1 Forest vs multiple Forests

  • Question

  • I am in the process of evaluating a current Active Directory design.  Currently 1 Forest / 1 Domain.  I am being posed with the question of moving away from this model because of security.  After doing some research - adding multiple domains (which is what is being recommended) does not provide any additional security.

    http://www.techrepublic.com/blog/10things/10-tips-for-effective-active-directory-design/1763

    http://www.activedir.org/Articles/tabid/54/ArticleType/ArticleView/ArticleID/68/PageID/53/Default.aspx

    Plus one more link I can't find - it was from a Forum post here about 1 domain vs child domains.  Anyways - so security shouldn't be a valid reason for adding child domains as the Forest is the security boundary.

    So this brings me to my question.  Since security is the biggest driver for this design reconsideration - I should consider migrating to a multiple forest topology.  If a company owned a couple other companies - let's call these owned companies 'business units' and a particular business unit houses extremely sensitive data - would this be a recommendation to consider a multiple forest design and segregate this company to its own forest?  (I know there is no text-book answer).

    Now having said that - let's assume we go with 2 forests.  The parent company and all business units in Forest A / Domain A - and the 'sensitive-data' business unit in Forest B / Domain B.  With our current implementation of Exchange 2007 - what would it take to keep this implementation and the mailboxes as-is?  We obviously have other applications that use AD authentication - these two would have to be modified.  My initial guess is to set up a Forest Trust.  But if I set up a forest trust - would this undo the benefits of security that the multiple forest gives me?  The users on Forest B would now need to access resources in Forest A and vice-versa.

    Thanks for the help.

    Zach


    Zach Smith

    Friday, June 29, 2012 12:28 PM

Answers

  • How sensitive is the data? Are the admins going to be separate folks or the same people doing it for both forests? The security issues come into play mostly with those with elevated domain admin rights.  If you trust your limited number of admins or if the same admins will be administering both forests then the two forest design might be overkill in my opinion.

    The reason I'm asking is because two jobs ago I was dealing with two branches of the military.  I can't go into any real details but we had two domains in one forest.  In our case we administered both and the domain wasn't a security boundary but an organizational boundary.  We also did a lot to lock down AD in that case.

    Thanks

    Mike



    http://adisfun.blogspot.com
    Follow @mekline

    • Proposed as answer by Meinolf Weber Friday, June 29, 2012 4:08 PM
    • Marked as answer by ZachSmith Monday, July 2, 2012 12:56 PM
    Friday, June 29, 2012 12:44 PM
  • What type of sensitive data are you going to place into the AD? I don't think there is any as such apart from the login ID or a few pieces of information about the users. If there are files/folders then you can restrict the access to who & what with the necessary permissions. There is no similar benefit of additional security in using multiple forests/domains because there will be a few administrators & you can't say they can't goof up in exposing that information.

    Basically, child domains or different forests were created due to replication constraints, password policy, or due to schema modifications required by different apps. Those issues have been addressed in newer OSes like Windows 2008. For schema modification, you have ADAM/AD LDS, which can be created as an instance & purged.

    I have worked for banking & financial organizations, which are running with 150,000 & above users with just 4-5 domain admins. They have deployed L2/L3 users to monitor the system as well as logs using a monitoring tool. Auditing, security, etc. have been enhanced in Windows 2008 & above for maintaining better security & access using role-based access.

    I don't believe that by creating a new domain/forest you can enhance the security, but there will be more expense on the management of the multiple forests, nothing more. The money has to be spent on enhancing security by monitoring the resources, not on creating new forests.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Meinolf Weber Friday, June 29, 2012 4:08 PM
    • Marked as answer by ZachSmith Monday, July 2, 2012 12:56 PM
    Friday, June 29, 2012 12:52 PM
  • Hi,

    If we want to secure the domain, I suggest we could try to refer to the following article.

    Best Practice Guide for Securing Active Directory Installations

    http://technet.microsoft.com/library/cc773365(WS.10).aspx

    Regards,

    Andy

    • Marked as answer by ZachSmith Monday, July 2, 2012 12:56 PM
    Monday, July 2, 2012 9:37 AM
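The question above asks whether a forest trust would undo the separation a second forest buys, and Mike's answer points at the holders of elevated rights as where the security issues actually come into play. The following PowerShell is an added example written for this thread, not code from any of the posters: it inventories the trusts the current domain holds, with the settings that decide how much of the forest boundary survives once a trust exists (direction, transitivity, selective authentication, SID filtering), and then lists the recursive membership of the built-in high-privilege groups. It assumes the RSAT ActiveDirectory module is installed and that it runs under an account that can read the directory; the group names are the default built-in ones, and the property names are those exposed by Get-ADTrust.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and an account that can read the directory of the forest it runs in.
Import-Module ActiveDirectory

function Get-TrustReport {
    # Every trust this domain holds, with the settings that decide how much
    # of the forest boundary survives once the trust exists.
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Trust                   = $_.Name
            Direction               = $_.Direction          # Inbound / Outbound / BiDirectional
            ForestTransitive        = $_.ForestTransitive
            SelectiveAuthentication = $_.SelectiveAuthentication
            SidFilteringQuarantined = $_.SIDFilteringQuarantined
            SidFilteringForestAware = $_.SIDFilteringForestAware
            # Forest-wide authentication lets every user of the other forest
            # authenticate to every host here; selective authentication scopes
            # that to hosts where "Allowed to Authenticate" has been granted.
            Note = if (-not $_.SelectiveAuthentication) { 'forest-wide authentication' } else { '' }
        }
    }
}

function Get-PrivilegedMembership {
    # Recursive membership of the built-in high-privilege groups. Enterprise
    # Admins and Schema Admins exist only in the forest root domain, so the
    # lookup is allowed to fail silently in a child domain.
    $groups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators'
    foreach ($g in $groups) {
        $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group   = $g
            Count   = $members.Count
            Members = ($members | Sort-Object SamAccountName |
                       Select-Object -ExpandProperty SamAccountName) -join ', '
        }
    }
}

$forest = Get-ADForest
"Forest {0}: domains = {1}" -f $forest.Name, ($forest.Domains -join ', ')
Get-TrustReport | Format-Table -AutoSize
Get-PrivilegedMembership | Format-List
```

Run it once in each forest you are comparing. If the same accounts show up in both membership lists, the two-forest design adds a second directory to manage without adding a second set of people who could misuse elevated rights, which is the point both Mike and Awinish make; and any trust reported with forest-wide authentication is a place where the separation between the forests has already been partly given back.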

All replies

  • Thanks for the help.  I have also had a conference call with our security rep and the information you all posted was basically reiterated in the conference call.  The two forest design will not give us the security needed and I agree with Awinish that the money is better spent enhancing security and not spent building out the new forest.

    Also - we would have the same users who manage forest A also manage forest B.  So yeah, there really isn't a need to build out like that.

    Thanks for the help!

    Zach


    Zach Smith

    Monday, July 2, 2012 12:58 PM