AD design question?


bran

We are currently building a new active directory. The question has come up
regarding the forest root domain being basically empty as a best practice, then adding
child domains below. Is there a security reason for following this best
practice?

thx.
 
This used to be the recommendation but isn't any longer. It was considered
somewhat more secure than it actually is. Also, the fewer domains, the easier
it is to manage.

There are pro's for the empty root, but you'd need a pretty large disparate
environment to utilise them ;-)

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 
Hello,
An empty forest root does not provide more security, nor does creating a number of
domains within a forest. The forest is the only security boundary in Active
Directory. If you have requirements to isolate a division of the
organization, then you need to create another forest to keep it secure. However,
in some countries laws have a role in this for the responsibility.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
You'd create an empty root in order to protect the enterprise roles and
activities. However, this is only an administrative segregation, not
a security segregation.

Gary Simmons

 
bran said:
We are currently building a new active directory. The question has
come up regarding the forest root domain being basically empty as a best
practice, then adding child domains below. Is there a security reason
for following this best practice?

Hi Bran,
as Christoffer Andersson said, there is no reason about security.
The reason for building a forest root domain empty is only political.

Bye
--
Massimiliano Luciani
MCSE:Security MCSA:Security MCDBA
Microsoft MVP ( Windows Server - Networking )

This posting is provided "AS IS" with no warranties and confers no rights
 
Isn't it also so that your Enterprise and Schema admins (groups) are in a
completely separate domain and while this isn't a perfect solution for
protecting them, it's better than nothing?
 
The reason for wanting them in a different domain is so that you can apply a
more stringent set of security requirements on them without impacting your
downstream user accounts. They aren't immediately visible to users with
domain accounts and would be more easily spoofed in a different domain.
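Whichever way the design decision goes, the practical check that follows from the last two posts is whether the forest-level groups actually stay as small as intended. The script below is an added example for this thread, not code from any of the posters; it assumes the RSAT ActiveDirectory module and read access to the forest root domain, and it reports every member of Enterprise Admins and Schema Admins, flagging accounts that come from a domain other than the root (the situation an empty root is meant to avoid).

```powershell
# Added example (not from the thread): audit the forest-level privileged groups.
# Assumes the ActiveDirectory (RSAT) module and read rights on the forest root domain.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDom = Get-ADDomain -Identity $forest.RootDomain

# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so query that domain explicitly rather than the current user's domain.
$report = foreach ($groupName in 'Enterprise Admins', 'Schema Admins') {
    $members = Get-ADGroupMember -Identity $groupName -Server $forest.RootDomain -Recursive

    if (-not $members) {
        # Schema Admins in particular is expected to be empty outside schema changes.
        [pscustomobject]@{ Group = $groupName; Member = '(empty)'; ObjectClass = ''; InRootDomain = $true }
        continue
    }

    foreach ($m in $members) {
        # Compare the domain part of the member's SID with the root domain SID.
        # A DN suffix match would be wrong here: a child domain's DN also ends
        # with the root domain's DC components.
        $fromRoot = ($m.SID.AccountDomainSid -eq $rootDom.DomainSID)
        [pscustomobject]@{
            Group        = $groupName
            Member       = $m.SamAccountName
            ObjectClass  = $m.objectClass
            InRootDomain = $fromRoot
        }
    }
}

$report | Format-Table -AutoSize

# Surface the cases that undermine the "protected root" intent.
$report | Where-Object { -not $_.InRootDomain } | ForEach-Object {
    Write-Warning "$($_.Member) ($($_.ObjectClass)) in '$($_.Group)' is from a non-root domain"
}
```

Run it from a workstation joined to any domain in the forest; the `-Server` parameter pins the lookup to the root domain regardless of where the session is logged on. Scheduling it and diffing successive outputs turns it into a simple change detector for the two groups that matter most at the forest level.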
 