Understanding the Empty-Root Domain Model
The schema is the most critical component of AD DS and should, therefore, be protected and guarded closely. Unauthorized access to the schema master domain controller for a forest can cause some serious problems and is probably the best way to corrupt the entire directory. Needless to say, segregation of the keys to the schema from the user base is a wise option to consider. From this concept was born the empty-root domain model, shown in Figure 5.11.
Figure 5.11. Empty-root domain model with an unpopulated forest root.
In short, the peer-root domain model makes use of an unpopulated forest root domain ...
Get Windows Server® 2012 Unleashed now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
