Re: Re: BIND and AD integration

Post by holger.hon » Sat, 12 Mar 2005 16:31:18

Hi John,
you are welcome!

I have some white papers and student guides from non-MS consultants
and education centers which point out the necessity of empty root domains,
but they are written in German.

You are not the only one who has a great demand for knowing why to have it so.
I'll try to translate the most important sections!


Kind Regards/Freundlichen Gruß
Holger Honert

KOMN-97851

SIGNAL IDUNA Gruppe
Joseph-Scherer-Str. 3

44139 Dortmund

Phone: +49 231/135-4043
FAX: +49 231/135-2959

mailto: XXXX@XXXXX.COM

"It has to start somewhere, it has to start sometime, what better place
than here, what better time than now.
All hell can't stop us now!" taken from RATM "Guerilla Radio"


John Welch<< XXXX@XXXXX.COM >>
Sent by: XXXX@XXXXX.COM
09.03.2005 18:59

To: XXXX@XXXXX.COM
Cc:
Subject: Re: Re: BIND and AD integration

Thank you, this does help.

Since I will have influence on the AD design, can you tell me why it is
important to use an empty root domain, or point me to where I can find
more information on this issue.

Re: Re: BIND and AD integration

Post by holger.hon » Sat, 12 Mar 2005 17:28:38

Hi all,
well, as I promised earlier, here are the sections:
...

There are two special groups in an AD domain: the Enterprise Admins and the
Schema Admins. These two groups are very important regarding security
issues. Enterprise Admins have the most power over the AD design, and only
they are able to add or delete domains in the entire structure. Members of
the Schema Admins can expand the AD schema. The AD schema exists only once
in a domain and is the base for all defined objects and their classes and
attributes. Today it is not possible to delete definitions, only to disable
them. Due to these facts it is recommended to secure the schema and the
above-mentioned admins.
Another significant feature is that the Domain Admins of the AD root domain
can make themselves members of both groups, so that this security-relevant
issue spans the whole AD domain.
To save and secure this AD root domain, it is important to isolate it in a
so-called dedicated AD root domain. The dedicated AD root domain contains
only standard users and computer accounts and no further accounts. In
principle it can be implemented in a tree or forest structure, whereas it is
preferred to implement it in a forest structure, where you have no
limitations regarding e.g. name assignment.

...

Another advantage besides security is the flexibility which you will
get when integrating new companies into the entire structure. You can do
this without changing the entire structure or the name of the company,
which is important regarding corporate identity and of course
political issues ;-)

...

Please forgive me if there are too many mistakes or grammatical errors.

Kind Regards/Freundlichen Gruß
Holger Honert

KOMN-97851

SIGNAL IDUNA Gruppe
Joseph-Scherer-Str. 3

44139 Dortmund

Phone: +49 231/135-4043
FAX: +49 231/135-2959

mailto: XXXX@XXXXX.COM
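The translated sections above give the rationale (root Domain Admins can put themselves into Enterprise Admins and Schema Admins, so the root domain should hold nothing but the built-in accounts). What a practitioner usually wants next is a way to verify that a forest actually stays that way. The following script is an added audit example, not code from the thread or from either poster; it assumes the RSAT ActiveDirectory PowerShell module, read access to the forest root domain, and that you fill in `$ExpectedEnterpriseAdmins` for your own forest (the single entry `Administrator` is a placeholder).

```powershell
# Added audit example (not from the thread): checks that the forest root domain
# is kept "dedicated" in the sense described above. Assumes the RSAT
# ActiveDirectory module and read access to the forest root domain.
Import-Module ActiveDirectory

# Accounts expected in Enterprise Admins and root Domain Admins.
# Assumption/placeholder: replace with the accounts your forest actually uses.
$ExpectedEnterpriseAdmins = @('Administrator')

$forest   = Get-ADForest
$root     = $forest.RootDomain     # DNS name of the forest root, read from the forest
$findings = @()

# 1. Schema Admins should be empty except while a schema change is in progress.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $root -Recursive
foreach ($m in $schemaAdmins) {
    $findings += "Schema Admins is not empty: $($m.SamAccountName) ($($m.objectClass))"
}

# 2. Enterprise Admins should contain only the accounts on the expected list.
$entAdmins = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $root -Recursive
foreach ($m in $entAdmins) {
    if ($ExpectedEnterpriseAdmins -notcontains $m.SamAccountName) {
        $findings += "Unexpected Enterprise Admins member: $($m.SamAccountName)"
    }
}

# 3. Domain Admins of the root domain can add themselves to both groups above,
#    so every root Domain Admin is effectively a forest administrator.
$rootDomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Server $root -Recursive
foreach ($m in $rootDomainAdmins) {
    if ($ExpectedEnterpriseAdmins -notcontains $m.SamAccountName) {
        $findings += "Root-domain Domain Admin (can self-elevate to EA/SA): $($m.SamAccountName)"
    }
}

# 4. A dedicated root domain holds no ordinary user accounts: any enabled user
#    besides the built-in Administrator deserves a second look.
$rootUsers = Get-ADUser -Filter 'Enabled -eq $true' -Server $root
foreach ($u in $rootUsers) {
    if ($u.SamAccountName -ne 'Administrator') {
        $findings += "Enabled user account in root domain: $($u.SamAccountName)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "Root domain '$root' looks dedicated: no findings."
} else {
    Write-Output "Findings for root domain '$root':"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from a management host joined to the forest under an account that can read group membership in the root domain; it changes nothing and only reports. Step 3 is the one most directly tied to the post: a root domain that contains extra Domain Admins has the same exposure as a non-empty Enterprise Admins group, because membership in Enterprise Admins and Schema Admins is one group edit away for them.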