Once you've decided to create either a single forest or multiple forests for an organization, the next step is to determine how many domains the organization needs. As with forests, the goal is to start with a simple model, such as a single domain, and then determine if you need multiple domains.
After this lesson, you will be able to
Estimated lesson time: 45 minutes
A single-domain forest is commonly implemented in organizations that maintain centralized control of user and computer accounts. By maintaining only a single domain, membership in the Administrators group is easily monitored to ensure that no users are granted excess privileges on the network.
When simplicity within the forest is the goal, a single domain is the best decision for an Active Directory design. Choosing to implement a single domain will have the following effects on your Active Directory:
The authenticating DC knows that only a single domain exists in the forest by querying the CN=configuration, DC=forestrootdomain naming context (where forestrootdomain is a variable representing the name of the domain in question) to determine which domains exist in the forest.
Wide World Importers can start initially with a single domain for its organization, but as we will see, its business objectives require the implementation of multiple domains. Because it's easy to migrate from a single domain to multiple domains, there aren't additional costs involved with initially deploying a single domain for the Wide World Importers network.
In Windows 2000, there are several technical reasons that will influence your Active Directory design to implement multiple domains. One of the key reasons to implement multiple domains is a requirement for differing account policies. Account policies can only be applied at a domain level. There's no way to implement varying account policies within a single domain. If varying account policies are defined, this requires that multiple domains exist within the forest.
Account policies include the following three categories of configuration:
When implementing account policy, be sure to set it at the domain level so that the domain settings are configured. Account policy configured at the OU level only affects the local account databases of any computers in that OU. It won't affect any users authenticating with the domain when using that computer.
The account policies you set must be carefully balanced. You don't want to make the settings too restrictive because this can lead to increased help desk calls from users whose accounts have been locked out. Likewise, you don't want to have too few restrictions that result in users implementing blank passwords.
In addition, specifying restrictive password policy can actually reduce the security of the network. For example, if you require passwords to be longer than seven characters, most users have difficulty remembering them. They might write their passwords down and leave them where an intruder can easily find them.
Password policy defines the characteristics of allowed passwords for user accounts in a domain. As with all account policies, if different areas within an organization can't agree on a common password policy, multiple domains must be defined or consensus must be reached on a standard set of password policies. The following settings can be defined for password policy:
In addition, passwords can't contain the user's account name.
The requirement of complex passwords helps protect against dictionary attacks against the passwords stored in Active Directory. A dictionary attack encrypts all the words found in a dictionary file provided by an attacker. The encryption is performed using the same algorithm used to encrypt passwords within Active Directory. A hacker may determine the password by comparing the data found in Active Directory with the encrypted results from the dictionary file.
Account Lockout Policy
Account lockout policy defines how Active Directory deals with an account when a preconfigured threshold for incorrect logon attempts is surpassed. The following list outlines the policies that can be defined:
You must define the account lockout policy to fit the help desk service implemented at your organization. If you have a help desk that's always available (24 hours a day, seven days a week), then specify to lock out an account until an administrator manually resets it. You must also be careful to reset the account lockout counter after a short period of time to ensure that unsuccessful logon attempts over a long period of time don't result in an account being locked out.
The Kerberos policy defines settings for the Kerberos v5 authentication protocol. These settings apply to all computers and users in the domain where the policy is defined. The Kerberos policy settings available in account policy include
Kerberos settings must be the same for an entire domain. If you require different Kerberos settings, you have identified the need for multiple domains. When you configure Kerberos settings, the main settings you should consider modifying (in regards to security) are the enforce user logon restrictions and maximum tolerance for computer clock synchronization settings. These settings will ensure that a disabled account will be immediately prevented from accessing further resources on the network. The clock synchronization setting will ensure that replay attacks are prevented on the network.
You must decide to implement multiple domains if any of the following scenarios exist in your organization:
You can define account policy at the OU level in Group Policy. This won't affect domain account policies, but it will affect local account database policies. This means that you can specify different account policy settings for users who authenticate using the local security account management database of their computer instead of those that are set for domain authentication.
The separate domain can be implemented as a child domain of the current domain or as a domain in a separate tree within the forest.
All members of the Domain Admins group in the forest root have the ability to change membership in the Enterprise Admins and Schema Admins groups. Membership in all three groups should be carefully monitored to ensure that group memberships aren't changed without authorization.
In its initial requirements, Wide World Importers said it needed separate account policies to be defined for the Engineering department. Because account policies are defined at the domain level, you need multiple domains for the Wide World Importers network architecture.
Based on account policies, the Wide World Importers network requires at least two domains: one to contain all members of the Engineering department and the other to contain the remaining users.
Having offices in both the United States and Canada doesn't necessarily require a company to have separate domains for each one. Likewise, the WAN links between the offices are sufficient for replication of a single domain, subject to the current utilization of the WAN links.
Wide World Importers could deploy either a two-domain forest or a three-domain forest, depending on its security needs for restricting membership in the Enterprise Admins, Schema Admins, and forest root Domain Admins groups. Figure 2.4 shows the proposed domain tree layouts depending on whether or not Wide World Importers implements an empty forest root.
Figure 2.4 The potential domain models for Wide World Importers
Design the number of domains needed within an Active Directory forest by analyzing the organization's business requirements. Base your determination of whether you need multiple domains on the circumstances that make multiple domains necessary.
Be aware that differing account policies—password policy, account lockout policy, or Kerberos policy—will require the deployment of multiple domains in your organization's forest.