Using an Empty Root Domain

Using a dedicated forest root domain comes at the price of additional hardware, which must have enough redundancy built in even though these servers will be relatively idle. However, the expense may be justified if any of the following benefits apply to your particular design:

■ By having a separate domain that contains Schema Admins and Enterprise Admins, you eliminate a situation in which regular domain administrators in one of your production domains can potentially gain administrative rights to every other domain in the forest. In the separate forest root domain, you can limit membership in these groups to only those individuals who really need the privileges.

■ Since the forest root domain is there only for infrastructure needs and will not contain many objects, the size of the database will be smaller than in other production domains, making it easier to devise a disaster recovery strategy that may include things like off-site domain controllers accepting replication traffic from the forest root domain.

■ Any business restructuring involving additions or removals of domains is less likely to have a dramatic impact on the rest of the domains in the forest if you have a separate forest root domain. Imagine if you had to spin off one division or a subsidiary company from your forest, and all of its resources happened to have been located in the forest root domain. This would require creating another forest and effectively starting from scratch.

■ The forest root domain forms your namespace. If you have to modify the domain tree structure, the fallout from renaming one domain lower in the structure is significantly less than renaming the forest root domain.
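
The first benefit above depends on keeping Schema Admins and Enterprise Admins membership small. The following PowerShell sketch is an added example, not part of the original text: it compares the members of both groups in the forest root domain with an approved list. The distinguished names in the allowlist are constructed placeholders, and the function name Compare-GroupMembership is hypothetical.

```powershell
# Added example: compare forest-wide admin group membership with an approved list.
# Requires the ActiveDirectory module (RSAT) and read access to the forest root domain.
Import-Module ActiveDirectory

# ASSUMPTION: constructed allowlist; replace the placeholder DNs with your own.
$Approved = @{
    'Enterprise Admins' = @('CN=Administrator,CN=Users,DC=root,DC=example')
    'Schema Admins'     = @('CN=Administrator,CN=Users,DC=root,DC=example')
}

function Compare-GroupMembership {
    param([string]$Group, [string[]]$Actual, [string[]]$Allowed)
    # Accounts that hold the privilege but were never approved for it
    foreach ($dn in $Actual) {
        if ($dn -notin $Allowed) {
            [pscustomobject]@{ Group = $Group; Account = $dn; Finding = 'Member not on approved list' }
        }
    }
    # Approved accounts that are missing, which means the allowlist has drifted
    foreach ($dn in $Allowed) {
        if ($dn -notin $Actual) {
            [pscustomobject]@{ Group = $Group; Account = $dn; Finding = 'Approved account not a member' }
        }
    }
}

# Both groups exist only in the forest root domain, so query a DC there.
$rootDomain = (Get-ADForest).RootDomain
$findings = foreach ($group in $Approved.Keys) {
    # -Recursive expands nested groups so indirect members are reported too
    $members = Get-ADGroupMember -Identity $group -Server $rootDomain -Recursive |
        Select-Object -ExpandProperty DistinguishedName
    Compare-GroupMembership -Group $group -Actual $members -Allowed $Approved[$group]
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'Enterprise Admins and Schema Admins match the approved list.' }
```

Run on a schedule, a non-empty result gives an early signal that forest-wide privileges have spread beyond the individuals who need them.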

When selecting hardware for your infrastructure servers, if you must compromise between performance and fault tolerance/disaster recovery features, do not give up fault tolerance in favor of performance. Hardware performance does matter when it comes to Active Directory, but not at the expense of recoverability.

Figure 4-1 demonstrates a sample infrastructure composition, including all elements discussed so far—domains, trees, and forests.

