In general, forests are used as security boundaries, domains are used to control replication, and OUs are used to delegate administration.
summay from: http://technet.microsoft.com/en-us/library/cc756901(WS.10).aspx
从这开始看:http://technet.microsoft.com/en-us/library/cc785260(WS.10).aspx
Active Directory Design Principles: Part 1
http://www.packtpub.com/article/active-directory-design-principles-part-1
How Domains and Forests Work
http://technet.microsoft.com/en-us/library/cc783351(WS.10).aspx