Is "Forest Root" domain necessary for small domain?

[DanIT]

I have 10 sites, with a total of 500 users. In "Best Practice Active Directory Design for Managing Windows Networks", Microsoft says that it is a "best practice" to have the initial domain in a forest established as a root domain with no general users; the bulk of the users and computers become a child domain of that one. Whew...

Is this how others have done it? I want to create a single domain if possible, as we only have a small number of users. I will break it up into 7 OU's to delegate administration to local admins.

I'd be interested in what others have done. Thanks.

Dan

 

[svsawkar]

A few things to note:

One of the big selling points of the empty root setup is that is allows for better delegation and a bit more security.

If all the DC's in the root domain are lost, the entire forest is gone, but if you only have one domain, you'd be in trouble either way.

Having a root domain also allows for an easier expansion path in the future if yo acquire another company and/or decide you want another domain.

If you decide to keep everything in a root domain, remember that the GUID records for the entire forest will be stored in this root forward lookup zone and that the enterprise admins group is all powerful throughout the forest.

/Siddharth