Hi,
From my understanding it used to be the case that the 'best practice' AD
design was to have a parent domain and then a child domain with users/groups
etc. due to issues with security boundaries separation.
Is it the case that now the classical design is to have one domain and to
have a delegated security model and to closely monitor and restrict group
membership to such groups as schema admins?
if yes, does anyone have any links to references for this view?
regards,
Hi
When security boundaries are needed you need a second forest not a child
domain. In most scenarios child domains are not needed.
-Domain aren't security Boundaries -Only forests are security Boundaries.
-Domains should not be used as administrative boundaries
-Active Directory domains, unlike Windows NT domains, are always part of a
forest, and they are not themselves the ultimate security boundary. For
Windows 2000 and later networks, though, domains are the boundaries for
administration and for certain security policies, such as password
complexity and password reuse rules, which cannot be inherited from one
domain to another. Each Active Directory domain is authoritative for the
identity and credentials of the users, computers, and groups that reside in
that domain. However, service administrators have abilities that cross
domain boundaries. For this reason, the forest is the ultimate security
boundary, not the domain.
-A domain is, in fact, a security boundary, but only regarding to the
management of security policies for Active Directory, it does not provide
complete isolation in the face of possible attacks by service
administrators.
-Reasons to Create Multiple Domains: Meet security requirements,Meet
administrative requirements,Optimize replication traffic,Retain Microsoft
Windows NT domains.
-Do not create multiple domains to accommodate polarized groups or for
isolated resources that are not easily assimilated into other domains. Both
the groups and the resources are usually better candidates for
organizational units (OUs).
*When determining whether to create multiple Domains, keep the following
items in mind:
- DNS structure becomes more complex.
-Increase Hardware cost.
- Domain administrators
Each time a domain is added, a Domain Admins pre-defined global group is
added as well. More administration is required to monitor the members of
this group.
- Security principals As domains are added, the likelihood that security
principals will need to be moved between domains becomes greater. Although
moving a security principal between OUs within a domain is a simple
operation, moving a security principal between domains is more complex and
can negatively affect users.
- Group policy and access control Because group policy and access control
are applied at the domain level, if your organization uses group policies or
delegated administration across the enterprise or many domains, the measures
must be applied separately to each domain.
- Domain controller hardware and security facilities Each Windows Server
2003 domain requires at least two domain controllers to support
fault-tolerance and multimaster requirements. In addition, it is recommended
that domain controllers be located in a secure facility with limited access
to prevent physical access by intruders.
- Trust links If a user from one domain must log on in another domain, the
domain controller from the second domain must be able to contact the domain
controller in the user's original domain. In the event of a link failure,
the domain controller might not be able to maintain service. More trust
links, which require setup and maintenance, might be necessary to alleviate
the problem.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Jorge,
Thank you for your informative and extremely quick post. It re-inforces what
I believed to be the best design practive with regard complexity and cost.
Do you know of any Microsoft articles or publications that state this
principle?
I only ask as I am currently designing a new AD forest to integrate after a
buyout and both the place that sold us and the new company that purchased
have the parent - child domain design on the grounds of 'best practice' which
i believe is no longer the case, and am looking for ammunition to build my
case.
regards,
"Jorge Silva" wrote:
> Hi
> When security boundaries are needed you need a second forest not a child
> domain. In most scenarios child domains are not needed.
>
> -Domain aren't security Boundaries -Only forests are security Boundaries.
> -Domains should not be used as administrative boundaries
> -Active Directory domains, unlike Windows NT domains, are always part of a
> forest, and they are not themselves the ultimate security boundary. For
> Windows 2000 and later networks, though, domains are the boundaries for
> administration and for certain security policies, such as password
> complexity and password reuse rules, which cannot be inherited from one
> domain to another. Each Active Directory domain is authoritative for the
> identity and credentials of the users, computers, and groups that reside in
> that domain. However, service administrators have abilities that cross
> domain boundaries. For this reason, the forest is the ultimate security
> boundary, not the domain.
> -A domain is, in fact, a security boundary, but only regarding to the
> management of security policies for Active Directory, it does not provide
> complete isolation in the face of possible attacks by service
> administrators.
> -Reasons to Create Multiple Domains: Meet security requirements,Meet
> administrative requirements,Optimize replication traffic,Retain Microsoft
> Windows NT domains.
> -Do not create multiple domains to accommodate polarized groups or for
> isolated resources that are not easily assimilated into other domains. Both
> the groups and the resources are usually better candidates for
> organizational units (OUs).
>
> *When determining whether to create multiple Domains, keep the following
> items in mind:
> - DNS structure becomes more complex.
> -Increase Hardware cost.
> - Domain administrators
> Each time a domain is added, a Domain Admins pre-defined global group is
> added as well. More administration is required to monitor the members of
> this group.
> - Security principals As domains are added, the likelihood that security
> principals will need to be moved between domains becomes greater. Although
> moving a security principal between OUs within a domain is a simple
> operation, moving a security principal between domains is more complex and
> can negatively affect users.
> - Group policy and access control Because group policy and access control
> are applied at the domain level, if your organization uses group policies or
> delegated administration across the enterprise or many domains, the measures
> must be applied separately to each domain.
> - Domain controller hardware and security facilities Each Windows Server
> 2003 domain requires at least two domain controllers to support
> fault-tolerance and multimaster requirements. In addition, it is recommended
> that domain controllers be located in a secure facility with limited access
> to prevent physical access by intruders.
> - Trust links If a user from one domain must log on in another domain, the
> domain controller from the second domain must be able to contact the domain
> controller in the user's original domain. In the event of a link failure,
> the domain controller might not be able to maintain service. More trust
> links, which require setup and maintenance, might be necessary to alleviate
> the problem.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
>
Check at Microsoft windows documentation, they've lots of info that can help
you out with that.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Posting Permissions
Reply With Quote
Bookmarks