Well right now, if a student domain admin account was compromised, no changes could be made to the staff domain. If we had a single domain and a domain admin was compromised then they have access to EVERYTHING.
Originally Posted by seawolf
The networks aren't completely isolated, just different VLANs.
Edit: Just to clarify, this is a set up the current team has inherited. We're giving everything a big review, and thought we'd put the question out to compare organisations. We expected single forest with multiple domains to be the most popular answer so we've been pleasantly surprised.
If a student domain admin were compromised, they may be able to do things like reverse trusts with the staff domain, which is a change.
You're enduring a lot of administrative pain and overhead to gain what is not a substantial security advantage. If your organisation is like most places admin usernames and passwords likely follow a pattern (usernames more than passwords). So, if someone has gotten an admin login for one domain they can probably use the same techniques for getting the others. Once you know the username you're halfway there. Passwords can be broken without a great deal of trouble with the right software, time, and access. Compromises are more frequently from social engineering or carelessness though, and if an organisation loses one login that way, the others are likely to fall in the same way shortly afterward.
Originally Posted by aceonbass
If you have extremely robust and obscure usernames and passwords, change passwords frequently, and limit access to them to a very small number of people, the logins for both domains are not known by any single person, personnel are highly trained in security procedures and follow them, etc. - then it would heighten your security posture. That's not the case for most organisations though. A more simple, easily managed environment with time spent on security training and ensuring that reasonable and not overly complex security procedures are followed is the way to go for most organisations. I would definitely recommend a single domain for most environments.
NOTE: I worked for the NSA for eight years (in the 90s) in the business of obtaining and analysing information that the other side was trying to keep secret and secure. Good security is hard and the human element is the weakest link. Having overly complex systems exacerbates any security weaknesses; we took advantage of this all the time.
We have separate domains, no trust between them.
See, for a student to compromise an admin account they would need access to a PC on the Admin domain, which are all in offices that are locked. If we had everything on one domain, a PC in a lab could be used with a compromised account. And there is more, we didn't set it up that way, but this is a result. And yes, we could use GPO to prevent the admin OU from logging into certain PCs if we wanted.
Thanks all for your responses. It's looking more and more like a huge summer project next year.
Personally, the temptation to start again with minimal migration is overwhelming - in reality, however....
Seems I'm the only one that put multi forest multi domain. Granted I don't work for a school, so my requirements are probably a lot different.
We have a full trust between our forests, which works great. I think your issues with LDAP can be overcome with a few permission changes. As well as having the trust in place, we allow our DCs the credentials to authenticate with each other, e.g. under the security menu for a DC, add the DC from the other forest and select the option "allow to authenticate".
The forests are split with firewalls, and the relevant holes punched through to allow the DCs to communicate. With this in place we find that our LDAP works perfectly.
The problem is information demarcation: what happens when admin staff need to access the same information as teaching staff or vice versa?
Having multiple domains, and even multiple forests, shouldn't prevent the sharing of data. This is what the trusts should help resolve.
Granted in a school setup, a single domain approach might be preferred.
Extremely delayed reply, but thanks again for all the responses. As per a previous post, I've been very surprised by the amount of votes for single domain (expecting multi domains in a single forest). It's now clear which way I'd like to take the network forward, but as I'm neither the overall manager nor network admin this decision does not rest with me...