The GENESIS domain

The root Active Directory (AD) domain for Millennium City will be called GENESIS, and so will the forest, because an AD forest takes its name from its root domain. After several months of extensive research and testing of Active Directory on Windows Server 2003, the Millennium City Windows Server 2003 testing team has decided how best to deploy the directory service.

It has been decided that for an organization the size of Millennium City, the root domain of the Active Directory namespace needs to be a secure domain accessible only by a small group of senior administrators, who will hold the organization's highest security clearance. There will be no user accounts in the domain outside of the core administrators, and no workplace management (desktop policy and the like) will be applied there beyond what is needed to secure, lock down and administer the domain controllers (DCs) themselves. There are several reasons to establish such a domain.

First, the root domain of any large organization is a high-value target. If the root domain contains many user and computer accounts and a lot of information, the organization could suffer extensive damage if this domain is destroyed physically (removal or destruction of the DC servers), taken down by a concerted network attack, or read by unauthorized personnel. A small concern might not need such a "bastion" root domain, but any large enterprise should seriously consider it.

Second, all MCITY first-, second-, and third-level domains are extensively populated by user and computer accounts (security principals) and many groups. There are also numerous organizational units (OUs) in these domains and thus many administrators at various levels of each domain's OU hierarchy. The root domain is different: its Enterprise Admins and Schema Admins groups exist only there and carry authority over the whole forest, starting from GENESIS down. We therefore deemed it necessary to limit the root domain to a handful of administrators (preferably no more than five) who hold those accounts.

Third, the root domain is critical to the city. It might become feasible in the future, if Microsoft makes it possible, to disconnect the root domain from the rest of the domain tree and graft the tree onto another root. At present it is not: the forest-wide operations master roles, the Enterprise Admins and Schema Admins groups, and the trust path between the trees all depend on the root, so losing every DC of the root domain would leave the entire tree and everything subordinate to it unmanageable as a forest. To protect the root domain, we will therefore establish additional DCs of the root domain at several remote locations, primarily for redundancy and to spread the domain geographically. These locations will initially be as follows:

♦ Location 1: DITT's Network Operations Center (NOC)

♦ Location 2: City Hall's Network Operations Center

♦ Location 3: MCPD (Police Department) Network Operations Center

Because the root domain holds only the built-in accounts and a handful of administrators, its domain partition is small, which makes it cheap to replicate to these remote DCs.

Finally, a DC in the root domain also holds the two forest-wide operations master (FSMO) roles: Schema Operations Master and Domain Naming Operations Master. The schema and configuration partitions these roles govern affect the enterprise as a whole and are replicated to every DC in the forest, but changes to them originate only on the role holder. The global catalog (GC) is not an operations master role: it is a partial replica of every domain partition that any DC in any domain can be configured to host. (The association comes from Windows 2000, where the Domain Naming Master also had to be a GC server; at the Windows Server 2003 forest functional level that requirement no longer applies.)

The Schema Operations Master is the only DC on which schema updates can be performed, and the Domain Naming Operations Master is the only DC through which domains can be added to or removed from the forest, which is how we change the domain namespace on an enterprisewide basis.
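The design above (forest-wide roles on root-domain DCs, several root DCs, and no accounts beyond the built-ins and a short list of core administrators) can be checked rather than assumed. The following is an added audit script, not code from the page or from the MCITY project. It assumes the RSAT ActiveDirectory PowerShell module is available (its cmdlets need ADWS, i.e. Windows Server 2008 R2 or later DCs rather than the 2003 DCs the page describes), and the root domain's DNS name (genesis.mcity.local) and the allow-listed account names are assumed placeholders supplied by the caller:

```powershell
# Added example, not code from the page or from the MCITY project.
# Audits a forest root domain against the GENESIS design. Assumptions: the
# RSAT ActiveDirectory module is installed; genesis.mcity.local and the
# rootadm* account names below are placeholders supplied by the caller.
Import-Module ActiveDirectory

function Test-RootDomainDesign {
    param(
        [Parameter(Mandatory)] [string]   $RootDomain,     # DNS name of the forest root domain
        [Parameter(Mandatory)] [string[]] $AllowedAdmins,  # sAMAccountNames of the core admins
        [int] $MaxAdmins = 5,                               # the design's "preferably no more than five"
        [int] $MinDomainControllers = 3                     # the design's three NOC locations
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $forest = Get-ADForest -Server $RootDomain

    # 1. The audited domain must be the forest root, and both forest-wide
    #    operations master roles must be held by DCs in it.
    if ($forest.RootDomain -ne $RootDomain) {
        $findings.Add("Forest root is $($forest.RootDomain), not $RootDomain")
    }
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $holder = $forest.$role
        $dc = Get-ADDomainController -Identity $holder -Server $RootDomain
        if ($dc.Domain -ne $RootDomain) {
            $findings.Add("$role ($holder) is in domain $($dc.Domain), not the root")
        }
    }

    # 2. Redundancy: the root domain should be served by several DCs.
    $dcs = @(Get-ADDomainController -Filter * -Server $RootDomain)
    if ($dcs.Count -lt $MinDomainControllers) {
        $findings.Add("Only $($dcs.Count) root DC(s); design calls for at least $MinDomainControllers")
    }

    # 3. No user accounts other than the built-ins (RID 500 Administrator,
    #    501 Guest, 502 krbtgt) and the allow-listed administrators.
    #    Accounts created after domain setup receive RIDs of 1000 and above.
    foreach ($u in Get-ADUser -Filter * -Server $RootDomain) {
        $rid = [int](($u.SID.Value -split '-')[-1])
        if ($rid -ge 1000 -and $AllowedAdmins -notcontains $u.SamAccountName) {
            $findings.Add("Unexpected user account in root domain: $($u.SamAccountName)")
        }
    }

    # 4. Enterprise Admins and Schema Admins exist only in the root domain and
    #    confer forest-wide authority; membership must stay small and within
    #    the allow-list. -Recursive expands nested groups so that a nested
    #    group cannot hide additional members.
    foreach ($group in 'Enterprise Admins', 'Schema Admins') {
        $members = @(Get-ADGroupMember -Identity $group -Server $RootDomain -Recursive)
        if ($members.Count -gt $MaxAdmins) {
            $findings.Add("$group has $($members.Count) members; design allows at most $MaxAdmins")
        }
        foreach ($m in $members) {
            if ($AllowedAdmins -notcontains $m.SamAccountName) {
                $findings.Add("$group contains a principal not on the allow-list: $($m.SamAccountName)")
            }
        }
    }
    return ,$findings
}

# Usage (placeholder domain and account names):
$report = Test-RootDomainDesign -RootDomain 'genesis.mcity.local' `
                                -AllowedAdmins 'rootadm01', 'rootadm02', 'rootadm03'
if ($report.Count -eq 0) { 'Root domain matches the GENESIS design' } else { $report }
```

Run it with an account that can read the root domain; every finding is a deviation from the design rather than a fault in itself, so an empty report is the expected steady state and any line in it is worth a change ticket.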
