Using an Empty Root Domain in AD Forests
An empty root domain can increase your system’s security. Here’s why.
January 13, 2002
Today, many Active Directory (AD) architects are designing their directory with an empty root domain or a dedicated forest root. The root domain is the first domain in the forest and holds two powerful administrative groups: the Schema Admins group, which holds the key to updating your schema, and the Enterprise Admins group, which has powers beyond those of the domain administrator. This root domain also contains the forestwide Flexible Single-Master Operation roles (FSMOs): the Schema Master (the domain controller—DC—on which all schema changes occur) and the Domain Naming Master (the service that keeps domain creation and naming in check throughout the forest). This domain doesn’t, however, contain users. All other objects (e.g., users, groups) exist in a subdomain other than the root.

This design can increase security by limiting access to the Schema Admins and Enterprise Admins groups. In a single-domain environment, a Domain Admin can easily grant himself the privileges of the Schema Admins or Enterprise Admins group. By keeping these groups separate, the Domain Admin has rights only over his own domain and not over the forest-root domain.

One drawback to the empty forest root design, however, is that you need at least one AD server, acting as a DC, in each domain and at least one Global Catalog (GC) in the forest. Future versions of Windows might incorporate multiple partitions on one DC, which would let you consolidate some of your rarely used DCs; for now, however, you need a dedicated server for this purpose.

You need to plan this design carefully and fully understand its ramifications before you implement it. For more information about dedicated forest root domains, refer to Peter Salmeri and James Barrett’s Windows & .NET Magazine article "A Dedicated Forest Root," http://www.winnetmag.com, InstantDoc ID 15975.
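The following PowerShell script is an added example, not part of the original article, that audits a forest against the empty-root design described above: it reports the forest-wide FSMO role holders and GCs, lists Enterprise Admins and Schema Admins membership in the root domain, flags any non-built-in user accounts living in the root, and counts DCs per domain. It assumes the ActiveDirectory RSAT module and a read-only account with access to the root domain; the warning thresholds are the author's assumptions, not the article's.

```powershell
# Added example (not from the original article): audit an AD forest for the
# empty-root design. Assumes the ActiveDirectory RSAT module is installed and
# the caller can read the forest root domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain

Write-Host "Forest root domain  : $($forest.RootDomain)"
Write-Host "Schema Master       : $($forest.SchemaMaster)"
Write-Host "Domain Naming Master: $($forest.DomainNamingMaster)"
Write-Host "Global Catalogs     : $($forest.GlobalCatalogs -join ', ')"

# 1. The forest-wide admin groups exist only in the root domain. List their
#    (recursive) membership; in a well-kept empty root this is a short list.
foreach ($group in 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $group -Server $forest.RootDomain -Recursive |
                 Select-Object -ExpandProperty SamAccountName)
    Write-Host "`n$group members ($($members.Count)):"
    $members | ForEach-Object { Write-Host "  $_" }
    # Assumption (common practice): Schema Admins stays empty except for the
    # duration of a planned schema change.
    if ($group -eq 'Schema Admins' -and $members.Count -gt 0) {
        Write-Warning "Schema Admins is not empty; membership should be temporary."
    }
}

# 2. The root should hold no ordinary user accounts. The built-in accounts
#    (Administrator, Guest, krbtgt) are expected; anything else deserves review.
$builtin = 'Administrator', 'Guest', 'krbtgt'
$users = @(Get-ADUser -Filter * -Server $forest.RootDomain -SearchBase $root.DistinguishedName |
           Where-Object { $builtin -notcontains $_.SamAccountName })
if ($users.Count -gt 0) {
    Write-Warning "Found $($users.Count) non-built-in user account(s) in the root domain:"
    $users | ForEach-Object { Write-Host "  $($_.SamAccountName)  $($_.DistinguishedName)" }
} else {
    Write-Host "`nRoot domain holds only built-in user accounts (as expected)."
}

# 3. Every domain, the root included, needs at least one DC of its own.
#    A single-DC domain is a single point of failure worth calling out.
Write-Host "`nDomain controllers per domain:"
foreach ($d in $forest.Domains) {
    $dcs = @(Get-ADDomainController -Filter * -Server $d)
    $flag = if ($dcs.Count -lt 2) { '  <- only one DC' } else { '' }
    Write-Host ("  {0}: {1} DC(s){2}" -f $d, $dcs.Count, $flag)
}
```

Run it from a workstation joined to any domain in the forest; cross-domain group members are resolved through the root domain, so the account used needs read access there.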