ESAE and Tier model approach - location of the privileged accounts and administrative workstations

    Question

  • I would like to clarify the Microsoft positioning concerning the location of the privileged accounts and administrative workstations with the ESAE and Tier model approach.

    • In one piece of documentation found here, the privileged accounts and workstations are located inside the production forest:

    • However, the link provided as a reference for MIM above the figure in the previous documentation (Privileged Identity Management for Active Directory Domain Services (AD DS)) puts the administrative account for Jen (BASTION/Jen) in the forest dedicated to MIM (with PAM trust, thus SID history..., that's another story) to administer an HR database inside the production forest:

    Can someone please confirm the location of the privileged accounts and administrative workstations with the ESAE and Tier model approach?


    Wednesday, July 11, 2018 4:05 PM

All replies

  • Hello Timothée,

    I'm not from Microsoft, but regarding your question, if you look deeper in the article you will find your answer:

    • ESAE Administrative Forest Design Approach

    "While this approach does add a forest to an Active Directory environment, the cost and complexity are limited by the fixed design, small hardware/software footprint, and small number of users"

    "Workstation Hardening: Build the administrative workstations using the Privileged Access Workstations (through Phase 3), but change the domain membership to the administrative forest instead of the production environment"

    So, in summary, when you have an Administrative Forest, the workstations of your administrators should be in the Administrative Forest, and the privileged accounts too (Administrative accounts).

    Best Regards,

    Wednesday, July 11, 2018 4:41 PM
  • Hello Dokoh,

    Thanks for your quick answer.

    Your remark is completely valid for Tier 0. As indicated in the 1st figure of the question, admin workstations and privileges are located inside the ESAE forest.

    However, in the sentence "... change the domain membership to the administrative forest instead of the production environment" the term "administrative forest" refers to the ESAE forest (Tier 0) and not the PRIV forest (Tier 1&2) as stated in the article:

    "This section contains an approach for an administrative forest based on the Enhanced Security Administrative Environment (ESAE) reference architecture"

    "This figure depicts an ESAE forest used for administration of Tier 0 Assets and a PRIV forest configured for use with Microsoft Identity Manager's Privileged Access Management capability"

    "A dedicated administrative forest is a standard single domain Active Directory forest dedicated to the function of Active Directory management"

    "An administrative forest design should include the following considerations:

        Limited scope – (…) The objective is to limit the functions of the forest and admin users

        Trust configurations – (…) to designated Tier 0 admin accounts in the admin forest."

    The article does not give a reference for Tier 1&2 privileges and workstations apart from the figure where they are located inside the production forest.

    Friday, July 13, 2018 7:49 AM
  • You are totally right on that, so in my point of view what it can mean is that you should have a PAW in the ESAE forest and another admin workstation in the PRIV forest for Tier 1&2.

    Regarding account location: an administrative account in ESAE for Tier 0 and another administrative account in the PRIV forest for Tier 1&2.

    Best Regards,

    Friday, July 13, 2018 3:18 PM
  • Any ESAE PAW workstation meant for T0 administration, like 'Domain Admins', should be joined to the ESAE forest. The user accounts performing Corp's 'Domain Admin' tasks will exist in the ESAE forest.
    Sunday, July 15, 2018 8:47 AM
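The thread ends with the placement rule: Tier 0 accounts live in the ESAE forest and hold rights in the production forest only through the trust. The script below is an added example, not part of this thread or of Microsoft's ESAE documentation: it audits the Tier 0 groups of a production domain and reports, for every direct or nested member, which forest the principal actually belongs to, by comparing its SID with the domain SIDs of the two forests. It assumes the RSAT ActiveDirectory module, read access to both forests, and a trust from production to the admin forest; the domain names are placeholders, and the `Get-Tier0Membership` function is written here for the example.

```powershell
# Added audit example (not from the thread). Reports where each member of the production
# domain's Tier 0 groups actually lives, so the "Tier 0 accounts in the ESAE forest" rule
# can be verified rather than assumed.
# Assumes: RSAT ActiveDirectory module, read access to both forests, placeholder names below.
Import-Module ActiveDirectory

$ProdDomain  = 'corp.example.test'   # placeholder: production domain
$AdminForest = 'esae.example.test'   # placeholder: ESAE / admin forest root domain
$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

# Domain SID prefixes classify a principal without having to resolve its name across the trust.
$prodSid  = (Get-ADDomain -Server $ProdDomain).DomainSID.Value
$adminSid = (Get-ADDomain -Server $AdminForest).DomainSID.Value

function Get-Tier0Membership {
    param([string]$GroupName, [string]$Server, [string]$Via, [hashtable]$Seen)

    # Read the raw 'member' attribute instead of Get-ADGroupMember -Recursive, which can fail
    # when a group contains foreign security principals from a trusted forest.
    $group = Get-ADGroup -Identity $GroupName -Server $Server -Properties member
    foreach ($dn in $group.member) {
        if ($Seen.ContainsKey($dn)) { continue }   # guard against nested-group loops
        $Seen[$dn] = $true

        $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectSid, objectClass, sAMAccountName
        if ($obj.objectClass -eq 'group') {
            # Recurse so indirect members are classified too.
            Get-Tier0Membership -GroupName $obj.DistinguishedName -Server $Server -Via "$Via > $($obj.Name)" -Seen $Seen
            continue
        }

        # A foreign security principal carries the SID of the trusted forest's account;
        # a native user or computer carries the production domain's SID.
        $sid = $obj.objectSid.Value
        $location = if     ($sid.StartsWith("$adminSid-")) { 'AdminForest' }
                    elseif ($sid.StartsWith("$prodSid-"))  { 'ProductionForest' }
                    else                                    { 'Other' }
        $name = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }

        [pscustomobject]@{
            Group       = $Via
            Member      = $name
            ObjectClass = $obj.objectClass
            SID         = $sid
            Location    = $location
        }
    }
}

$report = foreach ($g in $Tier0Groups) {
    Get-Tier0Membership -GroupName $g -Server $ProdDomain -Via $g -Seen @{}
}

$report | Sort-Object Location, Group, Member | Format-Table -AutoSize

# Under the ESAE model, a Tier 0 user that lives in the production forest is the item to review:
# it is exposed to that forest's credential-theft surface. The built-in Administrator (RID 500)
# is a break-glass account that is expected to remain in production, so it is excluded here.
$report |
    Where-Object { $_.Location -eq 'ProductionForest' -and $_.ObjectClass -eq 'user' -and $_.SID -notlike '*-500' } |
    ForEach-Object { Write-Warning "Tier 0 account resides in the production forest: $($_.Member) via $($_.Group)" }
```

In a deployment that follows the thread's conclusion, every user-class member of the production Tier 0 groups should show up as `AdminForest` (a foreign security principal whose SID starts with the ESAE domain SID), and the only `ProductionForest` entries should be the built-in Administrator and computer objects such as domain controllers. The script reads `member` directly and recurses itself because `Get-ADGroupMember -Recursive` is known to error on groups containing foreign security principals, which is exactly the membership shape ESAE produces.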