Designing a Windows Server 2008 R2 Active Directory : Understanding the Empty-Root Domain Model

1/24/2011 4:58:50 PM
The schema is the most critical component of AD DS and should, therefore, be protected and guarded closely. Unauthorized access to the schema master domain controller for a forest can cause some serious problems and is probably the best way to corrupt the entire directory. Needless to say, segregation of the keys to the schema from the user base is a wise option to consider. From this concept was born the empty-root domain model, shown in Figure 1.
Figure 1. Empty-root domain model with an unpopulated forest root.

In short, the peer-root domain model makes use of an unpopulated forest root domain that exists solely to segregate the schema master function from the rest of the network.

In Figure 1, the domain is used for all user and computer accounts, whereas the abcschema.root domain is the peer-root domain that holds the schema master role for the company. Most users would not even be aware of the fact that this domain exists, which makes it even more secure.

The one major disadvantage to this design model lies in the hardware costs. Because a separate domain is necessary, at least one extra domain controller will be needed as part of the design plan, and preferably two for redundancy issues. This domain controller for the empty-root domain will not need to be the speediest machine because it will not perform much work, but it should definitely be made redundant, because the forest-specific FSMO roles will be handled by the machine.


Instead of using a physical hardware system for the schema master, an organization could choose to use Windows Server 2008 R2 Hyper-V virtualization and create virtual domain controllers for the empty-root domain. This would help to reduce the costs of deploying the empty-root model. Do be sure to treat these virtual machines with the same respect as you would any other domain controller, with regular maintenance and backups, as losing the forest root would be disastrous for the other domains in the forest.

Determining When to Choose the Empty-Root Model

Security needs vary from organization to organization. A company that performs top-secret work for the military is going to have drastically different security issues than a company that manufactures toys. Consequently, if the needs of your organization require a greater amount of security, the peer-root domain model might be the right one for you.

An additional advantage that this type of environment gives you is the flexibility to rename domains, add domains, and essentially move in and out of subdomains without the need to rename the forest. Although the domain rename tool exists in Windows Server 2008 R2, undertaking this task is still complicated, and using the peer-root model can help to simplify changes. In a merger, for example, if your peer root is named and all your resource domains are located in in the same forest, it becomes much easier to add into your forest by joining it to the domain.

The beauty of the peer-root domain model is that it can be incorporated into any one of the previously defined domain models. For example, a large grouping of trees with published namespaces can have a forest root with any name desired.

The example shown in Figure 2 demonstrates how this type of environment could conceivably be configured. The flexibility of AD DS is not limited by this design model because the options available for multiple configurations still exist.

Figure 2. The empty-root domain model using different domain tree names throughout the forest.

Of course, many organizations often cannot justify the increased hardware costs, and this type of design model can prove to be more costly. Realistically, at least two domain controllers need to be established in the root domain to handle authentication requests and to provide for redundancy within the domain. Keeping these costs in mind, it is important to align your organization’s security requirements with the cost-benefit ratio of this design model.

Examining a Real-World Empty-Root Domain Design Example

CompanyD is a biomedical corporation centered in the San Francisco Bay area. Infrastructure security is highly important for the organization, and the company needs to ensure that directory information is safe and secure in the network environment. The IT organization is centralized, and most employees are located at the main headquarters building.

The administrators of CompanyD originally chose AD DS and Windows Server 2008 R2 to provide for robust security for their environment and to take advantage of the increased functionality. However, management was concerned about limiting access to vital components of the directory service, such as the schema. Further investigation into the varying domain design models for AD DS uncovered the peer-root domain model as a fully functional substitute to the single domain model, but with the added schema security that they desired. This resulted in a forest structure similar to the one shown in Figure 3.

Figure 3. Peer-root domain with schema security for added protection and integrity.

Organizational units were created for each department and placed in the domain. The only user account in the rootd.peer domain is the Administrator account for the forest. Access to this account was limited to a choice group of high-level administrators. This helped to control access to the schema root for the security-conscious organization and provided for the simplicity of a single domain environment for its users.

  •  Windows 7: Managing Software Once It’s Installed (part 3) - Viewing and Managing Startup Programs
  •  Windows 7: Managing Software Once It’s Installed (part 2) - Viewing and Managing Currently Running Programs
  •  Windows 7: Managing Software Once It’s Installed (part 1) - Assigning Default Programs
  •  Designing a Windows Server 2008 R2 Active Directory : Understanding the Federated Forests Design Model
  •  Designing a Windows Server 2008 R2 Active Directory : Understanding the Multiple Trees in a Single Forest Model
  •  Windows 7 : Installing and Running Your Software (part 2) - Using Older Programs with Windows 7
  •  Windows 7 : Installing and Running Your Software (part 1)
  •  Windows 7 : Software Installation - What You Need to Know
  •  Designing a Windows Server 2008 R2 Active Directory : Understanding the Multiple Domain Model
  •  Designing a Windows Server 2008 R2 Active Directory : Understanding the Single Domain Model
    PS4 game trailer XBox One game trailer
    WiiU game trailer 3ds game trailer
    Top 10 Video Game
    -   Anno 2025 - E3 2015 Intro Trailer
    -   Awesome GTA V Sniper Chopper Kill
    -   Awesome GTA V Parachute Video
    -   GTA V Explosive Ammo Rounds with Bikini
    -   Funny GTA V Road Rage Clip
    -   Cool GTA V Motorbike Jump
    -   When a Mouse Jacks Your Truck in GTA V
    -   Pig Riding a Motorbike in GTA V
    -   Using an Uzi While Driving in GTA V
    -   PlayStation 4 Ultimate Player 1TB Edition | Reveal Announcement
    -   Dreamfall Chapters Book Three: Realms [PC] Zoe Trailer
    -   Street Fighter V Trailer
    -   Beyond Flesh and Blood | Beetham Folly Gameplay 1
    -   Uncharted 4: A Thief's End | E3 2015 Gameplay Demo PS4
    -   World of Warcraft | Patch 6.2 Survival Guide
    Game of War | Kate Upton Commercial