
 

Why are there no other domains in the apex/nexus forest?

 

Contrary to popular belief, the security boundary is the forest, not the domain.  Quotes from the experts at Microsoft support this stance.

 

Domains were security boundaries in NT4, but the model changed to forests with the introduction of Active Directory for Windows Server 2000 and remains so today with Server 2003.

 

As for the question of peer domains in Nexus/Apex, the reasoning is simple: if administrative groups do not trust each other enough to live in the same domain, they would be foolhardy to share a forest, because that is where the security boundary really exists.

 

Words of advice: 

 


Updated: November 17, 2005