Establishing secure Active Directory boundaries - Part 1

James Michael Stewart, Contributor

The outermost security boundary of Windows 2000 and Windows 2003 Active Directory is the forest. Each and every Active Directory domain is ultimately a member of a forest, even if the domain stands alone. Thus, security needs to be designed from a forest-level perspective rather than from a domain-level perspective as was done for Windows NT 4.0 Active Directory.

However, each domain serves as a boundary for specific sub-elements in an overall security design. For example, domains are the boundaries for delegation of administration for some security policies (e.g. password policies), and for the identity of the objects (users, computers and groups) within each domain.

With regard to delegation specifically, domains define the boundary for data or resource administration, while forests are the boundary for service administration. Administrative delegation can be used to grant either autonomy or isolation. Autonomy is the state in which a user has complete control over a service or resource. Isolation is the state in which a single user has exclusive control over a service or resource. Your organization's requirements for autonomy or isolation of administrative control over services and resources will guide your AD network design.

If isolation is more important than autonomy, then multiple forests are needed. This in turn requires the establishment of trusts between forests to support teamwork between users and resources from different forests. If autonomy is sufficient, then users with delegated authority accept that other administrators may share the same privileged access over the same services and resources, so a single forest can be used. Ultimately, a design that delegates administration for autonomy is easier to manage and less costly than one based on isolation.

Further points to consider when planning the initial AD design:

  • Forest owners always have administrative access privileges over all domains and thus to the resources and services in the forest and the domains.
  • Domain owners have administrative access to all services and resources within that domain.

Therefore, if different departments or business units cannot be trusted, then an isolation design will be necessary to enforce separation of administrative privileges.
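The two checks that follow from the points above, as an added PowerShell example that is not from the original article: it lists the accounts that hold forest-wide (service) administration rights, and it decodes the trustAttributes bits of each external or forest trust to flag trusts that do not enforce the forest as an isolation boundary. It assumes the ActiveDirectory module (RSAT) and a domain-joined account that can read the forest root domain.

```powershell
# Added audit example, not from the original article. Assumes the
# ActiveDirectory module (RSAT) and read access to the forest root domain.
Import-Module ActiveDirectory

# trustAttributes bit flags as documented in MS-ADTS
$TA_QUARANTINED_DOMAIN = 0x04   # SID filtering enabled on an external trust
$TA_FOREST_TRANSITIVE  = 0x08   # this is a forest trust
$TA_CROSS_ORGANIZATION = 0x10   # selective authentication required
$TA_WITHIN_FOREST      = 0x20   # intra-forest trust (parent/child, tree root)
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust with relaxed SID filtering

function Get-ForestOwnerAccounts {
    # Accounts with forest-wide (service) administration: Enterprise Admins,
    # Schema Admins and the root domain's Domain Admins, resolved recursively.
    $root  = Get-ADDomain -Identity (Get-ADForest).RootDomain
    $names = @{ 519 = 'Enterprise Admins'; 518 = 'Schema Admins'; 512 = 'Domain Admins' }
    foreach ($rid in $names.Keys) {
        $sid = "$($root.DomainSID.Value)-$rid"      # well-known RID in the root domain
        Get-ADGroupMember -Identity $sid -Server $root.DNSRoot -Recursive |
            Where-Object objectClass -eq 'user' |
            Select-Object @{n='Group'; e={ $names[$rid] }}, SamAccountName, distinguishedName
    }
}

function Get-TrustBoundaryFindings {
    # Flags trusts whose attributes weaken the forest as a security boundary.
    $root = (Get-ADForest).RootDomain
    foreach ($t in Get-ADTrust -Filter * -Server $root) {
        $a = [int]$t.TrustAttributes
        if ($a -band $TA_WITHIN_FOREST) { continue }   # same forest: not a boundary
        $isForest = [bool]($a -band $TA_FOREST_TRANSITIVE)
        $findings = @()
        if ($isForest -and ($a -band $TA_TREAT_AS_EXTERNAL)) {
            $findings += 'forest trust treated as external: SID filtering relaxed'
        }
        if (-not $isForest -and -not ($a -band $TA_QUARANTINED_DOMAIN)) {
            $findings += 'external trust without SID filtering (quarantine)'
        }
        if (-not ($a -band $TA_CROSS_ORGANIZATION)) {
            $findings += 'selective authentication not required'
        }
        [pscustomobject]@{
            Target = $t.Target; Direction = $t.Direction
            Type   = if ($isForest) { 'Forest' } else { 'External' }
            Findings = ($findings -join '; ')
        }
    }
}

Get-ForestOwnerAccounts | Format-Table -AutoSize
Get-TrustBoundaryFindings | Where-Object Findings | Format-Table -AutoSize
```

In an isolation design, every trust to another forest should come back with an empty Findings column; a non-empty one means administrators of the remote forest may be able to assert SIDs or authenticate more broadly than the boundary intends.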

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in February 2004
