Educause Security Discussion mailing list archives

MSFT Domain Controller: One Forest for servers and user/computer management, or two isolated forests?


From: Marmina Abdel Malek <marmina () AUCEGYPT EDU>
Date: Wed, 4 Nov 2009 13:05:44 +0200

Dear Colleagues,
We are currently studying the restructuring of the university domain
controller and I need your advice:
- We have around 250 servers (80% Windows servers) hosting applications (web
servers, CMS, ERP, LMS, etc.)
- We have around 8000 computers on campus (85% Windows, 15% Mac/others)

The case: we need to centralize the management of the around 200 servers by
joining them to a domain controller (for pushing patches, inventory, etc.). As for end
PCs, we need to join them to a domain to push software, updates, policies,
remote support, centralized authentication, group policies, roaming
profiles, etc.

*The question:* Should we build 2 forests (isolated from each other): one
for servers and one for user/computer management? Or should we have one
forest with 2 subdomains?

*Concerns:* I'm afraid that if the user/computer domain was compromised, an
intruder might be able to propagate to the servers domain and compromise the
whole infrastructure.

Please advise....



Best Regards,
Marmina Abdel-Malek
IT Security Officer
The American University in Cairo
Tel : +202-2615-3561
Fax: +202-2797-4909
Email: marmina () aucegypt edu
web: www.aucegypt.edu
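The concern raised above is exactly what Microsoft's own guidance addresses: in Active Directory the forest, not the domain, is the security boundary. Domains inside one forest share the schema, the configuration partition and the Enterprise Admins group, and the trusts between them are transitive and are not meant to be SID-filtered, so a compromised child domain is a compromised forest. Two forests joined by a forest trust can instead be limited with SID filtering (on by default for forest trusts) and selective authentication, which lets users of the campus forest reach only those servers explicitly granted "Allowed to Authenticate". The following audit script is an added example written for this thread, not code from the original poster. It assumes the RSAT ActiveDirectory module and a domain-joined administrative session; the domain names in the trailing netdom comments are placeholders.

```powershell
# Added example (not from the original post): list every trust of the current
# domain and flag the two design points discussed in the thread:
#   1. intra-forest trusts, which cannot be hardened (domain != security boundary)
#   2. forest trusts that allow forest-wide rather than selective authentication
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-TrustHardeningReport {
    param(
        # Domain to query; defaults to the domain of the current session.
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $finding = if ($_.IntraForest) {
            'Intra-forest trust: transitive, not SID-filtered; a compromise of this domain is a compromise of the forest'
        } elseif ($_.ForestTransitive -and -not $_.SelectiveAuthentication) {
            'Forest trust with forest-wide authentication: any account in the trusted forest may authenticate to every server'
        } elseif ($_.ForestTransitive) {
            'Forest trust with selective authentication: review "Allowed to Authenticate" grants on server objects'
        } else {
            'External trust: review scope'
        }

        [pscustomobject]@{
            Target                  = $_.Target
            Direction               = $_.Direction
            IntraForest             = $_.IntraForest
            ForestTransitive        = $_.ForestTransitive
            # Raw SID-filtering flags, reported for review; for forest trusts
            # SID filtering is active by default regardless of the quarantine flag.
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
            SelectiveAuthentication = $_.SelectiveAuthentication
            Finding                 = $finding
        }
    }
}

Get-TrustHardeningReport | Format-Table -AutoSize

# If the two-forest design is chosen, the server forest would restrict the
# trust from its side (placeholder names):
#   netdom trust servers.example.edu /domain:campus.example.edu /SelectiveAuth:yes
#   netdom trust servers.example.edu /domain:campus.example.edu /EnableSIDHistory:no
```

Run it from a domain controller or management host in each forest; in the single-forest design every trust between the parent and child domains shows up as IntraForest and the first finding, which is the propagation path the question worries about.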
