1

I have a project to secure my Active Directory infrastructure.

To do that, one of my colleagues told me about the possibility to create another AD domain in the forest just for administration. That is, this new domain will contain all administrator groups to manage the other domain, which contains the standard accounts.

I don't really understand this solution and I would like to have some information about that, but I don't find anything on the Internet.

Does anybody have information about that?

Thanks in advance

gerem

3 Answers

1

I think your colleague is talking about a forest model that uses an empty root domain and one or more child domains. The root domain would store just the Enterprise Admins group and Schema Admins group, as well as the Schema Master FSMO role and the Domain Naming Master role. The Enterprise Admins group will then have full control over the child domain. The idea was to protect these powerful groups from other administrators and potential compromise. Your child domain would still have the standard Domain Admins group as well as the built-in Operator groups. All standard user accounts are created in the child domain.

There might still be some use cases for this model, but in general you should try to keep your AD structure as simple as possible, and a single domain model is as simple as it gets.

Interestingly Windows Server 2016 adds more protection for admin groups.

Hope this helps

Michael Brown
1

What your colleague is referring to is something that was considered an acceptable practice a very long time ago. That is no longer the case (and I'd argue it was of dubious value 15 years ago, even). Because the forest (not the domain) is where your security boundary lies, you get very limited additional security out of this setup (if any), for which you add complexity and have to deal with child domains, which Microsoft no longer recommends using, except for a very limited number of cases (cruise ships being the remaining example of an organization where child domains make sense).

Your colleague is wrong, and you should not do this. Instead, you should do it right, and consider smacking him upside the head for suggesting an implementation that might have had some small value 15 years ago, with the original version of Active Directory. As to how to do it right and harden Active Directory properly, you haven't provided enough information to make any well-informed recommendations, except to say that your colleague's proposal is not a good idea. (Personally, I would ignore any further suggestions from someone who suggested an empty forest root. People who know what they're talking about regarding Active Directory wouldn't suggest such a thing in the first place.)

HopelessN00b
1

It would actually be more secure to have a separate bastion forest for Administrative accounts and groups. You can read more about it here:

Privileged Identity Management for Active Directory Domain Services (AD DS) https://technet.microsoft.com/en-us/library/mt150258.aspx

Let's say you have a production forest with domain controllers in 100 locations. And your bastion forest only has domain controllers at your main data center. If there is an incursion with the production forest, the administrative domain controllers and the database/krbtgt account are less at risk. The bastion forest also typically has more restrictive security settings, and you could have a one-way forest trust (the production forest trusts the bastion forest, but not the other way). The new PIM features for time-limited group membership/access are also a security improvement.

Greg Askew
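An added example, not part of Greg's answer, showing how the two controls he describes can be checked and applied with the ActiveDirectory PowerShell module: confirming that the trust is one-way (production trusts bastion, not the reverse) and granting a time-limited group membership once the Privileged Access Management feature is enabled. Forest names, the group name and the account name are constructed placeholders.

```powershell
# Added example (not from the thread): checks and actions for the bastion-forest
# design, using cmdlets from the ActiveDirectory module.
# $ProductionForest, $BastionForest, 'Tier0-Admins' and 'jdoe.admin' are placeholders.
Import-Module ActiveDirectory

$ProductionForest = 'prod.example'    # placeholder: forest with DCs in many sites
$BastionForest    = 'admin.example'   # placeholder: bastion (admin) forest

# 1. Verify the trust is one-way. On the trusting (production) side the trust
#    object toward the bastion forest should be Outbound only. A BiDirectional
#    trust would let production-forest accounts into the bastion forest, which
#    defeats the purpose of the design.
function Test-OneWayBastionTrust {
    param([string]$ProductionForest, [string]$BastionForest)
    $trust = Get-ADTrust -Server $ProductionForest -Filter * |
        Where-Object { $_.Target -eq $BastionForest }
    if (-not $trust) {
        throw "No trust from $ProductionForest to $BastionForest found"
    }
    if ($trust.Direction -ne 'Outbound') {
        throw "Trust direction is $($trust.Direction); expected Outbound (one-way)"
    }
    return $trust
}
Test-OneWayBastionTrust -ProductionForest $ProductionForest -BastionForest $BastionForest

# 2. Enable time-limited membership in the bastion forest. This optional
#    feature requires the 2016 forest functional level and cannot be disabled
#    again, so -Confirm prompts before it is turned on.
Enable-ADOptionalFeature -Server $BastionForest `
    -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target $BastionForest -Confirm

# 3. Grant a membership that expires on its own after two hours; with the
#    feature enabled, the Kerberos TGT lifetime is also capped to the remaining TTL.
Add-ADGroupMember -Server $BastionForest -Identity 'Tier0-Admins' `
    -Members 'jdoe.admin' -MemberTimeToLive (New-TimeSpan -Hours 2)

# 4. Review the remaining TTL per member; entries without a TTL prefix are
#    permanent memberships and are the ones worth auditing.
(Get-ADGroup -Server $BastionForest -Identity 'Tier0-Admins' `
    -Properties member -ShowMemberTimeToLive).member
```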