AD design question?

bran

We are currently building a new Active Directory. The question has come up
regarding the forest root domain being basically empty as a best practice, then
adding child domains below. Is there a security reason for following this best
practice?

thx.

ptwilliams

This used to be the recommendation but isn't any longer. It was considered
somewhat more secure than it actually is. Also, the fewer domains, the easier
it is to manage.

There are pros for the empty root, but you'd need a pretty large disparate
environment to utilise them ;-)

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Chriss3 [MVP]

Hello,
An empty forest root does not provide more security, nor does creating a number
of domains within a forest. The forest is the only security boundary in Active
Directory. If you have requirements to isolate a division of the organization,
then you need to create another forest to keep it secure. However, in some
countries the law plays a role in this regarding responsibility.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup

Gary Simmons

You'd create an empty root in order to protect the enterprise roles and
activities. However, this is only an administrative segregation, not
a security segregation.

Gary Simmons

Massimiliano Luciani [MVP]

bran said:
We are currently building a new Active Directory. The question has
come up regarding the forest root domain being basically empty as a best
practice, then adding child domains below. Is there a security reason
for following this best practice?

Hi Bran,
as Christoffer Andersson said, there is no security reason.
The reason for building an empty forest root domain is only political.

Bye
--
Massimiliano Luciani
MCSE:Security MCSA:Security MCDBA
Microsoft MVP ( Windows Server - Networking )

This posting is provided "AS IS" with no warranties and confers no rights

Kieran

Isn't it also the case that your Enterprise and Schema Admins (groups) are in a
completely separate domain, and while this isn't a perfect solution for
protecting them, it's better than nothing?

Ryan Hanisco

The reason for wanting them in a different domain is so that you can apply a
more stringent set of security requirements to them without impacting your
downstream user accounts. They aren't immediately visible to users with
domain accounts and would be more easily spoofed in a different domain.
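An added example, not part of the thread: a PowerShell report of the forest's domains and of the membership of the two forest-wide groups (Enterprise Admins and Schema Admins) that exist only in the root domain, which is what Kieran and Ryan are discussing. It assumes the RSAT ActiveDirectory module and read access to the forest; all names it prints come from your own environment.

```powershell
# Added example (not from the thread): report the forest layout and the
# membership of the forest-wide privileged groups that live only in the
# forest root domain. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain
$dc     = $root.PDCEmulator

Write-Host "Forest root domain : $($forest.RootDomain)"
Write-Host "Domains in forest  : $($forest.Domains -join ', ')"

# Well-known RIDs appended to the root domain SID identify the groups even
# if they have been renamed: 519 = Enterprise Admins, 518 = Schema Admins.
$forestGroups = [ordered]@{
    'Enterprise Admins' = "$($root.DomainSID)-519"
    'Schema Admins'     = "$($root.DomainSID)-518"
}

foreach ($name in $forestGroups.Keys) {
    $group   = Get-ADGroup -Identity $forestGroups[$name] -Server $dc
    $members = @(Get-ADGroupMember -Identity $group -Server $dc -Recursive)
    Write-Host "`n$name ($($group.DistinguishedName)): $($members.Count) member(s)"
    foreach ($m in $members) {
        # Derive the member's domain from its DN; a member homed in a child
        # domain extends forest-level rights to that domain's administrators.
        $memberDomain = ($m.distinguishedName -split ',DC=', 2)[1] -replace ',DC=', '.'
        $note = if ($memberDomain -ne $root.DNSRoot) { '  <-- outside root domain' } else { '' }
        Write-Host ("  {0,-14} {1}{2}" -f $m.objectClass, $m.SamAccountName, $note)
    }
    # Schema Admins is expected to be empty except during a schema change.
    if ($name -eq 'Schema Admins' -and $members.Count -gt 0) {
        Write-Warning 'Schema Admins is not empty; membership should be temporary.'
    }
}
```

Run it as an account with read access to the root domain; an empty root that still shows child-domain accounts in these groups has not gained the separation Ryan describes.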