Best Practices
If your security policy calls for discrete isolation of control between domains, use separate forests.
If an attacker or rogue administrator can physically compromise a domain controller, he can not only gain access to the information stored on it but can also tamper with that information to jeopardize the entire forest.
Once you have delegated authority to a user over a set of objects, you have created an administrator of some degree. You should, at a minimum, provide training to make the administrator aware of the capabilities and limits of her account, the ways she can protect her account, and the techniques she can use to complete the tasks for which you have given her responsibility.
You should always audit delegated objects to ensure that the administrator is completing the tasks he has been assigned and to provide an audit trail to detect misuse of administrative authority.
Work with your organization's HR department to complete background checks on all enterprise and domain administrators. Also carefully consider the employees to whom you delegate authority and the level of responsibility and accountability you require of them.
The fewer accounts with Active Directory service administration rights and permissions (especially membership in the Enterprise Admins or Domain Admins security groups), the more secure they generally will be.
Use Restricted Groups in Group Policy to control membership in security groups such as Active Directory service administrators and other custom security groups that have high security requirements. Allow only other service administrator groups to modify the membership of service administrator groups. Do not include users or groups from external trusted forests in Active Directory service administrator groups in your forest, unless the Active Directory service administrators from the external forest are as trusted as your forest's Active Directory service administrators.
Allow only Active Directory service administrator groups to manage the workstations used by Active Directory service administrators. Otherwise, a rogue administrator or attacker who controls such a workstation could install Trojan horse software, such as a keystroke logging application, to retrieve passwords: after an administrator logs on to that computer with an enterprise administrator or domain administrator account, the rogue administrator could retrieve her password.
Require the use of smart cards for accounts with high security requirements, preferably all administrative accounts in the forest.
Use OUs as your primary unit of management. Delegate authority over OU containers or objects within an OU to administrators.
Use Active Directory-integrated DNS zones to take advantage of the security enhancements Active Directory offers over standard zone files.
When delegating authority, be sure to document the permissions you grant to users. Active Directory does not differentiate between permissions that have been delegated and those that are default permissions, so your documentation is the only record of which is which.
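Because Active Directory keeps no record of which ACEs were delegated, the practical check is to compare the explicit ACEs on each OU against your own delegation documentation. The following PowerShell script is an added example, not code from the original text; the $documented entries, the baseline principal list and the example.com domain are constructed assumptions for illustration.

```powershell
# Added example: report explicit (non-inherited) ACEs on every OU that are not covered
# by the documented delegation list. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Constructed sample of the delegation documentation this section says you must keep.
# Each entry names the OU and the principal that was deliberately granted rights on it.
$documented = @(
    @{ OU = 'OU=Sales,DC=example,DC=com'; Identity = 'EXAMPLE\SalesHelpdesk' }
)

# Assumed baseline: principals whose explicit ACEs you treat as defaults rather than
# delegations. Adjust this list to match what your own forest documents as default.
$baseline = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    'EXAMPLE\Domain Admins', 'EXAMPLE\Enterprise Admins'
)

function Get-UndocumentedOUDelegations {
    param([hashtable[]]$Documented, [string[]]$Baseline)
    $findings = @()
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        # The AD: drive exposes each object's security descriptor to Get-Acl.
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Inherited ACEs originate from a parent container; audit them where they are set.
            if ($ace.IsInherited) { continue }
            $id = $ace.IdentityReference.Value
            if ($Baseline -contains $id) { continue }
            $known = $Documented | Where-Object {
                $_.OU -eq $ou.DistinguishedName -and $_.Identity -eq $id
            }
            if (-not $known) {
                $findings += [pscustomobject]@{
                    OU       = $ou.DistinguishedName
                    Identity = $id
                    Rights   = $ace.ActiveDirectoryRights
                    Type     = $ace.AccessControlType
                    Applies  = $ace.InheritanceType
                }
            }
        }
    }
    return $findings
}

# Anything listed here is either an undocumented delegation or a gap in the documentation.
Get-UndocumentedOUDelegations -Documented $documented -Baseline $baseline | Format-Table -AutoSize
```

Run it periodically alongside the auditing this section recommends; an empty result means every explicit OU ACE is either in your baseline or in your delegation records.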