It appears Mr. Fossen misses the biggest reason to have an empty root - it's to protect the forest from its owners, not outsiders. As has been covered many times before, the Empty Root primarily protects the forest from unauthorized changes (intended or otherwise) from admins.
I would agree that regardless of which approach is taken, all domains should be subject to appropriate security measures.

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Bud DAWSON [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2003 6:28 PM
> To: NT 2000 Discussions
> Subject: RE: Empty root domain in AD
>
> Not according to Jason Fossen, who led the "Securing Windows" track at the
> SANS Institute conference in New Orleans this past January. In his opinion
> (also supported by some recent MS articles that he cited), the "empty root
> domain" approach is unnecessary, and a waste of hardware and resources. He
> points out that a lot of time and effort goes into protecting a few Domain
> Controllers, while all the really important stuff is down in the so-called
> "lower level" domains. He says why not put the effort into protecting the
> important stuff?
>
> As a result of my attending his session, I changed my AD design, and have
> now gone to a single AD Domain, combining one NT 4 Accounts Domain and ten
> NT 4 "Trusting" Resource Domains, and handled the whole thing with OUs
> within a single domain.
>
> It also makes life a LOT easier if you decide to move objects (users,
> computers, etc) around, since it is just drag-and-drop between OUs in a
> domain.
>
> Cheers
>
> Bud Dawson
>
> Local 2132
> Windows System Administrator, MCSE 2000
>
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Robert Gonzaga (306) [mailto:[EMAIL PROTECTED]
> Sent: June 26, 2003 2:45 PM
> To: NT 2000 Discussions
> Subject: Empty root domain in AD
>
> Is an empty root domain still recommended even for small (<100 users) single
> domain situations?
>
> Robert G
>
> ------
> You are subscribed as [EMAIL PROTECTED]
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&lang=english
> To unsubscribe send a blank email to %%email.unsub%%
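The argument above turns on where forest-wide privilege lives: the Enterprise Admins and Schema Admins groups exist only in the forest root domain, so an empty root keeps the set of people who hold them separate from the admins of the domains where the users and servers sit. The following PowerShell is an added example (not from any of the posters) that audits exactly that: it lists the effective members of those two groups as seen from the root domain and flags any member whose account comes from another domain, which is the condition an empty root is meant to prevent. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the forest.

```powershell
# Added example, not part of the thread: audit forest-level privileged groups.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain

# Enterprise Admins and Schema Admins exist only in the forest root domain.
$forestGroups = @('Enterprise Admins', 'Schema Admins')

foreach ($g in $forestGroups) {
    # -Recursive expands nested groups so indirect membership is shown as well
    $members = @(Get-ADGroupMember -Identity $g -Server $root -Recursive)
    Write-Host "== $g (queried via $root): $($members.Count) effective member(s) =="

    foreach ($m in $members) {
        # Derive the member's home domain from the DC= components of its DN
        $dcParts      = ($m.DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' }
        $memberDomain = ($dcParts | ForEach-Object { $_.Substring(3) }) -join '.'

        # A member from outside the root domain means forest-wide rights have
        # been granted to an account that a child-domain admin controls.
        $flag = if ($memberDomain -ine $root) { '  <-- account from a non-root domain' } else { '' }
        Write-Host ("  {0,-10} {1,-30} {2}{3}" -f $m.objectClass, $m.SamAccountName, $memberDomain, $flag)
    }
}
```

Run it from any machine with RSAT; an empty-root design should produce a short list with no flagged entries, while a single-domain design will naturally show every member in the one domain, which is the trade-off the two posts are debating.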
