Active Directory Policy Statement


Active Directory Forest:

Deployment of one Active Directory forest will suffice for WWTC's requirements. There are no requirements for data isolation within WWTC's Active Directory configuration, and any required data separation can be achieved through data isolation within the single forest. A single forest was chosen because it is very cost-effective and requires the least amount of administrative support. For example, with only one forest, the global catalog does not require synchronization across forests, and management of a duplicate infrastructure is not required. An organizational forest model will be used, with user accounts and resources contained in the forest and managed independently. The forest will be used to provide service and data isolation. This has been chosen instead of other models where resources and users are isolated in separate forests.


Active Directory Domain:

WWTC will use an organizational domain forest to provide autonomous groups within the forest as required. The New York office will have a separate domain from the Hong Kong office, since the latter will be largely autonomous. In addition, a separate domain can be created to restrict access to confidential data. Since WWTC will have few IT personnel to handle day-to-day IT support activities in New York, the following functions will be maintained by forest-level administration:


Creating and removing domain controllers

Monitoring the functioning of domain controllers

Managing services that are running on domain controllers

Backing up and restoring the directory


Two domains will require that Group Policy settings, as well as access control and auditing settings (required forest-wide), are implemented separately in each domain of the forest. This setup is considered a regional domain configuration and will reduce traffic over wide area network (WAN) links. While service administration will be carefully controlled at the Hong Kong office, the following functions will be maintained within the New York office:


Creating organizational units (OUs) and delegating administration

Repairing problems in the OU structure that OU owners do not have sufficient access rights to fix


Instead of creating a separate forest root domain, the New York office will function as the forest root domain. It will be the parent domain to the other offices. Service administrator accounts will reside in the New York root domain, while user accounts for each region will reside in the appropriate regional domain. For administration purposes, the branch offices will function as child domains under the New York root domain. This configuration was chosen because it is much easier to manage than a configuration with a separate domain for administrative accounts.


Active Directory Naming Convention: is the Active Directory namespace used by WWTC. It is a registered fully qualified domain name for WWTC. WWTC will use the same internal and external namespace. will be used from inside and outside the organization, without a separate namespace for internal access to resources. This means that the tree name ( is consistent for the private network and the public (Internet) network, allowing users to log on with the same credentials internally and externally. This requires a separate zone outside the firewall to provide name resolution for public resources, and it does create a security concern: it must be ensured that clients accessing resources from outside the organization do not gain access to internal company resources. It also creates the requirement to maintain the records on both the internal and external DNS servers simultaneously. The attached illustration shows this configuration.

