Re: AD design question



I am in complete agreement with Allan. The cases where you put in a root domain for the purposes of enterprise administration are very rare and specialised.

I've been putting in ADs for 7 years and have never put in multiple Domains, let alone multiple forests, usually because the administration model of the organisation has been centralised.

"Allan Jacobs" <allanjnyc@xxxxxxxxxxx> wrote in message news:40291832-0CA7-46F2-B71F-32779DEE6744@xxxxxxxxxxxxxxxx
Hi Phil,

I may be in the minority, but I have never seen the value of the empty root domain, except to solve political issues (which division should "own" the root) or for VARs and consultants to sell more hardware and server licenses. In order to solve most security concerns a well constructed delegation model should be created. Keep membership in the domain admins group very small. Carefully construct an OU structure. Intelligently create shares. If you don't design for security, two extra DCs in an empty root will do little good.

Allan Jacobs
<phil2627@xxxxxxxxx> wrote in message news:1178312811.523579.14990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We are in a school district with 500 staff and 4000 non staff. We are still undecided on the model, but know the following:
- the only real secure model is separate forests, where staff could be in one and non staff in the other, and set up trusts to have certain staff access resources in the other forest
- the one forest, one domain model is simple, and the suggested way to go unless there are political or admin delegation reasons
- the empty root domain model would not "secure" the enterprise admin accounts. But, can Domain Admins in a child domain access the Enterprise Admins group without physical access to the servers?

We would like to go with the single domain as, if we secure the administrator account, no user should be able to gain access to the Domain Admins or Enterprise Admins group.


With the Empty Root model the enterprise account is in its own domain, which somewhat secures it, but this model requires more hardware.


If someone could please explain how a person in a child domain can gain access to the enterprise account and compromise the security of the forest overall, I can go on with completing our single domain model. Thanks.
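Allan's point above is that the control that actually matters is a small, deliberately managed Domain Admins membership and a delegation model, not an extra empty root. The script below is an added example, not from any poster in this thread, showing how an administrator can check that policy on a running forest: it compares the recursive membership of the built-in privileged groups against an approved list and a size limit, and flags anything outside it. Note that Enterprise Admins exists only in the forest root domain, so the live query must target a root-domain DC. Assumptions: the RSAT ActiveDirectory module is installed, the group names are the default Windows ones, and the account names in the sample data (phil, svc_backup, helpdesk1) are constructed for illustration.

```powershell
# Added example (not from any post in this thread): audit privileged AD groups
# against a "keep it very small" policy. Assumes the RSAT ActiveDirectory module
# for the live query; the evaluation functions work on plain data and need no AD.

function Test-PrivilegedGroupMembership {
    # Evaluate one group's member list against an approved list and a size cap.
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $Members,
        [int]      $MaxMembers = 3,
        [string[]] $Approved   = @()
    )
    # Anyone not on the approved list is reported, whatever the group size.
    $unexpected = @($Members | Where-Object { $Approved -notcontains $_ })
    [pscustomobject]@{
        Group      = $GroupName
        Count      = $Members.Count
        TooLarge   = ($Members.Count -gt $MaxMembers)
        Unexpected = $unexpected
    }
}

function Get-PrivilegedGroupReport {
    # Run the check over a hashtable of group -> member names.
    param(
        [Parameter(Mandatory)] [hashtable] $Membership,
        [hashtable] $Approved   = @{},
        [int]       $MaxMembers = 3
    )
    foreach ($group in $Membership.Keys) {
        $ok = if ($Approved.ContainsKey($group)) { $Approved[$group] } else { @() }
        Test-PrivilegedGroupMembership -GroupName $group -Members $Membership[$group] `
            -MaxMembers $MaxMembers -Approved $ok
    }
}

function Get-LivePrivilegedMembership {
    # Pull recursive membership from AD. Enterprise Admins and Schema Admins live
    # in the forest root domain, so point -Server at a root-domain DC when run
    # from a child domain.
    param(
        [string[]] $Groups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'),
        [string]   $Server
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $result = @{}
    foreach ($g in $Groups) {
        $params = @{ Identity = $g; Recursive = $true }
        if ($Server) { $params['Server'] = $Server }
        # -Recursive expands nested groups, so a user hidden two groups deep is still counted.
        $result[$g] = @(Get-ADGroupMember @params | Select-Object -ExpandProperty SamAccountName)
    }
    return $result
}

# Constructed sample data (no live directory needed to try the evaluation).
$sampleMembership = @{
    'Enterprise Admins' = @('Administrator')
    'Domain Admins'     = @('Administrator', 'phil', 'svc_backup', 'helpdesk1')
}
$sampleApproved = @{
    'Enterprise Admins' = @('Administrator')
    'Domain Admins'     = @('Administrator', 'phil')
}
Get-PrivilegedGroupReport -Membership $sampleMembership -Approved $sampleApproved |
    Format-Table Group, Count, TooLarge, Unexpected -AutoSize

# Against a real forest (example only):
# Get-PrivilegedGroupReport -Membership (Get-LivePrivilegedMembership -Server 'rootdc01.example.local') -Approved $sampleApproved
```

In the sample, Domain Admins is flagged as too large and the two unapproved accounts are listed; Enterprise Admins passes. Running this on a schedule and diffing the output is a cheaper control than a second domain, and it covers the nested-group case that a quick look at the group's direct members misses.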