After you define the domains your organization will use for its Active Directory infrastructure, the next step in creating a domain plan is to define a forest root domain. This lesson explains the process of defining a forest root domain, which includes assessing needs and choosing an existing or a dedicated domain for the forest root.
After this lesson, you will be able to
Estimated lesson time: 10 minutes
A forest root domain is the first domain you create in an Active Directory forest. For example, in the Active Directory deployment for microsoft.com, the Microsoft domain was created first and is the forest root domain of the hierarchy. The forest root domain must be centrally managed by an IT organization that is responsible for making domain hierarchy, naming, and policy decisions. The Enterprise Admins and Schema Admins predefined universal groups reside only in this domain. Administrators in this domain are those who are key to the network design.
IMPORTANT
After the forest root domain (the first domain in the forest) has been created, you cannot create a new forest root domain, create a parent for the existing forest root domain, or rename the forest root domain. For this reason, you should carefully select the forest root domain.
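As an added example (not part of the original lesson), the following PowerShell reports which domain is the forest root in an existing forest and lists the direct members of Schema Admins and Enterprise Admins, flagging any whose account lives outside the forest root domain and is therefore administered outside the central IT organization described above. It assumes the ActiveDirectory module (RSAT) and read access to the directory; `Get-DomainFromDN` and the variable names are hypothetical helpers introduced for this example.

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) and directory read access.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$root    = $forest.RootDomain    # DNS name of the forest root domain
$rootSid = (Get-ADDomain -Identity $root -Server $root).DomainSID.Value

# Well-known relative IDs, which exist only in the forest root domain:
# 518 = Schema Admins, 519 = Enterprise Admins
$groupSids = [ordered]@{
    'Schema Admins'     = "$rootSid-518"
    'Enterprise Admins' = "$rootSid-519"
}

# Hypothetical helper: "CN=x,OU=y,DC=corp,DC=example,DC=com" -> "corp.example.com"
function Get-DomainFromDN([string]$DistinguishedName) {
    # Split on commas that are not escaped with a backslash, keep the DC= parts
    $parts = $DistinguishedName -split '(?<!\\),' | Where-Object { $_ -like 'DC=*' }
    ($parts | ForEach-Object { $_.Substring(3) }) -join '.'
}

$report = foreach ($name in $groupSids.Keys) {
    # Read the raw member attribute so members are listed without being resolved
    $group = Get-ADGroup -Identity $groupSids[$name] -Server $root -Properties member
    foreach ($dn in $group.member) {
        $memberDomain = Get-DomainFromDN $dn
        [pscustomobject]@{
            Group        = $name
            Member       = $dn
            MemberDomain = $memberDomain
            OutsideRoot  = ($memberDomain -ne $root)   # comparison is case-insensitive
        }
    }
}

"Forest root domain: $root"
$report | Sort-Object Group, Member | Format-Table -AutoSize
```

Only direct members are listed; a nested group appears as a single row under its own distinguished name.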
To define a forest root domain, you must complete the following tasks:
To define your organization's forest root domain, you must first consult the following documents compiled earlier by your design team:
NOTE
Blank copies of the worksheets are located on the Supplemental Course Materials CD-ROM (\chapt02\worksheets). Completed examples of the worksheets are located in Chapter 2, "Introduction to Designing a Directory Services Infrastructure."
In addition to assessing the information compiled in these documents, it is imperative that you also assess changes currently planned to business structures, network architecture, or the IT management organization to address growth, flexibility, and the ideal design specifications of the organization.
When choosing a forest root domain, you will either designate an existing domain as the forest root domain or designate an additional, dedicated domain to serve as the forest root domain. The latter method provides certain benefits that may apply to your organization, which are explained later. The forest root domain should be a domain that is centrally managed by an IT department that is capable of making naming and policy decisions.
Reasons for Designating an Existing Domain
Designate an existing domain to serve as the forest root domain when
Reasons for Designating a Dedicated Domain
Create a new, dedicated domain to serve as the forest root domain when
Advantages of Using a Dedicated Domain
Adding a domain to serve as the dedicated domain involves the added costs of an extra domain, as defined in the section "Implications of Defining Multiple Domains" in Lesson 1, "Defining Domains." However, using a dedicated domain can provide your organization with the following advantages:
To define a forest root domain
Figure 4.5 shows excerpts from the IT Management Organization Worksheet for Pacific Musical Instruments.
Figure 4.5 IT management organization information for Pacific Musical Instruments
Figure 4.2 showed the domains previously defined for Pacific Musical Instruments. Although the Honolulu headquarters domain was considered briefly as the forest root domain, it was not selected because the forest root domain should be a domain that is centrally managed by an IT department that is capable of making naming and policy decisions. At the Honolulu headquarters, two separate departments handle IT management. One department handles IT management for the Honolulu office only, and the other handles IT management for the entire organization. The design team decided to add a dedicated domain as the forest root domain to separate the two IT management departments located in Honolulu and to reap the benefits of using a dedicated forest root domain. Figure 4.6 shows the forest root domain defined for Pacific Musical Instruments.
Figure 4.6 Forest root domain defined for Pacific Musical Instruments
In this lesson you learned how to define the forest root domain for each forest in an organization by assessing an organization's forest root needs and choosing a forest root domain. When choosing a forest root domain, you will either designate an existing domain as the forest root domain or designate an additional, dedicated domain to serve as the forest root domain. The latter method provides certain benefits that may apply to your organization. The forest root domain should be a domain that is centrally managed by an IT department capable of making naming and policy decisions.