Re: AD design question



For the most part I agree, but some of the initial reasons that
MS (before it recognized what some of us were saying - that
only the forest provides an NT4-like security boundary - as
being fact) initially presented with its empty-root design do
in fact remain true.
Consider, a single forest / single domain, which also deals
with the assimilation issue (they used to have their own domain)
via delegation. Will over time those delegatees be granted
domain admin? If not, will those holding DA/EA have the
savvy to fully recognize what is being given out in delegations
and keep at all times doing so correctly?
Is it important that "user" accounts need to pass an extra, albeit
perhaps not that high, hurdle before they are positioned for
obtaining EA?
Is it of value that the control of the overall infrastructure be
least vulnerable to disruptions? How valuable is that?

"Allan Jacobs" <allanjnyc@xxxxxxxxxxx> wrote in message
news:40291832-0CA7-46F2-B71F-32779DEE6744@xxxxxxxxxxxxxxxx
Hi Phil,

I may be in the minority, but I have never seen the value of the empty
root domain, except to solve political issues (which division should "own"
the root) or for VARs and consultants to sell more hardware and server
licenses. In order to solve most security concerns a well constructed
delegation model should be created. Keep membership in the domain admins
group very small. Carefully construct an OU structure. Intelligently
create shares. If you don't design for security, two extra DCs in an
empty root will do little good.

Allan Jacobs
<phil2627@xxxxxxxxx> wrote in message
news:1178312811.523579.14990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We are in a school district with 500 staff and 4000 non-staff. We
are still undecided on the model, but know the following
- only real secure model is separate forest, where staff could be in
one and non-staff in the other and set up trusts to have certain staff
access resources in other forest
- One forest, domain model is simple, and the suggested way to go
unless there are political or admin delegation reasons
- empty domain model would not "secure" the enterprise admin
accounts. But, can Domain admins in a child domain access the
enterprise admin group without physical access to the servers ?

We would like to go with the single domain as, if we secure the
administrator account, no user should be able to gain access to the
domain admin or enterprise admin group.


With the Empty Root model the enterprise account is in its own
domain, which somewhat secures it, but this model requires more hardware.


If someone could please explain how a person in a child domain can
gain access to the enterprise account and compromise the security of
the forest overall I can go on with completing our single domain
model. Thanks.
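As an added illustration (not written by any poster in this thread) of the checks the delegation model discussed above implies, the following PowerShell script flattens the effective membership of the privileged groups and lists the explicit write-class ACEs delegated on each OU, so that whoever holds DA/EA can see what has actually been given out. It assumes the RSAT ActiveDirectory module and a read-only, domain-joined session.

```powershell
# Added example, not from the thread: read-only audit of privileged group
# membership and of explicit delegations on OUs. Assumes the RSAT
# ActiveDirectory module (Get-ADGroupMember, Get-ADOrganizationalUnit, AD: drive).
Import-Module ActiveDirectory

# 1. Recursive membership of the groups the thread argues about. Nesting is
#    flattened so indirect members are not missed. Enterprise Admins and
#    Schema Admins only exist in the forest root; in a child domain the
#    lookup fails silently and reports 0 members.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($g in $privileged) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    "{0}: {1} effective member(s)" -f $g, @($members).Count
    $members | ForEach-Object { "    $($_.objectClass)  $($_.SamAccountName)" }
}

# 2. Delegations on OUs: explicit (non-inherited) Allow ACEs that grant a
#    write-class right to a principal other than the expected built-ins.
#    These are exactly the grants a delegation model must account for.
$builtin = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF',
           'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
$writeRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner',
               'WriteProperty', 'CreateChild', 'DeleteChild', 'ExtendedRight'
foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IsInherited) { continue }           # only explicit grants
        $who = $ace.IdentityReference.Value
        if ($builtin -contains $who) { continue }
        if ($who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        if (-not ($writeRights | Where-Object { $rights -match $_ })) { continue }
        "{0}`n    {1} : {2}" -f $ou.DistinguishedName, $who, $rights
    }
}
```

Run it from the forest root domain to see the Enterprise Admins and Schema Admins membership; run it in each child domain to see that domain's OU delegations.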