Using the Organizational Domain Forest Model

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In the organizational domain forest model, several autonomous groups each own a domain within a forest. Each group controls domain-level service administration, which enables them to manage certain aspects of service management autonomously while the forest owner controls forest-level service management.

Because a domain is not a security boundary, it cannot be used for service or data isolation. For this reason, it is important to confirm that neither service isolation nor data isolation is a requirement for any of the groups in the organization. In an organizational domain forest model, a malicious service administrator in one domain can access any other domain within the forest.

If you have an existing Windows NT 4.0 environment that is based on organizational domains, it is not recommended that you reproduce this configuration in an Active Directory forest. The Active Directory forest does not have the same administrative and security boundaries that exist in a Windows NT 4.0 environment.

Figure 2.11 shows an organizational domain forest model.

Figure 2.11   Organizational Domain Forest Model

Note

  • Because the organizational domain forest model is not recommended, additional design information is not provided.

Domain-Level Service Autonomy

The organizational domain forest model enables the delegation of authority for domain-level service management. Table 2.2 lists the types of service management that can be controlled at the domain level.

Table 2.2   Types of Service Management That are Controlled at the Domain Level

Type of Service Management / Associated Tasks

Management of domain controller operations

  • Creating and removing domain controllers.

  • Monitoring the functioning of domain controllers.

  • Managing services that are running on domain controllers.

  • Backing up and restoring the directory.

Configuration of domain-wide settings

  • Creating domain and domain user account policies, such as password, Kerberos, and account lockout policies.

  • Creating and applying domain-wide Group Policies.

Delegation of data-level administration

  • Creating OUs and delegating administration.

  • Repairing problems in the OU structure that OU owners do not have sufficient access rights to fix.

Management of external trusts

  • Establishing trust relationships with domains outside the forest.

Other types of service management, such as schema or replication topology management, are the responsibility of the forest owner.

Domain Owner

In an organizational domain forest model, domain owners are responsible for domain-level service management tasks. Domain owners have authority over the entire domain, as well as access to all other domains in the forest. For this reason, domain owners must be trusted individuals selected by the forest owner.
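Because every domain owner's service administrators effectively have forest-wide reach, the forest owner should be able to name each of them. The following added example (not part of the original article) inventories the members of the domain-level service administrator groups in every domain of the forest, following nested groups across domain boundaries; it assumes the ActiveDirectory PowerShell module is installed and the account running it can read group membership in each domain.

```powershell
# Added example: inventory domain-level service administrators across the forest.
# Assumes the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

# Groups whose members hold domain-level service administration rights.
$ServiceAdminGroups = @('Domain Admins', 'Administrators')

# Derive the DNS domain name from a distinguished name, so that a member
# from another domain in the forest is resolved against its own domain.
function Get-DomainFromDN {
    param([string]$DistinguishedName)
    $parts = [regex]::Matches($DistinguishedName, 'DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value }
    return ($parts -join '.')
}

# Expand a group recursively, following nested groups into other domains,
# and emit the leaf objects (users, computers, foreign security principals).
function Expand-GroupMembers {
    param([string]$GroupDN, [System.Collections.Generic.HashSet[string]]$Seen)
    if (-not $Seen.Add($GroupDN)) { return }   # already expanded; also breaks cycles
    $group = Get-ADGroup -Identity $GroupDN -Server (Get-DomainFromDN $GroupDN) -Properties member
    foreach ($memberDN in $group.member) {
        $member = Get-ADObject -Identity $memberDN -Server (Get-DomainFromDN $memberDN)
        if ($member.ObjectClass -eq 'group') {
            Expand-GroupMembers -GroupDN $memberDN -Seen $Seen
        } else {
            $member
        }
    }
}

$forest = Get-ADForest
$report = foreach ($domain in $forest.Domains) {
    foreach ($groupName in $ServiceAdminGroups) {
        $groupDN = (Get-ADGroup -Identity $groupName -Server $domain).DistinguishedName
        $seen = New-Object 'System.Collections.Generic.HashSet[string]'
        foreach ($member in Expand-GroupMembers -GroupDN $groupDN -Seen $seen) {
            $memberDomain = Get-DomainFromDN $member.DistinguishedName
            [pscustomobject]@{
                Domain       = $domain
                Group        = $groupName
                Member       = $member.Name
                MemberDomain = $memberDomain
                CrossDomain  = ($memberDomain -ne $domain)   # member granted from another domain
            }
        }
    }
}

# Each account listed can reach every domain in the forest; review any that the
# forest owner does not recognise, and any CrossDomain entries in particular.
$report | Sort-Object Domain, Group, Member | Format-Table -AutoSize
```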

Delegate domain-level service management to a domain owner if the following conditions are met:

  • All groups participating in the forest trust the new domain owner and the service management practices of the new domain.

  • The new domain owner trusts the forest owner and all the other domain owners.

  • All domain owners in the forest agree that the new domain owner has service administrator management and selection policies and practices that are equal to or more strict than their own.

  • All domain owners in the forest agree that domain controllers managed by the new domain owner in the new domain are physically secure.

Keep in mind that if a forest owner delegates domain-level service management to a domain owner, then other groups might choose not to join that forest if they do not trust that domain owner.

All domain owners must be aware that if any of these conditions change in the future, it might become necessary to migrate the organizational domains into a multiple forest deployment.