Choosing a Forest Root Domain

After you have determined how many domains you will place in your forest, you need to decide which domain will be the forest root domain. The forest root domain is the first domain that you create in a forest. The two forest-wide groups, enterprise administrators and schema administrators, will reside in this domain.

note-icon Note

If all of the domain controllers for the forest root domain are lost in a catastrophic event, and one or more domain controllers cannot be restored from backup, the enterprise administrators and schema administrators groups will be permanently lost. There is no way to reinstall the forest root domain of a forest.

If your forest contains only one domain, that domain will be the forest root. If your forest contains two or more domains, consider the following two approaches for selecting the forest root domain.

Using an Existing Domain

From the list of domains you have, select a domain that is critical to the operation of your organization and make it the forest root. Because you cannot afford to lose this domain, it will already require the kind of fault tolerance and recoverability that is required for a forest root.

Using a Dedicated Domain

Creating an additional, dedicated domain to serve solely as the forest root carries all the costs of an extra domain, but it has certain benefits that might apply to your organization, such as:

  • The domain administrator in the forest root domain will be able to manipulate the membership of the enterprise administrators and schema administrators groups. You might have administrators who require domain administrator privilege for some part of their duties, but you do not want them to manipulate the forest-wide administrators groups. By creating a separate domain, you avoid having to place these administrators into the domain administrators group of the forest root domain.

  • Because the domain is small, it can be easily replicated anywhere on your network to provide protection against geographically-centered catastrophes.

  • Because the only role the domain has is to serve as the forest root, it never risks becoming obsolete. In the case where you select a domain from your planned list of domains to be the forest root, there is always a chance that particular domain will become obsolete, perhaps due to a change in your organization. However, you will never be able to fully retire such a domain, because it must play the role of forest root.