Step 4: Select the Forest Root Domain

  • Article

Published: February 25, 2008

 

The first domain deployed in an Active Directory forest is called the forest root domain. This domain remains the forest root domain for the life cycle of the Active Directory deployment. It cannot be changed without redeploying the entire forest.

The forest root domain contains the Enterprise Admins and Schema Admins groups. These administrator groups are used to manage forest-level operations, such as the addition and removal of domains and changes to the schema.

A domain that exists in the design can be selected as the forest root, or a dedicated forest root can be selected. Once the forest root domain has been established, it cannot be changed without rebuilding the forest.

Option 1: Use a Planned Domain

When the domain design for a forest indicates a single domain, then this single domain is the forest root domain. This one domain will host all users, groups, computers, and the forest root groups.

If multiple domains exist in the design, one of the domains can be selected to be the forest root domain in addition to managing the users and resources of the domain. The selected domain will define the forest namespace and will need to be the first domain deployed in the environment. Although it will also manage users and resources, it will always maintain its unique status as the domain containing the Enterprise Admins and Schema Admins groups.

Option 2: Dedicated Forest Root Domain

A dedicated forest root domain, also known as an empty forest root, may be added to the existing domain structure to specifically manage the forest level functions. When selected, this domain does not contain any user accounts or resources other than the service administrator accounts for the forest root domain, and it does not represent any region in the domain structure. All domains become children of this domain.

A dedicated forest root is generally chosen for the following reasons:

  • Operational separation of forest service administrators from domain service administrators.
  • Protection from operational changes in other domains.
  • Serves as a neutral root so that no region appears to be subordinate to another region.

It should be noted, however, that the forest level functions are not protected from a rogue administrator manipulating the Active Directory database in such a way as to compromise the integrity and security of the directory. This means that while an empty forest root may separate functional administrative groups, it does not grant any additional security to the forest from rogue administrators.

Evaluating the Characteristics

Cost

Use a planned domain

No additional costs are required as a planned domain is being used as the forest root.

Low

Empty root domain

Dedicating an empty root domain to host the forest root will incur extra hardware and software costs for the computers to run the domain and maintain its availability.

High

Validating with the Business

In addition to evaluating the decision in this step against IT-related criteria, the effect of the decision on the business should also be validated. The following question has been known to affect forest root placement decisions:

  • Are any mergers or acquisitions planned? Changes in the corporate structure could affect the placement of a forest root.

Decision Summary

The identity of the forest root domain has been determined at this point. Either a planned domain has been chosen or a new domain has been added to the design as the forest root.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
Download

Get the IPD Active Directory Domain Services
Solution Accelerators Notifications

Sign up to learn about updates and new releases
Feedback

Send us your comments or suggestions