Re: AD design question



Phil,

The reason you state on the second option, and your assessment of
the general flavor of opinions on it,
  "One forest, domain model is simple, and the suggested way to go
  unless there are political or admin delegation reasons",
are in my estimation incorrect.

Political/admin separation issues can be more easily accommodated
with multiple domains, yes. Implementing a single domain is simple,
yes. But, whether operationally, over the life of the implementation
either of these remain true is quite another matter. What is the most
simple to implement initially may in fact become least simple to run
in the required fashion. What is "simple"? Define your criteria.

Others have indicated, I feel correctly, that
1) single domain, single forest is most inexpensive
2) empty root does not gain all that much - do not get me wrong,
there are things that are gained.
3) a rogue admin has the most simple time subverting infrastructure
in single domain/single forest, next most simple time doing what
ought not in multidomain/single forest, and least simple in the
multiforest - but these statements all assume that steps have
been taken to retain what barriers can exist, and that "less than informed"
deployment/configuration choices have not been made.

What I have not seen in response to your post is that you need to
detail what are your required objectives, and beyond those what
are your desired objectives for the deployment.
For example, if a required objective is that HR, Accounting, Student
Records, etc. must be treated as sensitive data and secured as well as
is possible against inappropriate access, then the most simple route to
achieve this is a multi-forest deployment. In a single forest deployment
you will be needing to make certain that every machine joined is always
properly configured to non-default settings if the use of that machine is
to include touching sensitive data.

Again, you need to lay out all of the requirements of the deployment,
not just what is most simple or least costly (which both have at least
two parts - up front, and operationally over lifespan); you need to
rank those objectives (must have, should have levels 1,2, 3); and you
need to define your criteria for deciding (ex. long-term total costs have
top priority, or meeting data privacy requirements trumps, or . . . and
such and such has next greatest weight, etc.)

In my opinion, and I am at one of the largest universities in North America,
multi-forest can potentially be the most economically conserving over the
long term, considering cost of correct configuration, cost of breach, etc.
even though it does have higher up-front deployment costs and timelines.

Roger




<phil2627@xxxxxxxxx> wrote in message
news:1178312811.523579.14990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We are in a school district with 500 staff and 4000 non staff. We are
still undecided on the model, but know the following
- only real secure model is separate forest, where staff could be in
one and non staff in the other and setup trusts to have certain staff
access resources in other forest
- One forest, domain model is simple, and the suggested way to go
unless there are political or admin delegation reasons
- empty domain model would not "secure" the enterprise admin
accounts. But, can Domain admins in a child domain access the
enterprise admin group without physical access to the servers ?

We would like to go with the single domain as, if we secure the
administrator account, no user should be able to gain access to the
domain admin or enterprise admin group.


With the Empty Root model the enterprise account is in its own domain
which somewhat secures it, but this model requires more hardware.


If someone could please explain how a person in a child domain can
gain access to the enterprise account and compromise the security of
the forest overall I can go on with completing our single domain
model. Thanks.





