  • Since the forest root domain hosts forest-wide privileged groups such as Enterprise Admins, the DCs hosting the forest root domain should be kept especially secure.
  • Primary function of the forest root domain:
  • Establish trust paths between domains
  • Let’s assume a site has two domains, A and B. A user logs on to a computer joined to domain A using domain B credentials; the authentication must be referred through a forest root DC before a DC in domain B is contacted.
  • Two options to help with this issue:

1. Distribute forest root DCs accordingly (depending on how often this happens). Don’t forget, these need to be in secure locations.

2. Create shortcut trusts between the domains (recommended).


  • A Full Server installation runs additional features to support the GUI etc.
  • Server Core is limited in the additional features it runs.
  • Running a DC on Server Core reduces the attack footprint of the server, since fewer non-critical services/features are running or being executed.
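As an added example that is not part of these notes, the PowerShell audit below covers both points above: it lists the forest’s intra-forest trusts and classifies each as parent-child, tree-root or shortcut (a DNS-name heuristic of my own, since AD does not label shortcut trusts), flags child domains whose cross-domain logons still go through the forest root, and reads each forest-root DC’s InstallationType over WinRM to tell Server Core from a full install. It assumes the RSAT ActiveDirectory module is installed and the root DCs accept WinRM from the workstation running it.

```powershell
# Added example (not from the original notes): audit intra-forest trusts and report
# which forest-root DCs run Server Core. Assumes RSAT ActiveDirectory + WinRM access.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDom = $forest.RootDomain

function Test-DirectChild([string]$Child, [string]$Parent) {
    # True when $Child is exactly one DNS label below $Parent (e.g. eu.corp.tld under corp.tld)
    ($Child -like "*.$Parent") -and (($Child -split '\.').Count -eq ($Parent -split '\.').Count + 1)
}

function Get-TrustKind([string]$Source, [string]$Target) {
    # DNS-name heuristic of my own; AD does not label shortcut trusts explicitly.
    if ((Test-DirectChild $Source $Target) -or (Test-DirectChild $Target $Source)) { return 'parent-child' }
    $other = if ($Source -eq $rootDom) { $Target } else { $Source }
    if (($Source -eq $rootDom -or $Target -eq $rootDom) -and $other -notlike "*.$rootDom") { return 'tree-root' }
    return 'shortcut'   # direct path that avoids the forest-root referral hop
}

# 1. Collect intra-forest trusts from each domain; the queried domain is the source
#    and Get-ADTrust reports the partner (Target) as a DNS name.
$trusts = foreach ($dom in $forest.Domains) {
    Get-ADTrust -Filter * -Server $dom | Where-Object { $_.IntraForest } | ForEach-Object {
        [pscustomobject]@{
            Source = $dom; Target = $_.Target; Direction = $_.Direction
            Kind   = Get-TrustKind $dom $_.Target
        }
    }
}
$trusts | Sort-Object Kind, Source | Format-Table -AutoSize

# 2. Child domains with no shortcut trust still send every cross-domain logon
#    through the forest root, so list them for review.
$noShortcut = $forest.Domains | Where-Object { $_ -ne $rootDom } | Where-Object {
    $d = $_
    -not ($trusts | Where-Object { $_.Kind -eq 'shortcut' -and ($_.Source -eq $d -or $_.Target -eq $d) })
}
"Domains relying on the forest root alone for referrals: $($noShortcut -join ', ')"

# 3. Installation type of each forest-root DC ('Server Core' vs. 'Server' with GUI).
Get-ADDomainController -Filter * -Server $rootDom | ForEach-Object {
    $dc = $_
    try {
        $type = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
        }
    } catch { $type = "unreachable: $($_.Exception.Message)" }
    [pscustomobject]@{ RootDC = $dc.HostName; Site = $dc.Site; InstallationType = $type }
} | Format-Table -AutoSize
```

Any root DC reporting an InstallationType other than 'Server Core', or any child domain listed as relying on the forest root alone, is a candidate for the two hardening options above.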