As a storage administrator, you know that there are several good reasons to use forests, which are those things known in Microsoft-speak as a collection of domains with a shared configuration and schema. They are represented by a single logical global catalog and connected by transitive trusts. A forest owner is a service admin.
One reason they're in use is because Active Directory forests can replace separate systems with separate storage requirements in many applications, such as testing. In effect, a forest is one or more Active Directory domains that are nearly totally separate from the other domains (or collections of domains) on a system. By using forests wisely, you can increase storage use by consolidation.
You can have multiple forests on the same Windows Server 2003 system that are almost entirely independent of each other. Just what "almost entirely" means is determined in large part by the way you structure your forests and, most importantly, how much you trust your administrators.
The most vulnerable point in a forest structure is the administrator. Service administrators, domain administrators, schema administrators and some others can access the forests on a system with administrative privileges.
To protect against possible misuse of forests by administrators, Microsoft recommends that you do the following:
- Minimize the number of service administrators.
- Only let other service administrators
- modify the membership of the service administration groups.
- Be sure to audit changes in service administrator group memberships.
- Log on as a service administrator only when absolutely necessary. Service administrators should have alternate accounts for day-to-day work.
- Restrict physical access to system state backups. Do not store them in insecure areas.
- Restrict access to domain controllers to service administrators.
- Allow only members of the service administrator groups to manage workstations used by service administrators.
Microsoft has an extensive overview of managing Active Directory forests in an article: Multiple Forests Considerations White Paper.
And Microsoft's technical note on the subject, Design Considerations for the Delegation of Administration in Active Directory, is a good read, too.
Rick Cook has been writing about mass storage since the days when the term meant an 80 K
floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last 20
years he has been a freelance writer specializing in storage and other computer issues.
This was first published in September 2005