AD design question?

Guest
Archived from groups: microsoft.public.win2000.active_directory

We are currently building a new Active Directory. The question has come up
regarding keeping the forest root domain basically empty as a best practice, then adding
child domains below. Is there a security reason for following this best
practice?

thx.
 
Guest

This used to be the recommendation but isn't any longer. It was considered
somewhat more secure than it actually is. Also, the fewer domains, the easier
it is to manage.

There are pros for the empty root, but you'd need a pretty large disparate
environment to utilise them ;-)

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 
Guest

Hello,
An empty forest root does not provide more security, nor does creating a number of
domains within a forest. The forest is the only security boundary in Active
Directory. If you have requirements to isolate a division of the
organization, then you need to create another forest to keep it secure.
However, in some countries laws have a role in this for the responsibility.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

 
Guest

You'd create an empty root in order to protect the enterprise roles and
activities. However, this is only an administrative segregation, not
a security segregation.

Gary Simmons

gsimmons.uk@gmail.com

 
Guest

bran wrote:
> We are currently building a new Active Directory. The question has
> come up regarding keeping the forest root domain basically empty as a best
> practice, then adding child domains below. Is there a security reason
> for following this best practice?

Hi Bran,
as Christoffer Andersson said, there is no reason related to security.
The reason for building an empty forest root domain is only political.

> thx.

Bye
--
Massimiliano Luciani
MCSE:Security MCSA:Security MCDBA
Microsoft MVP ( Windows Server - Networking )

This posting is provided "AS IS" with no warranties and confers no rights
 

Kieran

Isn't it also the case that your Enterprise and Schema Admins (groups) are in a
completely separate domain, and while this isn't a perfect solution for
protecting them, it's better than nothing?

 
Guest

The reason for wanting them in a different domain is so that you can apply a
more stringent set of security requirements on them without impacting your
downstream user accounts. They aren't immediately visible to users with
domain accounts and would be more easily spoofed in a different domain.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services

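An added example, not posted by anyone in this thread, that shows from the defender's side where the forest-level groups discussed above actually live and who is in them: Enterprise Admins and Schema Admins exist only in the forest root domain, whether or not that root is kept empty. It assumes the RSAT ActiveDirectory PowerShell module and an account that can read group membership in every domain of the forest.

```powershell
# Added example, not from the thread: audit the forest-level admin groups.
# Assumes the RSAT ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain

# Map each domain SID in the forest to its DNS name, so every member can be
# attributed to the domain it was created in.
$domainBySid = @{}
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $domainBySid[$dom.DomainSID.Value] = $dom.DNSRoot
}

# Enterprise Admins (RID 519) and Schema Admins (RID 518) are created only in
# the forest root domain; their SIDs are the root domain SID plus the RID.
$forestGroups = [ordered]@{
    'Enterprise Admins' = "$($root.DomainSID.Value)-519"
    'Schema Admins'     = "$($root.DomainSID.Value)-518"
}

$report = foreach ($name in $forestGroups.Keys) {
    $members = Get-ADGroupMember -Identity $forestGroups[$name] `
                                 -Server $root.PDCEmulator -Recursive
    foreach ($m in $members) {
        $memberSid = $m.SID.Value
        $domainSid = $memberSid.Substring(0, $memberSid.LastIndexOf('-'))
        [pscustomobject]@{
            Group        = $name
            Member       = $m.SamAccountName
            ObjectClass  = $m.objectClass
            MemberDomain = $domainBySid[$domainSid]
            InRootDomain = ($domainSid -eq $root.DomainSID.Value)
        }
    }
}

$report | Format-Table -AutoSize

# Schema Admins is normally kept empty and only populated for a schema change;
# Enterprise Admins should hold a small, known set of root-domain accounts.
$schema = @($report | Where-Object { $_.Group -eq 'Schema Admins' })
if ($schema.Count -gt 0) {
    Write-Warning "Schema Admins has $($schema.Count) member(s); expected empty outside schema changes."
}
$outside = @($report | Where-Object { $_.Group -eq 'Enterprise Admins' -and -not $_.InRootDomain })
if ($outside.Count -gt 0) {
    Write-Warning "Enterprise Admins contains $($outside.Count) account(s) from child domains."
}
```

Running this on a schedule and diffing the output is a cheap way to notice membership drift in the forest root, which is the administrative segregation the thread is talking about.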