I've been struggling with a domain design to choose. I've always read that
it is best practice design to create an empty place holder root domain to
hold the enterprise admin group and to hold the forest schema operations
role. Then have another domain to hold all users/groups/computers. The
alternative being one domain, that holds all of the above.

There are obviously additional hardware costs associated with the empty place
holder domain, but there isn't going to be much administrative overhead
since the domain is going to be basically unused.

What are the underlying reasons why the place holder root domain is set up
and should this domain design be favored in a large enterprise organization
vs the single domain model?

Thank you.

Re: Place holder root domain advantage by Ace

Ace
Tue Aug 05 21:50:37 PDT 2008


"Randy Jackson" <jacksors@yahoo.com> wrote in message
news:O9fddT29IHA.4004@TK2MSFTNGP03.phx.gbl...
> I've been struggling with a domain design to choose. I've always read that
> it is best practice design to create an empty place holder root domain to
> hold the enterprise admin group and to hold the forest schema operations
> role. Then have another domain to hold all users/groups/computers. The
> alternative being one domain, that holds all of the above.
>
> There are obviously additional hardware costs associated with the empty
> place holder domain, but there isn't going to be much administrative
> overhead since the domain is going to be basically unused.
>
> What are the underlying reasons why the place holder root domain is set up
> and should this domain design be favored in a large enterprise
> organization vs the single domain model?
>
> Thank you.

You've stated the basic reasons. A place holder for the tree, offering a
contiguous namespace, as well as hiding the EA and Schema Admins.

In the past, back in the early 2000 days, it was the basic thinking to use
an empty root. However, the design mentality of an empty root has changed
with increased features and changes in 2003 security, or basically because
of budget. So the most common designs are simply one domain unless you need
across the pond or business partner migrated domains in a decentralized
delegation. Keep in mind, you can protect a single domain design by keeping
everyone else out of the Domain Admins group and use OU or specific
delegation.

I remember at one point when arguing about having an empty root or just one
domain, that as a child domain admin, I was able to access certain parts of
the containers using ADSI Edit and could have done damage for the forest. So
why bother with the empty root? But like I said, security has changed.

I remember you posted before about Exchange design concerns, but not sure if
we discussed number of users and Sites, or other specifics for a directory
service. How many users? Sites?

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations



Re: Place holder root domain advantage by Paul

Paul
Wed Aug 06 05:47:24 PDT 2008

This is no longer a recommended strategy. Microsoft now recommends to keep
it as simple as possible with as few domains as your enterprise can use.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Randy Jackson" <jacksors@yahoo.com> wrote in message
news:O9fddT29IHA.4004@TK2MSFTNGP03.phx.gbl...
> I've been struggling with a domain design to choose. I've always read that
> it is best practice design to create an empty place holder root domain to
> hold the enterprise admin group and to hold the forest schema operations
> role. Then have another domain to hold all users/groups/computers. The
> alternative being one domain, that holds all of the above.
>
> There are obviously additional hardware costs associated with the empty
> place holder domain, but there isn't going to be much administrative
> overhead since the domain is going to be basically unused.
>
> What are the underlying reasons why the place holder root domain is set up
> and should this domain design be favored in a large enterprise
> organization vs the single domain model?
>
> Thank you.
>



Re: Place holder root domain advantage by jacksors

jacksors
Wed Aug 06 05:57:00 PDT 2008

Thank you Ace, that information is very helpful.

We are presently planning our migration strategy to separate from our parent
company and form our own independent company.

We will be implementing Windows 2008 ADDS and migrating over approximately
800 user accounts and 900 Exchange mailboxes. I believe the present
environment is Windows 2003 AD (running in 2000 native mode) with Exchange
2003. We will be forming 3 AD sites. One site will be for our corporate
office location, one for our data center facility located offsite, and one
for regional offices in another part of the country. We at present do not
have any international presence, but it is very likely we will. I've been
questioning whether we need to have separate sites for our data center and
corporate office, but since they will be separated by a WAN link, I think
that for replication purposes, and to make sure users hit a DC on the subnet
at corporate before trying to hit one at the data center, we should have
separate sites defined.

With this fairly simple break out and small number of users (we are
expecting to almost double our size in about 2 yrs) would a single model
domain make the most sense?

If a user were a domain admin in this model, what prevents them from
modifying attributes that can affect the whole forest rather than just the
domain? This domain would hold the forest schema; would domain admins have
access to make changes to that, or only Enterprise Admins?

Thanks for your advice.

"Ace Fekay [MVP Directory Services]" wrote:

> You've stated the basic reasons. A place holder for the tree, offering a
> contiguous namespace, as well as hiding the EA and Schema Admins.
>
> In the past, back in the early 2000 days, it was the basic thinking to use
> an empty root. However, the design mentality of an empty root has changed
> with increased features and changes in 2003 security, or basically because
> of budget. So the most common designs are simply one domain unless you need
> across the pond or business partner migrated domains in a decentralized
> delegation. Keep in mind, you can protect a single domain design by keeping
> everyone else out of the Domain Admins group and use OU or specific
> delegation.
>
> I remember at one point when arguing about having an empty root or just one
> domain, that as a child domain admin, I was able to access certain parts of
> the containers using ADSI Edit and could have done damage for the forest. So
> why bother with the empty root? But like I said, security has changed.
>
> I remember you posted before about Exchange design concerns, but not sure if
> we discussed number of users and Sites, or other specifics for a directory
> service. How many users? Sites?

Re: Place holder root domain advantage by jacksors

jacksors
Wed Aug 06 06:18:01 PDT 2008

Thanks Paul. What AD version prompted this best practice change?

"Paul Bergson [MVP-DS]" wrote:

> This is no longer a recommended strategy. Microsoft now recommends to keep
> it as simple as possible with as few domains as your enterprise can use.

Re: Place holder root domain advantage by Paul

Paul
Wed Aug 06 09:17:58 PDT 2008

If I recall correctly it started with the release of AD (2000).

--
Paul Bergson

"jacksors" <jacksors@discussions.microsoft.com> wrote in message
news:8E3E3EA0-B153-42EF-A814-1FFCD6D713AF@microsoft.com...
> Thanks Paul. What AD version prompted this best practice change?



Re: Place holder root domain advantage by jacksors

jacksors
Thu Aug 07 19:14:00 PDT 2008

Paul,

I have a follow up question. Old best practice said not to use your
routable internet domain name as the domain name for your forest root domain.
Is that still a best practice, or due to enhanced security does that no
longer matter as well?

Thanks.

"Paul Bergson [MVP-DS]" wrote:

> If I recall correctly it started with the release of AD (2000).

Re: Place holder root domain advantage by Paul

Paul
Fri Aug 08 05:47:25 PDT 2008

That is the recommended strategy, but to be honest we don't follow that. I
don't know if it was security related or just the fact that you need to be
able to manage DNS and not expose your internal boxes' IP addresses, both of
which we do.

--
Paul Bergson

"jacksors" <jacksors@discussions.microsoft.com> wrote in message
news:18547956-7C98-47CB-8982-22440B57271D@microsoft.com...
> Paul,
>
> I have a follow up question. Old best practice said not to use your
> routable internet domain name as the domain name for your forest root domain.
> Is that still a best practice, or due to enhanced security does that no
> longer matter as well?
>
> Thanks.



Re: Place holder root domain advantage by jacksors

jacksors
Fri Aug 08 07:19:01 PDT 2008

Everything I've read, at least for older AD installations, says that a domain
admin in a single forest root domain model could gain enterprise admin
permissions, modify the schema and cause forest-wide damage. I was hoping
to avoid that security issue. Is that scenario even possible in AD 2008?

"Paul Bergson [MVP-DS]" wrote:

> That is the recommended strategy, but to be honest we don't follow that. I
> don't know if it was security related or just the fact that you need to be
> able to manage DNS and not expose your internal boxes' IP addresses, both of
> which we do.

Re: Place holder root domain advantage by Paul

Paul
Fri Aug 08 08:59:50 PDT 2008

Any admin in a forest, if smart enough, can work to gain permissions to
become an enterprise admin. Security boundaries are between forests.

--
Paul Bergson

"jacksors" <jacksors@discussions.microsoft.com> wrote in message
news:39F1A95A-605F-4135-854D-A05979434BA1@microsoft.com...
> Everything I've read, at least for older AD installations, says that a domain
> admin in a single forest root domain model could gain enterprise admin
> permissions, modify the schema and cause forest-wide damage. I was hoping
> to avoid that security issue. Is that scenario even possible in AD 2008?



Re: Place holder root domain advantage by jacksors

jacksors
Fri Aug 08 11:52:00 PDT 2008

Thank you for the info.

"Paul Bergson [MVP-DS]" wrote:

> Any admin in a forest, if smart enough can work to gain permissions to
> become an enterprise admin. Security boundaries are between forests.

Re: Place holder root domain advantage by Ace

Ace
Fri Aug 08 21:29:01 PDT 2008


"jacksors" <jacksors@discussions.microsoft.com> wrote in message
news:B549073F-A100-402E-A398-7C50D6B92D7F@microsoft.com...
> Thank you for the info.

I would like to add that another argument for not using the same name as your
external one is the lower DNS administrative overhead: you don't have to
create shadow records internally so internal folks can access the external
website, assuming it's hosted externally. Also a biggie is that internal folks
cannot access an externally hosted site using the URL without the 'www'
portion, because that record gets registered by each DC in the domain. There
are ways around it, but the truth of the matter comes back to the additional
administrative overhead.

As for a single domain, that's as secure as it's going to get even compared
to having an empty root. Just keep control of your admin and admin rights.

Ace
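The two checks this thread keeps coming back to, as an added PowerShell example that is not code from Ace, Paul or any other participant: who actually holds forest-level versus domain-level admin rights in a single-domain forest, and whether the AD name collides with the public web name so that the bare domain resolves to domain controllers. It assumes the RSAT ActiveDirectory module, the DnsClient module's Resolve-DnsName, and an account that can read group membership in every domain of the forest; the membership thresholds it warns on are the author's own choices, not Microsoft guidance.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). Assumes RSAT ActiveDirectory, DnsClient
# (Resolve-DnsName) and read access to group membership across the forest.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$rootSid    = $rootDomain.DomainSID.Value

# Resolve groups by well-known SID rather than display name: RID 519/518 exist
# only in the forest root domain, RID 512 in every domain, S-1-5-32-544 is BUILTIN.
$checks = @(
    @{ Scope = 'Forest'; Domain = $rootDomain.DNSRoot; Name = 'Enterprise Admins'; Sid = "$rootSid-519" }
    @{ Scope = 'Forest'; Domain = $rootDomain.DNSRoot; Name = 'Schema Admins';     Sid = "$rootSid-518" }
)
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $checks += @{ Scope = 'Domain'; Domain = $dom.DNSRoot; Name = 'Domain Admins';  Sid = "$($dom.DomainSID.Value)-512" }
    $checks += @{ Scope = 'Domain'; Domain = $dom.DNSRoot; Name = 'Administrators'; Sid = 'S-1-5-32-544' }
}

# Expand nested membership. -Recursive can throw on foreign security principals
# it cannot resolve, so record the failure and keep going instead of aborting.
$rows = foreach ($c in $checks) {
    try {
        $members = Get-ADGroupMember -Identity $c.Sid -Server $c.Domain -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate $($c.Name) in $($c.Domain): $_"
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Scope  = $c.Scope
            Domain = $c.Domain
            Group  = $c.Name
            Member = $m.SamAccountName
            Class  = $m.objectClass
        }
    }
}
$rows | Sort-Object Scope, Domain, Group, Member | Format-Table -AutoSize

# Findings in the spirit of "keep control of your admin and admin rights".
# Thresholds are this example's own choices.
$schema = @($rows | Where-Object Group -eq 'Schema Admins')
if ($schema.Count -gt 0) {
    Write-Warning "Schema Admins has $($schema.Count) member(s); keep it empty outside a planned schema change."
}
$ea = @($rows | Where-Object Group -eq 'Enterprise Admins')
if ($ea.Count -gt 2) {
    Write-Warning "Enterprise Admins has $($ea.Count) members; trim to a break-glass minimum."
}
# Accounts that hold both domain-level and forest-level rights are exactly the
# ones for which the empty root would have bought nothing; list them.
$domainAdmins = $rows | Where-Object Group -eq 'Domain Admins' | Select-Object -ExpandProperty Member -Unique
$forestAdmins = $rows | Where-Object Scope -eq 'Forest'       | Select-Object -ExpandProperty Member -Unique
$both = $domainAdmins | Where-Object { $forestAdmins -contains $_ }
if ($both) { "Accounts with both domain- and forest-level admin rights: $($both -join ', ')" }

# DNS point from the last post: every DC registers an A record for the bare
# domain name, so if the AD name is also the public web name the apex resolves
# to DCs internally and 'www' has to be maintained by hand as a shadow record.
$dcAddrs = Get-ADDomainController -Filter * -Server $rootDomain.DNSRoot |
           Select-Object -ExpandProperty IPv4Address
$apex    = Resolve-DnsName -Name $rootDomain.DNSRoot -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
if ($apex -and ($apex | Where-Object { $dcAddrs -contains $_ })) {
    "Apex '$($rootDomain.DNSRoot)' resolves to domain controllers ($($apex -join ', ')); " +
    "a public site on that name needs a manually maintained 'www' record in the internal zone."
}
```

Run it from a domain-joined management host; the table is the inventory, the warnings and the last two lines are the items worth acting on.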