The administrator: he/she is part of the Administrators group and has all rights in the domain. The enterprise admin has all the rights on the forest/domain; both are default groups. You can rename your administrator's name and make him part of this group.
The forest root domain first makes the Enterprise Admins and Schema Admins groups.
These are called service administrator groups, which are used to manage forest-level operations such as the addition and removal of domains and the implementation of changes to the schema.
The first domain that you deploy in an Active Directory forest is called the forest root domain. This domain remains the forest root domain for the life cycle of the AD.
Forest root domain
Forest: Schema Admin, Enterprise admin, schema admin, domain admin, local machine administrator
The first is the parent domain, and everything after that is a child domain. So you might have something like: parent.local, this would be the first domain of the parent domain; child.parent.local is the second or child domain.
forest root domain
first domain controller in the forest root domain.
First Domain controller in the forest
Forest Root Domain
The root server in general is . .com, .org etc., but in your domain the first DC in the forest/domain is the one.
The domain admin account members are allowed administrative privileges for the entire domain. By default, the group has the local Administrator account on the Domain Controller as its member. A built-in group. After the first time installation of the OS, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group.
global forest
The term 'domain' is too general to compare to the idea of a forest. A domain and the AD can be a part of a forest. This includes: domain controllers, child domains, domain functionality, replicators, directory service and so on. The concept of creating a forest was first introduced in the Windows 2003 AD architecture. Suffice to say interoperability with Server 2000 and NT (which do not recognize the forest) poses limitations and security issues. Hence four levels of functionality. Some are, in my opinion, basically unsound with regards to the security levels of a forest. A forest is not to be taken lightly. It requires much research and preparation. The term 'domain' applies across the board in a forest. Moreover, a forest relies on security. The PC on which you start the first installation of a forest will be considered the root and will hold the high level admins such as the enterprise and schema admins. Making forest trusts (only on root domain) facilitates communications between domains and ADs that share the same SPN (service principal name) which have to be resolved at a remote location in another forest. The configuration also requires IAS, Kerberos, UPN, SPD, SID namespaces ... What am I forgetting? Thinking about configuring the root forest on the first PC makes you dizzy with abbreviations, acronyms, protocols, group security, etc. Comprehensive research and planning are crucial. Managing forests and domains is hard enough as it is. I'd say this basic principle of security properties could be considered the largest difference between a 'forest' and a 'domain'.
It is required when adding the first domain controller in a forest