Multiple domains give added network security

Consider assigning separate domains for branch offices in Active Directory to create more security for your Windows network.

Every domain controller (DC) holds all the passwords for all the users in the domain. Think about that before you put a DC in a small branch office with a receptionist, three salespeople and a front door lock you wouldn't trust to protect your DVD collection.


Most companies will get along just fine with a Win2k network built on a single domain. You can delegate administrative duties by breaking the network into Organizational Units. You can simplify user support through the use of Groups. You can even connect to branch offices via low-bandwidth lines by configuring machines into sites and telling Active Directory which connections between sites need to be used with care.

The simplest way to support a small branch office is to install a server, promote it to DC status, and use that single local DC to support the small staff. Before you commit to that architecture, though, take off your network administrator's hat and put on your network security hat. Each DC in a domain holds a replicated copy of the same AD that every other DC in that domain holds. That means the DC you are about to install in an unsecured storefront in Nowhereville contains every password for every user in the domain. Sure, the passwords are encrypted, but so were the passwords in Windows NT, and it's easy to find programs to download that will read an NT SAM. I'm not sure if there is a widely available "cracker" capable of attacking the AD files and producing clear text, but I sure wouldn't bet my job on it.

If you've got unsecured offices, consider isolating those offices from the rest of the network by assigning them their own domains. It's a little more work to administer, but it will make sleeping a lot easier.

For details on configuring and administering multiple domains, read: http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_SEconceptsDomArch.htm.


Kevin Sharp is a registered professional engineer, writer, and yoga teacher living in Tucson, Arizona, and gains his expertise from a variety of professional activities. His writing interests have produced books and articles on the economic impact of technology on manufacturing and distribution organizations.


This was first published in November 2001