Is your forest burning?

Microsoft has come full circle on how much consolidation is possible when moving from Windows NT 4 to Active Directory.

In the early days of Windows 2000, Microsoft generally recommended consolidating multiple NT 4 domains into one Active Directory domain - or if that was not possible, into a single forest or collection of domains. Consolidation brings many benefits, including reducing the number of sign-ons for users and simplifying administration of users, computers and applications.

Microsoft initially advertised that the domain is the "security boundary." Each business unit in a company could appoint its own domain administrators who would control user administration and security administration. By implication, you could have very large forests while preserving the security and autonomy of each domain.

I was a single-forest skeptic from the start, insisting that customers always work through a careful analysis of the benefits of single-forest consolidation vs. the costs and risks created by the requirement for much closer cross-business unit coordination between domain and site administrators in one forest. I believed that mixing intranet domains with extranet domains, or other highly sensitive domains, could compromise security. Even so, I was not skeptical enough.

Over time, Microsoft has backed away from the single-forest concept, finally publishing this past winter a white paper disclosing that service administrators in one domain can't be isolated from other domains in the forest. Since then, Microsoft has done a security-threat analysis. It determined that a serious hacker's goal is to gain physical access to a domain controller, or network access to a service administrator account.

Microsoft also has been doing disaster planning. Recently, it wiped out the domain controllers on its entire development group forest, which serves thousands of users, and tested the procedures necessary to bring it back online. And at Microsoft's recent TechEd conference, a speaker went so far as to advise large companies that "if you don't have a single CIO, you shouldn't have a single forest."

The trouble is, a number of large companies are at risk because they have deployed or plan to deploy one forest. Not all of these companies have a single CIO, and departments that bought into this design may not have been aware that by joining a domain or a computer to a forest, a department or user must trust the hundreds or thousands of service administrators in that forest.
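The size of that trusted population is easy to underestimate, so here is an added example (not from the column) that makes it visible. Assuming the RSAT ActiveDirectory module and read access to every domain, it walks each domain in the forest, expands the service administrator groups that Microsoft's delegation guidance names, and counts the distinct principals that any department joining the forest is implicitly trusting.

```powershell
# Added example: inventory the service administrators a forest member must trust.
# Assumes the RSAT ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

# Service administrator groups present in every domain, plus the two that exist
# only in the forest root domain.
$serviceAdminGroups = @('Administrators', 'Domain Admins', 'Account Operators',
                        'Server Operators', 'Backup Operators')
$forestRootGroups   = @('Enterprise Admins', 'Schema Admins')

$forest  = Get-ADForest
$trusted = @{}   # SID -> description; dedupes principals nested in several groups

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dc     = $domain.PDCEmulator
    $groups = $serviceAdminGroups
    if ($domainName -eq $forest.RootDomain) { $groups += $forestRootGroups }

    foreach ($groupName in $groups) {
        # -Recursive expands nested groups so indirect members are counted too;
        # nested groups themselves are dropped, leaving users and computers.
        $members = Get-ADGroupMember -Identity $groupName -Server $dc -Recursive |
                   Where-Object { $_.objectClass -ne 'group' }
        foreach ($m in $members) {
            $sid = $m.SID.Value
            if (-not $trusted.ContainsKey($sid)) {
                $trusted[$sid] = "$domainName\$($m.SamAccountName) via $groupName"
            }
        }
    }
    Write-Host ("{0}: {1} service-admin group(s) inspected" -f $domainName, $groups.Count)
}

Write-Host ("Forest {0}: {1} domain(s), {2} distinct principals every member domain must trust" -f
    $forest.Name, $forest.Domains.Count, $trusted.Count)
$trusted.GetEnumerator() | Sort-Object Value | Format-Table -AutoSize
```

Run it from an account that can read group membership in each domain; the final count is the number of people and machines whose compromise the column warns would not be contained by domain boundaries.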

Stay tuned to www.microsoft.com/activedirectory. Microsoft plans to release new security best-practices recommendations soon, documenting the procedures for recovering from a catastrophic forest fire. In the meantime, if you're a distributed company with islands of administration and planned a single forest, it's back to the drawing board.

Blum is a senior vice president and principal consultant with The Burton Group, an IT advisory service providing in-depth analysis for network planners. He can be reached at dblum@tbg.com.

Copyright, 1994-2006 Network World, Inc. All rights reserved.