Re: Reasons for Empty (headless root) Root



Wow, that is certainly eye-opening... would you care to describe offline
how domains can affect other domains (I can email you directly)? I don't know
where I got the idea that they were secure, but I guess it was taught to me
somewhere... :(

That was primarily the reason for going to a new domain, as well as part of
the reason for the creation of our other domain... that's some serious bad
vibe there.

I am very interested in learning more about how the security is between
domain and domain vs forest. I feel like all that I know about Windows
domains is bunk right now.


"Joe Richards [MVP]" wrote:

> Do you disagree with me by saying a domain is also a security
> boundary in that the administrative control is cut off from
> other domains such that it cannot directly affect them?

Yes I completely disagree with that statement. That is why MSFT says the
forest is a security boundary, not the domain. It is why a bunch of us
beat up on MSFT back in 2000 when they tried to say the domain was a
security boundary. I quickly and easily compromised a root domain from a
child domain for the first time in about May 2000 showing how simple it
was and nothing has changed. I won't go into details but it is quite
trivial for a DA or even Serv Op in Domain 1 to go screw with Domain 2.

Domains are sort of a replication boundary; the config and schema
replicate across all DCs in a forest, and also obviously GCs replicate
across domain NC boundaries.

Domains are sort of a Group Policy boundary; you can have GPOs that are
set on sites, which are forest scope.

Domains are a password policy boundary, that is definitive. Well, that is
until Longhorn, and then fine-grained password policy blows that
out the window as well, removing one of the only truly technical reasons
to have multiple domains.


I think that if you think you put the second domain in place only to
give another set of folks DA over it and you think they can't hurt
anything else in the forest, you are under serious misunderstandings of
how Windows Active Directory security works and likely you never should
have moved from a single domain forest configuration. Multiple domain
forests should have all domains managed by the same set of
domain/enterprise admins and that number of domain admins should not
number more than 3-5. Everyone else should have minimal delegated rights
into the directory and no one else should have direct access to the DCs.

The walls that separate domain admins in different domains in the same
forest are made out of razor thin tissue paper.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
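A defender-side check matching the guidance in the post above, added here and not part of the thread: it enumerates the Domain Admins and Server Operators of every domain in the forest plus the forest root's Enterprise Admins, and flags any domain whose Domain Admins count exceeds the 3-5 bound Joe suggests. It assumes the RSAT ActiveDirectory module and an account that can read every domain; the cmdlets and well-known group RIDs are standard, the 5-account bound and the helper name are my assumptions.

```powershell
# Added audit example (not from the thread). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$maxDomainAdmins = 5                      # upper bound taken from the thread (assumed)
$forest = Get-ADForest

# Resolve recursive user membership of a group, identified by SID, in one domain.
# Hypothetical helper name. Builtin groups such as Server Operators are domain-local
# and may hold foreign security principals; those need a separate lookup.
function Get-PrivilegedUsers {
    param([string]$GroupSid, [string]$Domain)
    @(Get-ADGroupMember -Identity $GroupSid -Server $Domain -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName |
        Sort-Object -Unique)
}

$findings = foreach ($domainName in $forest.Domains) {
    $domainSid = (Get-ADDomain -Identity $domainName).DomainSID.Value
    # Well-known SIDs: Domain Admins = <domainSID>-512, Server Operators = S-1-5-32-549
    $da = Get-PrivilegedUsers -GroupSid "$domainSid-512" -Domain $domainName
    $so = Get-PrivilegedUsers -GroupSid 'S-1-5-32-549' -Domain $domainName
    [pscustomobject]@{
        Domain          = $domainName
        DomainAdmins    = $da.Count
        ServerOperators = $so.Count
        OverBound       = ($da.Count -gt $maxDomainAdmins)
        Accounts        = (@($da + $so) | Sort-Object -Unique) -join ', '
    }
}

# Enterprise Admins exists only in the forest root (RID 519) and is privileged in every domain.
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$ea = Get-PrivilegedUsers -GroupSid "$rootSid-519" -Domain $forest.RootDomain

$findings | Format-Table Domain, DomainAdmins, ServerOperators, OverBound -AutoSize
"Enterprise Admins in $($forest.RootDomain) ($($ea.Count)): $($ea -join ', ')"

# Per-domain counts above the bound are the finding; membership that differs
# between domains is worth a second look given that a DA in one domain can
# reach the others.
foreach ($f in ($findings | Where-Object { $_.OverBound })) {
    Write-Warning "$($f.Domain): $($f.DomainAdmins) Domain Admins exceeds $maxDomainAdmins; members: $($f.Accounts)"
}
```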


Chelis Guifoyle wrote:
When I say more security I mean in that the forest in itself is protected by
the fact that certain active security principals would be moved off into a
separate boundary, being that child domain. These principals that would
normally have had free rein to do things in the root would now be isolated
to only do things in their domain vs affecting the entire forest via the
root...

Do you disagree with me by saying a domain is also a security boundary in
that the administrative control is cut off from other domains such that it
cannot directly affect them?

I guess one could argue about how the root (er initial domain) was
administered, but that's beside the point....

What it comes down to is our company started a 2nd domain based on
geographical boundaries. This child has its own administrative control to a
degree... their staff administer their own domain for the most part. Now it
comes down to, for our team, since we've been on the root from the beginning,
maybe we should follow suit and base it geographically, move everyone off
into a new child, empty out the root, and create only specific accounts in
the root...

What do you think?






"Joe Richards [MVP]" wrote:

You are wrong if you think it gives more security. The forest, not the
domain, is the security boundary; what security benefit do you get moving
objects around within the boundary?

My opinion on whether it is good or not depends on the company I am
talking to and their stated goals/desires. For most companies, I think it is
a bad idea; in fact, I think they should have a single domain forest.
For other companies, notably some of the Fortune 5 companies I have worked
on, I wouldn't have implemented it any other way. Again, it depends on the
company and whether it makes sense at that company.




Chelis Guifoyle wrote:
What is your opinion on why it's good vs bad? I'm curious to hear more on the
topic...

The only thing I see is moving users off the forest root which would allow
for somewhat greater security of the forest/enterprise. Am I on the wrong
track here?

Thanks!!

"Joe Richards [MVP]" wrote:

This can be debated for days; it depends entirely on the company and the
goals and what kind of administrative overhead a company is willing to
accept for an empty root. In general smaller companies don't usually do
it, but larger companies are more likely to do it; again, it is all
based on things specific to those companies. There is no security
benefit of doing this.



Chelis Guifoyle wrote:
What are the pros and cons or why/why nots for moving off the root domain and
into a child? We already have 2 children based off geographical means; our
first domain, where most users first originated, is still on root. Ideally
we'd like to move these original users to a new domain that is more akin to
the geographical standard already set.

Thanks in advance.


