RE: [ActiveDir] Security Domain

[Gil Kirkpatrick]

Title: Message

Hey Brad,   Although it is still considered a best-practice, from a security standpoint, an empty root doesn't buy you anything. It is still possible for a "rogue" domain admin to escalate their privelege level and compromise the Configuration and Schema NCs, for instance. See Design Considerations for Delegation of Admininistration in Active Directory:   "Note that a dedicated forest root only provides protection against accidental or unintended misuse of privilege; owners of non-root domains can still use malicious methods to attempt to manipulate groups in the root domain."   The doc is at http://www.microsoft.com/technet/treeview/default.asp?url="">.   -gil -----Original Message----- From: Brad Martin [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 24, 2002 10:59 AM To: Active Directory Mailing List Subject: [ActiveDir] Security Domain In building our new Active Directory structure I'm planning on deploying our forest with two domains, the root domain being a "security" domain, with no users (except a couple MIS people for administration), but with a number of our servers, and a second domain on the tree for users and client machines.  The reasons I've heard for doing this is to protect the Schema, and the various Administrator groups from being compromised by people who can log into the domain.  Is there anything else that doing this will protect?  I'm going to have to have a nice bullet point list to present to prove to management that it's worth their while to spend $10,000 to build an almost unused domain.   Brad Martin Go Daddy Software [EMAIL PROTECTED] 480.505.8800 ext. 250