The multiple-forests - Super Admin forest model, as shown in the following figure, allows you to implement security policies in the Admin forest, separate from those implemented in the hosted companies and the rest of your organization. In addition, this model ensures data isolation by deploying a different and isolated global catalog in the Admin forest.

In practice, the multiple-forests - Super Admin forest model is popular among large hosting companies, where the separation of forests at the service provider typically follows organizational lines. One forest is maintained by the internal IT organization for the hosting company's own IT requirements. The second forest, also at the hosting company, is maintained by the business unit responsible for supporting hosted companies.

The multiple-forests - Super Admin forest model provides:

  • Security - The administrators are in a totally separate forest that is tightly controlled and managed. In the preceding example, the service provider's users and administrators shared the same forest, so if an attacker compromises a user account in that forest, the entire network is compromised. In this model, users do not exist in the same forest as the administrators. Therefore, if the security of the shared domain is compromised, the damage is contained to that forest.
  • Data isolation - The administrators' forest does not share a global catalog with the shared domain, so the amount of information a compromised shared domain can disclose about the administrators is reduced.
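The two properties above can be audited rather than assumed. The following PowerShell script is an added example, not part of the original guide: it checks that the Admin forest and the shared (hosting) forest are genuinely distinct forests with separate global catalogs, that no enabled account name exists in both forests, and that the shared forest's privileged groups contain no local user accounts. The forest names are placeholders, and the ActiveDirectory module plus read access to both forests are assumed.

```powershell
# Added audit script (not from the original guide). Assumes the ActiveDirectory
# module is installed and the caller can read both forests.
# The forest names below are placeholders to be replaced with real values.
param(
    [string]$AdminForest  = 'admin.example.invalid',
    [string]$SharedForest = 'hosting.example.invalid'
)
Import-Module ActiveDirectory

# 1. The two names must resolve to different forests, otherwise there is only
#    one global catalog and no isolation at all.
$adminF  = Get-ADForest -Identity $AdminForest
$sharedF = Get-ADForest -Identity $SharedForest
if ($adminF.RootDomain -eq $sharedF.RootDomain) {
    throw "Both names resolve to the same forest; no data isolation."
}
# A global catalog server should never be listed by both forests.
$common = Compare-Object $adminF.GlobalCatalogs $sharedF.GlobalCatalogs `
              -IncludeEqual -ExcludeDifferent
if ($common) {
    Write-Warning "GC servers listed in both forests: $($common.InputObject -join ', ')"
}

# 2. Administrator accounts should live only in the Admin forest: flag any
#    enabled sAMAccountName that also exists in the shared forest.
$adminUsers = Get-ADUser -Filter 'Enabled -eq $true' -Server $adminF.RootDomain |
              Select-Object -ExpandProperty SamAccountName
foreach ($name in $adminUsers) {
    $dup = Get-ADUser -Filter "SamAccountName -eq '$name'" `
                      -Server $sharedF.RootDomain -ErrorAction SilentlyContinue
    if ($dup) { Write-Warning "Account '$name' exists in both forests." }
}

# 3. Privileged groups in the shared forest should not hold ordinary user
#    accounts from that forest; administration comes from the Admin forest.
#    Members from the Admin forest appear as foreign security principals, not
#    'user' objects, so only local users are flagged. The built-in
#    Administrator account will show up here and should be reviewed separately.
$sharedRoot = $sharedF.RootDomain
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Server $sharedRoot -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Write-Warning "$group in $sharedRoot contains local user '$($_.SamAccountName)'"
        }
}
```

Run it from a workstation that can reach a domain controller in each forest; every warning it prints is a place where the model's containment guarantee is being undermined.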