:\Users\User> Get-ADForest


ApplicationPartitions : {DC=DomainDnsZones,DC=etherdrake,DC=local, DC=ForestDnsZones,DC=etherdrake,DC=local}
CrossForestReferences : {}
DomainNamingMaster    : dc01.etherdrake.local
Domains               : {etherdrake.local}
ForestMode            : Windows2016Forest
GlobalCatalogs        : {dc01.etherdrake.local, dc02.etherdrake.local}
Name                  : etherdrake.local
PartitionsContainer   : CN=Partitions,CN=Configuration,DC=etherdrake,DC=local
RootDomain            : etherdrake.local
SchemaMaster          : dc01.etherdrake.local
Sites                 : {Default-First-Site-Name}
SPNSuffixes           : {}
UPNSuffixes           : {}

Forest information with Get-ADForest

Within a forest, each domain maintains its own database and Domain Controllers. However, users in any domain can access resources in other domains within the same forest.

This means that even an autonomous domain is not isolated from a security perspective. By default, a user from one domain can access resources in all other domains within the same forest. By contrast, users cannot access resources in other forests by default, making the forest the primary logical structure for security isolation.

Since each domain has its own Domain Controllers, a rapidly growing department may require dedicated controllers to handle its requests. This can be achieved by creating a new subdomain, and users will retain access to computers in other subdomains within the same forest.

Functional Modes

Similar to Windows computers, domains and forests have their own "version," called a functional mode. The available features depend on the domain or forest's functional mode.

Each mode is named after the minimum Windows Server operating system required to run it. The following functional modes are available:

  • Windows2000
  • Windows2000MixedDomains
  • Windows2003
  • Windows2008
  • Windows2008R2
  • Windows2012
  • Windows2012R2
  • Windows2016

PS C:\Users\Administrator\Downloads> (Get-ADForest).ForestMode
Windows2016Forest
PS C:\Users\Administrator\Downloads> (Get-ADDomain).DomainMode
Windows2016Domain

Get the mode of the forest/domain

For example, if you encounter a domain or forest in Windows2012 mode, you can infer that all its Domain Controllers are running Windows Server 2012 or newer. Knowing the functional mode also matters because some domain features require a minimum level. For instance, the Protected Users group requires the Windows2012R2 mode.
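The following script is an added example, not code from the original article: it walks every domain in the forest, reads its functional mode with the cmdlets shown above, and reports whether the level is high enough for Protected Users, alongside the operating system of each Domain Controller as a cross-check. It assumes the RSAT ActiveDirectory module and a domain-joined session; the ordered list of level names and the function names are this example's own.

```powershell
# Added example (not from the original article). Assumes the RSAT
# ActiveDirectory module is installed and the session can reach the forest.
Import-Module ActiveDirectory

# Functional levels in ascending order, with the "Domain"/"Forest" suffix
# that the cmdlets append stripped off. Ordering is this example's assumption.
$Levels = @('Windows2000', 'Windows2003Interim', 'Windows2003', 'Windows2008',
            'Windows2008R2', 'Windows2012', 'Windows2012R2', 'Windows2016')

function Get-LevelRank {
    param([string]$Mode)
    # 'Windows2016Domain' -> 'Windows2016' -> position in $Levels (-1 if unknown)
    $name = $Mode -replace '(Domain|Forest)$', ''
    return [array]::IndexOf($Levels, $name)
}

function Get-FunctionalLevelAudit {
    $forest = Get-ADForest
    # Forest-wide summary first (forest mode, root domain, member domains)
    [PSCustomObject]@{
        Scope                   = 'Forest'
        Name                    = $forest.Name
        Mode                    = "$($forest.ForestMode)"
        ProtectedUsersAvailable = $null
        DomainControllers       = ($forest.GlobalCatalogs -join '; ')
    }
    $minForProtectedUsers = Get-LevelRank 'Windows2012R2Domain'
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $rank   = Get-LevelRank "$($domain.DomainMode)"
        # A domain's DCs must all run at least the OS matching its mode;
        # listing them lets an auditor spot a mode that could be raised.
        $dcs = Get-ADDomainController -Filter * -Server $domainName
        [PSCustomObject]@{
            Scope                   = 'Domain'
            Name                    = $domainName
            Mode                    = "$($domain.DomainMode)"
            ProtectedUsersAvailable = ($rank -ge $minForProtectedUsers)
            DomainControllers       = (($dcs | ForEach-Object {
                                         "$($_.HostName) ($($_.OperatingSystem))"
                                       }) -join '; ')
        }
    }
}

Get-FunctionalLevelAudit | Format-Table -AutoSize
```

A domain reported with ProtectedUsersAvailable set to False cannot use the Protected Users group until its functional mode is raised to Windows2012R2 or higher.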