- Since the forest root domain hosts forest-wide privileged groups such as Enterprise Admins, the DCs that host the forest root domain must be kept especially secure.
- Primary function of the forest root domain:
  - Establish trust paths between domains
- Assume a site has two domains, A and B. A user logs on to a computer joined to domain A using domain B credentials: the authentication request must go through a forest root DC before it reaches a DC in domain B.
- Two options to help with this issue:
  1. Distribute forest root DCs accordingly, depending on how often this happens (don't forget these need to be in secure locations).
  2. Create shortcut trusts between the domains (recommended).
- A Full Server installation runs the features needed to support the GUI and similar components.
- Server Core runs only a limited set of additional features.
- Running a DC on Server Core reduces the attack surface of the server, since fewer non-critical services and features are running.
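The following PowerShell audit script is an added example, not part of the original notes: it checks whether two domains in the forest already have a direct (shortcut) trust, so logons with cross-domain credentials do not have to traverse the forest root, and reports whether each forest root DC is running Server Core. It assumes the ActiveDirectory module is installed and the caller can read trust objects; the domain names `a.corp.example`, `b.corp.example` and `corp.example` are constructed placeholders.

```powershell
# Added audit example (not from the original notes). Assumes the ActiveDirectory
# module is available and the caller can read trust objects in the forest.
# Domain names used below are constructed placeholders.
Import-Module ActiveDirectory

function Test-ShortcutTrust {
    param(
        [Parameter(Mandatory)][string]$DomainA,
        [Parameter(Mandatory)][string]$DomainB
    )
    # A parent/child trust already gives a direct path, so no shortcut is needed.
    $parentOfA = (Get-ADDomain -Server $DomainA).ParentDomain
    $parentOfB = (Get-ADDomain -Server $DomainB).ParentDomain
    if ($parentOfA -eq $DomainB -or $parentOfB -eq $DomainA) {
        return "Parent/child relationship between $DomainA and $DomainB; no shortcut trust needed"
    }
    # A shortcut trust appears as an intra-forest trust object on DomainA
    # whose Target is DomainB.
    $trust = Get-ADTrust -Filter * -Server $DomainA |
        Where-Object { $_.IntraForest -and $_.Target -eq $DomainB }
    if ($trust) {
        return "Shortcut trust present: $DomainA -> $DomainB ($($trust.Direction))"
    }
    return "No direct trust: logons to $DomainA with $DomainB credentials traverse the forest root"
}

function Get-DcInstallationType {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # InstallationType is 'Server Core' on Core and 'Server' on a Full installation.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    }
}

# Usage with constructed names: check the A/B pair from the notes, then list the
# installation type of every DC in the forest root domain.
Test-ShortcutTrust -DomainA 'a.corp.example' -DomainB 'b.corp.example'
(Get-ADDomain -Identity 'corp.example').ReplicaDirectoryServers | ForEach-Object {
    '{0}: {1}' -f $_, (Get-DcInstallationType -ComputerName $_)
}
```

Any forest root DC reported as `Server` rather than `Server Core` is a candidate for the attack-surface reduction described above.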