Thanks Guido,

Mark

-----Original Message-----
From: "Grillenmeier, Guido" <[EMAIL PROTECTED]>
Date: Wed, 26 Apr 2006 17:04:39 
To: <[email protected]>
Subject: RE: [ActiveDir] Root Place Holder justification

There isn't much official documentation available on this topic and if
you search the - archives you'll see it's been discussed many times.
Fact is that an empty root typically gives a false sense of security.
For most scenarios you can even argue that it reduces the overall
security of an AD forest. 

Here's a nice list of arguments AGAINST an empty forest root domain from
Paul Rich, Senior Architecture Engineer within Microsoft's internal IT:

Empty root domain summary
- Adds complexity
- Adds up front cost
- Adds ongoing cost
- Lengthens disaster recovery
- Complicates group usage and comprehension
- Has user and application owner impact
- Kerberos cross-realm ticket issue
- Lowers security
- Only use is political and at very high cost 

We could discuss each of the above points and add more detail, but for
most this sums it up quite well. The "Lowers security" reason mainly
revolves around the Kerberos cross-realm ticket issue, as the status of a
user's account is not checked when a user's Kerberos ticket in another
domain is updated => i.e. in a hire/fire scenario, if a user is still
logged onto a box in his proper domain his Kerberos ticket would not get
renewed in his domain, but it would for an existing session to the root
domain. So the user could continue to use resources and grab data from
them (e.g. retrieve all company contacts from a GC in the root domain -
and if he has write access do other damage etc.)

I've even come across other technical reasons in the meantime that
speak against an empty forest root - this involves trusts between
different forests and the new forest trust type in Win2003. Empty root
domains don't make forest trusts any easier - especially for the
end-user.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, 26 April 2006 16:03
To: [email protected]
Subject: RE: [ActiveDir] Root Place Holder justification

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs
in a global deployment with 45k users and 37k computers.  Ran that way
for 6 years.

Now we've sold off a business unit of a couple thousand users and they
outsourced to a big 3rd party service provider who insisted they go with
an empty root.  I recommended against it, but the sourcer (whose
initials are E.D.S.) claimed the configuration was supported by
Microsoft and that they had run it by Microsoft for "approval."

I think what it boils down to is that this is their standard service and
that's that.  The guys I'm working with are quite knowledgeable and good
at what they do, but they're the front line people and not the
deep-thinking architects we find at DEC.

AL

Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for
a root place holder, pros and cons?

Where I am - I have started at one domain and can see no reason to
expand on that - they only have 6 DCs now in a single domain - yet the
partner they have chosen is recommending a root place holder with 5 DCs
and then 8 in the child domain (they are NOT even supplying the tin) and
I wanted some decent ammo - a little bit stronger than schema and Ent
admin separation.

I know at DEC the consensus was the desire to eliminate and I believe
Guido and Wook have stated this for the past two DECs.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
