Lesson 2: Defining a Forest Root Domain

After you define the domains your organization will use for its Active Directory infrastructure, the next step in creating a domain plan is to define a forest root domain. This lesson explains the process of defining a forest root domain, which includes assessing needs and choosing an existing or a dedicated domain for the forest root.


After this lesson, you will be able to

  • Identify the factors in an organization's environment that impact the definition of its forest root domain
  • Indicate the reasons for using existing or dedicated forest root domains
  • Discuss the benefits and implications of using a dedicated forest root domain
  • Analyze an organization's environment to define its forest root domain

Estimated lesson time: 10 minutes


Understanding the Forest Root Domain

A forest root domain is the first domain you create in an Active Directory forest. For example, in the Active Directory deployment for microsoft.com, the Microsoft domain was created first and is the forest root domain of the hierarchy. The forest root domain must be centrally managed by an IT organization that is responsible for making domain hierarchy, naming, and policy decisions. The Enterprise Admins and Schema Admins predefined universal groups reside only in this domain. Administrators in this domain are those who are key to the network design.

IMPORTANT

After the forest root domain (the first domain in the forest) has been created, you cannot create a new forest root domain, a parent for the existing forest root domain, or rename the forest root domain. For this reason, you should carefully select the forest root domain.

Design Step: Defining a Forest Root Domain

To define a forest root domain, you must complete the following tasks:

  1. Assess the domains defined for the organization and its IT management organization.
  2. Choose a forest root domain for your organization.

Assessing Forest Root Domain Needs

To define your organization's forest root domain, you must first consult the following documents compiled earlier by your design team:

  • Business Structures Worksheet. Assess current administrative structure to locate the IT management organization.
  • Network Architecture Worksheet. Assess current network architecture and the domains that have been defined.
  • IT Management Organization Worksheet. Assess current IT management organization structure and analyze how the IT management organization handles decisions and changes to determine the location of the forest root.

NOTE

Blank copies of the worksheets are located on the Supplemental Course Materials CD-ROM (\chapt02\worksheets). Completed examples of the worksheets are located in Chapter 2, "Introduction to Designing a Directory Services Infrastructure."

In addition to assessing the information compiled in these documents, it is imperative that you also assess changes currently planned to business structures, network architecture, or the IT management organization to address growth, flexibility, and the ideal design specifications of the organization.

Choosing a Forest Root Domain

When choosing a forest root domain, you will either designate an existing domain as the forest root domain or you can designate an additional, dedicated domain to serve as the forest root domain. The latter method provides certain benefits that may apply to your organization, which are explained later. The forest root domain should be a domain that is centrally managed by an IT department that is capable of making naming and policy decisions.

Reasons for Designating an Existing Domain

Designate an existing domain to serve as the forest root domain when

  • Your forest contains only one domain
  • Your forest contains multiple domains, and one of them can be identified as the domain most critical to the operation of your organization, but you have no desire to
    • Regulate membership in the Enterprise Admins and Schema Admins predefined universal groups in the forest root domain
    • Create a small forest root domain for easier replication
    • Avoid obsolescence of the root domain name

Reasons for Designating a Dedicated Domain

Create a new, dedicated domain to serve as the forest root domain when

  • Your forest contains multiple domains, and none of them can be identified as the domain most critical to the operation of your organization. The new domain will be dedicated to the operations associated with enterprise management and should not contain any user accounts or many computer accounts.
  • Your forest contains multiple domains, and one of them can be identified as the domain most critical to the operation of your organization, but you want to
    • Regulate membership in the Enterprise Admins and Schema Admins predefined universal groups in the forest root domain
    • Create a small forest root domain for easier replication
    • Avoid obsolescence of the root domain name

Advantages of Using a Dedicated Domain

Adding a domain to serve as the dedicated domain involves the added costs of an extra domain, as defined in the section "Implications of Defining Multiple Domains" in Lesson 1, "Defining Domains." However, using a dedicated domain can provide your organization with the following advantages:

  • Domain administrators in the forest root domain can regulate membership in the Enterprise Admins and Schema Admins predefined universal groups. Using a dedicated root domain, you can restrict the membership of its enterprise-wide administrator groups to only those who need enterprise-wide authority. Those who require administrator capabilities for some of their duties are restricted to regulating membership in administrator groups at the domain level.
  • Because a dedicated forest root domain is small, it can be easily replicated across the enterprise to protect the root from catastrophic events. This ability is critical because if all of the domain controllers in the forest root domain are lost in a catastrophic event and none can be restored, the Enterprise Admins and Schema Admins predefined universal groups will also be lost with no way to reinstall the forest root domain.
  • Because the only purpose of the forest root domain is to serve as the root, there is little chance of it becoming obsolete. If you designate an existing domain as the forest root domain (based on the fact that it is the most critical domain in the organization), there is always the chance that the organization may change, the domain may no longer be critical, and the domain may become obsolete. Once you've named the root domain you cannot change it without rebuilding the entire Active Directory tree.
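The two design goals above (tightly regulated Enterprise Admins and Schema Admins membership, and a dedicated root that holds no ordinary user accounts) are easy to state and easy to drift away from. The following PowerShell audit is an added example, not part of the training kit, and assumes the RSAT ActiveDirectory module, read access to the forest root domain, and constructed approved-member lists that you would replace with your own.

```powershell
# Added example (not from the training kit): audit a dedicated forest root
# domain against the dedicated-root design goals described above.
Import-Module ActiveDirectory

# Constructed approved-membership lists (assumption); replace with your own.
$ApprovedEnterpriseAdmins = @('ea.alice', 'ea.bob')
$ApprovedSchemaAdmins     = @('ea.alice')

$forest  = Get-ADForest
$root    = $forest.RootDomain                    # DNS name of the forest root domain
$rootSid = (Get-ADDomain -Identity $root).DomainSID.Value

# Enterprise Admins (RID 519) and Schema Admins (RID 518) exist only in the
# forest root domain; resolve them by well-known SID, not by display name.
$groups = @{
    'Enterprise Admins' = @{ Sid = "$rootSid-519"; Approved = $ApprovedEnterpriseAdmins }
    'Schema Admins'     = @{ Sid = "$rootSid-518"; Approved = $ApprovedSchemaAdmins }
}

$findings = @()
foreach ($name in $groups.Keys) {
    # -Recursive expands nested groups so indirect members are not missed.
    $members = Get-ADGroupMember -Identity $groups[$name].Sid -Server $root -Recursive |
               Select-Object -ExpandProperty SamAccountName
    foreach ($m in $members) {
        if ($m -notin $groups[$name].Approved) {
            $findings += [pscustomobject]@{ Check = "$name membership"; Detail = "Unapproved member: $m" }
        }
    }
}

# A dedicated root should hold no ordinary user accounts; the built-in
# Administrator, Guest and krbtgt accounts are expected and excluded here.
$users = Get-ADUser -Filter * -Server $root |
         Where-Object { $_.SamAccountName -notin @('Administrator', 'Guest', 'krbtgt') }
foreach ($u in $users) {
    $findings += [pscustomobject]@{ Check = 'Root domain user accounts'; Detail = "Unexpected user: $($u.SamAccountName)" }
}

if ($findings.Count -eq 0) { Write-Output "Forest root $root matches the dedicated-root design." }
else { $findings | Format-Table -AutoSize }
```

Run it on a schedule from a management host and treat any finding as a change to investigate, since membership of these two groups is the enterprise-wide authority the dedicated root exists to contain.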

To define a forest root domain

  1. Obtain a copy of your design team's IT Management Organization Worksheet. Analyze the information on the worksheet to determine which domain should be the forest root domain.
  2. On the network architecture diagram containing the domains defined for the organization, draw a square around the domain you're defining as the forest root domain.

Design Step Example: Defining a Forest Root Domain

Figure 4.5 shows excerpts from the IT Management Organization Worksheet for Pacific Musical Instruments.


Figure 4.5 IT management organization information for Pacific Musical Instruments

Figure 4.2 showed the domains previously defined for Pacific Musical Instruments. Although the Honolulu headquarters domain was considered briefly as the forest root domain, it was not selected because the forest root domain should be a domain that is centrally managed by an IT department that is capable of making naming and policy decisions. At the Honolulu headquarters, two separate departments handle IT management. One department handles IT management for the Honolulu office only, and the other handles IT management for the entire organization. The design team decided to add a dedicated domain as the forest root domain to separate the two IT management departments located in Honolulu and to reap the benefits of using a dedicated forest root domain. Figure 4.6 shows the forest root domain defined for Pacific Musical Instruments.


Figure 4.6 Forest root domain defined for Pacific Musical Instruments

Lesson Summary

In this lesson you learned how to define the forest root domain for each forest in an organization by assessing an organization's forest root needs and choosing a forest root domain. When choosing a forest root domain, you will either designate an existing domain as the forest root domain or designate an additional, dedicated domain to serve as the forest root domain. The latter method provides certain benefits that may apply to your organization. The forest root domain should be a domain that is centrally managed by an IT department capable of making naming and policy decisions.



MCSE Training Kit Exam 70-219(c) Designing a Microsoft Windows 2000 Directory Services Infrastructure
MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219 (Pro-Certification)
ISBN: 0735613648
Year: 2001
Pages: 76
