Archived from groups: microsoft.public.win2000.active_directory
The reason for wanting them in a different domain is so that you can apply a
more stringent set of security requirements on them without impacting your
downstream user accounts. They aren't immediately visible to users with
domain accounts and would be more easily spoofed in a different domain.
--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
"Kieran" <spamie_s_p_a_m@tpg.com.au> wrote in message
news:uSCD6LyIFHA.2480@TK2MSFTNGP10.phx.gbl...
> Isn't it also so that your Enterprise and Schema admins (groups) are in a
> completely separate domain and while this isn't a perfect solution for
> protecting them, it's better than nothing?
>
> "Massimiliano Luciani [MVP]" <maxl-p@online.libero.it> wrote in message
> news:untFQ3A9EHA.1452@TK2MSFTNGP11.phx.gbl...
>> bran wrote:
>>> We are currently building a new Active Directory. The question has
>>> come up regarding forest root domain basically empty as a best
>>> practice, then adding child domains below. Is there a security reason
>>> for following this best practice?
>>
>> Hi Bran,
>> as Christoffer Andersson said, there is no reason about security.
>> The reason for building a forest root domain empty is only political.
>>
>>> thx.
>>
>> Bye
>> --
>> Massimiliano Luciani
>> MCSE:Security MCSA:Security MCDBA
>> Microsoft MVP ( Windows Server - Networking )
>>
>> This posting is provided "AS IS" with no warranties and confers no rights
>>
>
>