Choosing a Regional or Dedicated Forest Root Domain
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you are applying a single domain model, then the single domain functions as the forest root domain. If you are applying a multiple domain model, then you can choose to deploy a dedicated forest root domain, or select a regional domain to function as the forest root domain.
Dedicated Forest Root Domain
A dedicated forest root domain is a domain that is created specifically to function as the forest root. It does not contain any user accounts other than the service administrator accounts for the forest root domain, and it does not represent any region in your domain structure. All other domains in the forest are children of the dedicated forest root domain.
Using a dedicated forest root provides the following advantages:
Operational separation of forest service administrators from domain service administrators. In a single domain environment, or whenever a regional domain serves as the forest root, members of the Domain Admins or built-in Administrators groups of that root domain can use standard tools and procedures to make themselves members of the Enterprise Admins and Schema Admins groups, because those forest-level groups are objects in the root domain that they already administer. In a forest that uses a dedicated forest root domain, members of the Domain Admins or built-in Administrators groups in the regional domains cannot make themselves members of the forest-level service administrator groups by using standard tools and procedures.
Because a domain is not a security boundary, it is possible for a malicious service administrator, such as a member of the Domain Admins group in any domain, to use nonstandard tools and procedures to gain full access to any domain in the forest or to any computer in the forest. For example, service administrators in a nonroot domain can still make themselves members of the Enterprise Admins or Schema Admins group by such means. A dedicated forest root therefore raises the bar against casual or accidental escalation by standard administrative tools; it does not remove the need to trust every service administrator in the forest, because the forest, not the domain, is the security boundary.
Protection from operational changes in other domains. A dedicated forest root domain does not represent a particular region in your domain structure. For this reason, it is not affected by reorganizations or other changes that result in the renaming or restructuring of domains.
Serves as a neutral root so that no region appears to be subordinate to another region. Some organizations might prefer to avoid the appearance that one country/region is subordinate to another country/region in the namespace. When you use a dedicated forest root domain, all regional domains can be peers in the domain hierarchy.
In a multiple regional domain environment in which a dedicated forest root is used, the replication of the forest root domain has minimal impact on the network infrastructure. This is because the forest root only hosts the service administrator accounts. The majority of the user accounts in the forest and other domain-specific data is stored in the regional domains.
One disadvantage to using a dedicated forest root domain is that it creates additional management overhead to support the additional domain.
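The operational separation described above is only as good as the membership of the forest-level groups and the account population of the root domain. The following check is an added example, not code from the original page; it assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read the forest root domain, and it uses the well-known RIDs 512 (Domain Admins), 518 (Schema Admins) and 519 (Enterprise Admins). It lists every principal that holds forest-level service administrator rights, flags members whose accounts live outside the root domain, and lists enabled user accounts in the root that hold no service administrator group at all, which in a dedicated root should be none.

```powershell
# Added example, not from the original page. Audits whether a forest root
# domain is being operated as a dedicated root: only service administrator
# accounts in the root, and forest-level groups populated only from the root.
# Assumes the ActiveDirectory module and read access to the forest root domain.
Import-Module ActiveDirectory

function Test-DedicatedForestRoot {
    [CmdletBinding()]
    param(
        # Forest to audit; defaults to the forest of the current user.
        [string]$Forest = (Get-ADForest).Name
    )

    $forestObj = Get-ADForest -Identity $Forest
    $rootName  = $forestObj.RootDomain
    $rootDom   = Get-ADDomain -Identity $rootName
    $rootSid   = $rootDom.DomainSID.Value
    $rootDn    = $rootDom.DistinguishedName

    # Well-known RIDs relative to the root domain SID. Enterprise Admins (519)
    # and Schema Admins (518) exist only in the forest root domain; Domain
    # Admins (512) of the root can add themselves to the other two.
    $serviceAdminGroups = @{
        'Domain Admins'     = "$rootSid-512"
        'Schema Admins'     = "$rootSid-518"
        'Enterprise Admins' = "$rootSid-519"
    }

    # Resolve membership recursively so nested groups and principals from
    # child domains are expanded to the accounts that actually hold the right.
    $membership = foreach ($name in $serviceAdminGroups.Keys) {
        Get-ADGroupMember -Identity $serviceAdminGroups[$name] -Server $rootName -Recursive |
            ForEach-Object {
                [pscustomobject]@{
                    Group  = $name
                    Member = $_.SamAccountName
                    Class  = $_.objectClass
                    # Domain part of the DN: everything from the first ",DC=" onward.
                    Domain = ($_.DistinguishedName -replace '^.*?,DC=', 'DC=')
                }
            }
    }

    # Members whose DN is outside the root domain are regional-domain accounts
    # holding forest-wide rights, which the dedicated root model is meant to avoid.
    $foreignAdmins = @($membership | Where-Object { $_.Domain -ne $rootDn })

    # Enabled user accounts in the root that sit in none of the service admin
    # groups. In a dedicated root this should be empty.
    $adminAccounts = ($membership | Where-Object Class -eq 'user').Member
    $ordinaryUsers = @(Get-ADUser -Filter 'Enabled -eq $true' -Server $rootName |
        Where-Object { $_.SamAccountName -notin $adminAccounts })

    [pscustomobject]@{
        Forest              = $forestObj.Name
        RootDomain          = $rootName
        ChildDomains        = @($forestObj.Domains | Where-Object { $_ -ne $rootName })
        ServiceAdminMembers = $membership
        ForeignAdmins       = $foreignAdmins
        OrdinaryUsersInRoot = $ordinaryUsers | Select-Object SamAccountName, DistinguishedName
        LooksDedicated      = ($ordinaryUsers.Count -eq 0 -and $foreignAdmins.Count -eq 0)
    }
}

# Usage: run from a domain-joined host with RSAT; review the two flagged lists.
Test-DedicatedForestRoot | Format-List
```

A non-empty ForeignAdmins list is the condition the dedicated root exists to prevent: a regional-domain account with forest-level rights, from which a compromise of that regional domain reaches the whole forest. A non-empty OrdinaryUsersInRoot list means the root is drifting toward the regional-root model without the design having been revisited.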
Regional Domain as a Forest Root Domain
If you choose not to deploy a dedicated forest root domain, then you must select a regional domain to function as the forest root domain. This domain is the parent domain of all the other regional domains and will be the first domain that you deploy. The forest root domain contains user accounts and is managed in the same way that the other regional domains are managed. The primary difference is that it also includes the Enterprise Admins and Schema Admins groups.
The advantage to selecting a regional domain to function as the forest root domain is that it does not create the additional management overhead that maintaining an additional domain creates.
Select an appropriate regional domain to be the forest root, such as the domain that represents your headquarters or the region that has the fastest network connections. If it is difficult for your organization to select a regional domain to be the forest root domain, you can choose to use a dedicated forest root model instead.
In a Windows Server 2003 environment, global availability of the forest root is not as important as it is in Windows 2000 because forest-wide application partitions automatically replicate the forest-wide locator record zone to all domain controllers that are running DNS. Any domain controller can be used to write updates to the forest-wide locator records zone. In a Windows 2000 environment, DNS does not use a forest-wide application partition; therefore, it is recommended that a dedicated forest root be used to make the zone containing the writable copy of the forest-wide locator records highly available. For more information about DNS and the forest-wide application partition, see "Designing a DNS Infrastructure to Support Active Directory" later in this chapter.
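Whether the forest-wide locator records are in fact replicated to every DNS-hosting domain controller, as the Windows Server 2003 layout intends, is something to verify rather than assume, especially in forests upgraded from Windows 2000 where the _msdcs records may still sit inside the root domain zone. The following check is an added example, not code from the original page; it assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later RSAT), that the account can query DNS on every domain controller, and that the zone of interest is named _msdcs.<forest root>. Domain controllers that do not run DNS show up as errors rather than results.

```powershell
# Added example, not from the original page. Reports, for every domain
# controller in the forest, whether it holds a writable, forest-replicated copy
# of the _msdcs zone that carries the forest-wide locator records.
# Assumes the ActiveDirectory and DnsServer modules and rights to query each DC.
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-ForestLocatorZone {
    [CmdletBinding()]
    param([string]$Forest = (Get-ADForest).Name)

    $forestObj = Get-ADForest -Identity $Forest
    $msdcsZone = "_msdcs.$($forestObj.RootDomain)"

    # Collect every DC of every domain, not just the root, since the point of
    # the ForestDnsZones partition is that all DNS-hosting DCs get a writable copy.
    $dcs = foreach ($dom in $forestObj.Domains) {
        Get-ADDomainController -Filter * -Server $dom
    }

    $zoneReport = foreach ($dc in $dcs) {
        try {
            $zone = Get-DnsServerZone -ComputerName $dc.HostName -Name $msdcsZone -ErrorAction Stop
            # 'Primary' + IsDsIntegrated = writable AD-integrated copy.
            # ReplicationScope 'Forest' = stored in the ForestDnsZones partition.
            $ok = ($zone.ZoneType -eq 'Primary' -and $zone.IsDsIntegrated -and $zone.ReplicationScope -eq 'Forest')
            [pscustomobject]@{
                DomainController = $dc.HostName
                Domain           = $dc.Domain
                ZoneType         = $zone.ZoneType
                DsIntegrated     = $zone.IsDsIntegrated
                ReplicationScope = $zone.ReplicationScope
                Partition        = $zone.DirectoryPartitionName
                Status           = if ($ok) { 'OK' } else { 'REVIEW' }
            }
        } catch {
            # Either the DC does not run DNS, or _msdcs is not a separate zone
            # here (the Windows 2000 layout, where it is a subdomain of the root
            # domain zone and replicates only to root-domain DCs).
            [pscustomobject]@{
                DomainController = $dc.HostName
                Domain           = $dc.Domain
                ZoneType         = $null
                DsIntegrated     = $null
                ReplicationScope = $null
                Partition        = $null
                Status           = "NO ZONE: $($_.Exception.Message)"
            }
        }
    }

    # Independently confirm the records resolve from this host's resolver.
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc.$msdcsZone" -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })

    [pscustomobject]@{
        Forest           = $forestObj.Name
        LocatorZone      = $msdcsZone
        DcSrvRecords     = $srv.Count
        ZonesPerDc       = $zoneReport
        AllForestScoped  = -not ($zoneReport | Where-Object Status -ne 'OK')
    }
}

# Usage: review any row whose Status is not OK.
$r = Test-ForestLocatorZone
$r.ZonesPerDc | Format-Table -AutoSize
$r | Select-Object Forest, LocatorZone, DcSrvRecords, AllForestScoped
```

A row with ReplicationScope of Domain or Legacy for the _msdcs zone means the locator records are still replicating only within one domain, which is the Windows 2000 situation the passage describes; in that case the availability of the forest root domain controllers matters for the whole forest, and the dedicated root recommendation applies in full.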
Forest Root Alternatives With Single Global Domain Model
This model consists of a forest with a single global domain that contains all the user, computer, and group accounts for the entire organization. The global domain is either deployed beneath a dedicated forest root domain or is itself the forest root. Figure 2.20 shows an example of a forest with a single global domain with and without a dedicated forest root.
Figure 2.20 Single Global Domain Model With and Without Dedicated Root
Forest Root Alternatives With Multiple Regional Domains
This model consists of a dedicated forest root domain or a regional domain that is designated to be the forest root, and multiple regional domains that are children of the forest root, as shown in Figure 2.21.
Figure 2.21 Multiple Regional Domains With and Without a Dedicated Forest Root
In the case of multiple regional domains, a third alternative is to make each regional domain a separate tree in a single forest. While this design is fully supported, it is not recommended because of the complexity of the DNS deployment.
Figure 2.22 Forest with Multiple Trees