Isolation and Autonomy Requirements

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The number of forests that you need to deploy depends on the autonomy and isolation requirements of each group within your organization. To identify your forest design requirements, you must identify the autonomy and isolation requirements for every group in your organization. Specifically, you must identify the need for data isolation, data autonomy, service isolation, and service autonomy. You must also identify areas of limited connectivity in your organization.

Data Isolation

Data isolation involves exclusive control over data by the group or organization that owns the data. It is important to note that service administrators have the ability to take control of a resource away from data administrators, and data administrators do not have the ability to prevent service administrators from accessing the resources that they control. Therefore, you cannot achieve data isolation when another group within the organization is responsible for service administration. If a group requires data isolation, that group must also assume responsibility for service administration.

Because data stored in Active Directory and on computers joined to Active Directory cannot be isolated from service administrators, the only way for a group within an organization to achieve complete data isolation is to create a separate forest for that data. Organizations for which the consequences of an attack by a malicious or coerced service administrator are substantial might choose to create a separate forest to achieve data isolation. Legal requirements typically create a need for this type of data isolation. For example:

  • A financial institution is required by law to limit access to data that belongs to clients in a particular jurisdiction to users, computers, and administrators located in that jurisdiction. Although the institution trusts service administrators who work outside the protected area, if the access limitation is violated, the institution will no longer be able to do business in that jurisdiction. Therefore, the financial institution must isolate data from service administrators outside that jurisdiction. Note that encryption is not always an alternative to this solution, because encryption might not protect data from service administrators.

  • A defense contractor is required by law to limit access to project data to a specified set of users. Although the contractor trusts service administrators who control computer systems related to other projects, a violation of this access limitation will cause the contractor to lose business.

    Note

    • If you have a data isolation requirement, then you must decide whether you need to isolate your data from service administrators or from data administrators and ordinary users. If your isolation requirement is based on isolation from data administrators and ordinary users, then you can use ACLs to isolate the data. For the purposes of this design process, isolation from data administrators and ordinary users is not considered a data isolation requirement.
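The distinction that the note draws, isolation from data administrators and ordinary users (achievable with ACLs) versus isolation from service administrators (not achievable within a forest), can be checked on an existing OU by listing who holds full control over it. The following script is an added example and is not part of the original Microsoft documentation. It assumes the ActiveDirectory PowerShell module, which is available through RSAT on Windows Server 2008 R2 and later management hosts and is not shipped with Windows Server 2003, plus read permission on the OU. The distinguished name and the group names used in the usage call are constructed placeholders; the service-administrator group names it flags are the built-in ones.

```powershell
# Added example (not part of the original Microsoft documentation).
# Reports every principal that holds full control (GenericAll) over an OU, plus the
# OU owner, so the delegation can be compared against the isolation decision:
# entries for data administrators come from ACLs you delegated and can be changed;
# entries for service administrators remain effective whatever the ACL says,
# because service administrators can take control of the object back.
# Assumptions: ActiveDirectory module (RSAT, Windows Server 2008 R2 or later host),
# read access to the OU. The DN in the usage call below is a constructed placeholder.
Import-Module ActiveDirectory

$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Built-in service-administrator principals, matched on account name without the domain prefix.
$ServiceAdminNames = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'Administrators')

function Test-IsServiceAdmin {
    param([string] $Identity)
    $account = $Identity.Split('\')[-1]
    return ($ServiceAdminNames -contains $account)
}

function Get-OuFullControlReport {
    param(
        [Parameter(Mandatory = $true)] [string] $OuDistinguishedName
    )
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)

    $rows = @(foreach ($ace in $acl.Access) {
        # Keep only Allow entries that grant the complete GenericAll mask.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $GenericAll) -ne $GenericAll) { continue }
        [pscustomobject]@{
            Principal    = $ace.IdentityReference.Value
            Source       = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
            AppliesTo    = $ace.InheritanceType
            ServiceAdmin = Test-IsServiceAdmin $ace.IdentityReference.Value
        }
    })

    # The owner can always rewrite the DACL, so report it next to the ACEs.
    $rows += [pscustomobject]@{
        Principal    = $acl.Owner
        Source       = 'Owner'
        AppliesTo    = 'N/A'
        ServiceAdmin = Test-IsServiceAdmin $acl.Owner
    }
    return $rows
}

# Usage with a constructed placeholder DN. Rows with ServiceAdmin = True are access
# that an OU-level ACL cannot remove; rows with ServiceAdmin = False are the
# delegated data administrators whose access the ACL does control.
Get-OuFullControlReport -OuDistinguishedName 'OU=Research,DC=contoso,DC=com' |
    Format-Table Principal, Source, AppliesTo, ServiceAdmin -AutoSize
```

Read the output against the note above: if the only principals you need to exclude appear with ServiceAdmin = False, ACLs on the OU satisfy the requirement and no separate forest is needed for it; if the principals you need to exclude appear with ServiceAdmin = True, the requirement is a data isolation requirement in the sense of this design process, and only a separate forest meets it.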

Data Autonomy

Data autonomy involves the ability of a group or organization to manage its own data, including making administrative decisions about the data and performing any required administrative tasks, without the need for approval from another authority.

Data autonomy does not prevent service administrators in the forest from accessing the data. For example, a research group within a large organization might want to manage its project-specific data itself without needing to secure the data from other administrators in the forest.

Service Isolation

Service isolation involves exclusive control of the Active Directory infrastructure. Groups that require service isolation require that no administrator outside of the group can interfere with the operation of the directory service.

Operational or legal requirements typically create a need for service isolation. For example:

  • A manufacturing company has a critical application that controls equipment on the factory floor. Service interruptions on other parts of the organization's network cannot be allowed to interfere with the operation of the factory floor.

  • A hosting company provides service to multiple clients. Each client requires service isolation so that any service interruption that affects one client does not affect the other clients.

Service Autonomy

Service autonomy involves the ability to manage the infrastructure without a requirement for exclusive control. A group with this requirement wants to make changes to the infrastructure, such as adding or removing domains, modifying the DNS namespace, or modifying the schema, without the approval of the forest owner.

Service autonomy might be required for a group within an organization that wants to control the service level of Active Directory by adding and removing domain controllers as needed, or that needs to install directory-enabled applications that require schema extensions.

Limited Connectivity

If a group within your organization owns networks that are separated by devices that restrict or limit connectivity between networks, such as firewalls and Network Address Translation (NAT) devices, this can affect your forest design. When you identify your forest design requirements, be sure to note the locations where you have limited network connectivity. You need this information to make decisions about the forest design.