AD Logical Structure
Forests, domains, trees, and OUs are the organizational containers that define how AD is logically structured and where the security boundaries really lie.
Active Directory organizes everything into a hierarchy. At the very top is the forest, the largest container and the security boundary for the whole organization: every domain in it shares one schema and one configuration partition, is linked to the others by automatic two-way transitive trusts, and is ultimately administered by the forest root's Enterprise Admins. Inside the forest are domains, which are like departments that manage their own users, computers, and policies. Domains that share a contiguous DNS namespace are grouped into trees. Within each domain, administrators create Organizational Units (OUs) to sort users, computers, and groups into logical buckets and to link Group Policy -- for example, an OU for the Marketing department and another for Engineering. Every individual item stored in the directory, such as a user account, a computer, or a group, is an object; domains and OUs are themselves objects that contain other objects.
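The following script is an added example, not code from the original page. It walks the hierarchy just described in the order AD stores it (forest, then each tree root and its child domains, then the OUs inside each domain) using the RSAT ActiveDirectory module. It is read-only and runs as an ordinary domain user on a domain-joined host; no names are hard-coded, everything is discovered from the forest it is run in.

```powershell
# Added example (not part of the original page): print the forest > tree > domain > OU
# hierarchy. Read-only. Requires the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest : $($forest.Name)  (root domain $($forest.RootDomain), functional level $($forest.ForestMode))"
"Global Catalogs : $($forest.GlobalCatalogs -join ', ')"

# One Get-ADDomain call per domain in the forest. A domain with no ParentDomain is the
# root of a tree; its child domains share its DNS suffix (a contiguous namespace).
$domains = foreach ($name in $forest.Domains) { Get-ADDomain -Identity $name }

function Show-DomainTree {
    param($Domain, [int]$Depth = 0)
    $pad = '  ' * $Depth
    "$pad Domain : $($Domain.DNSRoot)  [$($Domain.DomainMode)]  DCs: $($Domain.ReplicaDirectoryServers -join ', ')"

    # All OUs of this domain. Sorting by the reversed DN puts each parent OU before its
    # children. LinkedGroupPolicyObjects shows where Group Policy is attached.
    $ous = Get-ADOrganizationalUnit -Filter * -Server $Domain.DNSRoot -Properties LinkedGroupPolicyObjects |
           Sort-Object { $p = $_.DistinguishedName -split ',(?=OU=|DC=)'; [array]::Reverse($p); $p -join ',' }

    foreach ($ou in $ous) {
        # Number of ",OU=" components above this OU = its nesting depth (escaped commas ignored).
        $ouDepth = ([regex]::Matches($ou.DistinguishedName, '(?<!\\),OU=')).Count
        $gpos    = @($ou.LinkedGroupPolicyObjects).Count
        "$pad   $('  ' * $ouDepth)OU : $($ou.Name)  (linked GPOs: $gpos)"
    }

    # Recurse into child domains of this domain (same tree, deeper in the namespace).
    foreach ($child in ($domains | Where-Object { $_.ParentDomain -eq $Domain.DNSRoot })) {
        Show-DomainTree -Domain $child -Depth ($Depth + 1)
    }
}

# Each domain without a parent starts a tree; print every tree in the forest.
foreach ($tree in ($domains | Where-Object { -not $_.ParentDomain })) {
    "Tree root : $($tree.DNSRoot)"
    Show-DomainTree -Domain $tree -Depth 1
}
```

Two things the output makes visible that the prose only states: the Global Catalog and schema are reported once, at forest level, because they are forest-wide; and every domain appears under exactly one tree root, with OUs nested only inside a domain, never across domains.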
A forest is like a country -- it is the ultimate boundary and everything inside shares a common set of laws. Domains are like states within that country, each with its own local government but still part of the same nation. Organizational Units (OUs) are like cities within a state, used to group people and apply local rules. Trees are simply groups of domains that share a contiguous namespace, much like a region of neighboring states.
Key Takeaways
- The forest is the true security boundary in AD, not the domain.
- Domains are administrative and replication boundaries, each with its own domain controllers, account policies, and Domain Admins group, but they are not security boundaries.
- OUs provide fine-grained organization and Group Policy linkage within a domain.
- All domains in a forest share a common schema, configuration partition, and Global Catalog, and trust each other through automatic two-way transitive trusts.
- A principal with write rights on an OU (GenericAll, WriteDacl, WriteOwner, or write access to its gPLink attribute) can control every object beneath it, so misconfigured OU permissions are a common privilege-escalation path.
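The last takeaway is easy to check. The script below is an added example, not part of the original page: it lists every OU in the forest (plus each domain head, because ACEs set there inherit into all OUs below) where a principal outside the expected administrative set holds a write-capable right or owns the container. It is read-only, needs the RSAT ActiveDirectory module on a domain-joined host, and identifies principals by well-known SID rather than name so it works in any language or naming scheme; the list of "expected" administrators is an assumption you should adjust for your environment.

```powershell
# Added example (not part of the original page): report OUs and domain heads where a
# non-admin principal holds write-capable rights or ownership. Read-only.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value

# Rights that let the holder change the container, what it holds, or who controls it.
# Pure read rights (ReadProperty, ListChildren, ...) are deliberately left out.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights] `
    'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, CreateChild, DeleteChild, Delete, DeleteTree, Self, ExtendedRight'

function Get-ExpectedAdminSid {
    # Assumed baseline of principals allowed to write to any OU; extend for your environment.
    param([string]$DomainSid, [string]$RootDomainSid)
    @(
        'S-1-5-18'             # NT AUTHORITY\SYSTEM
        'S-1-5-32-544'         # BUILTIN\Administrators
        'S-1-5-9'              # ENTERPRISE DOMAIN CONTROLLERS
        "$DomainSid-512"       # Domain Admins
        "$DomainSid-516"       # Domain Controllers
        "$RootDomainSid-519"   # Enterprise Admins (defined in the forest root domain)
    )
}

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }   # orphaned SID of a deleted principal: keep the raw value
}

$findings = foreach ($domainName in $forest.Domains) {
    $domain   = Get-ADDomain -Identity $domainName
    $expected = Get-ExpectedAdminSid -DomainSid $domain.DomainSID.Value -RootDomainSid $rootSid

    # The domain head is scanned as well: an ACE set there inherits into every OU below it.
    $containers = @($domain.DistinguishedName) +
                  @(Get-ADOrganizationalUnit -Filter * -Server $domain.DNSRoot).DistinguishedName

    foreach ($dn in $containers) {
        $entry = [ADSI]"LDAP://$($domain.DNSRoot)/$dn"
        $sd    = $entry.psbase.ObjectSecurity

        # Explicit ACEs only; inherited ones are reported at the container where they were set.
        $rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($expected -contains $rule.IdentityReference.Value) { continue }
            if (($rule.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Domain     = $domain.DNSRoot
                Container  = $dn
                Principal  = Resolve-SidName $rule.IdentityReference
                Rights     = $rule.ActiveDirectoryRights
                # Empty GUID: the right covers the whole object. Otherwise it is scoped to one
                # attribute, property set or extended right; resolve the GUID before treating
                # the entry as a full write grant.
                ObjectType = $rule.ObjectType
                Inherits   = $rule.InheritanceType
            }
        }

        # The owner can always rewrite the DACL, so an unexpected owner is a finding too.
        $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
        if ($expected -notcontains $owner.Value) {
            [pscustomobject]@{
                Domain = $domain.DNSRoot; Container = $dn
                Principal = Resolve-SidName $owner; Rights = 'Owner'
                ObjectType = [guid]::Empty; Inherits = 'n/a'
            }
        }
    }
}

$findings | Sort-Object Domain, Container | Format-Table -AutoSize
```

Expect some default entries to appear, such as the built-in Account Operators and Print Operators groups, which hold CreateChild/DeleteChild on specific object classes in every OU; those are part of the product's defaults and worth knowing about, but the entries to chase first are ordinary users, service accounts, and custom groups holding GenericAll, WriteDacl, WriteOwner, or an unscoped WriteProperty on an OU that contains privileged accounts or computers.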
Attackers look for weak boundaries. Understanding that the forest is the real security boundary -- and that domain compromise often leads to forest compromise, because every domain in a forest trusts every other domain and control of one domain's controllers can be extended across those trusts -- is essential for both attackers and defenders.