I'll interject but one point here - there is belief in some camps that the knowledge, technology, and perhaps the code already exists to implement such an attack.

As it was put to me, "How else could a given vendor offer a migration tool that allows migrations without Native Mode requirement?"

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
> Sent: Wednesday, February 19, 2003 8:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Empty root domain benefits?
>
> The point about the domain security issue is that, while it would be very difficult to exploit the first time, it would be much easier for others to do subsequently were the details to be made public.
>
> Tony
>
> ---------- Original Message ----------------------------------
> From: Roger Seielstad <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Wed, 19 Feb 2003 09:34:37 -0500
>
> I'd have to disagree on two of your four points.
>
> -Enhanced Security: it is indeed more secure to keep the schema and enterprise admins group in a different domain. The cross-domain security hole is relatively difficult to exploit, and does require physical (or at least interactive) access to a global catalog server.
>
> -Longer names: There is no requirement for multiple domain forests to exist in contiguous namespace. In fact, there is no need for them to be related namespaces at all. In fact, it is possible to set the root domain to be root.domain.com and have the production domain named domain.com. The only requisite here is that you have a sufficient knowledge of DNS such that you can manage the DNS namespace.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, February 18, 2003 9:15 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Empty root domain benefits?
> >
> > Hi Cliff,
> >
> > There are two pros that I am aware of...
> >
> > 1. In the case of radical naming hierarchy surgery, e.g., acquisition of another company, it provides a convenient place to merge in the new domains.
> >
> > 2. "Enhanced security" for the Enterprise Admins and Schema Admins groups is often claimed, but in practice an empty root buys you little with respect to security.
> >
> > Cons:
> >
> > 1. It's not a single domain forest, which is the best of all possible worlds when you can do it.
> >
> > 2. It makes names longer than they need to be; a minor annoyance.
> >
> > Unless you have some overriding reason for multiple domains (multiple sites and slow WAN links can be an issue), I would stick with a single domain forest. It makes life much simpler.
> >
> > -gil
> >
> > -----Original Message-----
> > From: Clifford Airhart [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, February 18, 2003 6:01 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Empty root domain benefits?
> >
> > Hello Everyone,
> >
> > The simplest domain model is the Single Forest / Single Domain. I was thinking of using this model with an "empty" root domain. Does anyone have any experience with an "empty" root domain? Is it really beneficial? We are only a small company with a few hundred users and have 4 domains in a multimaster NT domain model.
> >
> > What are the pros and cons?
> >
> > Thanks,
> >
> > Cliff Airhart
> > Answer Financial Inc.
> > Senior Systems Administrator - Server Support / eBusiness
> > [EMAIL PROTECTED]  818.644.4225  We answer to you.
> >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
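Two claims in the thread above can be checked against a live forest rather than argued: Roger's point that the domains of one forest need not share a contiguous DNS namespace, and Gil's point that an "empty" root only helps if the forest-wide Enterprise Admins and Schema Admins groups (which exist only in the root domain) really stay empty day to day. The following is an added, read-only audit script written for this page; it is not code from the thread or from any of the posters. It assumes the RSAT ActiveDirectory PowerShell module, a domain-joined host, and an account with read access to every domain in the forest; the function names and the `$AllowedAccounts` break-glass list are hypothetical, and all forest and domain names come from the environment it runs in.

```powershell
# Added example (not from the ActiveDir thread): audit forest namespace layout
# and forest-root privileged group membership. Requires the RSAT ActiveDirectory
# module; function names and the allow-list parameter are this example's own.
Import-Module ActiveDirectory

function Get-ForestNamespaceLayout {
    # Label every domain in the forest as forest root, child of its parent, or
    # a separate tree. A separate tree is the root.domain.com / domain.com
    # arrangement described in the thread: same forest, non-contiguous names.
    $forest = Get-ADForest
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        $role = if ($d.DNSRoot -eq $forest.RootDomain) { 'forest root' }
                elseif ($d.ParentDomain)               { "child of $($d.ParentDomain)" }
                else                                   { 'separate tree (non-contiguous name)' }
        [pscustomobject]@{
            Domain     = $d.DNSRoot
            NetBIOS    = $d.NetBIOSName
            Role       = $role
            DomainMode = $d.DomainMode   # functional level, per domain
        }
    }
}

function Get-ForestRootPrivilegedMembers {
    # Report the resolved (nested) membership of the two forest-wide groups.
    # $AllowedAccounts is a hypothetical list of sanctioned break-glass
    # accounts (SamAccountNames); anything else is flagged as unexpected.
    param([string[]] $AllowedAccounts = @())

    $forest = Get-ADForest
    foreach ($group in 'Enterprise Admins', 'Schema Admins') {
        # Query the forest root explicitly: these groups live only there.
        $members = @(Get-ADGroupMember -Identity $group -Server $forest.RootDomain -Recursive)
        $unexpected = @($members | Where-Object { $AllowedAccounts -notcontains $_.SamAccountName })
        [pscustomobject]@{
            Group           = $group
            RootDomain      = $forest.RootDomain
            MemberCount     = $members.Count
            Unexpected      = ($unexpected | ForEach-Object { "$($_.objectClass):$($_.SamAccountName)" }) -join ', '
            EmptyInPractice = ($members.Count -eq 0)
        }
    }
}

# Usage: namespace layout first, then the privileged-group check.
Get-ForestNamespaceLayout | Format-Table -AutoSize
Get-ForestRootPrivilegedMembers -AllowedAccounts @('breakglass-ea') | Format-List
```

Run it from the perspective of the thread's question: if `Get-ForestRootPrivilegedMembers` shows standing members in either group, the empty-root design is not delivering the "enhanced security" it is often credited with, regardless of how the DNS namespace is laid out. Scheduling the second function and alerting on any change to `MemberCount` or `Unexpected` turns the design argument into a monitored control.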