Educause Security Discussion mailing list archives

Re: MSFT Domain Controller: One Forest for servers and user/computer m


From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Wed, 4 Nov 2009 09:22:12 -0500

Sounds like overkill to me. There is certainly no need for two forests in
my opinion.  Two domains even will cause you some amount of issues in that
you won't gain much security if the resources in your server domain/forest
are AD-authenticated for those in your users/computer domain or forest.
That is because you'd have to set up trusts between the domains anyway.
In AD, trusts are two-way transitive by default.  Also, if your users ever
needed to log into the server domain, then I'm pretty sure if the trust is
not two-way transitive, then it does not show in the drop-down box, which
could create training issues.  In the end, it depends how you lay out your
resources, in terms of what resources are actually in the server domain,
but keep in mind, if you have things you don't want to be accessible to
users through the domain and you just want it for management, that's fine.
But management is different than security in AD.  Security in AD is a way
of giving someone access to a domain resource.  (Not keeping them from
compromising the computer.  Infrastructure and external security is best
for that, IMHO.)

Hope this helps,


Dexter Caldwell
Information Security Administrator
Computing & Information Services
Furman University
3300 Poinsett Hwy
Greenville, SC 29613
email: dexter.caldwell () furman edu
office: 864-294-3566
facsimile: 864-294.3001
The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
Dear Colleagues,
We are currently studying the restructuring of the university
domain controllers and I need your advice:
- We have around 250 servers (80% Windows servers) hosting applications
(web servers, CMS, ERP, LMS, etc.)
- We have around 8000 computers on campus (85% Windows, 15% Mac/others)


The case: we need to centralize the management of the around 200 servers
by joining them to a domain (for pushing patches, inventory, etc.). As
for end PCs, we need to join them to a domain to push software, updates,
policies, remote support, centralized authentication, group policies,
roaming profiles, etc.


The question: Should we build 2 forests (isolated from each other): one
for servers and one for user/computer management? Or should we have
one forest with 2 sub-domains?


Concerns: I'm afraid that if the user/computer domain was compromised, an
intruder might be able to propagate to the servers domain and compromise
the whole infrastructure.


Please advise....
Best Regards,
Marmina Abdel-Malek
IT Security Officer
The American University in Cairo
Tel : +202-2615-3561
Fax: +202-2797-4909
Email: marmina () aucegypt edu
web: http://www.aucegypt.edu
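The thread's central point is that a trust decides how far a compromise can travel: inside one forest, parent/child trusts are created automatically as two-way and transitive, so a "servers" sub-domain is a management boundary rather than an isolation boundary, whereas a trust between two forests is created by hand and can be one-way, SID-filtered and restricted to selective authentication. The following PowerShell script is an added example and is not code from either message in this thread; it inventories the trusts a domain has and flags the properties that weaken isolation. It assumes the RSAT ActiveDirectory module (the real Get-ADTrust cmdlet and its documented properties), a domain-joined workstation where $env:USERDNSDOMAIN is set, and the function name Get-TrustReport, which is my own choice.

```powershell
# Added example (not from the thread): report every trust of a domain and
# flag settings that let a compromise in the trusted side reach this one.
# Requires the RSAT ActiveDirectory module; read-only, runs as a normal
# domain user from a domain-joined machine.
Import-Module ActiveDirectory

function Get-TrustReport {
    param(
        # Domain whose trustedDomain objects are read; defaults to the
        # current user's DNS domain (assumed to be set on a joined machine).
        [string]$Domain = $env:USERDNSDOMAIN
    )

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $findings = @()

        # Parent/child and tree-root trusts are always two-way transitive:
        # they cannot isolate one domain of a forest from another.
        if ($_.IntraForest) {
            $findings += 'intra-forest trust: no security boundary'
        }

        # A two-way trust lets accounts on both sides be granted access here.
        if ($_.Direction -eq 'BiDirectional') {
            $findings += 'two-way'
        }

        # A forest trust is transitive across every domain of the other forest.
        if ($_.ForestTransitive) {
            $findings += 'forest-transitive'
        }

        # On an external (non-forest, non-intra-forest) trust, SID filtering
        # ("quarantine") discards SID history presented by the trusted domain.
        # It is on by default; off means injected SIDs would be honored.
        if (-not $_.IntraForest -and -not $_.ForestTransitive -and
            -not $_.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) disabled'
        }

        # Selective authentication limits the trusted side to resources that
        # explicitly grant "Allowed to Authenticate"; off means any server
        # in this domain is reachable once a trusted account has a share ACL.
        if (-not $_.IntraForest -and -not $_.SelectiveAuthentication) {
            $findings += 'selective authentication off (domain-wide auth)'
        }

        [pscustomobject]@{
            Partner      = $_.Name
            Source       = $_.Source
            Target       = $_.Target
            Direction    = $_.Direction
            Type         = $_.TrustType
            IntraForest  = $_.IntraForest
            Findings     = ($findings -join '; ')
        }
    }
}

# Usage: run from a workstation joined to the domain under review.
Get-TrustReport | Format-Table -AutoSize
```

Run against a one-forest, two-sub-domain layout, every row comes back IntraForest = True with the first finding set, which is the concrete form of Dexter's remark that sub-domains do not buy isolation. Run against two forests joined by a one-way trust, the row for that trust shows the direction, transitivity and filtering choices that were actually made, which is what Marmina's propagation concern turns on.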