-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 12:32 PM
To: Ravdal, Stig; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Managing Sites in Forest with Empty Root

well - the terms "operate with greater autonomy" and "being able to be spun off entirely" basically shout for a multi-forest environment. Not a big deal either - especially if you implement each as a single-domain-forest. With 2k3 you even get Kerberos authentication across forest trusts (and you'd even have trust transitivity to child domains - but you wouldn't need child domains). That's likely too late if you've already migrated, but if not, I'd really think about it. Obviously such a decision has other implications - depending on the rest of the infrastructure, you'd have some extra challenges (e.g. Exchange / synchronization etc.). However, it would be MUCH easier to split the companies later on if this is already a scenario on the horizon.

I'm currently in the process of helping a company prepare for a split - they're a part of the mother company's forest and need their own forest now - it's a mess...

/Guido
From: Ravdal, Stig [mailto:[EMAIL PROTECTED]
Sent: Freitag, 21. November 2003 21:08
To: GRILLENMEIER,GUIDO (HP-Germany,ex1); [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Managing Sites in Forest with Empty Root

Hi Guido,

Thanks for the info. I am aware of the security hole so this may really boil down to perception. The client has a requirement that two of their business units operate with greater autonomy - to the point of being able to be spun off entirely should that be the best for business. They frequently acquire new companies and divest smaller organizations and that is what led to the model of a forest of trees (single domains) with an empty forest root (tree/domain).

As far as the EA rights are concerned it may be possible for an admin in any tree in the forest to elevate his/her privileges, but it is somewhat unlikely in this organization - the client's main business unit/company has outsourced all administration to a very large outsourcing company and they have a paper-based procedure for everything - quite bureaucratic really. That is not to say that there couldn't be some disgruntled employee that causes trouble down the road.

Thanks for the response Guido, I'll also look for the whitepapers.

Cheers,
Stig

-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 12:06 PM
To: [EMAIL PROTECTED]; Ravdal, Stig
Subject: RE: [ActiveDir] Managing Sites in Forest with Empty Root

As John already said: it's not really wise to try to delegate everything, as otherwise you're giving away the keys to the kingdom after all... And if this is your only reason for creating that extra empty root domain, then you might as well stick to a clean single-domain-forest model: as soon as you give domain admin rights to someone else in your child domain, you've basically passed out these precious keys.
It's a simple thing for a domain admin to work himself up the tree and become Enterprise Admin - not necessarily what you'd expect, but that's the way it is. MS is finally being public about this - check out the AD Security Whitepaper that was released a while ago. It's best to keep a very small team with EA+DA rights and delegate other tasks on the OU level only.
If you still want to delegate site-administration (even in a single-domain-forest) you'll have to grant numerous permissions on various objects to make this happen - but depending on what you really want to delegate, you may only need a few. Here is a sample from the upcoming AD Delegation Whitepaper from Microsoft (only 5 more days...):
Task: Create a Site / Add a Site
Permissions required: CC on cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to create objects of class Site)

Task: Rename a Site
Permissions required: WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the Common-Name attribute

Task: Specify the location of a Site
Permissions required: WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the Location attribute

Task: Associate a Group Policy with a Site
Permissions required: WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the GP-Link attribute

Task: Modify Site Group Policy Options
Permissions required: WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the GP-Options attribute

Task: Move a Domain Controller between sites
Permissions required:
- WP on the Server object being moved to modify the Common-Name attribute
- DC on the object cn=Servers, cn=<Current-Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> (to delete objects of class Server)
- CC on the object cn=Servers, cn=<New-Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> (to create objects of class Server)
/Guido
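The rows quoted above map directly onto object-specific ACEs in the Configuration partition. The script below is an added example (not code from the thread, from Microsoft, or from the whitepaper) that applies each row with the ActiveDirectory PowerShell module via Get-Acl/Set-Acl on the AD: drive, and then reads the DACL back so the delegation can be reviewed. The delegate group CONTOSO\SiteAdmins, the site names Berlin and Munich, and the server name DC01 are assumed placeholders.

```powershell
# Added example, not code from the thread or from Microsoft's whitepaper.
# Applies the delegation rows quoted above with the ActiveDirectory module
# (Get-Acl/Set-Acl on the AD: drive). Names below are assumptions to replace.
Import-Module ActiveDirectory

$Group    = 'CONTOSO\SiteAdmins'   # assumed delegate group (placeholder)
$SiteName = 'Berlin'               # assumed existing site (placeholder)
$OldSite  = 'Berlin'               # assumed source site for a DC move
$NewSite  = 'Munich'               # assumed target site for a DC move
$DcName   = 'DC01'                 # assumed server object being moved

$RootDse  = Get-ADRootDSE
$SchemaNC = $RootDse.schemaNamingContext
$SitesDN  = "CN=Sites,$($RootDse.configurationNamingContext)"

# ACEs are keyed on a SID, so resolve the group name once.
$Sid = ([System.Security.Principal.NTAccount]$Group).Translate([System.Security.Principal.SecurityIdentifier])

# Object-specific ACEs (CC for one class, WP for one attribute) are scoped by
# the schemaIDGUID of that class or attribute; look it up by lDAPDisplayName.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $SchemaNC `
               -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# Append one Allow ACE (no inheritance) to the DACL of a single object.
function Grant-AdRight {
    param(
        [string]$DistinguishedName,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $ace  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $Sid, $Rights,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $ObjectType,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "granted $Rights (object type $ObjectType) to $Group on $DistinguishedName"
}

# Row 1: create/add a site -> CC on cn=Sites, limited to objects of class 'site'
Grant-AdRight -DistinguishedName $SitesDN `
    -Rights ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild) `
    -ObjectType (Get-SchemaGuid 'site')

# Rows 2-5: rename, location, GP link, GP options -> WP on one site object,
# each limited to a single attribute (cn = Common-Name, gPLink = GP-Link, ...)
$SiteDN = "CN=$SiteName,$SitesDN"
foreach ($attr in 'cn', 'location', 'gPLink', 'gPOptions') {
    Grant-AdRight -DistinguishedName $SiteDN `
        -Rights ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) `
        -ObjectType (Get-SchemaGuid $attr)
}

# Row 6: move a DC between sites -> WP on cn of the server object, DC on the
# old Servers container and CC on the new one, both limited to class 'server'
$ServerGuid = Get-SchemaGuid 'server'
Grant-AdRight -DistinguishedName "CN=$DcName,CN=Servers,CN=$OldSite,$SitesDN" `
    -Rights ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) `
    -ObjectType (Get-SchemaGuid 'cn')
Grant-AdRight -DistinguishedName "CN=Servers,CN=$OldSite,$SitesDN" `
    -Rights ([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild) `
    -ObjectType $ServerGuid
Grant-AdRight -DistinguishedName "CN=Servers,CN=$NewSite,$SitesDN" `
    -Rights ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild) `
    -ObjectType $ServerGuid

# Review what the group now holds on an object. Worth running against cn=Sites
# and each site regularly: these ACEs live in the Configuration partition and
# therefore take effect for every domain in the forest.
function Show-DelegatedAces([string]$DistinguishedName) {
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
}
Show-DelegatedAces $SitesDN
Show-DelegatedAces $SiteDN
```

Writing these DACLs needs an account that already owns the Configuration partition objects, in practice one of the few EA/DA holders Guido recommends keeping, which is why the delegation itself cannot be pushed down to the operational domains. The per-attribute WP entries are deliberately narrow; granting plain "write all properties" on a site object would hand out far more than the table lists.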
-----Original Message-----
From: John Reijnders [mailto:[EMAIL PROTECTED]]
Sent: Donnerstag, 20. November 2003 20:40
To: 'Ravdal, Stig '; '[EMAIL PROTECTED] '
Subject: RE: [ActiveDir] Managing Sites in Forest with Empty Root
If you want to delegate the rights to manage the stuff handled with AD S&S
you need to delegate the "manage replication topology" to the right group.
Site management is a task performed at forest level so delegating this right
means delegating the rights for the complete forest.
Thinking about it ... you could try to limit the role of creating sites to
limited number of users/groups and the give specific admins only the rights
to manage these specific objects (i.e. attaching subnets to this site).
However !!! be really conservative with the delegation of this right. Doing
the wrong stuff can screw up your complete AD (in all domains within the
forest). I personally prefer limiting this task to a very limited amount of
people.
Cheers!
John
-----Original Message-----
From: Ravdal, Stig
To: [EMAIL PROTECTED]
Sent: 20-11-2003 18:17
Subject: [ActiveDir] Managing Sites in Forest with Empty Root
Hi all,
I'm a newbie to the forum and I think that this is the right place for
this question.
I have setup new forest using an empty forest root (first domain/tree in
forest). In the forest I have an operational domain the second domain in
the forest (and the first of three such single domain/single trees that
will reside in the forest in addition to the empty forest root).
What I would like to do is allow the first operational domain to manage
sites & services. I do not want the empty forest root to do any
administrative tasks beyond holding the "keys to the kingdom" No users
or computers will reside in the empty forest root domain.
How can I delegate the control of the Sites and Services?
Also can I delegate the control of sites and services such that each
domain/tree in the forest can do their own site management?
Thanks,
Stig
___________________________________________________________________________
This message contains information that may be privileged or confidential and is the property of the Cap Gemini/Ernst & Young Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
___________________________________________________________________________
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Thanks again Guido,

The decision is not final so your comments and suggestions are well taken. Some intel that came back just this morning was that one of the entities has suggested that the company operate with two forests - corporate and "specialty companies" where each of the "specialty companies" would be separate domains.

Again, migration has not begun yet and the final design is still on the table.

In that respect, are there any good articles that you are aware of that discuss the pros and cons of single forest vs. multiple forests? It would have to be a fairly recent article because anything that is two years old seems to be somewhat dated.

Lastly, do you have the URL to the MS whitepaper on forest security that you mention in your first post? I was unable to find it through a variety of searches on MS as well as google.

Thanks,
Stig