Securing Privileged Access - Resource forests


  • In our environment, there is an account forest and 10 resource forests trusting the account forest. The resource forests are a way to isolate enterprise applications from the users.
    Following the Microsoft documentation, I understand that:
       - Tier 0 is in "Direct Control of enterprise identities in the environment...". So, in our implementation, we created an ESAE admin forest with an environment in control of the DCs for the account forest. In this ESAE admin forest resides all the Tier 0 privileged accounts for the account forest.
       - Tier 1 is in "Control of enterprise servers and applications...". Not implemented yet, but we plan to create a "PRIV" forest with a MIM solution for Just in Time administration (time bound admin privileges). For now, the design is restricted to the account forest.
       - Tier 2 is in "Control of user workstations and devices...". Same "PRIV" forest as Tier 0.

    The question is : 1) do we need to strictly follow this tier model for the account forest and each of the resource forests or, 2) are the 10 resource forests considered as Tier 1 infrastructures?

    In case 1), it seems a dedicated ESAE Admin forest will be installed for each of the 11 forests and in case 2), only one ESAE Admin forest for all the forests.
    Wednesday, June 13, 2018 8:16 AM

All replies

  • Hi,

    Thank you for your question.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact

    Thursday, June 14, 2018 12:42 PM
  • Hello,

    Regarding your question we had the same question regarding the securisation of our forests and below is what we did (Environment with multiple forest --> More than 10) :

    • 1 forest (Tier 0) to administer all DCs in different forest inlcuding DCs in "Forest B" (Forest A)
    • 1 forest (Tier 1 and 2) to administer all servers, applications and workstation including admin workstation in "Forest A" (Forest B)

    Best Regards,

    Monday, June 18, 2018 12:32 PM