A special-purpose domain or forest is one that is set up to serve a specific need. For example, your organization may set up a special-purpose domain to house outside contractors or temporary workers to limit their exposure to the main Active Directory forest. In addition, trust relationships could be established between this domain or domains to allow for resource access. Generally, there has to be a good reason before additional domains are deployed in Active Directory. Overhead is increased with each domain that is added to an environment, and your logical network structure begins to look convoluted. However, in some unique cases, a special-purpose domain may become necessary. Another possible use for a separate special-purpose domain structure is to house a directory servicecapable application that requires itself, for security or other reasons, to have exclusive access to the schema. In other words, if your HR department runs an application that stores confidential employee information in an application that utilizes an LDAP-compliant directory, such as Active Directory, a domain could be set up for that application alone. A cross-forest trust relationship can be established to allow for the sharing of information between the two environments. This type of situation is rarer because most of these applications make use of their own directory, but it is possible. Because the Active Directory schema must be unique across the forest, this would preclude the use of a single forest if these applications require exclusive access or utilize common schema attributes. This type of functionality can be realized with the use of Active Directory in Application Mode (ADAM), which is further elaborated in Chapter 4, "Active Directory Primer." A Special-Purpose Domain Real-World Design ExampleCompany E is a computer consulting firm headquartered in Morioka, Japan. Most consulting work is performed by full-time Company E employees; however, some outside contractors are brought in from time to time to help on projects. The company had already deployed Active Directory for the internal organization, but was concerned about opening access to the forest for any non-employees of the company. Consequently, a single domain Active Directory implementation was created for the non-employees to use. A cross-forest transitive trust was established between this domain and the internal forest, and access to resources such as file and print were delegated and controlled by the central IT organization. Users in the contractor domain can access resources in the main companye.com domain, but only those that they are specifically granted access to. In addition, the exposure that the main companye.com domain receives from non-employees is greatly reduced. |