The multiple-forests - Super Admin forest model, as shown in the following figure, allows you to implement security policies in the Admin forest, separate from those implemented in the hosted companies and the rest of your organization. In addition, this model ensures data isolation by deploying a different and isolated global catalog in the Admin forest.
In practice, the multiple-forests - Super Admin forest model is popular among large hosting companies. The separation of forests at the service provider occurs along organizational lines: one forest is maintained by the internal IT organization for the hosting company's own internal IT requirements, and a second forest, also at the hosting company, is maintained by the business unit responsible for supporting hosted companies.
The multiple-forests - Super Admin forest model provides:
- Security - The administrators are in a totally separate forest that is tightly controlled and managed. In the preceding example, the service provider's users and administrators shared the same forest. If a user compromises that forest, then the entire network is compromised. In this model, users do not exist in the same forest as the administrator. Therefore, if the security of the shared domain is compromised, the damage is contained.
- Data isolation - The administrators do not share a common global catalog and therefore information disclosure is reduced in the shared domain.