Re: AD design question
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Sun, 6 May 2007 07:27:57 -0700
"Brian Desmond [MVP]" <brian@xxxxxxxxxxxxxxxx> wrote in message
news:eUOin3yjHHA.4872@xxxxxxxxxxxxxxxxxxxxxxx
Phil-
I'll qualify this by I ran AD and Exchange for a district that had
slightly more than 100x more staff and 100x more students.
I would imagine there are some pretty unhappy legislators if
only an 8 to 1 ratio of students to fac/staff can be obtained at
that scale !!
I would just go down the path of a single domain/single forest model. I'm
not quite certain what you mean by "secure the administrator account". You
shouldn't even be using the builtin admin account after you set up the
domain. Just delegate out the permissions that need to be handed out and
you'll be fine. 4500 seats is nothing.
Agreed, if costs are the highest priority, and they are willing to
keep all sensitive data isolated outside of the AD (i.e. willing
to sacrifice the SSO objective).
Roger
<phil2627@xxxxxxxxx> wrote in message
news:1178312811.523579.14990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We are in a school district with 500 staff and 4000 non staff. We are
still undecided on the model, but know the following
- only real secure model is separate forest, where staff could be in
one and non staff in the other and set up trusts to have certain staff
access resources in other forest
- One forest, domain model is simple, and the suggested way to go
unless there are political or admin delegation reasons
- empty domain model would not "secure" the enterprise admin
accounts. But, can Domain admins in a child domain access the
enterprise admin group without physical access to the servers ?
We would like to go with the single domain as, if we secure the
administrator account, no user should be able to gain access to the
domain admin or enterprise admin group.
With the Empty Root model the enterprise account is in its own domain
which somewhat secures it, but this model requires more hardware.
If someone could please explain how a person in a child domain can
gain access to the enterprise account and compromise the security of
the forest overall I can go on with completing our single domain
model. Thanks.