Re: Configure an Empty Root in Active Directory

From: Steven L Umbach (
Date: 04/23/05

Date: Sat, 23 Apr 2005 01:28:18 -0500

The link below explains why some consider the empty root domain. It
basically is used to control the Enterprise Admins group so that the
administrators in the root domain cannot abuse their powers for child
domains. If all "active" domains are child domains then they are considered
equal as far as the power of a domain admin in each domain. The domain
administrator and all other admin groups in the root domain would then be
closely controlled and limited. Unfortunately for what you propose to do,
an empty root domain would not offer any security benefit because if the
root domain in the forest has been compromised, then the whole forest has
been compromised since the attacker now has Enterprise Admin powers in the
forest. Also there are ways that a skilled malicious domain admin in any
domain in a forest could possibly gain domain admin powers in any domain in
the forest, and because of that, separate forests should be used if that is a
concern. For forest or external trusts you would want to make sure that SID
filtering is enabled [which it is by default] to remove that vulnerability
as shown in the second link below.

To protect your domain it would be good to read the Windows 2003 Server
Security Guide for how to improve security with a strong password policy,
auditing, patch management, antivirus protection strategy, operating system
hardening and using baseline security templates, prudent usage of domain
admin credentials, only giving trusted and competent people domain admin
powers, and physical security for sensitive computers - particularly domain
controllers.

--- Steve

-- Windows 2003 Server Security Guide

"TrueTec" <> wrote in message
> I'm in the process of configuring an Active Directory domain in Windows
> 2003 Server and I want to set up an empty root to protect my domain objects
> such as user accounts and domain objects from attempted breaches of
> security, so if someone breaches the domain they won't see any object to
> tamper with. If anyone could help me I would appreciate it greatly.
> --
> James
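A defender-side check for the SID filtering point raised in the answer above, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module (Get-ADTrust) and decodes the trustAttributes flag values defined in MS-ADTS; it reports which external trusts have lost their quarantine and which forest trusts have been relaxed to external-style filtering.

```powershell
# Added example, not from the original post: decode the trustAttributes bits on
# each trust and report whether SID filtering is still in force.
# Flag values are from MS-ADTS; Get-ADTrust comes from the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering "quarantine" on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # the trust is a forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # parent/child or tree-root trust inside one forest
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed to external-style filtering

function Test-TrustSidFiltering {
    # $Trust is an object returned by Get-ADTrust (or anything with a TrustAttributes int).
    param([Parameter(Mandatory)] $Trust)
    $attr = [int]$Trust.TrustAttributes

    if ($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
        # Trusts between domains of the same forest are never SID filtered;
        # this is why the forest, not the domain, is the security boundary.
        return 'INFO: intra-forest trust, SID filtering does not apply'
    }
    if ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
        if ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
            # Set by "netdom trust ... /enablesidhistory:yes": the stricter
            # forest-aware filtering has been downgraded to external-trust rules.
            return 'WARNING: forest trust treated as external (SID history enabled)'
        }
        return 'OK: forest trust with forest-aware SID filtering'
    }
    if ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
        return 'OK: external trust is quarantined (SID filtering on)'
    }
    # Quarantine is on by default for new external trusts; seeing it cleared
    # means someone ran "/quarantine:no" and SIDs from the trusted domain
    # are accepted without filtering.
    return 'WARNING: external trust without quarantine (SID filtering off)'
}

Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Trust      = $_.Name
        Direction  = $_.Direction
        Attributes = ('0x{0:X}' -f [int]$_.TrustAttributes)
        Status     = Test-TrustSidFiltering -Trust $_
    }
} | Format-Table -AutoSize
```

For an external trust that reports quarantine off, `netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:yes` turns SID filtering back on.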
