Last Answered: Feb 8 2008 0:47 AM GMT by TimH
It depends upon the nature of your organization, IT security policies and administration overhead.
By default, a user or administrator in one forest cannot access another forest, which means that the forest is a security boundary. A multi-forest design allows for security boundaries within corporate networks, thus improving the overall network security. In addition, different divisions within a large corporation should consider a separate forest for added security isolation.
Of course, some users might need to access data in another forest. For this need, administrators can create trust relationships between domains in the forests and use SID filtering, which is a mechanism that prevents the "Domain Trust" vulnerability from occurring between forests.
It carries higher administrative and support costs, and complicates collaboration and messaging. However, it provides the highest level of security.
Additionally, there can be only one Exchange organization per forest, and Exchange organizations cannot sync/share data between organizations (such as calendar free/busy data). Each Exchange organization operates with an independent address book as well. From a messaging/collaboration perspective, the preferred structure would be one forest with multiple domains.
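A way to audit the SID filtering state of the cross-forest trusts the answer mentions, as an added PowerShell example that is not part of TimH's post: it assumes the RSAT ActiveDirectory module is installed and an account that can read the domain's trustedDomain objects, and decodes the trustAttributes bit values defined in MS-ADTS (the constant names below are local to this script).

```powershell
# Added audit example (not from the original post). Assumes the ActiveDirectory
# RSAT module and an account permitted to read trustedDomain objects.
Import-Module ActiveDirectory

# trustAttributes bits as defined in MS-ADTS; names are this script's own.
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering enforced on an external/domain trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8   # trust is a forest trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40  # forest trust relaxed to external-style filtering (SID history allowed)

function Get-TrustSidFilteringReport {
    param([string]$Server)   # optional DC/domain to query; defaults to the current domain

    $trusts = if ($Server) { Get-ADTrust -Filter * -Server $Server } else { Get-ADTrust -Filter * }

    foreach ($t in $trusts) {
        $attr     = [int]$t.TrustAttributes
        $isForest = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0

        if ($isForest) {
            # Forest trusts filter SIDs by default; TREAT_AS_EXTERNAL relaxes that filtering.
            $filtering = ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -eq 0
        } else {
            # External/domain trusts only filter SIDs when the quarantine bit is set.
            $filtering = ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        }

        # Parent/child and tree-root trusts inside one forest are not a security boundary,
        # so SID filtering does not apply to them; report them but do not flag them.
        $finding = if ($t.IntraForest) { 'n/a (intra-forest)' }
                   elseif ($filtering)  { 'OK' }
                   else                 { 'REVIEW: SID filtering not enforced' }

        [pscustomobject]@{
            Trust        = $t.Name
            Direction    = $t.Direction
            Kind         = if ($t.IntraForest) { 'Intra-forest' } elseif ($isForest) { 'Forest' } else { 'External/Domain' }
            SidFiltering = $filtering
            Finding      = $finding
        }
    }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
```

Any trust reported as REVIEW can be corrected with `netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:Yes` for external trusts or `/enablesidhistory:No` for forest trusts.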