Step 4: Select the Forest Root Domain
Published: February 25, 2008
The first domain deployed in an Active Directory forest is called the forest root domain. This domain remains the forest root domain for the life cycle of the Active Directory deployment. It cannot be changed without redeploying the entire forest.
The forest root domain contains the Enterprise Admins and Schema Admins groups. These administrator groups are used to manage forest-level operations, such as the addition and removal of domains and changes to the schema.
A domain that exists in the design can be selected as the forest root, or a dedicated forest root can be selected. Once the forest root domain has been established, it cannot be changed without rebuilding the forest.
Option 1: Use a Planned Domain
When the domain design for a forest indicates a single domain, then this single domain is the forest root domain. This one domain will host all users, groups, computers, and the forest root groups.
If multiple domains exist in the design, one of the domains can be selected to be the forest root domain in addition to managing the users and resources of the domain. The selected domain will define the forest namespace and will need to be the first domain deployed in the environment. Although it will also manage users and resources, it will always maintain its unique status as the domain containing the Enterprise Admins and Schema Admins groups.
Option 2: Dedicated Forest Root Domain
A dedicated forest root domain, also known as an empty forest root, may be added to the existing domain structure to specifically manage the forest level functions. When selected, this domain does not contain any user accounts or resources other than the service administrator accounts for the forest root domain, and it does not represent any region in the domain structure. All domains become children of this domain.
A dedicated forest root is generally chosen for the following reasons:
It should be noted, however, that the forest level functions are not protected from a rogue administrator manipulating the Active Directory database in such a way as to compromise the integrity and security of the directory. This means that while an empty forest root may separate functional administrative groups, it does not grant any additional security to the forest from rogue administrators.
Evaluating the Characteristics
Validating with the Business
In addition to evaluating the decision in this step against IT-related criteria, the effect of the decision on the business should also be validated. The following question has been known to affect forest root placement decisions:
The identity of the forest root domain has been determined at this point. Either a planned domain has been chosen or a new domain has been added to the design as the forest root.