Posted by: James Murray
As a Seattle IT consultant I have often found myself teaching technology classes for private businesses and for local colleges. When I first started in technology, the concept of a Windows security boundary was very different. Windows used the concept of a workgroup, which was a distributed security model. With Windows NT came the idea of a centralized security model based on Windows domains. Security became a little confused after that, because a lot of the distributed-security thinking was integrated with the centralized model Windows was now using. I think it's interesting that to really understand Microsoft security, it helps to understand the similarities and differences between this and the early thinking about networks, DNS and TCP/IP.
NT 4.0 was a huge step in maturity when compared with Windows for Workgroups. For small companies NT 4.0 was perfect. Yet it didn't take long for a small company to become a medium-sized company and then a large company. Large and enterprise companies struggled with NT from the beginning, because of the SAM. The SAM (Security Account Manager) is a file that describes the security properties of the entire NT 4.0 domain, including security access to printers, servers, data and more on the network. As the network grew, the SAM file grew, and it would eventually become so big and unwieldy that network speeds slowed: access to every object required a review of the SAM, which slowed everything down. The temporary fix was to create a new NT 4.0 domain and put some of the objects in one domain versus the other. Two domains grew into 4 domains, then 8 domains and so on. For a company like Boeing, the system was a nightmare of overhead.
Windows 2000 introduced the concept of a forest. In Windows 2000 the domain was still the security boundary, but the forest used Kerberos to manage the security between the domains. By Windows 2008, the forest was the security boundary. Domains in NT were impossible to divide, so in Windows 2000 organizational units were created to divide up the domain. When the security boundary was redefined as the forest rather than the domain, the domain became a dividing line within the security boundary rather than the boundary itself.
When I would teach the concept of a forest, the question would always come up: what is a tree vs. what is a forest? The problem in answering this question is that it really depends on the context in which the question is being asked. Let's assume, though, that we are talking about Windows 2008. If we do, then we can answer this question using the Microsoft definitions.
A tree is defined by a namespace. Think of a namespace in the same way you would think of a DNS namespace. So www.xyz.com or xyz.com would be a namespace. All namespaces that start with xyz.com, like xyz.com/east and xyz.com/west, would still be part of the same namespace as xyz.com, and so would be part of the same tree. These are also called contiguous namespaces because all of them share the namespace xyz.com.
Now what if the company had two non-contiguous namespaces? Let's say that in addition to xyz.com, the company also had a namespace called giraffe.com. This non-contiguous namespace would be a second tree. giraffe.com/east and giraffe.com/west would be separate subdomains associated only with giraffe.com and would have nothing to do with the xyz.com namespace or its subdomains.
Now the simplest way to think about a forest is as a container for trees. In other words, the forest is a collection of trees, trees are a collection of domains, and domains are a collection of organizational units. The forest is the ultimate root for all security for the entire structure. Network objects (users, computers, files, printers, etc.) are placed in the various locations within the tree structure based on the security requirements of the organization.
In our example we see:
Forest: <insert Your Company Name>
Tree 1: xyz.com
Sub Trees: xyz.com/East, xyz.com/West
Tree 2: giraffe.com
Sub Trees: giraffe.com/East, giraffe.com/West
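To make the forest/tree/domain grouping concrete, here is an added example (my code, not from the original post) that takes a list of domain names and sorts them into trees by contiguous namespace, then prints the same outline as the listing above. It uses DNS form, which is how Active Directory actually names a child domain (east.xyz.com, which the post writes as xyz.com/east); the domain names and the forest name are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data modelled on the post's example, in DNS form.
# These names are hypothetical.
SAMPLE_DOMAINS = [
    "xyz.com", "east.xyz.com", "west.xyz.com",
    "giraffe.com", "east.giraffe.com", "west.giraffe.com",
]


def parent_of(domain, domains):
    """Return the nearest ancestor of `domain` that is itself in `domains`,
    or None when the name is contiguous with nothing in the set.

    Comparison is done label by label, so 'notxyz.com' is not mistaken
    for a child of 'xyz.com' the way a plain string-suffix test would.
    """
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def build_forest(forest_name, domain_names):
    """Group domain names into trees by contiguous namespace.

    A tree root is a domain with no ancestor in the set; every other
    domain hangs under its nearest ancestor.
    """
    domains = {d.strip().strip(".").lower() for d in domain_names}
    parent = {}
    children = defaultdict(list)
    for d in sorted(domains):
        p = parent_of(d, domains)
        parent[d] = p
        if p is not None:
            children[p].append(d)
    roots = sorted(d for d in domains if parent[d] is None)
    return {"forest": forest_name, "trees": roots,
            "parent": parent, "children": dict(children)}


def tree_of(domain, forest):
    """Walk parent links up to the tree root that `domain` belongs to."""
    d = domain.strip(".").lower()
    if d not in forest["parent"]:
        raise KeyError(f"{domain} is not a domain in this forest")
    while forest["parent"][d] is not None:
        d = forest["parent"][d]
    return d


def same_tree(a, b, forest):
    """True when two domains share a contiguous namespace (same tree)."""
    return tree_of(a, forest) == tree_of(b, forest)


def descendants(domain, forest):
    """All domains below `domain`, depth first, in sorted order."""
    out = []
    for child in forest["children"].get(domain, []):
        out.append(child)
        out.extend(descendants(child, forest))
    return out


def render(forest):
    """Produce an outline in the same shape as the post's listing."""
    lines = [f"Forest: {forest['forest']}"]
    for n, root in enumerate(forest["trees"], start=1):
        lines.append(f"Tree {n}: {root}")
        subs = descendants(root, forest)
        if subs:
            lines.append("Sub Trees: " + ", ".join(subs))
    return "\n".join(lines)


if __name__ == "__main__":
    f = build_forest("<insert Your Company Name>", SAMPLE_DOMAINS)
    print(render(f))
    print(same_tree("east.xyz.com", "west.giraffe.com", f))
```

The label-aligned comparison in parent_of is the part worth noticing: a naive check such as `name.endswith("xyz.com")` would file notxyz.com under the xyz.com tree, which is exactly the kind of namespace confusion that matters when the answer decides which trust relationships apply.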
One of the questions I'm asked, then, is: if there is only one tree in the forest, is it still a forest or is it a tree? I think at this point we have to ask another question: what are we really describing? We are describing a database structure using non-database language. A database is made up of files, records, fields and field descriptions. The tree description is actually a metaphor that helps us understand the data structure without becoming database experts. So the question is interesting but unimportant. Yet I'll ask you: if you see a tree standing alone in the desert, is it just a tree, or is it also a forest?