We define a security boundary as a container that cannot be controlled by any higher-level or outside accounts. The administrators of such a container do not have to worry that another account can compromise the security of the container and the objects it holds. Because accounts from outside a domain can affect that domain's objects and configuration, the domain is not a security boundary; within the Active Directory structure, the forest is. The forest root domain contains accounts that can affect any domain in the forest: members of the Domain Admins group in the forest root domain can add accounts to the Enterprise Admins and Schema Admins groups, giving those accounts the ability to make changes that affect other domains and the configuration of the entire forest.
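The practical consequence of this is that membership of the three groups that sit above every domain's boundary (Enterprise Admins, Schema Admins, and the forest root domain's Domain Admins) needs regular review. The following PowerShell script is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed, that the caller has read access to the forest root domain, and that the approved-account list (here a placeholder containing only `Administrator`) is replaced with the organization's own.

```powershell
# Added example, not part of the original article: audit the groups that sit
# above every domain's security boundary. Enterprise Admins and Schema Admins
# exist only in the forest root domain, and the root domain's Domain Admins
# can populate them, so all three are read from the forest root domain.
# Assumes the RSAT ActiveDirectory module and read rights in the forest root.
Import-Module ActiveDirectory

function Get-ForestPrivilegedMembers {
    param(
        # Accounts expected to hold forest-wide rights. Placeholder value;
        # replace with the organization's approved list.
        [string[]]$Approved = @('Administrator')
    )

    # Get-ADForest reports the forest root domain; Enterprise Admins and
    # Schema Admins are defined there and nowhere else.
    $rootDomain = (Get-ADForest).RootDomain
    $groups     = 'Enterprise Admins', 'Schema Admins', 'Domain Admins'

    foreach ($group in $groups) {
        # -Server pins the query to the forest root domain so that the root
        # domain's Domain Admins (not a child domain's) are what gets listed.
        # -Recursive expands nested groups so indirect members are not missed.
        Get-ADGroupMember -Identity $group -Server $rootDomain -Recursive |
            ForEach-Object {
                [pscustomobject]@{
                    Group       = $group
                    Domain      = $rootDomain
                    Member      = $_.SamAccountName
                    ObjectClass = $_.objectClass
                    Approved    = ($Approved -contains $_.SamAccountName)
                }
            }
    }
}

# Report every forest-wide principal, then flag the ones not on the approved
# list so they can be reviewed and, if unjustified, removed.
$members = Get-ForestPrivilegedMembers
$members | Format-Table Group, Member, ObjectClass, Approved -AutoSize
$members | Where-Object { -not $_.Approved } | ForEach-Object {
    Write-Warning "Unapproved forest-wide principal: $($_.Member) in '$($_.Group)'"
}
```

Schema Admins in particular should normally be empty and populated only for the duration of a schema change, so any member it reports outside such a change window is worth a closer look.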
Active Directory forests and domains are built around the administrative needs of the organization. In some organizations, all resources are controlled by a single central group of administrators. Others have identified services and objects that must be controlled by particular groups within the organization, and have further groups that need rights delegated to them. Still others require complete isolation of services and resources between divisions. These administrative needs are defined as the collaborative, autonomous, and isolated models.