My planned test environment #2 domain Structure

My test Environment grows. Today I finished the domain structure.

Domain Structure

Domain Structure

I created a one forest, a root domain and two child domains.

The root domain only consist of two domaincontrollers and has no other servers or services at the moment.

The first child domain is my resource domain for physical systems that I need for the lab. It holds my hyper-v hosts, storage systems, switches, firewalls and router. So now you will ask yourself “why so complex and two domains?”. I like to follow some security best practices. One is, that you should split administrativ rights for your Hyper-V hosts and storage systems. That means no administrator who is not part of the environment and allowed to make changes on that systems, should be able to connect to them. The easiest way is to creat a resource and work domain. Both have different administator accounts and because of the root domain and the restricted access to it, you cannot deligate administrators on other domains.

That also prevents your application servers and active directory from corruption, from someone who maybe have occupied your Hyper-V and physical systems.


Tagged , . Bookmark the permalink.

3 Responses to My planned test environment #2 domain Structure

  1. Hi Flo,

    interesting to read. But: A domain inside an AD forest cannot be regarded as a security boundary. Effectively, the boundary in your example is the forest itself.

    All domains in the same AD forest have trust relationships to each other. Furthermore, there are groups in AD that are forest-based, some of which even have default permissions in each domain.

    While you could remove those permissions, it is still not safe. Firstly, some things in AD may break. Secondly, it is actually possible for an administrator in a child domain to gain administrative privileges in other domains of the forest. That’s not trivial but it is possible and there is no secure way to really prevent this.

    So if you need to separate administrative privileges in an AD environment you need to create separate forests and you must not create trusts between those.

    This is especially true in the Hyper-V scenario. If you need to split security the only way to go is a separate host forest. But keep in mind that controlling the host effectively means controlling the VMs …

    Best wishes, Nils

    • Flo says:

      Hello Nils,

      thank you for the detailed explanation. Looks like I understood something wrong in the past. 🙂
      Again something learned and I think the readers will appriciate the information too.

      Thank you very much and kind regards

  2. The Org Admin Group is evil.
    There’s min. one question during Exam 70-413 with this Kind of Scenario so i guess i took the right answer.
    It was something like “how to protect a subdomain ( against and admins. Answer would be, creating an own forest and move everthing to this forest.
    It’s been a while since i kept my myself busy with security stuff within Domains so I’m not an expert but I suggest an old article (2005) at TechNet which is a good starting point:

    in german:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.