Re: AD design question



Phil-

I'll qualify this by saying I ran AD and Exchange for a district that had slightly
more than 100x more staff and 100x more students.

I would just go down the path of a single domain/single forest model. I'm
not quite certain what you mean by "secure the administrator account". You
shouldn't even be using the built-in admin account after you set up the
domain. Just delegate out the permissions that need to be handed out and
you'll be fine. 4500 seats is nothing.

--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com


<phil2627@xxxxxxxxx> wrote in message
news:1178312811.523579.14990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We are in a school district with 500 staff and 4000 non-staff. We are
still undecided on the model, but know the following:
- the only really secure model is separate forests, where staff could be in
one and non-staff in the other, with trusts set up so that certain staff can
access resources in the other forest
- the one forest, one domain model is simple, and the suggested way to go
unless there are political or admin delegation reasons
- the empty root domain model would not "secure" the enterprise admin
accounts. But, can Domain Admins in a child domain access the
Enterprise Admins group without physical access to the servers?

We would like to go with the single domain as, if we secure the
administrator account, no user should be able to gain access to the
domain admin or enterprise admin group.


With the Empty Root model the enterprise account is in its own domain,
which somewhat secures it, but this model requires more hardware.


If someone could please explain how a person in a child domain can
gain access to the enterprise account and compromise the security of
the forest overall, I can go on with completing our single domain
model. Thanks.
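The advice in the reply (stop using the built-in Administrator account, delegate instead) and the question in the quoted post (who can reach the Enterprise Admins group) both come down to knowing the current state of the privileged accounts. The following audit script is an added example, not code from either poster; it assumes the ActiveDirectory PowerShell module on a domain-joined host with read access to the forest root, and the group names and the RID-500 lookup are standard AD facts, not something from the thread.

```powershell
# Added example: audit the built-in Administrator account and the effective
# membership of the forest- and domain-level admin groups.
# Assumes: ActiveDirectory module installed, run with read rights in the forest.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# The built-in Administrator account always has RID 500. Look it up by SID rather
# than by name, because renaming the account does not change its SID.
$builtinAdminSid = "$($domain.DomainSID.Value)-500"
$builtinAdmin = Get-ADUser -Identity $builtinAdminSid -Properties Enabled, LastLogonDate

[PSCustomObject]@{
    Account       = $builtinAdmin.SamAccountName
    Enabled       = $builtinAdmin.Enabled        # expect $false once delegation is in place
    LastLogonDate = $builtinAdmin.LastLogonDate  # a recent date means someone still uses it
}

# Enterprise Admins exists only in the forest root domain, so query the root
# explicitly. In a single-domain forest the root and $domain are the same.
$groups = @(
    @{ Name = 'Enterprise Admins'; Server = $forest.RootDomain },
    @{ Name = 'Domain Admins';     Server = $domain.DNSRoot },
    @{ Name = 'Administrators';    Server = $domain.DNSRoot }
)

foreach ($g in $groups) {
    # -Recursive expands nested groups, so members reached through a nested
    # group (for example a child-domain group placed in a root group) show up too.
    $members = @(Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive |
        Sort-Object -Property objectClass, SamAccountName)
    Write-Output "`n== $($g.Name) on $($g.Server): $($members.Count) effective members =="
    $members | Select-Object SamAccountName, objectClass, distinguishedName | Format-Table -AutoSize
}
```

Any account in the Enterprise Admins or Domain Admins listing that is not a named, delegated admin is the thing to remove before the model is considered "secured".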





