Selecting an Active Directory Structure Based on Delegation Requirements

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

In Active Directory, administrators can delegate both service administration and data administration to achieve either autonomy or isolation between organizations. The combination of an organization's service management, data management, autonomy, and isolation requirements determines which Active Directory containers (forest, domain, or OU) are used to delegate administration.

The following steps can assist you in determining whether your organization's specific delegation requirements justify delegating control of a separate forest, domain, or OU:

  1. Begin by placing all organizations in a single-domain forest.

  2. For each business unit with unique administrative requirements, determine the appropriate level of autonomy and isolation, based on the respective characteristics in Table 3 earlier in this guide (see Specifying Security and Administrative Boundaries).

  3. When recording the justification for each decision, note whether:

    • Delegation is driven by an organizational, operational, legal, or other requirement (see Specifying Security and Administrative Boundaries, Table 2).

    • The requirement pertains to delegation of service management, data management, or both.

    • The requirement indicates the need for autonomy, isolation, or both.

  4. Identify the appropriate Active Directory structure:

    • Single-domain forest with OUs for data autonomy

    • Single forest with multiple domains for domain-level service autonomy

    • Separate forests for service isolation

    • Separate forests for forest-level service autonomy

    • Separate forests for data isolation from service owners

For detailed explanations of these and other scenarios and for processes that help you determine the delegation requirements for your organization and the corresponding Active Directory structure, see “Designing the Active Directory Logical Structure” in Designing and Deploying Directory and Security Services of the Windows Server 2003 Deployment Kit (or see “Designing the Active Directory Logical Structure” on the Web at https://go.microsoft.com/fwlink/?LinkId=4723).

Implications for Active Directory in Extranet Deployment

Outward-facing domain controllers in an extranet are in a portion of the network where customers and partners can access network resources through the Internet. As a result of this Internet exposure, any information about the intranet forest that is placed in the extranet is subject to disclosure or tampering by external users. Further, if there is no service isolation boundary between the two environments, a compromise of service administration in the extranet can be leveraged to compromise the intranet.

To mitigate these risks, Active Directory implementations in an extranet should maintain complete service isolation from the rest of the organization. Therefore, a separate Active Directory forest should be implemented for the extranet. Any service administrator whose responsibilities span the intranet forest and the extranet forest should have a separate administrative account in each forest, so that the compromise of one account does not grant service-level control in the other forest.
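As an added audit example (not part of the original article), the following PowerShell checks an extranet forest for two deviations from the isolation just described: any trust relationship to another forest or domain, and any foreign security principal (a SID from another forest admitted through a trust) in the forest's service-administrator groups. The article itself does not mention trusts; treating every trust as a finding is an assumption that follows from the requirement for complete service isolation. The script assumes it is run from a host joined to the extranet forest with the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later) installed; the group names are the built-in defaults and the function names are the author's own.

```powershell
# Added audit example, not code from the original article. Run inside the
# extranet forest. Assumes the ActiveDirectory module (RSAT) and .NET
# System.DirectoryServices.ActiveDirectory; nothing is hard-coded to a forest name.
Import-Module ActiveDirectory

function Get-ExternalTrusts {
    # Forest-level trusts plus domain-level trusts that leave this forest.
    # ParentChild, TreeRoot and CrossLink trusts are intra-forest and expected.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $intraForest = @('ParentChild', 'TreeRoot', 'CrossLink')
    $trusts = @()
    $trusts += $forest.GetAllTrustRelationships()
    foreach ($domain in $forest.Domains) {
        $trusts += $domain.GetAllTrustRelationships() |
            Where-Object { $intraForest -notcontains $_.TrustType.ToString() }
    }
    $trusts | Select-Object SourceName, TargetName, TrustDirection, TrustType
}

function Get-ForeignPrivilegedMembers {
    param(
        # Built-in service-administrator groups; Enterprise/Schema Admins exist
        # only in the forest root domain, so lookups elsewhere simply return nothing.
        [string[]]$Groups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators')
    )
    foreach ($name in $Groups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -Properties member -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        foreach ($dn in $group.member) {
            # Members from another forest are represented as objects under
            # CN=ForeignSecurityPrincipals; a local account never lives there.
            if ($dn -like '*,CN=ForeignSecurityPrincipals,*') {
                [pscustomobject]@{ Group = $name; ForeignMember = $dn }
            }
        }
    }
}

function Test-ExtranetServiceIsolation {
    # Summarise both checks; Isolated is $true only when both lists are empty.
    $trusts  = @(Get-ExternalTrusts)
    $foreign = @(Get-ForeignPrivilegedMembers)
    if ($trusts.Count -gt 0) {
        Write-Warning 'Trust relationships found: the extranet forest is not fully isolated.'
        $trusts | Format-Table -AutoSize | Out-String | Write-Warning
    }
    if ($foreign.Count -gt 0) {
        Write-Warning 'Foreign security principals hold service-administrator membership.'
        $foreign | Format-Table -AutoSize | Out-String | Write-Warning
    }
    [pscustomobject]@{
        Isolated         = ($trusts.Count -eq 0 -and $foreign.Count -eq 0)
        ExternalTrusts   = $trusts
        ForeignAdmins    = $foreign
    }
}

Test-ExtranetServiceIsolation
```

The separate-account rule in the text is a process control: this script can show that no intranet principal has been granted extranet service-administrator rights through a trust, but it cannot tell whether one person reuses the same password across two forests, which remains a matter for account review.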

For more information about designing and managing a secure extranet, see “Secure Extranet for Business Partners” on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=18590.