Overview of Deploying the Forest Root Domain

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The first domain that you create in your Active Directory forest is automatically designated as the forest root domain. The forest root domain provides the foundation for your Active Directory forest infrastructure. You must create the forest root domain before you create regional domains or upgrade other Microsoft® Windows NT® 4.0 domains in order to join them to an existing forest. In addition, services that are running on forest root domain controllers, such as the Kerberos version 5 authentication protocol, must be highly available to ensure that users maintain access to resources throughout the forest.

Before you deploy your forest root domain, your design team must design your Active Directory logical structure and site topology and plan your hardware requirements for domain controllers that are running the Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition; and Windows® Server 2003, Datacenter Edition operating systems. During the forest root domain deployment, you begin to implement the Active Directory design that your design team has provided, including the DNS infrastructure that Active Directory requires.

The forest owner is responsible for deploying the forest root domain. After the forest root domain deployment is complete, deploy the remainder of your Active Directory forest as specified by your Active Directory design. The tasks that you must perform to deploy the remainder of your Active Directory forest depend on whether your design specifies a single domain forest or a multiple domain forest.

  • Single domain forest. If your Active Directory forest design requires only a single domain, then the forest root domain will also contain all your users, groups, and resources. To deploy this model, you can create an organizational unit (OU) structure after the forest root domain deployment is complete. Then you can restructure Windows NT account and resource domains into the forest root domain.

  • Multiple domain forest. In a multiple domain design, the forest root domain can be a dedicated root used only for administration of the forest, or it can contain users, groups, and resources in addition to the forest administration accounts. Once the forest root domain is deployed, the forest owner will create one or more regional child domains to complete the Active Directory forest hierarchy. The regional domains can be created either by upgrading existing Windows NT 4.0 or Microsoft® Windows® 2000 domains or by deploying additional new domains.

For more information about upgrading Windows NT domains, see "Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory" in this book. For more information about deploying additional regional domains, see "Deploying Windows Server 2003 Regional Domains" in this book. For more information about restructuring Windows NT domains, see "Restructuring Windows NT 4.0 Domains to an Active Directory Forest" in this book.