Have you seen Microsoft's white paper, "Design Considerations for Delegation of Administration in Active Directory"? Microsoft published the paper in November 2001, and you can download it at the company's Web site. The paper discusses design concerns regarding the trust of service owners. Gartner's John Enck—former Lab Manager for Windows NT Magazine—brought the paper to my attention recently because of its recommendations.
In the paper's conclusion, Microsoft says companies "can deploy a single forest design with a single IT organization owning all forest and domain service management, and delegate data autonomy or isolation to other organizations by using [organizational units] OUs." The paper goes on to say, "Some organizations have specific autonomy or isolation requirements that make trusting a central service owner impractical or unwise. These organizations can deploy multiple forest designs, and enable inter-forest collaboration through additional management systems such as Microsoft Metadirectory Services (MMS)."
So you need to build your Active Directory (AD) infrastructure carefully because, as the paper also points out, "Domain owners cannot prevent forest owners from controlling their services and accessing their data," and anyone joining a forest must trust service owners. In addition, the paper outlines several potentially exploitable circumstances that exist when you trust service owners in a single-forest model. Therefore, for maximum security with AD, you need to use multiple forests. Be sure to read the white paper for more details about the risks of a single-forest model.
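The "service owners" the paper refers to are, in practice, the members of a handful of built-in groups: Enterprise Admins and Schema Admins in the forest root, and Domain Admins and the BUILTIN Administrators group in each domain. Before deciding whether a single forest is acceptable, it helps to know exactly who holds those roles today. The following script is an added example, not code from the white paper or from this newsletter; it assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller can read group membership in every domain of the forest. It resolves the groups by well-known RID rather than by name so it works on localized domain controllers.

```powershell
# Added example: inventory the principals that hold forest- and domain-level
# service ownership in the forest this machine belongs to.
# Assumes: RSAT ActiveDirectory module; read access to group membership in all domains.
Import-Module ActiveDirectory

function Get-ServiceOwnerMembership {
    $forest = Get-ADForest

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Server $domainName
        $sid    = $domain.DomainSID.Value

        # Domain-scoped service owners (present in every domain).
        # 512 = Domain Admins (domain-relative RID); S-1-5-32-544 = BUILTIN\Administrators.
        $groups = @(
            [pscustomobject]@{ Scope = 'Domain'; Sid = "$sid-512";    Label = 'Domain Admins' }
            [pscustomobject]@{ Scope = 'Domain'; Sid = 'S-1-5-32-544'; Label = 'Administrators' }
        )

        # Forest-scoped service owners exist only in the forest root domain.
        # 519 = Enterprise Admins, 518 = Schema Admins.
        if ($domainName -eq $forest.RootDomain) {
            $groups += [pscustomobject]@{ Scope = 'Forest'; Sid = "$sid-519"; Label = 'Enterprise Admins' }
            $groups += [pscustomobject]@{ Scope = 'Forest'; Sid = "$sid-518"; Label = 'Schema Admins' }
        }

        foreach ($g in $groups) {
            try {
                # -Recursive flattens nested groups so indirect members are counted too.
                $members = Get-ADGroupMember -Identity $g.Sid -Server $domainName -Recursive -ErrorAction Stop
            } catch {
                Write-Warning "Could not expand $($g.Label) in $domainName : $_"
                continue
            }
            foreach ($m in $members) {
                [pscustomobject]@{
                    Domain    = $domainName
                    Scope     = $g.Scope
                    Group     = $g.Label
                    Member    = $m.SamAccountName
                    Type      = $m.objectClass
                    MemberSid = $m.SID.Value
                }
            }
        }
    }
}

$report = Get-ServiceOwnerMembership
$report | Sort-Object Scope, Domain, Group, Member | Format-Table -AutoSize

# Forest-scoped members are the principals every domain owner in the forest
# implicitly trusts; count them distinctly across groups.
$forestOwners = $report | Where-Object Scope -eq 'Forest' | Select-Object -ExpandProperty MemberSid -Unique
"Distinct forest service-owner principals: $($forestOwners.Count)"
```

The forest-scoped rows are the ones that matter for the paper's argument: whatever delegation you build with OUs, each of those principals can reach every domain in the forest. If that list contains people an organizational unit's owners would not accept as their administrators, the paper's multiple-forest recommendation applies.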
We're conducting a new poll this week to learn about your AD structure. Do you use a single-forest or multiple-forest design with Active Directory, and if you use a single-forest design, will you change to multiple forests? Visit our home page and give us your answer.