Re: Single Domain Vs. Multiple Domain for a Global Enterprise (70 countries)
- From: "Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Tue, 25 Jul 2006 21:59:09 +0200
for security sake....
there is NO added advantage in having multiple domains within a forest when
talking about security!
EACH domain admin within EACH AD domain MUST be fully trusted!!!
If not... separate forest...
each domain admin or other person that has physical access to whatever DC in the
forest (yes, in the forest, not the domain as that does not matter) can gain
enterprise admin access and do whatever he/she wants
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
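The point above, that the forest and not the domain is the security boundary, means the set of people who "MUST be fully trusted" is the union of every domain's admin groups plus everyone with physical access to any writable DC. The script below is an added example for reviewing that set; it is not code from either poster. It assumes the RSAT ActiveDirectory PowerShell module and an account that can read every domain in the forest, and it enumerates the members of Domain Admins and builtin Administrators in each domain, Enterprise Admins and Schema Admins in the root domain, and every DC with its site and whether it is read-only.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module is
# installed and the running account has read access to all domains in the forest.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain

# Forest-wide privileged groups exist only in the root domain
# (well-known RIDs: 519 = Enterprise Admins, 518 = Schema Admins).
$forestGroups = @{
    'Enterprise Admins' = "$($rootDomain.DomainSID)-519"
    'Schema Admins'     = "$($rootDomain.DomainSID)-518"
}

function Get-PrivilegedMembers {
    param([string]$Server, [string]$GroupSid, [string]$Label)
    try {
        # -Recursive expands nested groups so transitive members are not missed
        Get-ADGroupMember -Identity $GroupSid -Server $Server -Recursive -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Domain = $Server
                    Group  = $Label
                    Member = $_.SamAccountName
                    Class  = $_.objectClass
                    # A SID whose domain prefix differs from $Server is a cross-domain member
                    SID    = $_.SID.Value
                }
            }
    } catch {
        Write-Warning "Could not expand $Label in $Server : $($_.Exception.Message)"
    }
}

$admins = @()
foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Identity $name
    # Per-domain groups: Domain Admins (RID 512) and builtin Administrators (S-1-5-32-544)
    $admins += Get-PrivilegedMembers -Server $name -GroupSid "$($domain.DomainSID)-512" -Label 'Domain Admins'
    $admins += Get-PrivilegedMembers -Server $name -GroupSid 'S-1-5-32-544'                -Label 'Administrators'
}
foreach ($label in $forestGroups.Keys) {
    $admins += Get-PrivilegedMembers -Server $forest.RootDomain -GroupSid $forestGroups[$label] -Label $label
}

# Every DC in the forest with its AD site: a writable DC in a site whose
# physical security cannot be guaranteed is exactly the exposure discussed above.
$dcs = foreach ($name in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $name |
        Select-Object Domain, Name, Site, IsReadOnly, IsGlobalCatalog
}

$admins | Sort-Object Domain, Group, Member | Format-Table -AutoSize
$dcs    | Sort-Object Site, Domain          | Format-Table -AutoSize
```

Run it from a management host in the root domain; the first table is the real list of accounts the whole forest is trusting, whichever domain they were created in, and the second shows which of those sites hold a writable DC. Get-ADGroupMember can fail to expand groups that contain foreign security principals from another domain, which the builtin Administrators group often does in a multi-domain forest; the function warns rather than aborts in that case, and reading the group's member attribute directly is the fallback.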
"Domenico Palombo" <dpalombo@xxxxxxxxxxxx> wrote in message
news:1153857044.409513.158410@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
From: "Domenico Palombo" <dpalombo@xxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.active_directory
Subject: Single Domain Vs. Multiple Domains - Global Enterprise
Date: Tue, 25 Jul 2006 12:47:24 -0700
Hi All,
We have been having this debate for over a year now and was wondering
if I couldn't get some input from any AD experts out there. I even
brought up this issue on a visit to Microsoft HQ in Redmond, and
received mixed responses.
We are an organization spanning the globe in 70 countries. We
currently operate as one forest in the US, and one forest in each
individual country. No trusts have been established. We are planning
on migrating to a global AD, however there has been serious debate
about the domain structure -- should we implement a single
forest-single domain, or a single forest-multiple domain model.
Most of our sites are in developing countries with limited bandwidth.
Sites that do not have 128k lines have VSAT installations (with about
500ms latency). We have tested VPN tunnels over these lines and
effective bandwidth goes down to about 56k. The connections in some
countries are flaky, and sometimes we experience outages in locations
for up to a week.
We are estimating about 3,500 users in our directory. We also have a
support model where a network admin is at each country with full domain
admin rights (of their domain.) For ease of management and support,
people have supported the single domain model with host country admins
being given rights over their respective OUs. I still see this is a
major security risk... (I would prefer to have them admins of their own
child domain...yes SID filtering is possible, but the probability of
that happening is a lot lower than someone giving themselves admin
rights in a global domain that they have physical access to DCs).
Maintaining network security standards (and regulatory compliance) is
critical.
I have been an advocate of a multiple domain model simply for the fact
of minimizing replication of global AD data, while also maintaining
security standards. In some countries, physical security of our
servers cannot be guaranteed.
So, there is our scenario...single global domain over a weak WAN with
weak physical security, or multiple child domains in a single forest.
Any advice would be appreciated!!!
Domenico Palombo
MCSE 2003 Security, CISSP, CCSP