Reasons for Empty (headless root) Root

Discussion in 'Active Directory' started by Chelis Guifoyle, May 16, 2007.

  1. What are the pros and cons or why/why nots for moving off the root domain and
    into a child? We already have 2 child domains based on geography; our
    first domain, where most users first originated, is still the root. Ideally
    we'd like to move these original users to a new domain that is more akin to
    the geographical standard already set.

    Thanks in advance.
    Chelis Guifoyle, May 16, 2007

  2. This can be debated for days, it depends entirely on the company and the
    goals and what kind of administrative overhead a company is willing to
    accept for an empty root. In general smaller companies don't usually do
    it but larger companies are more likely to do it but again, it is all
    based on things specific to those companies. There is no security
    benefit of doing this.

    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], May 17, 2007

  3. What is your opinion on why it's good vs bad? I'm curious to hear more on the

    The only thing I see is moving users off the forest root which would allow
    for somewhat greater security of the forest/enterprise. Am I on the wrong
    track here?

    Chelis Guifoyle, May 17, 2007
  4. You are wrong if you think it gives more security. The forest, not the
    domain is the security boundary, what security benefit do you get moving
    objects around within the boundary?

    My opinion on whether it is good or not depends on the company I am
    talking to and their stated goals/desires. Most companies, I think it is
    a bad idea, in fact, I think they should have a single domain forest.
    Other companies, notably some of the Fortune 5 companies I have worked
    on I wouldn't have implemented it any other way. Again, depends on the
    company and whether it makes sense at that company.

    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], May 18, 2007
  5. When I say more security I mean in that, the forest in itself is protected by
    the fact that certain active security principals would be moved off into a
    separate boundary being that child domain. These principals that would
    normally have had free rein to do things in the root, would now be isolated
    to only do things in their domain vs affecting the entire forest via the

    Do you disagree with me by saying a domain is also a security boundary in
    that the administrative control is cut off from other domains such that it
    cannot directly affect them?

    I guess one could argue about how the root (er initial domain) was
    administered, but that's beside the point....

    What it comes down to is our company started a 2nd domain based on
    geographical boundaries. This child has its own administrative control to a
    degree... their staff administer their own domain for the most part. Now it
    comes down to for our team, since we've been on the root from the beginning,
    maybe we should follow suit and base it geographically, move everyone off
    into a new child, empty out the root, and create only specific accounts in
    the root...

    What do you think?
    Chelis Guifoyle, May 18, 2007
  6. > Do you disagree with me by saying a domain is also a security
    Yes I completely disagree with that statement. That is why MSFT says the
    forest is a security boundary, not the domain. It is why a bunch of us
    beat up on MSFT back in 2000 when they tried to say the domain was a
    security boundary. I quickly and easily compromised a root domain from a
    child domain for the first time in about May 2000 showing how simple it
    was and nothing has changed. I won't go into details but it is quite
    trivial for a DA or even Serv Op in Domain 1 to go screw with Domain 2.

    Domains are sort of a replication boundary, the config and schema
    replicate across all DCs in a forest and also obviously GCs replicate
    across domain NC boundaries.

    Domains are sort of a Group Policy boundary, you can have GPOs that are
    set on sites which are forest scope.

    Domains are a password policy boundary, that is definitive. Well that is
    until Longhorn, and then fine grained password policy blows that
    out the window as well removing one of the only truly technical reasons
    to have multiple domains.

    I think that if you think you put the second domain in place only to
    give another set of folks DA over it and you think they can't hurt
    anything else in the forest, you are under serious misunderstandings of
    how Windows Active Directory security works and likely you never should
    have moved from a single domain forest configuration. Multiple domain
    forests should have all domains managed by the same set of
    domain/enterprise admins and that number of domain admins should not
    number more than 3-5. Everyone else should have minimal delegated rights
    into the directory and no one else should have direct access to the DCs.

    The walls that separate domain admins in different domains in the same
    forest are made out of razor thin tissue paper.

    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], May 18, 2007
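The post above recommends that one small set of admins (3-5 people) run every domain in the forest and that nobody else hold Domain Admin or Server Operator rights. The script below is an added example, not code from the thread or its participants: it walks every domain in the forest and lists the members of those well-known privileged groups so the recommendation can be checked. It assumes the ActiveDirectory PowerShell module (RSAT for Windows Server 2008 R2 or later, which postdates this 2007 discussion) and an account that can read group membership in every domain; the 5-account ceiling is the post's rule of thumb, not a product limit.

```powershell
# Added example, not part of the thread: audit the privileged groups in every
# domain of the forest against the advice that the same 3-5 people administer
# all domains and nobody else holds DA / Administrators / Server Operators.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later)
# and read access to every domain in the forest.
Import-Module ActiveDirectory

function Get-ForestPrivilegedMembership {
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dc     = $domain.PDCEmulator
        $dsid   = $domain.DomainSID.Value

        # Well-known SIDs, so the check works regardless of localized group names.
        # Domain Admins is domain-SID + RID; Administrators and Server Operators
        # are BUILTIN groups local to each domain's DCs.
        $groups = [ordered]@{
            'Domain Admins'    = "$dsid-512"
            'Administrators'   = 'S-1-5-32-544'
            'Server Operators' = 'S-1-5-32-549'
        }
        # Enterprise Admins and Schema Admins exist only in the forest root.
        if ($domainName -eq $forest.RootDomain) {
            $groups['Enterprise Admins'] = "$dsid-519"
            $groups['Schema Admins']     = "$dsid-518"
        }

        foreach ($g in $groups.GetEnumerator()) {
            try {
                # -Recursive flattens nested groups; members from other domains
                # in the same forest are resolved through the global catalog.
                $members = Get-ADGroupMember -Identity $g.Value -Server $dc -Recursive
            } catch {
                Write-Warning "$domainName / $($g.Key): $($_.Exception.Message)"
                continue
            }
            foreach ($m in $members) {
                [pscustomobject]@{
                    Domain       = $domainName
                    Group        = $g.Key
                    Member       = $m.SamAccountName
                    # Which domain the member account lives in: a DA in the root
                    # who comes from a child domain is exactly the tissue-paper wall.
                    MemberDomain = $m.SID.AccountDomainSid.Value
                    ObjectClass  = $m.objectClass
                    SID          = $m.SID.Value
                }
            }
        }
    }
}

$rows = @(Get-ForestPrivilegedMembership)
$rows | Sort-Object Domain, Group, Member |
    Format-Table Domain, Group, Member, MemberDomain, ObjectClass -AutoSize

# Distinct user accounts holding any privileged membership anywhere in the forest.
$admins = @($rows | Where-Object { $_.ObjectClass -eq 'user' } |
    Select-Object -ExpandProperty SID -Unique)
"{0} distinct privileged user accounts forest-wide" -f $admins.Count
if ($admins.Count -gt 5) {
    Write-Warning 'More than 5 privileged accounts; the post suggests 3-5 for the whole forest.'
}

# If the Domain Admins sets differ between domains, different people run
# different domains, which the post says buys no security inside one forest.
$daSets = @($rows | Where-Object { $_.Group -eq 'Domain Admins' } |
    Group-Object Domain |
    ForEach-Object { ($_.Group.SID | Sort-Object) -join ',' } |
    Select-Object -Unique)
if ($daSets.Count -gt 1) {
    Write-Warning 'Domain Admins membership differs between domains in this forest.'
}
```

Run it from a workstation with RSAT as a user who can read every domain; the output is a flat table plus two warnings. Get-ADGroupMember -Recursive can fail on groups that contain foreign security principals from outside the forest, which is why each lookup is wrapped in try/catch rather than aborting the whole audit.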
  7. Wow, that is certainly eye opening.. would you care to describe offline on
    how domains can affect other domains (I can email you directly). I don't know
    where I got the idea that they were secure, but I guess it was taught to me
    somewhere.. :(

    That was primarily the reason for going to a new domain, as well as part of
    the reason of the creation of our other domain.. that's some serious bad
    vibe there.

    I am very interested in learning more about how the security is between
    domain and domain vs forest. I feel like all that I know about Windows
    domains is bunk right now.
    Chelis Guifoyle, May 18, 2007
  8. Nope, I won't go into details about it. There is nothing that can be
    done to stop it, just going around describing it to people does nothing
    to help the situation. There is a book by my friend Guido Grillenmeier
    which unfortunately alludes to how it can be done, I can't say I was too
    thrilled to read how much detail he gave about the problem. Truly and
    honestly, it is so trivial, anyone with a relatively decent grasp of AD
    that spends an hour thinking about how they would try to do it will
    likely come up with at least one way to do it. There are both trivial
    ways and not so trivial ways.


    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], May 19, 2007
  9. Alrighty then.. thanks for making me feel even more like c4@p by degrading
    my knowledge. I think I have an idea by how you mean it's not secure, but I
    guess I'll have to research it myself. I just want to thoroughly understand
    this issue as you have.

    Would you say using child domains in this way is merely an administrative or
    management type control/boundary. Since, as you say, pure security between
    domains in a forest is bunk. I understand your replication/gpo/password
    Chelis Guifoyle, May 19, 2007
  10. It's not about "degrading your knowledge" as no one can do that -- only
    time can degrade your knowledge, or a lot of bad information if you ingest
    that poor info.

    The "empty root" was never a particularly good idea (this doesn't mean it was
    always "wrong" per se). It never was a good GENERAL recommendation
    because it didn't do most any of what people thought.

    Yes, in (unusual) cases, mostly political, the extra domain had a reason to be
    there and your description of admin/management boundary is pretty close.

    But of course OUs can almost always do this as well (or better.)

    For the most part the empty root domain is just an extra cost burden where
    you have to maintain (at least 2) extra DCs, and all that entails including
    backups and keeping the extra but largely or frequently worthless DCs
    Herb Martin, May 20, 2007
  11. Thanks Herb,

    I am starting to understand that now.. Sorry Joe if I started anything. I
    am just wanting to learn. It's kinda like finding out Santa Claus isn't
    real.. I swear that used to be the school of thought behind domains and its
    security, but the more I read about it, its not the case.

    With the added complexity of extra DCs, extra replication, extra
    everything really.. what is the point behind a child domain then really?
    Aside from possible political needs such as a separate admin group/team who
    want their own 'playpen.' Technically with the correct site and physical
    design there should be no need?

    Joe, is the book by Guido, Microsoft Windows Security Fundamentals? I
    really need to learn more about this and would like to confirm this is the
    one. And just so you know, I went out to my local BN today and picked up
    your book... p150, 2nd to last para! Solid book thus far I must say!

    Chelis Guifoyle, May 20, 2007
  12. No one is blaming you for asking -- it is a common set of misconceptions
    that were spread even by some books (probably) and other authoritative
    sounding sources.

    Problem was it was believed by the "second or third tier" experts who only
    learned things by rote but who were otherwise pretty smart and competent.

    This gave the myth a lot of legs and when it finally died out as an
    sounding recommendation there wasn't any way to take it back.

    Much like the myth that NetBIOS was no longer needed -- and with it
    that WINS Servers don't matter. (Truth: If you needed WINS Servers
    in NT4 you almost certainly still need them.)
    You understood it. There was a belief that the split in domains offered
    a true security boundary and that somehow 2 domains were more secure
    than one. (Simple thought would have shown that if you cannot keep one
    of them secure you cannot keep TWO secure.)

    The cases where the root domain makes (some) sense are those where
    you are going to have multiple PEER domains and wish to have the common
    parent, not so much for "security" as for management and convenience of
    And test domains and such. But yes, technically there is seldom a NEED.

    Read Joe's book or the online docs. [Or the (obsolete) book by Olsen which
    hasn't been updated since Win2000.] Joe wrote the latest edition of the
    O'Reilly AD book. Everything else other than these three is overpriced.
    It is a solid book.

    And if you expect to read much about this you are going to be disappointed;
    at best you might run into some of the obsolete info you need to AVOID.

    Instead think your own way through it -- if you cannot work your way through
    Joe's points logically then why would you accept them?

    This is precisely how the myth achieved such a foot hold, someone
    invented it and others repeated it without thinking it through.

    There are a few of us who never bought it, even during the year or two that
    most of the Microsoft Consultants and such were repeating it even.

    Joe's one of the best and I could impress you with my background but I
    would much rather you understood it logically than believe us simply because
    of our "authority to speak".

    [For a long time, I wouldn't even add the MVP or MCSE to my signature
    because I didn't want people to believe due to WHO I am but rather the
    logic of WHAT I recommend.]
    Herb Martin, May 20, 2007
  13. I didn't see the rest of the post but....

    There were a couple of reasons that empty roots were deployed that still
    make sense. Security is not so much the reason as control is/was.
    For the vast majority of implementations I've seen, they'd prefer not to
    have deployed an empty root for the complexity it brought with it and the
    very superficial return they received for their efforts (it was not as well
    understood by the decision makers as it may be after having it for a year).
    But some reasons that are being addressed in upcoming releases were/are
    valid. Password complexity control for privileged accounts was one such
    reason. That doesn't stop somebody from attacking your system from a child
    domain - so it is no excuse to relax. But it is something you could not get
    with a single domain/single forest model that may seem worth it to you in
    some small environments.
    Al Mulnick, May 21, 2007
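Al's post, like Joe's earlier one, points at per-domain password policy as the one technical reason for a second domain that later releases remove: fine-grained password policy (Password Settings Objects) lets privileged accounts get a stricter policy than the domain default inside a single domain. The script below is an added example, not code from the thread; it creates a PSO, binds it to an admin group and verifies the resultant policy for one account. It assumes a Windows Server 2008 domain functional level, the ActiveDirectory module (2008 R2 RSAT or later), and made-up names for the PSO, the group and the test user. As Al notes, none of this stops an attack from a child domain; it only replaces the password-policy reason for having one.

```powershell
# Added example, not part of the thread: a fine-grained password policy (PSO)
# that gives privileged accounts stricter password/lockout settings than the
# Default Domain Policy, inside one domain. Requires Windows Server 2008 domain
# functional level and the ActiveDirectory module (2008 R2 RSAT or later).
# All names below are constructed for the example.
Import-Module ActiveDirectory

$PsoName  = 'PSO-PrivilegedAccounts'   # constructed
$AdminGrp = 'Tier0-Admins'             # constructed; PSOs bind only to users and GLOBAL security groups
$TestUser = 'jdoe'                     # constructed; a member of $AdminGrp

# 1. Baseline: the policy every account gets today from the domain.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                PasswordHistoryCount, LockoutThreshold

# 2. Create the PSO once. Lower Precedence wins when several PSOs cover one account.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -Description 'Stricter password and lockout settings for privileged accounts'
}

# 3. Apply the PSO to the admin group. Members inherit it; a user in several
#    groups gets the PSO with the lowest Precedence value.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $AdminGrp

# 4. Verify. Get-ADUserResultantPasswordPolicy returns $null when no PSO
#    applies, in which case the Default Domain Policy is what the user gets.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
}

Get-EffectivePasswordPolicy -Identity $TestUser |
    Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

If step 4 still shows the domain default, the usual causes are that the group is not a global security group (domain local and universal groups are not valid PSO subjects) or that the functional level is below Windows Server 2008.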
  14. Yes, these things are just reasons for "multiple domains" however, not
    specifically for an "empty root".

    IF there are reasons for multiple domains, then there are reasons and
    the designer must decide if these reasons are more important than the
    extra costs and management issues.
    Herb Martin, May 21, 2007
  15. I really wouldn't call it an admin or management boundary, especially as
    I recommend everyone use the same admins in each of the domains.
    Delegation can be used at the OU level to break things up more
    granularly and doesn't require domains.

    Hands down, sort of so so replication boundary and password policy
    boundary are the big reasons for multiple domains.

    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], May 22, 2007
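Joe's point above is that OU-level delegation, not a separate domain, is how you hand a regional team control over its own users. The function below is an added example, not code from the thread: it grants a helpdesk group the Reset Password extended right and read/write on lockoutTime (enough to reset and unlock) for user objects under one OU, and nothing else. It assumes the ActiveDirectory module (2008 R2 RSAT or later, whose AD: PSDrive is what Get-Acl/Set-Acl operate on) and made-up OU and group names; the schema and extended-right GUIDs are looked up in the forest rather than hard-coded.

```powershell
# Added example, not part of the thread: delegate password reset and account
# unlock for the users in one OU to a helpdesk group, the OU-level delegation
# that the post says does not require a separate domain. Requires the
# ActiveDirectory module (2008 R2 RSAT or later) for the AD: drive.
# OU and group names are constructed for the example.
Import-Module ActiveDirectory

function Grant-OUPasswordResetDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDN,      # e.g. 'OU=Seattle Users,DC=corp,DC=example,DC=com'
        [Parameter(Mandatory)][string]$GroupName  # e.g. 'Seattle-Helpdesk'
    )
    $rootDse = Get-ADRootDSE
    $schema  = $rootDse.SchemaNamingContext
    $rights  = "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)"

    # Resolve GUIDs from this forest's schema and extended-rights container
    # instead of hard-coding them. schemaIDGUID comes back as byte[], rightsGuid as a string.
    $userClass   = [guid](Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
    $lockoutTime = [guid](Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
    $resetPwd    = [guid](Get-ADObject -SearchBase $rights -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

    $sid   = (Get-ADGroup -Identity $GroupName).SID
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    # Descendents + inheritedObjectType = user: the ACEs apply to user objects
    # below the OU, not to the OU itself and not to groups or computers in it.
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    $acl = Get-Acl -Path "AD:\$OuDN"

    # Reset Password is a control-access (extended) right: ObjectType is the right's GUID.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPwd, $inherit, $userClass)))

    # Unlocking an account is a write to lockoutTime; grant read+write on that one attribute only.
    $rw = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $rw, $allow, $lockoutTime, $inherit, $userClass)))

    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# Constructed usage.
$ou = 'OU=Seattle Users,DC=corp,DC=example,DC=com'
Grant-OUPasswordResetDelegation -OuDN $ou -GroupName 'Seattle-Helpdesk'

# Verify: exactly the two ACEs above should be listed for the group.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*\Seattle-Helpdesk' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Two practitioner caveats. Keep administrative accounts out of any OU delegated this way: a group that can reset passwords on every user under the OU can reset an admin's password too if that admin's account lives there. And the delegation is still only delegation inside one forest; it changes who can touch which objects, not the forest-is-the-boundary point made earlier in the thread.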
  16. > rather you understood it logically than believe us simple because
    I can agree with this but it is very tough to explain what the possible
    issues could be without pretty much just pointing them out and quite
    frankly we only have security by obscurity at this point. We have been
    quite lucky in the AD world that none of the worm/virus writers have
    targeted us. There are significant evil things that could be done if
    some of the script kiddies started understanding AD.


    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---

    Joe Richards [MVP], May 22, 2007
  17. Yes, and the fact that worm/viruses are actually pretty hard to write IF
    you wish them to do all of a) be stealthy, b) do complex system specific
    work, and c) propagate fully
    Herb Martin, May 22, 2007
