Re: AD design question....again

What do you want to secure against? If you are just going to have students and teachers as users and one set of admins, you shouldn't need security that requires separate forests. You get separate forests when you can't trust the different sets of admins.

On your final question, "can someone explain how someone in a child domain can compromise the forest security"... No, I hope no one does tell you. It isn't something people should be explaining in public forums because there is nothing you can do about it. Just know that it is indeed quite easily possible for someone with control of any single DC in the forest to gain control over the entire forest. At one end of the scale someone could start with ONLY physical access to a DC, and at the other end you could start with someone with Server Op or Administrator rights on a DC with no physical access. It is just a matter of hops to get to Enterprise Admins. Just as soon as Microsoft changes the core design of AD enough such that this type of escalation can be completely blocked and I apply it for all of my customers, I would be happy to describe how to do this in rich detail.

Note that the problem isn't just with "the administrator" account. Any account with too many rights to the domain or DCs is a problem. This includes EAs, DAs, ServOps, PrintOps, Backup Ops, people with interactive logon rights to DCs, people with ability to modify system files or services on DCs including printers.

Set up a single domain forest if you have no real reason to do otherwise, and have a small set of people, say 3-5 tops, who have DA/EA level rights, with everyone else being normal users, some of whom have delegated rights to manipulate data in the directory.

The main technical reason for having separate domains in a single forest is the desire to have different password policies. In Longhorn AD, due out at the end of this year, it is no longer necessary to have multiple domains to have multiple policies.


Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition

---O'Reilly Active Directory Third Edition now available---

phil2627@xxxxxxxxx wrote:
We are in a school district with 500 staff and 4000 non-staff. We are still undecided on the model, but know the following:
- the only really secure model is separate forests, where staff could be in one and non-staff in the other, with trusts set up to let certain staff access resources in the other forest
- the one forest, one domain model is simple, and the suggested way to go unless there are political or admin delegation reasons
- the empty root domain model would not "secure" the enterprise admin accounts. But can Domain Admins in a child domain access the Enterprise Admins group without physical access to the servers?

We would like to go with the single domain as, if we secure the administrator account, no user should be able to gain access to the Domain Admins or Enterprise Admins group.

With the Empty Root model the enterprise account is in its own domain, which somewhat secures it, but this model requires more hardware.

If someone could please explain how a person in a child domain can gain access to the enterprise account and compromise the security of the forest overall, I can go on with completing our single domain model. Thanks.
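The practical check that follows from Joe's advice above is to audit who actually holds the rights he lists (EA, DA, Administrators, and the Operator groups) and keep that list down to the 3-5 people he suggests. The script below is an added example written for this page; it is not from either poster or from Microsoft. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller can read group membership, and it treats the group list and the threshold of 5 as assumptions chosen to match the post rather than anything the thread states.

```powershell
# Added example (not from the original thread): enumerate the groups the reply
# describes as having "too many rights to the domain or DCs" and flag membership
# that exceeds the 3-5 person guideline. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$MaxHighPrivAccounts = 5   # assumption: upper bound of the "3-5 tops" guideline

# Enterprise Admins lives only in the forest root domain. In a single-domain
# forest that is the same domain as the local one, but query the root
# explicitly so the script also works from a child domain.
$forest  = Get-ADForest
$rootDC  = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
$localDC = (Get-ADDomain).PDCEmulator

# Groups whose members effectively control the DCs (per the post).
$highPriv = @(
    @{ Name = 'Enterprise Admins'; Server = $rootDC  },
    @{ Name = 'Domain Admins';     Server = $localDC },
    @{ Name = 'Administrators';    Server = $localDC }
)
# Operator groups the post also calls out; these should normally be empty.
$operatorGroups = 'Server Operators', 'Print Operators', 'Backup Operators', 'Account Operators'

function Get-EffectiveMembers {
    param([string]$Group, [string]$Server)
    # -Recursive expands nested groups, so a user hidden three levels deep
    # inside a nested group is still counted. @() forces an array even when
    # the group is empty, so .Count and += behave.
    return @(
        Get-ADGroupMember -Identity $Group -Server $Server -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName |
            Sort-Object -Unique
    )
}

$allHighPriv = @()
foreach ($g in $highPriv) {
    $members = Get-EffectiveMembers -Group $g.Name -Server $g.Server
    Write-Host ("{0,-20} {1,3} effective user(s): {2}" -f $g.Name, $members.Count, ($members -join ', '))
    $allHighPriv += $members
}

# One person in all three groups is still one person, so count distinct accounts.
$distinct = @($allHighPriv | Sort-Object -Unique)
Write-Host ""
Write-Host ("Distinct accounts with EA/DA/Administrators rights: {0}" -f $distinct.Count)
if ($distinct.Count -gt $MaxHighPrivAccounts) {
    Write-Warning ("More than {0} accounts hold forest-level rights; trim this list." -f $MaxHighPrivAccounts)
}

# Any member of an Operator group is an escalation path to the DCs, so list
# them by name rather than just counting.
foreach ($name in $operatorGroups) {
    $members = Get-EffectiveMembers -Group $name -Server $localDC
    if ($members.Count -gt 0) {
        Write-Warning ("{0} is not empty: {1}" -f $name, ($members -join ', '))
    }
}
```

Run it from a domain-joined admin workstation with an account that can read the directory; it only reads, never modifies. Membership in the built-in Administrators group is checked alongside DA and EA because, as the reply notes, the escalation problem is not limited to "the administrator" account but to anyone with rights on the DCs.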