The outermost security boundary of Windows 2000 and Windows 2003 Active Directory is the forest. Each and every Active Directory domain is ultimately a member of a forest, even if the domain stands alone. Thus, security needs to be designed from a forest-level perspective rather than from a domain-level perspective as was done for Windows NT 4.0 Active Directory.
However, each domain serves as a boundary for specific sub-elements in an overall security design. For example, domains are the boundaries for delegation of administration for some security policies (e.g. password policies), and for the identity of the objects (users, computers and groups) within each domain.
With regard to delegation specifically, domains define the boundary for data or resource administration, while forests are the boundary for service administration. Administration delegation can be used to grant autonomy or isolation. Autonomy is the state where a user has complete control over a service or resource. Isolation is the state where a single user has exclusive control over a service or resource. The specific needs or desires of your organization for autonomy or isolation of administrative control over services and resources will help dictate or guide your AD network design.
If isolation is more important than autonomy, then multiple forests are needed. This in turn requires the establishment of trusts between forests to support collaboration between users and resources in different forests. If autonomy is more important, then users with delegated authority understand that other administrators may share the same privileged access capabilities over the same services and resources. Therefore, a single forest can be used. Ultimately, a design based on delegating for autonomy is easier to manage and less costly than one based on isolation.
Further points to consider when planning the initial AD design:
- Forest owners always have administrative access privileges over all domains and thus to the resources and services in the forest and the domains.
- Domain owners have administrative access to all services and resources within that domain.
Therefore, if different departments or business units cannot be trusted, then an isolation design will be necessary to enforce separation of administrative privileges.
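The following PowerShell audit is an added example, not code from the article: it reports the three things the design points above turn on, namely which domains sit inside one forest boundary, who the forest owners are (members of Enterprise Admins in the root domain), and which trusts cross the forest boundary. It assumes the RSAT ActiveDirectory module and read access to the forest root domain; the function name Get-ForestBoundaryReport is hypothetical.

```powershell
# Added audit example; not from the article. Assumes the RSAT ActiveDirectory
# module and read access to the forest root domain. Function name is hypothetical.
Import-Module ActiveDirectory

function Get-ForestBoundaryReport {
    $forest = Get-ADForest
    $root   = $forest.RootDomain

    # Forest owners: members of Enterprise Admins in the forest root domain.
    # They hold administrative reach over every domain in $forest.Domains,
    # which is why the forest, not the domain, is the security boundary.
    $forestOwners = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $root -Recursive |
        Select-Object -ExpandProperty SamAccountName

    # Trusts that cross the forest boundary are where an isolation design
    # (multiple forests) connects; intra-forest trusts are automatic and
    # do not create a new boundary, so they are filtered out here.
    $crossForest = Get-ADTrust -Filter * -Server $root |
        Where-Object { -not $_.IntraForest } |
        Select-Object Name, Direction, ForestTransitive,
                      SIDFilteringQuarantined, SelectiveAuthentication

    [pscustomobject]@{
        Forest            = $forest.Name
        RootDomain        = $root
        DomainsInBoundary = @($forest.Domains)
        ForestOwners      = @($forestOwners)
        CrossForestTrusts = @($crossForest)
    }
}

$report = Get-ForestBoundaryReport
"Forest {0} (root {1}) contains {2} domain(s) under one security boundary:" -f `
    $report.Forest, $report.RootDomain, $report.DomainsInBoundary.Count
$report.DomainsInBoundary | ForEach-Object { "  $_" }
"Forest owners (Enterprise Admins, recursive): $($report.ForestOwners -join ', ')"
if ($report.CrossForestTrusts.Count -eq 0) {
    "No cross-forest trusts: isolation from other forests is intact."
} else {
    "Cross-forest trusts (review SID filtering and selective authentication):"
    $report.CrossForestTrusts | Format-Table -AutoSize
}
```

Every domain in the first list is administrable by the forest owners regardless of its own domain admins; the SID filtering and selective authentication flags on each cross-forest trust show how much of the isolation survives across that trust.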
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.