Active Directory Design on a Dime

Four forests or one? Four domains or one? The best AD design strives for simple and secure administration.

• By Bill Boswell
• July 29, 2003

Bill: I am the sysadmin of a small school district in Tucson. For approximately one year, I have been in the planning/training stages of creating Active Directory in my school district. I'm about to take the plunge, but I'm hung up on one fundamental design choice: whether to create separate forests for my four sites (three schools and a district office) or combine them into a single forest.

I'm leaning towards creating completely separate forests, only because I don't need the constant replication traffic. The domains don't need to share objects with each other. The only intersite/inter-domain sharing concern I have is a soon-to-be WAN intranet Web site. I'll have two intranet sites that users at all four sites must be able to access using FQDNs using Internet browsers. This is possible, yes?

I am a one-man IT show, so there aren't any political concerns in my organization. My only concerns are the intranet Web site, a possible occasional file needing to be shared across the WAN, and simplified system administration. What do you think is easier to manage, four separate forests, or a single forest containing four domains?
—Andre De Leon

Let’s start with the design assumption about needing separate domains. You are the sole IT admin in your organization, yes? I take this to mean that the local schools don’t have their own admins or faculty who think they "know computers" and want to "help" you run the system.

The primary reason to have separate domains would be to erect management boundaries between admins responsible for different sections of the same organization. Creating separate forests makes this barrier even more secure by preventing an administrator in one domain from gaining system privileges on a domain controller and manipulating the contents of another domain.

Because you represent the entire IT organization, you have no need for separate forests or even separate domains. Create a single domain and put the users and groups and computers in each school in their own OU. This avoids complexities in creating groups and setting up group policies and other features that are more difficult to configure in multiple domains.

Using a single domain also avoids DNS complexities. You could host your external DNS resource records on a public-facing DNS server and make your domain controllers into DNS servers to host the internal DNS domain that corresponds to your Active Directory domain. For example, if you have a current public DNS domain of schooldistrict.edu, you could root your AD domain in an internal DNS domain called schooldistrict.pri (for private). Integrate this zone into Active Directory and you have a secure, flexible structure where you can point all your clients for DNS lookups. Configure the DNS service on each domain controller to forward to your ISP DNS server and that takes care of finding Internet name records.

As for the intranet Web site, I highly recommend putting it on a separate server, one that is not a domain controller. This avoids the possibility a Web attacker can get root access on the Web service and, thereby, gaining access to Active Directory. I also recommend using Windows Server 2003 as the Web server to take advantage of its additional security and separate memory space for different Web sites. If your application won't run in a separate memory space, you can configure the web service to run in IIS 5.0 Isolation Mode.

Hope this helps. Good luck with the rollout. And stay cool in Tucson.