Re: Configure an Empty Root in Active Directory

From: Steven L Umbach (
Date: 04/23/05

Date: Sat, 23 Apr 2005 01:28:18 -0500

The link below explains why some consider the empty root domain. It
basically is used to control the enterprise admins group so that the
administrators in the root domain can not abuse their powers for child
domains. If all "active" domains are child domains then they are considered
equal as far as the power of a domain admin in each domain. The domain
administrator and all other admin groups in the root domain would then be
closely controlled and limited. Unfortunately for what you propose to do,
an empty root domain would not offer any security benefit because if the
root domain in the forest has been compromised, then the whole forest has
been compromised since the attacker now has enterprise admin powers in the
forest. Also there are ways that a skilled malicious domain admin in any
domain in a forest could possibly gain domain admin powers in any domain in
the forest and because of such separate forests should be used if that is a
concern. For forest or external trusts you would want to make sure that SID
filtering is enabled [which it is by default] to remove that vulnerability
as shown in the second link below.

To protect your domain it would be good to read the Windows 2003 Server
Security Guide for how to improve such with strong password policy,
auditing, patch management, antivirus protection strategy, operating system
hardening and using baseline security templates, prudent usage of domain
admin credentials, only giving trusted and competent people domain admin
powers, and physical security for sensitive computers - particularly domain
controllers. --- Steve
-- Windows 2003 Server Security guide

"TrueTec" <> wrote in message
> I'm in the process of configuring an active directory domain in windows 2003
> server and I want to setup an empty root to protect my domain objects such as
> user accounts and domain objects from attempted breaches of security so if
> someone breaches the domain they won't see any object to tamper with. If anyone
> could help me I would appreciate it greatly.
> --
> James
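As an added example, not part of Steve's post or the quoted question, here is a PowerShell check for the SID filtering point Steve raises: it lists every trust the domain has and flags those where filtering has been relaxed. It assumes the ActiveDirectory RSAT module and read access to the trustedDomain objects under CN=System; the trustAttributes bit values are the ones documented in MS-ADTS.

```powershell
# Added example (not from the original thread): report the SID filtering state
# of every trust in this domain. Assumes the ActiveDirectory RSAT module.
# trustAttributes bit values as documented in MS-ADTS.
Import-Module ActiveDirectory

$TA_QUARANTINED_DOMAIN = 0x04   # external trust with SID filtering (quarantine) on
$TA_FOREST_TRANSITIVE  = 0x08   # forest trust
$TA_WITHIN_FOREST      = 0x20   # parent/child or tree-root trust; filtering does not apply
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history allowed (filtering relaxed)

function Get-TrustSidFilteringState {
    param([int]$TrustAttributes)
    if ($TrustAttributes -band $TA_WITHIN_FOREST) {
        return 'n/a (intra-forest trust)'
    }
    if ($TrustAttributes -band $TA_FOREST_TRANSITIVE) {
        if ($TrustAttributes -band $TA_TREAT_AS_EXTERNAL) {
            # set by "netdom trust ... /enablesidhistory:Yes"
            return 'WEAK: forest trust with SID history enabled'
        }
        return 'ok (forest trust, SID filtering active)'
    }
    if ($TrustAttributes -band $TA_QUARANTINED_DOMAIN) {
        return 'ok (external trust, quarantine on)'
    }
    # cleared by "netdom trust ... /quarantine:No", or a trust created pre-2003
    return 'WEAK: external trust without quarantine'
}

# Trust objects live in the System container of the domain naming context
$systemContainer = "CN=System,$((Get-ADDomain).DistinguishedName)"
Get-ADObject -SearchBase $systemContainer -LDAPFilter '(objectClass=trustedDomain)' `
             -Properties trustPartner, trustAttributes |
    ForEach-Object {
        [pscustomobject]@{
            Partner         = $_.trustPartner
            TrustAttributes = ('0x{0:X}' -f [int]$_.trustAttributes)
            SidFiltering    = Get-TrustSidFilteringState -TrustAttributes $_.trustAttributes
        }
    } | Format-Table -AutoSize
```

Any row marked WEAK is a trust where SID history from the other side is honoured, which is the condition Steve's "second link" warns about.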