An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, users, computers, and group policies.
“But wait?” you say. “I thought Active Directory was just one domain?”
Get the Free Pen Testing Active Directory Environments EBook
A single Active Directory configuration can contain more than one domain, and we call the tier above domain the AD forest. Under each domain, you can have several trees, and it can be tough to see the forest for the trees
This additional top-level layer creates security challenges and increased potential for exploitation, but it can also mean greater isolation and autonomy when necessary: the trick is to understand AD forests and different strategies to protect them.
How to Create a Forest Design?
Say you want to create a forest, or (and more likely) you have inherited a forest that you need to clean up. It’s common to see several different domains and GPOs in one or more forests that try to coexist due to earlier attempts at consolidation or acquisition.
First, determine if there are any organizational requirements that require a completely separate set of security policies. Frame the conversation with a focus on data security:
- Are there over-arching policies you can set at the AD forest level?
- Do you need additional domains with different security policies or segregated network connectivity?
- Are there legal or application requirements that require separate domains in the forest?
Once you have the “autonomy and isolation” requirements documented, the design team can build the forest, domains, and GPOs according to each team or organization’s needs.
How Many Forests are Required?
In some cases, it might be necessary to create separate AD forests based on the autonomy or isolation requirements. Adding additional forests multiplies the complexity to manage the AD schema. There are some considerations to make if you decide to add another forest to your AD schema:
- Can you achieve sufficient isolation without creating a second forest?
- Do all of the stakeholders understand the ramifications of separate forests?
- Management of 2 separate forests means you will have double the application servers and IT costs.
- Do you have the resources to manage another forest?
- A single IT team should not manage both AD forests. Security professionals recommend one (1) IT team per forest for segregation of duties.
- Best practice is to migrate new or acquired domains into a single AD forest.
Single Forest vs Multi-Forest Active Directory Design
A single AD forest is a simpler solution long-term and generally considered best practice. It’s possible to create a secure environment without the additional overhead of a 2nd AD forest with multiple domains by leveraging GPOs, established data owners, and a least privilege model.
Multi-forests do provide an extra layer of security across the two domains, but at a significant increase to IT cost. Multi-forests do not make you more secure by default. You still need to configure GPOs and permissions appropriately for each AD forest.
Forest Design Models
There are three primary ways to design an AD forest: you can mix and match those designs to meet your organization’s security needs. Every Active Directory has at least one AD forest, and there are cases where multiple AD forests are required to meet business and security objectives. Here are a few different Forest Models. Each model has different advantages and disadvantage, and unique use cases.
Organizational Forest Model
In an organizational forest, user accounts and resources are stored and managed together. This is the standard configuration.
Characteristics of an organizational forest model:
- Provides autonomy to users and resources in the forest
- Isolates services and data from anyone outside the forest
- Trust relationships between forests can allow access to some resources that live in outside forests
Resource Forest Model
A resource forest separates user accounts and resources into different forests. You would use this configuration to separate a manufacturing system or mission-critical system from the primary forest, so any problems with one forest allow the other to continue operation.
Characteristics of a Resource Forest Model:
- Users live in the organizational forest
- Resources live in one or more additional forests
- Only alternative administrative user accounts live in the resource forests
- Trusts enable resource sharing with the users
- This model provides service isolation, so if one forest goes down the others will continue to operate as normal.
Restricted Access Forest Model
A restricted access forest totally isolates the users and resources in it from other forests. You would use this configuration to completely secure data and limit users to specific datasets.
Characteristics of a Restricted Access Forest Model:
- No trusts exist to other forests
- Users from other forests are not able to access resources in the restricted access forest
- Users need a 2nd computer to access the restricted forest
- Can be housed on a completely separate network if necessary
Active Directory Forests Best Practices
AD forests have been around since 2000, so there are many different theories about the best way to configure Active Directory and forests. Current best practices include:
- When possible, consolidate to a single forest
- Secure resources and data via GPO and apply a least privileged model
- Use GPOs to further limit users ability to create new folders without following a set process. The least privileged permissions model.
- Give your domain admins a 2nd admin account they use only when required per the change management process.
- If you have multiple AD forests with trust relationships, consider consolidation.
- If you need to create a restricted access forest, make sure it is truly restricted. As secure as we want the primary forest to be, a restricted access forest should be Castle Black. Put a 700’ wall around it and keep it there.
If Active Directory holds the keys to the kingdom, the AD forest is the keyring for some of those keys: it’s important not only to secure Active Directory, but to understand how to configure and manage the AD forest in order to prevent data breaches and reduce security vulnerabilities.
Want to learn more about how to protect Active Directory – regardless of how many AD forests you have? Learn about 5 FSMO Roles in Active Directory, and check out the difference between AD for Windows and Azure Active Directory. Prefer an audio/visual experience instead? We’ve got you covered: watch an on-demand webinar on 4 Tips to Secure Active Directory.