Forest Root DC removal


Kamil

Hello All,

I have a client that is doing an AD migration and said they were told that
removing the Forest Root DC from the network after everything is installed
is best practice for security reasons.

I have never seen or heard of this being done and I have been through
several big AD implementations in pretty secure environments. I have also
spoken to a few other consultants and they haven't heard that either.

Has anyone ever done this or heard that this is best practice? If so, what
are the benefits? It doesn't seem like a good idea.

Thanks,
Kamil
 
Kamil,

Perhaps you should ask your client how they think the forest will operate
without DCs for the root domain. There is no security risk by having a root
domain, and removing all the DCs presents a problem - DCs are required for a
domain to operate.

--
--Brian Desmond
Windows Server MVP
Http://www.wpcp.org

Beta #469090
 
I can only guess that whoever gave this advice meant to
add a second DC to the root domain and then move the FSMO
roles from the original DC to the second one and then run
DCPROMO to bring down the original root DC. I can't think
of a legitimate reason for this but I am not a security
expert.

If the person suggested that the forest root DC be simply
removed then you lose the Domain Naming master and the
Schema master for the entire forest, and the RID master
PDC Emulator and Infrastructure master for the root
domain. It would be very unpleasant.
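As an added example (not part of any post in this thread): a PowerShell check that lists the forest-level and root-domain FSMO role holders the reply above names and flags any still held by the DC slated for demotion. It assumes the RSAT ActiveDirectory module is installed and that 'ROOTDC01' and 'ROOTDC02' are placeholder names for the original and replacement root DCs.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# and placeholder DC names; replace 'ROOTDC01'/'ROOTDC02' with real hosts.
Import-Module ActiveDirectory

function Get-FsmoRolesHeldBy {
    param(
        [Parameter(Mandatory)] [string] $DcToDemote   # short host name, e.g. 'ROOTDC01'
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $forest.RootDomain

    # Schema and Domain Naming are forest-wide and always live in the root
    # domain; PDC, RID and Infrastructure checked here are the root domain's.
    # (Child domains have their own PDC/RID/Infrastructure holders.)
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($entry in $roles.GetEnumerator()) {
        # Role holders come back as FQDNs; compare on the short host name.
        $holderHost = ($entry.Value -split '\.')[0]
        [pscustomobject]@{
            Role             = $entry.Key
            Holder           = $entry.Value
            OnDemotionTarget = ($holderHost -ieq $DcToDemote)
        }
    }
}

$report = Get-FsmoRolesHeldBy -DcToDemote 'ROOTDC01'
$report | Format-Table -AutoSize

$stillHeld = @($report | Where-Object OnDemotionTarget)
if ($stillHeld.Count -gt 0) {
    Write-Warning ("Transfer these roles before demoting: " + ($stillHeld.Role -join ', '))
    # Transfer (do not seize) the roles to the replacement DC while the
    # original is still online, then re-run this check before demotion:
    # Move-ADDirectoryServerOperationMasterRole -Identity 'ROOTDC02' -OperationMasterRole $stillHeld.Role
} else {
    Write-Output "No FSMO roles remain on ROOTDC01; demotion will not orphan any role."
}
```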
 
Someone has a pretty good sense of humor. Or else the
person that suggested this to the client is related to a
particular genius that works with me and keeps me
gainfully employed. I would fire him if I had the power
but he is too highly placed and he makes my life
interesting.
 