Securing Privileged Access - Resource forests


  • In our environment, there is an account forest and 10 resource forests trusting the account forest. The resource forests are a way to isolate enterprise applications from the users.
    Following the Microsoft documentation, I understand that:
       - Tier 0 is in "Direct Control of enterprise identities in the environment...". So, in our implementation, we created an ESAE admin forest with an environment in control of the DCs for the account forest. In this ESAE admin forest resides all the Tier 0 privileged accounts for the account forest.
       - Tier 1 is in "Control of enterprise servers and applications...". Not implemented yet, but we plan to create a "PRIV" forest with a MIM solution for Just in Time administration (time bound admin privileges). For now, the design is restricted to the account forest.
       - Tier 2 is in "Control of user workstations and devices...". Same "PRIV" forest as Tier 0.

    The question is : 1) do we need to strictly follow this tier model for the account forest and each of the resource forests or, 2) are the 10 resource forests considered as Tier 1 infrastructures?

    In case 1), it seems a dedicated ESAE Admin forest will be installed for each of the 11 forests and in case 2), only one ESAE Admin forest for all the forests.
    Wednesday, June 13, 2018 8:16 AM

All replies

  • Hi,

    Thank you for your question.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact

    Thursday, June 14, 2018 12:42 PM
  • Hello,

    Regarding your question we had the same question regarding the securisation of our forests and below is what we did (Environment with multiple forest --> More than 10) :

    • 1 forest (Tier 0) to administer all DCs in different forest inlcuding DCs in "Forest B" (Forest A)
    • 1 forest (Tier 1 and 2) to administer all servers, applications and workstation including admin workstation in "Forest A" (Forest B)

    Best Regards,

    Monday, June 18, 2018 12:32 PM
  • Hello Dokoh,

    Thanks for your answer.

    Could you please describe the implemented trusts between the different forests.

    Also, there is a note in the ESAE documentation regarding applications: "This approach works well for administering Active Directory, but many applications aren't compatible with being administered by accounts from an external forest using a standard trust."  ESAE Administrative Forest Design Approach 

    How did you handle these applications (I think about Exchange for instance)?

    Best Regards,

    Timothée Hoarau

    Monday, July 2, 2018 12:31 PM
  • Hi William,

    Any news ?

    Best Regards,


    Monday, July 2, 2018 12:37 PM
  • Hello,

    Regarding the trust it was a one-way trust and regarding applications like Exchange they were already in a separate forest and not join to the administrative forests

    Best Regards,

    Monday, July 2, 2018 2:11 PM
  • The trust is a one-way trust between each forest (10+) and Forest A, is it ?
    Monday, July 2, 2018 2:43 PM
  • Yes it is exactly that

    Best Regards,

    Monday, July 2, 2018 3:03 PM
  • I suppose then the same goes for Forest B (Tier 1 & Tier 2): 1 trust for each forest.

    Do you exclusively use the privileged accounts in Forest B to manage applications in each other forests or do you sometimes use an account of the other forests?

    Thanks again for you answers.

    Best Regards,


    Tuesday, July 3, 2018 1:16 PM
  • Most of the time privileged accounts in Forest B but some application don't allow that.

    For example with the version of Exchange we were using it was not possible to administer it from Forest B so we were using credential from Exchange forest

    Best Regards,

    Tuesday, July 3, 2018 2:06 PM