$Id: forest-choices.txt,v 1.1.1.1 2003/02/25 19:35:04 wcw Exp $

---------
ChangeLog
---------

0.1 - 04/02/02 - Initial version
0.2 - 04/12/02 - Added TechEd info

------------
1.0 Overview
------------

This document describes the background and the choices an organization has in
creating a Windows Active Directory forest. The additional services that
Computing Services plans to provide are described in depth in
xxxANDREW FEATURESxxx. Machines that do not exist in any Windows forest are
not relevant to this discussion.

--------------
2.0 Background
--------------

The initial AD.CMU.EDU forest layout was based on several assumptions that
are no longer correct. Specifically, the INCORRECT assumptions were:

  a) There would be no Computing Services support for dynamic DNS (DDNS)
     registration.
  b) Active Directory domains are security boundaries.

In the new system, Computing Services will provide a DDNS top level named
WIN.CMU.EDU under which Active Directory forests can be created. The primary
difference is that WIN.CMU.EDU will *not* be a Windows domain, as AD.CMU.EDU
currently is. The top level DDNS servers will exist in both Cyert Hall and
Wean Hall for added reliability.

Computing Services will maintain our own forest using the Andrew service
name. Departments will be allowed to create their own standalone forests.

2.1 Active Directory Domains and Security Boundaries
----------------------------------------------------

Unlike AFS cells, different domains in an Active Directory forest do not
represent security boundaries. In normal operation, one domain administrator
should not be able to affect the operations in another domain. However, if
one bypasses the UI and directly manipulates the network protocol used for
data replication, then one domain administrator can compromise the security
of any other domain in the forest. As such, any domain administrator must
trust all other domain administrators in the forest. Any security compromise
in one domain will result in all domains being compromised. More details
about a specific version of this attack are published at

------------------
3.0 Forest Options
------------------

Two options are available for using WIN.CMU.EDU:

  a) Have a standalone forest.
  b) Participate in the ANDREW forest.

You may wish to choose to have a standalone forest if

  1) You do not plan to use Andrew IDs/Andrew authentication.
  2) You are not on the main CMU network and want to limit your dependence
     on Computing Services servers and services.
  3) You do not expect to share files or resources with people using the
     Andrew forest.
  4) You require global schema changes in the Active Directory to support
     your applications.
  5) You require complete control over your environment.

At this point in time, these restrictions are placed on standalone forests
to draw a clear boundary between the additional Andrew services provided by
Computing Services and the underlying infrastructure necessary to provide
Windows Active Directory services in general. Please see
xxxANDREW FEATURESxxx for the benefits of using the Andrew system.

--------------
4.0 References
--------------

Microsoft has written a white paper on this topic:

  http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/addeladmin.asp

There are also some slides from TechEd 2002 from the SEC340 talk.
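Because domains inside one forest are not security boundaries (section 2.1), the set of people a forest member must trust is the privileged membership of every domain in the forest, not just its own. The following is an added example, not part of the original document, that lists that membership for review; it assumes the ActiveDirectory PowerShell module (RSAT) and an account permitted to read group membership in each domain of the forest the machine is joined to.

```powershell
# Added example; not from the original CMU document.
# Assumes the RSAT ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest: $($forest.Name)  (root domain: $($forest.RootDomain))"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $sid    = $domain.DomainSID.Value

    # Well-known RIDs: 512 = Domain Admins (every domain);
    # 519 = Enterprise Admins and 518 = Schema Admins exist only in the
    # forest root. Schema changes (section 3.0, item 4) are forest-wide,
    # so Schema Admins matters to every domain, not just the root.
    $groups = @("$sid-512")
    if ($domainName -eq $forest.RootDomain) { $groups += "$sid-519", "$sid-518" }
    $groups += 'S-1-5-32-544'   # built-in Administrators of this domain

    foreach ($g in $groups) {
        $grp     = Get-ADGroup -Identity $g -Server $domain.DNSRoot
        $members = Get-ADGroupMember -Identity $g -Server $domain.DNSRoot -Recursive |
                   Select-Object -ExpandProperty SamAccountName

        # One row per privileged group per domain: everyone listed here can,
        # per section 2.1, affect every other domain in the forest.
        [pscustomobject]@{
            Domain  = $domain.DNSRoot
            Group   = $grp.Name
            Count   = @($members).Count
            Members = ($members -join ', ')
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a dated record; a membership you do not recognize in any domain of the forest is a membership you are implicitly trusting.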