Re: Active Directory Design



In news:%23EHCtfryGHA.5048@xxxxxxxxxxxxxxxxxxxx,
Jorge Silva <jorgesilva_pt@xxxxxxxxxxx> stated, which I commented on below:
Hi

Child domains for this... No.

Can you add the workgroup servers to your domain, and assign the
correct permissions based on existing AD users?
If you want a completely separate security solution the best would be a
separate forest or a workgroup environment (which you already have).
Don't create child domains for this because you can be very sorry:
domains aren't security boundaries.

And you'll see more posts here warning you about the related security
consequences of this type of configuration (child domains).

I agree with making them stand-alone servers in their own workgroup or a separate
forest. I think a forest, or what I mean by that is just promoting their machine
to a DC, would be overkill. Making them stand-alone servers (not joined to
any domain) should be fine.

As far as a domain being a security boundary, it is in the sense of account
authentication. Comparing one domain to another, either in its own forest or in
different forests, they have their own security principals, such as users,
groups and computer objects, which are domain specific (Domain NC).

Also, if I may add, and I apologize if you are already aware of this, we can
also look at a domain as a logical boundary, since no physical aspect
governs the boundaries of a domain.

And I agree to forget child domains in this scenario. Funny thing is, the
Config Container can be modified by other (child) domain admins, which is
one reason not to go with child domains or additional trees, unless that was
changed. I haven't tested it in 2003 yet. There was something else about
this in ADSI Edit too, but I can't remember right now.

Ace
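Editor's note: the "Config Container can be modified by child domain admins" point above is the crux of why a forest, not a domain, is the security boundary, and it is easy to verify rather than remember. The script below is an added example, not code from the original thread or from either poster. It shows two things about the Configuration naming context (NC): which trustees hold write-class rights in its DACL, and which domain controllers in the forest hold a writable replica of it. It assumes a domain-joined Windows host, a user who can read the Configuration NC, and only the built-in System.DirectoryServices classes (no RSAT module). Deriving the DC name from the second RDN of the NTDS Settings DN is a simplification (it ignores escaped commas in DNs) and the attribute names msDS-hasMasterNCs / hasMasterNCs are read together so that both Windows 2000-era and later DCs are covered.

```powershell
# Added example (not from the original post). Inspects the Configuration NC, which every
# writable domain controller in every domain of the forest holds a writable replica of.
# Assumptions: domain-joined host; caller can read the Configuration NC; no RSAT needed.

Set-StrictMode -Version Latest

function Get-ConfigNCDistinguishedName {
    # RootDSE publishes the DN of the forest-wide Configuration NC.
    $rootDse = [ADSI]'LDAP://RootDSE'
    [string]$rootDse.configurationNamingContext
}

function Get-ConfigNCWriteTrustees {
    # Lists every trustee that is explicitly allowed a right which can change the NC head,
    # its children, or its ownership/DACL.
    param([string]$ConfigDn = (Get-ConfigNCDistinguishedName))

    $config = [ADSI]"LDAP://$ConfigDn"
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree'

    $config.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band [int]$writeMask) -ne 0)
        } |
        Select-Object @{ n = 'Trustee';   e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';    e = { $_.ActiveDirectoryRights } },
                      @{ n = 'AppliesTo'; e = { $_.InheritanceType } },
                      IsInherited |
        Sort-Object Trustee, Rights -Unique
}

function Get-ConfigNCReplicaHolders {
    # Each DC's NTDS Settings object (class nTDSDSA; read-only DCs use the subclass
    # nTDSDSARO) lists the NCs it holds writably. A DC in a *child* domain still appears
    # here with HoldsWritableConfig = True: whoever administers that DC can write the
    # forest's Configuration NC regardless of the DACL shown by Get-ConfigNCWriteTrustees.
    param([string]$ConfigDn = (Get-ConfigNCDistinguishedName))

    $config = [ADSI]"LDAP://$ConfigDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $config,
        '(objectClass=nTDSDSA)',
        [string[]]@('distinguishedName', 'msDS-hasMasterNCs', 'hasMasterNCs', 'objectClass'))
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 500

    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        # Assumption: the parent of "CN=NTDS Settings" is the server object whose CN is the
        # DC's host name, and no RDN in the path contains an escaped comma.
        $serverCn = (($dn -split ',')[1]) -replace '^CN=', ''
        $writableNCs = @($result.Properties['msds-hasmasterncs']) + @($result.Properties['hasmasterncs'])
        $isRodc = (@($result.Properties['objectclass']) -contains 'nTDSDSARO')

        [pscustomobject]@{
            DomainController    = $serverCn
            IsReadOnly          = $isRodc
            HoldsWritableConfig = ($writableNCs -contains $ConfigDn)
        }
    }
}

# Usage: print both views for the current forest.
$configDn = Get-ConfigNCDistinguishedName
"Write-class trustees on $configDn"
Get-ConfigNCWriteTrustees -ConfigDn $configDn | Format-Table -AutoSize
"Domain controllers holding a writable replica of $configDn"
Get-ConfigNCReplicaHolders -ConfigDn $configDn | Sort-Object DomainController | Format-Table -AutoSize
```

The first listing usually looks reassuring: by default only forest-root principals such as Enterprise Admins and the root domain's Administrators are granted write-class rights on the Configuration NC. The second listing is the one that matters for the design question in this thread. A child domain's Domain Admins control their own domain controllers, and a DC writes to the replica it holds as the directory service itself, so the DACL on the NC head does not stop them; that is the mechanism behind "domains aren't security boundaries," and why the advice above is stand-alone servers or a separate forest rather than a child domain.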




