Recommendations: Establishing Secure Active Directory Boundaries

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

To help maintain secure Active Directory boundaries, consider implementing the security recommendations that are described earlier in this section. The following lists summarize the security recommendations for establishing and maintaining secure Active Directory boundaries in Windows Server 2003.

Recommendations for Specifying Security and Administrative Boundaries

Recommendations for security and administrative boundaries are:

  • Determine whether delegation is driven by organizational, operational, or legal requirements.

  • Determine whether the requirements indicate the need for autonomy, isolation, or both.

  • Assess the level of trust that you have in service administrators (forest owners and domain owners).

Recommendations for Selecting an Active Directory Structure Based on Delegation Requirements

Recommendations for selecting an Active Directory structure are:

  • Use the scenarios in “Designing the Active Directory Logical Structure” in Designing and Deploying Directory and Security Services of the Windows Server 2003 Deployment Kit (or see “Designing the Active Directory Logical Structure” on the Web at https://go.microsoft.com/fwlink/?LinkId=4723) to identify the Active Directory structure that matches your delegation requirements.

  • Place outward-facing domain controllers that are deployed in an extranet in a separate forest.

Recommendations for Establishing Secure Collaboration with Other Forests

Recommendations for creating secure trusts with domains in other forests and between different Windows Server 2003 forests are:

  • Create forest trust relationships between Windows Server 2003 forests only when all forest administrators and all domain administrators are trusted individuals. (A forest functional level of Windows Server 2003 is required in both forests.)

  • Before creating an external trust between two domains in isolated forests, be sure that the two domains have a domain functional level of at least Windows 2000 native and that all domain controllers are running at least Windows 2000 Server SP4, so that SID filtering is enforced by default.
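The preconditions in the two trust recommendations above (domain functional level, domain controller operating system level, and SID filtering on external and forest trusts) can be audited from a domain-joined host with the .NET System.DirectoryServices.ActiveDirectory API. The following script is an added example, not part of the Microsoft document; it assumes an account that can read trust information and it only reports, changing nothing.

```powershell
# Added example (not from the Microsoft document): report the trust-related
# preconditions above for every domain in the current forest.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Write-Output ("Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode)

foreach ($domain in $forest.Domains) {
    # External trusts require at least Windows 2000 native mode; the only
    # level below that is Windows 2000 mixed.
    $mode = $domain.DomainMode
    $native = ($mode -ne [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2000MixedDomain)
    Write-Output ("Domain {0}: functional level {1} (native or higher: {2})" -f $domain.Name, $mode, $native)

    # Every DC should run at least Windows 2000 Server SP4; list the reported
    # OS string so that older builds stand out for manual review.
    foreach ($dc in $domain.DomainControllers) {
        Write-Output ("  DC {0}: {1}" -f $dc.Name, $dc.OSVersion)
    }

    # SID filtering (quarantine) on each external trust this domain holds.
    foreach ($trust in $domain.GetAllTrustRelationships()) {
        if ($trust.TrustType -ne [System.DirectoryServices.ActiveDirectory.TrustType]::External) { continue }
        try {
            $filtered = $domain.GetSidFilteringStatus($trust.TargetName)
        } catch {
            $filtered = "unknown ($($_.Exception.Message))"
        }
        $flag = if ($filtered -eq $true) { "OK" } else { "REVIEW" }
        Write-Output ("  External trust {0} -> {1} ({2}): SID filtering = {3} [{4}]" -f `
            $trust.SourceName, $trust.TargetName, $trust.TrustDirection, $filtered, $flag)
    }
}

# Forest trusts are held at the forest level and have their own filtering status.
foreach ($trust in $forest.GetAllTrustRelationships()) {
    try {
        $filtered = $forest.GetSidFilteringStatus($trust.TargetName)
    } catch {
        $filtered = "unknown ($($_.Exception.Message))"
    }
    Write-Output ("Forest trust {0} -> {1}: SID filtering = {2}" -f $trust.SourceName, $trust.TargetName, $filtered)
}
```

Any trust reported as REVIEW, any domain still in Windows 2000 mixed mode, or any DC below Windows 2000 Server SP4 does not meet the conditions the recommendations above set before an external trust is created.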