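This article comes from Chapter 5, the Active Directory design part, of the "Windows Server Active Directory 2008 Resource Kit". For a greenhorn like me with little real-world experience, seeing forest models other than the single forest for the first time made me rather curious.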
 
Forest Design Models

At a high level, there are three common forest design models used when creating the forest design. Most organizations will require one of these forest design models, although you may need to use a combination of designs in some organizations.
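When designing and creating forests, there are three common design models. Most organizations need only one of them, although in some organizations you may need to combine the three.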
 
1. Organizational Forest Model

In the organizational forest model, the forests are designed along some organizational criteria. For example, an organization with multiple business units or geographical locations, or an organization that was formed by acquisitions or mergers, may choose to use an organizational forest model. To enable access to resources between the organizational entities, you can configure forest trusts between forests or external trusts between specific domains in each forest. See Figure 5-4 for an illustration of the organization forest model.
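In an organizational forest model, the forests are usually designed according to some organizational structure. For example, an organization with many business units (subsidiaries) or spread across many geographical locations (a multinational company), or an organization made up of many partners, would choose an organizational forest model. To be able to access resources across the different organizations, you have to configure mutual trusts between domains inside and outside the forest.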
[Figure 5-4]
In this model, all user accounts and shared resources related to each organizational entity are stored within the relevant forest. By creating separate forests, you can ensure administrative autonomy and isolation between the business units.
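In this model, all user resources and shared resources are tied to the organizational structure and stored inside their own forest. By creating separate forests, you can ensure administrative independence between the different business units.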
 
2. Resource Forest Model

In the resource forest model, user and group account management is isolated from resource management by creating separate forests for each function. All user and group accounts are stored in one or more account forests, and all shared resources are configured on servers in one or more resource forests. The resource forests do not contain user accounts other than administrative accounts and service accounts required by applications.
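In the resource forest model, user and group management is independent of resource management, which is achieved by creating separate forests for each. All users and groups are stored in one or more account forests, while all shared resources are stored in separate resource forests. The resource forests contain no accounts other than administrative and service accounts.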
In the resource forest model, you must configure trusts between the two forests. In most cases, this will be a one-way forest trust configured so that users in the account forest can access the resources contained in the resource forest. You can enable two way trusts, external trusts, or forest trusts with selective authentication in this model. See Figure 5-5 for an illustration of the organization forest model.
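In the resource forest model, you must configure trusts between the forests. In most cases this is a one-way trust, so that users in the account forest can only access resources in the resource forest. You can enable two-way trusts, external trusts, or forest trusts with selective authentication.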
[Figure 5-5]
 
3. Restricted Access Forest Model

The restricted access forest model is a variation on the organizational forest model. In a restricted access forest model, a separate forest is created to contain user accounts and shared resources that must be isolated from the rest of the organization. The restricted access forest is different than the organizational forest in that no trusts are configured between the two domains.
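The restricted access forest model is a special case of the organizational forest model. In the restricted access forest model, one forest contains accounts and resources but is isolated from the rest of the organization. Unlike the organizational forest model, the domains in the restricted access forest model have no trust relationships configured.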
The restricted access forest is designed to ensure administrative isolation. This means that no user account in a forest outside the restricted access forest can have any permissions or access to any data in the forest. If users in the organizational forest require access in the restricted access forest, they must have a separate user account created in this forest and must have two client computers, each joined to a different forest. See Figure 5-6 for an illustration of the restricted access forest model.
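The restricted access forest is designed to ensure administrative independence. This means that accounts in different forests cannot access each other. If access is needed, a separate account must be configured in the forest to be accessed, and there must be two client computers, each joined to one domain.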
[Figure 5-6]
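
The three models differ in which cross-forest logons the trust layout permits. The following is an added example, not from the Resource Kit or the original post: a small Python model of authentication reachability across forests. The forest names, accounts and host names are constructed, and the model covers only whether a logon is accepted across a trust, not the permissions on the resource itself.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Trust:
    trusting: str            # forest that hosts the resources
    trusted: str             # forest whose accounts are accepted
    selective: bool = False  # selective authentication enabled on the trust

@dataclass
class Topology:
    trusts: list
    # (account, host) pairs granted "Allowed to Authenticate" on the host
    allowed: set = field(default_factory=set)

    def can_authenticate(self, user_forest, user, res_forest, host):
        """True if `user` homed in user_forest may authenticate to `host`."""
        if user_forest == res_forest:
            return True  # account local to the forest, no trust involved
        for t in self.trusts:
            # Access flows against the trust arrow. Forest trusts are not
            # transitive through a third forest, so only a direct trust counts.
            if t.trusting == res_forest and t.trusted == user_forest:
                return (not t.selective) or (user, host) in self.allowed
        return False

def two_way(a, b):
    """A two-way trust is a pair of one-way trusts."""
    return [Trust(a, b), Trust(b, a)]

# Constructed sample layout combining the three models:
#  - corp.example <-> subsidiary.example : organizational forests, two-way trust
#  - resources.example trusts corp.example: resource forest, one-way, selective
#  - lab.example                          : restricted access forest, no trusts
SAMPLE = Topology(
    trusts=two_way("corp.example", "subsidiary.example")
    + [Trust("resources.example", "corp.example", selective=True)],
    allowed={("alice", "fileserver1")},
)

if __name__ == "__main__":
    checks = [
        ("corp.example", "alice", "resources.example", "fileserver1"),
        ("corp.example", "carol", "resources.example", "fileserver1"),
        ("subsidiary.example", "bob", "resources.example", "fileserver1"),
        ("corp.example", "alice", "lab.example", "vault"),
    ]
    for c in checks:
        print(c, "->", SAMPLE.can_authenticate(*c))
```
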