Educause Security Discussion mailing list archives
Re: MSFT Domain Controller: One Forest for servers and user/computer m
From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Wed, 4 Nov 2009 09:22:12 -0500
Sounds like overkill to me. There is certainly no need for two forests in my opinion. Two domains even will cause you some amount of issues in that you won't gain much security if the resources in your Server domain/forest are AD-authenticated for those in your users/computer domain or forest. That is because you'd have to set up trusts between the domains anyway. In AD, trusts are two-way transitive by default. Also, if your users ever needed to log into the server domain, then I'm pretty sure if the trust is not two-way transitive, then it does not show in the drop-down box, which could create training issues.

In the end, it depends how you lay out your resources, in terms of what resources are actually in the server domain, but keep in mind, if you have things you don't want to be accessible to users through the domain and you just want it for management, that's fine. But management is different than security in A/D. Security in AD is a way of giving someone access to a domain resource. (Not keeping them from compromising the computer. Infrastructure and external security is best for that, IMHO.)

Hope this helps,

Dexter Caldwell
Information Security Administrator
Computing & Information Services
Furman University
3300 Poinsett Hwy
Greenville, SC 29613
email: dexter.caldwell () furman edu
office: 864-294-3566
facsimile: 864-294-3001

The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes:
Dear Colleagues,

We are currently studying the restructuring of the university domain controller and I need your advice:

- We have around 250 servers (80% Windows servers) hosting applications (web servers, CMS, ERP, LMS, etc...)
- We have around 8000 computers on campus (85% Windows, 15% Mac/others)

The case: we need to centralize the management of the around 200 servers by joining a domain controller for pushing patches, inventory, etc. As for end PCs, we need to join them to a domain to push software, updates, policies, remote support, centralized authentication, group policies, roaming profiles, etc.

The question: Should we build 2 forests (isolated from each other): one for servers and one for user/computer management? Or should we have one forest with 2 sub domains?

Concerns: I'm afraid that if the user/computer domain was compromised, an intruder might be able to propagate to the servers domain and compromise the whole infrastructure.

Please advise....

Best Regards,

Marmina Abdel-Malek
IT Security Officer
The American University in Cairo
Tel: +202-2615-3561
Fax: +202-2797-4909
Email: marmina () aucegypt edu
web: www.aucegypt.edu
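The reply's central point is that a server domain or forest only isolates the servers as far as the trusts between the two sides allow: domains inside one forest are always linked by two-way transitive trusts, and a separate forest is only isolated until an administrator creates a trust to it. The PowerShell below, an added example that is not part of this thread, inventories the trusts of the current domain with the ActiveDirectory RSAT module's Get-ADTrust cmdlet and rates each one by direction, transitivity and whether selective authentication is enforced, so the isolation a split design is supposed to buy can be measured rather than assumed. The function name and the rating labels are this example's own choices; the property names are those of the ADTrust object.

```powershell
# Added example (not from the list thread): report the trusts of the current
# domain and flag the ones that give the partner broad, two-way access.
# Assumes the ActiveDirectory module (RSAT) and read rights on trust objects.
Import-Module ActiveDirectory

function Get-TrustExposureReport {
    [CmdletBinding()]
    param(
        # Optional domain controller to query; omitted = automatic discovery
        [string]$Server
    )
    $query = @{ Filter = '*' }
    if ($Server) { $query.Server = $Server }

    Get-ADTrust @query | ForEach-Object {
        $t = $_
        # Direction:              Inbound, Outbound or BiDirectional
        # IntraForest:            parent/child or tree-root trust inside one forest
        #                         (always two-way transitive, no forest boundary)
        # ForestTransitive:       $true for transitive forest trusts
        # SelectiveAuthentication: $true when partner users must be granted
        #                         "Allowed to Authenticate" on each server
        # SIDFilteringQuarantined: $true when SID history from the partner
        #                         is filtered out (quarantined trust)
        $assessment =
            if ($t.IntraForest) {
                'INFO: intra-forest trust; the other domain is not a security boundary'
            }
            elseif ($t.Direction -eq 'BiDirectional' -and $t.ForestTransitive -and
                    -not $t.SelectiveAuthentication) {
                'HIGH: two-way transitive forest trust without selective authentication'
            }
            elseif ($t.Direction -eq 'BiDirectional') {
                'MEDIUM: two-way trust; confirm both directions are actually needed'
            }
            else {
                'LOW: one-way trust'
            }

        [pscustomobject]@{
            Partner                 = $t.Target
            Direction               = $t.Direction
            IntraForest             = $t.IntraForest
            ForestTransitive        = $t.ForestTransitive
            SelectiveAuthentication = $t.SelectiveAuthentication
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            Assessment              = $assessment
        }
    }
}

# Run from a domain-joined host with the module installed.
Get-TrustExposureReport | Sort-Object Assessment | Format-Table -AutoSize
```

A "HIGH" row means the partner's accounts can authenticate to every server in this domain by default, which is the situation the reply warns about: the extra forest is then an administrative boundary, not a security one. Enabling selective authentication on a forest trust, keeping the trust one-way where the server side only needs to consume identities, and leaving SID filtering enabled are the settings that make the split worth its cost.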
Current thread:
- Re: MSFT Domain Controller: One Forest for servers and user/computer m Dexter Caldwell (Nov 04)