As a storage administrator, you know that there are several good reasons to use forests, which are those things known in Microsoft-speak as a collection of domains with a shared configuration and schema. They are represented by a single logical global catalog and connected by transitive trusts. A forest owner is a service admin.

One reason they're in use is because Active Directory forests can replace separate systems with separate storage requirements in many applications, such as testing. In effect, a forest is one or more Active Directory domains that are nearly totally separate from the other domains (or collections of domains) on a system. By using forests wisely, you can increase storage use by consolidation.

You can have multiple forests on the same Windows Server 2003 system that are almost entirely independent of each other. Just what "almost entirely" means is determined in large part by the way you structure your forests and, most importantly, how much you trust your administrators.

The most vulnerable point in a forest structure is the administrator. Service administrators, domain administrators, schema administrators and some others can access the forests on a system with administrative privileges.

To protect against possible misuse of forests by administrators, Microsoft recommends that you do the following:

  • Minimize the number of service administrators.
  • Only let other service administrators

    Requires Free Membership to View

  • modify the membership of the service administration groups.
  • Be sure to audit changes in service administrator group memberships.
  • Log on as a service administrator only when absolutely necessary. Service administrators should have alternate accounts for day-to-day work.
  • Restrict physical access to system state backups. Do not store them in insecure areas.
  • Restrict access to domain controllers to service administrators.
  • Allow only members of the service administrator groups to manage workstations used by service administrators.

Microsoft has an extensive overview of managing Active Directory forests in an article: Multiple Forests Considerations White Paper.

And Microsoft's technical note on the subject, Design Considerations for the Delegation of Administration in Active Directory, is a good read, too.

 


Rick Cook has been writing about mass storage since the days when the term meant an 80 K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last 20 years he has been a freelance writer specializing in storage and other computer issues.

This was first published in September 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.