Forest root domain

The first domain set up in the forest becomes the forest root domain. This root domain contains two important privileged groups: Enterprise Admins and Schema Admins. Members of these security groups can add/remove domains and modify the Active Directory schema.

In the multiple domain model, there are two ways to define the forest root domain:

  • Dedicated forest root domain: A separate domain that operates as the forest root domain. It will not contain any regular user accounts, objects, or resources. It will contain only the service administrator accounts. All other domains in the forest will be child domains of this root domain. In a single domain environment, domain administrators can add themselves to the Enterprise Admins or Schema Admins group. But when you have a separate root domain, child domain administrators will not be able to add themselves to these privileged groups; that can only be done from the forest root domain level. The dedicated forest root domain should not share a geographical naming convention, and its name should be separate from the names of the child domains. For example, rebeladmin.com can be a root domain name instead of Europe.rebeladmin.com.
  • Regional forest root domain: If you're not going to use a separate forest root domain, a regional domain can also be selected as the forest root domain. It will be the parent domain for all other regional domains. For example, HQ.rebeladmin.com can be the regional root domain. This domain can contain regular user accounts, groups, and resources.
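
To check an existing forest against the two models above, the following PowerShell (an added example, not from the original text) lists who holds Enterprise Admins and Schema Admins membership and counts the enabled user accounts in the root domain. It assumes the ActiveDirectory module (RSAT) is installed and that you have read access to the forest; the function names Get-ForestRootPrivilegedMember and Get-ForestRootUserCount are hypothetical.

```powershell
# Added example: audit the forest root domain of the current forest.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Hypothetical helper: list members of the two forest-wide privileged groups.
function Get-ForestRootPrivilegedMember {
    $rootDomain = (Get-ADForest).RootDomain
    $rootDN     = (Get-ADDomain -Identity $rootDomain).DistinguishedName

    foreach ($groupName in 'Enterprise Admins', 'Schema Admins') {
        # Both groups exist only in the forest root domain, so query it directly.
        $members = Get-ADGroupMember -Identity $groupName -Server $rootDomain -Recursive
        foreach ($m in $members) {
            # Keep only the DC= components to get the member's home domain.
            # A plain suffix match would wrongly treat child domains as the root.
            $memberDomainDN = ($m.DistinguishedName -split ',' |
                Where-Object { $_ -like 'DC=*' }) -join ','

            [pscustomobject]@{
                Group        = $groupName
                Member       = $m.SamAccountName
                ObjectClass  = $m.objectClass
                MemberDomain = $memberDomainDN
                # False means the account lives in a child domain.
                InRootDomain = ($memberDomainDN -eq $rootDN)
            }
        }
    }
}

# Hypothetical helper: count enabled user accounts in the root domain.
# A dedicated root should hold only a handful of service administrator
# accounts; a large count indicates a regional root domain.
function Get-ForestRootUserCount {
    $rootDomain = (Get-ADForest).RootDomain
    $users = @(Get-ADUser -Filter 'Enabled -eq $true' -Server $rootDomain)
    [pscustomobject]@{
        RootDomain        = $rootDomain
        EnabledUserCount  = $users.Count
    }
}

Get-ForestRootPrivilegedMember | Sort-Object Group, Member | Format-Table -AutoSize
Get-ForestRootUserCount
```

Rows with InRootDomain set to False show accounts from child domains that hold forest-wide privileges, which is worth reviewing when the design calls for a dedicated forest root domain.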

By now, we have all the required information to design the domain structure. The next step will be to determine domain and forest functional levels.
