It depends upon the nature of your organization, IT security policies and administration overhead. By default, a user or administrator in one forest cannot access another forest, which means that the forest is a security boundary. A multi-forest design allows for security boundaries within corporate networks, thus improving the overall network security. In addition, different divisions within a large corporation should consider a separate forest for added security isolation. Of course, some users might need to access data in another forest. For this need, administrators can create trust relationships between domains in the forests and use SID filtering, which is a mechanism that prevents the "Domain Trust" vulnerability from occurring between forests. It carries higher administrative and support costs, and complicates collaboration and messaging. However, it provides the highest level of security. Additionally there can be only one Exchange organization per forest and Exchange organizations cannot sync/share data between organizations (such as calendar free/busy data). Each Exchange organization operates with an independent address book as well. From a messaging/collaboration perspective, the preferred structure would be one forest with multiple domains.

It depends upon the nature of your organization, IT security policies and administration overhead. By default, a user or administrator in one forest cannot access another forest, which means that the forest is a security boundary. A multi-forest design allows for security boundaries within corporate networks, thus improving the overall network security. In addition, different divisions within a large corporation should consider a separate forest for added security isolation. Of course, some users might need to access data in another forest. For this need, administrators can create trust relationships between domains in the forests and use SID filtering, which is a mechanism that prevents the "Domain Trust" vulnerability from occurring between forests. It carries higher administrative and support costs, and complicates collaboration and messaging. However, it provides the highest level of security. Additionally there can be only one Exchange organization per forest and Exchange organizations cannot sync/share data between organizations (such as calendar free/busy data). Each Exchange organization operates with an independent address book as well. From a messaging/collaboration perspective, the preferred structure would be one forest with multiple domains.