Multiple-Forests - Super Admin Forest Model.

    Question

  • Is this still a valid/best model to implement if a company manages a lot of forests?

    https://technet.microsoft.com/en-us/library/cc526459.aspx

    No idea when the article is dated.

    Tuesday, November 29, 2016 12:53 AM

All replies

  • In 2016 this would fall under privileged access management (PAM), and it would use MIM to provision the admin users for just-in-time administration. https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

    If it answered your question, remember to “Mark as Answer”.

    If you found this post helpful, please “Vote as Helpful”.

    Postings are provided “AS IS” with no warranties, and confer no rights.

    • Proposed as answer by Todd Heron Wednesday, November 30, 2016 3:06 AM
    Tuesday, November 29, 2016 3:07 AM
  • Thanks for the reply.

    Does MIM somehow let me RDP into another forest? I want a centralized database for admins, and not to create a superduperadmin in every forest for each admin.

    Tuesday, November 29, 2016 1:34 PM
  • So the best way to explain it is the actual MS documentation. Here is a cut-and-paste, below the link, of the new 2016 features. Basically what happens is that the new "bastion" forest is created and that is where your administrators will live. What MIM does is provision the accounts in the "bastion" forest to have access to your production/user forest. Those users will be able to RDP and administer the production/user forest, and if MIM is in the picture it will do this just-in-time administration so that a domain admin isn't a domain admin every day. The domain admin will only be a domain admin for the time that is needed, then the rights will be taken away.

    See this document from MS for planning a bastion environment

    This will be the NEW direction from MS going forward to help secure AD DS and limit who has access.

    What's new in Active Directory Domain Services for Windows Server 2016

    Privileged access management

    Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such as pass-the-hash, spear phishing, and similar types of attacks. It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:

    • A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.

    • New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests.

    • New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests. The shadow security principals have an attribute that references the SID of an administrative group in an existing forest. This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs).

    • An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time required to perform an administrative task. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime.

      Note

      Expiring links are available on all linked attributes. But the member/memberOf linked attribute relationship between a group and a user is the only example where a complete solution such as PAM is preconfigured to use the expiring links feature.

    • KDC enhancements are built into Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups. For example, if you are added to a time-bound group A, then when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have remaining in group A. If you are also a member of another time-bound group B, which has a lower TTL than group A, then the TGT lifetime is equal to the time you have remaining in group B.

    • New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed.

    Requirements

    • Microsoft Identity Manager

    • Active Directory forest functional level of Windows Server 2012 R2 or higher.


    If it answered your question, remember to “Mark as Answer”.

    If you found this post helpful, please “Vote as Helpful”.

    Postings are provided “AS IS” with no warranties, and confer no rights.

    • Proposed as answer by Todd Heron Wednesday, November 30, 2016 3:06 AM
    Tuesday, November 29, 2016 4:48 PM
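The shadow principal and expiring-link mechanics quoted above can be exercised directly with the Windows Server 2016 ActiveDirectory PowerShell module, without MIM's request workflow in front of them. The script below is an added example for this thread; it is not code from the original posts or from Microsoft's PAM documentation. It assumes placeholder forest names (`bastion.example`, `prod.example`), a bastion admin account `priv.alice`, a 30-minute TTL, and that the caller can create objects under the Shadow Principal Configuration container. The `<TTL=seconds,DN>` write form for `Set-ADObject` and the `-ShowMemberTimeToLive` switch on `Get-ADObject` are taken to be the 2016 module's expiring-links syntax; the domain's default 10-hour TGT maximum used by `Get-ExpectedTgtLifetimeSeconds` is also an assumed value.

```powershell
# Added example, not from the thread or from Microsoft's PAM docs.
# Placeholders: bastion.example, prod.example, priv.alice, 30-minute TTL.
Import-Module ActiveDirectory

$BastionDomain = 'bastion.example'
$ProdDomain    = 'prod.example'

function Get-ShadowPrincipalContainer {
    # Container created when the PAM optional feature is enabled in the bastion forest.
    $configNC = (Get-ADRootDSE -Server $BastionDomain).configurationNamingContext
    return "CN=Shadow Principal Configuration,CN=Services,$configNC"
}

function Assert-PamFeatureEnabled {
    # Enabling the feature is one-way; it belongs in the bastion forest only.
    $feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature' -Server $BastionDomain
    if (-not $feature.EnabledScopes) {
        throw "PAM optional feature is not enabled in $BastionDomain"
    }
}

function New-ProdShadowPrincipal {
    param([string]$ProdGroupName, [string]$ShadowName)
    # msDS-ShadowPrincipalSid carries the production group's SID, so a bastion
    # account that is a member gets that SID in its token and no prod ACL changes.
    $sid       = (Get-ADGroup -Identity $ProdGroupName -Server $ProdDomain).SID.Value
    $container = Get-ShadowPrincipalContainer
    $existing  = Get-ADObject -Filter "Name -eq '$ShadowName'" -SearchBase $container -Server $BastionDomain
    if ($existing) { return $existing }
    New-ADObject -Type 'msDS-ShadowPrincipal' -Name $ShadowName -Path $container `
        -OtherAttributes @{ 'msDS-ShadowPrincipalSid' = $sid } -Server $BastionDomain -PassThru
}

function Grant-TimeBoundMembership {
    param($Shadow, [string]$UserSam, [timespan]$Ttl)
    # Expiring link (assumed syntax): the member value is written as <TTL=seconds,DN>.
    # When the TTL reaches zero the DC drops the link; the KDC also caps the TGT at it.
    $userDn  = (Get-ADUser -Identity $UserSam -Server $BastionDomain).DistinguishedName
    $seconds = [int]$Ttl.TotalSeconds
    Set-ADObject -Identity $Shadow -Add @{ member = "<TTL=$seconds,$userDn>" } -Server $BastionDomain
}

function Get-ShadowMembership {
    param($Shadow)
    # -ShowMemberTimeToLive (assumed available on Get-ADObject) returns each member
    # with its remaining TTL; a value without the TTL prefix is a permanent link.
    $obj = Get-ADObject -Identity $Shadow -Properties member -ShowMemberTimeToLive -Server $BastionDomain
    foreach ($value in $obj.member) {
        if ($value -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ Member = $Matches[2]; RemainingSeconds = [int]$Matches[1]; Standing = $false }
        } else {
            # Standing privilege is exactly what the PAM model is meant to remove.
            [pscustomobject]@{ Member = $value; RemainingSeconds = $null; Standing = $true }
        }
    }
}

function Get-ExpectedTgtLifetimeSeconds {
    param([int[]]$RemainingSeconds, [int]$DomainMaxTgtSeconds = 36000)
    # Mirrors the KDC rule quoted in the post: the TGT lifetime is the lowest TTL
    # across the user's time-bound memberships, never more than the domain maximum.
    $candidates = @($DomainMaxTgtSeconds) + $RemainingSeconds
    return ($candidates | Measure-Object -Minimum).Minimum
}

# --- usage ---
Assert-PamFeatureEnabled
$shadow = New-ProdShadowPrincipal -ProdGroupName 'Domain Admins' -ShadowName 'prod-DomainAdmins-Shadow'
Grant-TimeBoundMembership -Shadow $shadow -UserSam 'priv.alice' -Ttl (New-TimeSpan -Minutes 30)

$members = Get-ShadowMembership -Shadow $shadow
$members | Format-Table -AutoSize

# Audit check: any non-expiring member of a shadow principal is a finding worth alerting on.
$standing = $members | Where-Object Standing
if ($standing) { Write-Warning "Standing membership found: $($standing.Member -join ', ')" }

# A user holding 30-minute and 10-minute memberships gets a TGT capped at 600 seconds.
Get-ExpectedTgtLifetimeSeconds -RemainingSeconds @(1800, 600)
```

The audit function is the part worth scheduling: the shadow principal's `member` attribute is the single place where standing access into the production forest would reappear, so reading it with `-ShowMemberTimeToLive` and flagging any value without a TTL prefix catches a bastion-side grant that bypassed the just-in-time workflow.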