Is your forest burning?
Microsoft has come full circle on how much consolidation is possible when moving from Windows NT 4 to Active Directory.
In the early days of Windows 2000, Microsoft generally recommended consolidating multiple NT 4 domains into one Active Directory domain - or if that was not possible, into a single forest or collection of domains. Consolidation brings many benefits, including reducing the number of sign-ons for users and simplifying administration of users, computers and applications.
Microsoft initially advertised that the domain is the "security boundary." Each business unit in a company could appoint its own domain administrators who would control user administration and security administration. By implication, you could have very large forests while preserving the security and autonomy of each domain.
I was a single-forest skeptic from the start, insisting that customers always work through a careful analysis of the benefits of single-forest consolidation vs. the costs and risks created by the requirement for much closer cross-business unit coordination between domain and site administrators in one forest. I believed that mixing intranet domains with extranet domains, or other highly sensitive domains, could compromise security. Even so, I was not skeptical enough.
Over time, Microsoft has backed away from the single-forest concept; this past winter it finally published a white paper disclosing that service administrators in one domain can't be isolated from the other domains in the forest. Since then, Microsoft has done a security-threat analysis. It determined that a serious hacker's goal is to gain physical access to a domain controller, or network access to a service administrator account.
Microsoft also has been doing disaster planning. Recently, it wiped out the domain controllers on its entire development group forest, which serves thousands of users, and tested the procedures necessary to bring it back online. And at Microsoft's recent TechEd conference, a speaker went so far as to advise large companies that "if you don't have a single CIO, you shouldn't have a single forest."
The trouble is, a number of large companies are at risk because they have deployed, or plan to deploy, one forest. Not all of these companies have a single CIO, and departments that bought into this design may not have been aware that, by joining a domain or a computer to a forest, a department or user must trust the hundreds or thousands of service administrators in that forest.
Stay tuned to www.microsoft.com/activedirectory. Microsoft plans to release new security best-practices recommendations soon, documenting the procedures for recovering from a catastrophic forest fire. In the meantime, if you're a distributed company with islands of administration and planned a single forest, it's back to the drawing board.
Blum is a senior vice president and principal consultant with The Burton Group, an IT advisory service providing in-depth analysis for network planners. He can be reached at
