Thursday, October 4, 2018

INF211x Windows Server 2016: Infrastructure - Forest Design Models

You can apply one of the following three forest design models in your Active Directory environment: Organizational forest model, Resource forest model, and Restricted access forest model. It is likely that you will need to use a combination of these models to meet the needs of all the different groups in your organization.
Organizational forest model
This is the most common type of forest. User accounts and resources are contained in the forest and managed independently. If users need to access resources in other forests (or the reverse), trust relationships can be established.
Resource forest model
In this model, a separate forest is used to manage resources. Resource forests do not contain user accounts. Forest trusts are established so that users from other forests can access the resources contained in the resource forest.
Restricted access forest model
In the restricted access forest model, a separate forest is created to contain user accounts and data that must be isolated from the rest of the organization. Restricted access forests provide data isolation in situations where the consequences of compromising project data are severe. Users from other forests cannot be granted access to the restricted data because no trust exists.
Enhanced Security Administrative Environment (ESAE) forests are an example of the restricted access forest model. An ESAE forest hosts privileged accounts, privileged groups, and privileged access workstations. It is connected to the production forest by a one-way forest trust in which the production forest trusts the ESAE forest: ESAE accounts can be used in the production forest, but production accounts have no standing in the ESAE forest. A production forest is a forest in which administrators perform an organization's day-to-day activities. The production forest is configured so that administrative tasks can be performed only with accounts that the ESAE forest hosts.
An ESAE forest has the following benefits:
  • Locked-down accounts. Standard non-privileged user accounts in the ESAE forest can be configured as highly privileged in the production forest. For example, a standard user account in the ESAE forest is made a member of the Domain Admins group in a domain in the production forest.
  • Selective authentication. ESAE forest design allows organizations to leverage the trust relationship’s selective authentication feature. For example, sign-ins from the ESAE forest will be restricted to specific hosts in the production forest.
  • Simple way to improve security. ESAE forest design provides a substantial improvement in the security of existing production forests without requiring a complete rebuild of the production environment. The ESAE forest approach has a small hardware/software footprint and only affects IT Operations team users.
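The two properties that make the ESAE design work are the trust direction and selective authentication, and both are easy to get wrong silently. The following PowerShell script is an added example (it is not part of the course material) that checks them from the production side with the ActiveDirectory module. The forest names corp.example and admin.example are hypothetical, and it assumes the production forest is a single-domain forest whose root domain is the one named, so that Enterprise Admins and Domain Admins can both be read with the same -Server value.

```powershell
# Added example: verify that a production forest's trust with an ESAE (admin)
# forest matches the restricted access forest design described above.
# Hypothetical forest names; run from a PAW with an ESAE account that can read
# both forests, with the ActiveDirectory (RSAT) module installed.
param(
    [string]$ProductionForest = 'corp.example',
    [string]$AdminForest      = 'admin.example'
)

Import-Module ActiveDirectory

$findings = @()

# 1. Trust direction and selective authentication.
#    Seen from the production forest, the trust to the admin forest must be
#    'Outbound' (production trusts admin). 'Inbound' or 'BiDirectional' would let
#    production accounts authenticate into the admin forest, which defeats isolation.
$trust = Get-ADTrust -Filter "Target -eq '$AdminForest'" -Server $ProductionForest
if (-not $trust) {
    $findings += "No trust to $AdminForest found in $ProductionForest."
}
else {
    if ($trust.Direction -ne 'Outbound') {
        $findings += "Trust direction is '$($trust.Direction)'; expected 'Outbound' (one-way, production trusts admin)."
    }
    if (-not $trust.SelectiveAuthentication) {
        $findings += "Selective authentication is off; every admin-forest user could authenticate to every production host."
    }
    if (-not $trust.ForestTransitive) {
        $findings += "Trust is not a forest trust (ForestTransitive is false)."
    }
}

# 2. Privileged groups in production should hold only admin-forest principals.
#    Members from the admin forest show up as foreign security principals whose
#    SID starts with the admin forest's domain SID.
$adminDomainSid = (Get-ADDomain -Server $AdminForest).DomainSID.Value + '-'
foreach ($group in 'Domain Admins', 'Enterprise Admins') {
    foreach ($m in Get-ADGroupMember -Identity $group -Server $ProductionForest) {
        $sid = $m.SID.Value
        # RID 500 is the built-in break-glass Administrator; it is expected here
        # and is vaulted separately, so it is not reported as a finding.
        if ($sid -match '-500$') { continue }
        if (-not $sid.StartsWith($adminDomainSid)) {
            $findings += "$group contains a non-ESAE member: $($m.SamAccountName) ($sid)."
        }
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
}
else {
    Write-Output "ESAE trust and privileged-group checks passed for $ProductionForest."
}
```

Selective authentication only restricts where ESAE accounts may authenticate; the production hosts that should accept them (domain controllers, jump servers) still need the "Allowed to Authenticate" permission granted on their computer objects, which this script does not check.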

INF211x Windows Server 2016: Infrastructure - Forest

Figure: a forest containing the adatum.com and the tailspintoys.com domains
An AD DS forest is the highest-level container object in the AD DS hierarchy. A forest is a collection of one or more AD DS trees, and each AD DS tree contains one or more AD DS domains. The forest, not the domain, is the outermost boundary for AD DS security and administration: anyone who controls a domain controller in any domain of a forest can affect every domain in that forest.
The forest root domain is unique.
The first domain that is created in the forest is called the forest root domain. It contains a few objects that do not exist in any other domain in the forest (for example, the Enterprise Admins and Schema Admins groups), and these objects are created on the first domain controller in the forest. A forest can consist of as little as one domain with a single domain controller, or of hundreds of domains across multiple trees.

Wednesday, October 3, 2018

Event ID 4774 - An account was mapped for logon

This event should be logged for both Success and Failure, but Success events are not yet reported; only Failure events seem to be generated. An Authentication Package of Schannel means the account was mapped from a client certificate presented during a TLS handshake, so the Mapped Name is the account that the certificate resolved to.


Log Sample
An account was mapped for logon.

Authentication Package: Schannel
Account UPN: <Account>@<Domain>
Mapped Name: <Account>

Required Server Roles: no information.
Minimum OS Version: no information.
Event Versions: 0.
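Because only the rendered message text is documented for this event, the most reliable way to review 4774 records is to pull them from the Security log and parse the three labelled lines shown in the sample above. The PowerShell below is an added example, not part of the original post: the field labels come from the log sample, while the seven-day window, the regular expressions and the summary layout are this example's own choices. It assumes the audit policy that generates 4774 is enabled on the host and that it runs in an elevated session.

```powershell
# Added example: list and summarise event 4774 (An account was mapped for logon)
# from the local Security log. Field labels follow the log sample on this page;
# everything else here is an assumption of the example.
$since  = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'Security'; Id = 4774; StartTime = $since }

# Get-WinEvent throws when nothing matches the filter, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Extract one "Label: value" line from the rendered message text.
function Get-MessageField {
    param([string]$Message, [string]$Label)
    if ($Message -match "(?m)^\s*$Label\s*:\s*(.+?)\s*$") { $Matches[1] } else { $null }
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        # Success/Failure is carried in the record's keywords, not in the message.
        Outcome     = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        Package     = Get-MessageField -Message $e.Message -Label 'Authentication Package'
        AccountUpn  = Get-MessageField -Message $e.Message -Label 'Account UPN'
        MappedName  = Get-MessageField -Message $e.Message -Label 'Mapped Name'
    }
}

# Per-account summary. A MappedName you do not expect to be reachable through a
# certificate (or other mapped credential) is the thing to investigate.
$rows | Group-Object MappedName | Sort-Object Count -Descending |
    Select-Object @{ n = 'MappedName'; e = { $_.Name } },
                  Count,
                  @{ n = 'Failures';   e = { ($_.Group | Where-Object Outcome -eq 'Failure').Count } } |
    Format-Table -AutoSize

# Full detail, newest first.
$rows | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Since the post notes that only Failure events appear in practice, the Failures column will usually equal Count; a non-zero Success count would show that the platform has started reporting successful mappings, which is worth knowing before relying on this event for coverage.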