Is there today any reason to have multiple domains in one forest
I've been reading a lot trying to figure out why I would set up a "multi-domain - one forest" architecture, but I haven't found any good reason to do so. I came to the conclusion that you had better use "one domain and delegations" or "multiple domains with trusts".
There is one quote which is central for me:
"Because a domain is not a security boundary, it is possible for a malicious service administrator, such as a member of the Domain Admins group, to use nonstandard tools and procedures to gain full access to any domain in the forest or to any computer in the forest. For example, service administrators in a nonroot domain can make themselves members of the Enterprise Admins or Schema Admins group."(Source)
Is there anyone who could think of a scenario where you would use one forest with multiple domains?
Thank you
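The quoted passage describes a service administrator in a child domain placing themselves into a forest-wide group. A defensive check that follows directly from it is an audit of who sits in Enterprise Admins, Schema Admins and each domain's Domain Admins, with every member tagged by its home domain. The following script is an added example and is not part of the question or of any Microsoft documentation; it assumes the RSAT ActiveDirectory module, read access to every domain in the forest, and resolves the groups by their well-known RIDs rather than by localized names.

```powershell
# Added example (not from the original post): enumerate forest-wide and
# per-domain admin group membership and flag members that come from a
# different domain than the group itself. Read-only; makes no changes.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Map each domain SID to its DNS name once, so a member's home domain can be
# read straight from the SID prefix of the member object later on.
$domains     = @{}
$domainBySid = @{}
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    $domains[$name]                  = $d
    $domainBySid[$d.DomainSID.Value] = $d.DNSRoot
}
$root = $domains[$forest.RootDomain]

# Well-known RIDs: 512 = Domain Admins (one per domain); 518 = Schema Admins
# and 519 = Enterprise Admins exist only in the forest root domain.
$targets = @(
    @{ Domain = $root; Rid = 519; Label = 'Enterprise Admins' },
    @{ Domain = $root; Rid = 518; Label = 'Schema Admins' }
)
foreach ($d in $domains.Values) {
    $targets += @{ Domain = $d; Rid = 512; Label = 'Domain Admins' }
}

$report = foreach ($t in $targets) {
    $dc       = $t.Domain.PDCEmulator
    $groupSid = '{0}-{1}' -f $t.Domain.DomainSID.Value, $t.Rid
    $group    = Get-ADGroup -Identity $groupSid -Server $dc

    # -Recursive expands nested groups, including groups from other domains.
    foreach ($m in (Get-ADGroupMember -Identity $group -Recursive -Server $dc)) {
        $homeSid = $m.SID.AccountDomainSid.Value
        [pscustomobject]@{
            Group        = '{0}\{1}' -f $t.Domain.DNSRoot, $t.Label
            Member       = $m.SamAccountName
            ObjectClass  = $m.objectClass
            MemberDomain = $domainBySid[$homeSid]
            # True when the member's SID prefix is not the group's own domain.
            CrossDomain  = ($homeSid -ne $t.Domain.DomainSID.Value)
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# Enterprise Admins and Schema Admins are expected to be empty outside change
# windows; a child-domain account in either of them is exactly the situation
# the quoted passage warns about, so surface those rows on their own.
$report | Where-Object { $_.Group -notlike '*\Domain Admins' -or $_.CrossDomain }
```

Run this from a scheduled task and diff successive outputs; new rows in the last listing are the events worth a ticket. If Get-ADGroupMember refuses to recurse through a group nested from another domain (it can, depending on the global catalog it reaches), drop -Recursive and walk the nesting with Get-ADGroup -Properties member instead.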
Solution 1:
I'm using a dual domain forest at this very moment to migrate an enterprise off of a badly broken and misconfigured domain onto one I set up right.
Avoiding any downtime in a domain migration is certainly a very important use-case for multi-domain forests.
Of course, if you don't have a reason you need one, stay with a single domain forest. If/when you need multiple domains, you'll know, and there's no reason to add complexity to an AD forest, especially when you don't gain anything from doing so.
Solution 2:
The short answer to your question is, no. There are generally no good reasons for multi-domain forests. The old guidance, which is largely unchanged, was to provide autonomy and/or control replication.
That "autonomy" included separate password policies. If an organization needed multiple password policies, the only way to achieve it was with multiple domains. Windows Server 2008 addressed that with Fine-Grained Password Policies.
The other, replication, could still be a mitigating factor, but the improvements in WAN topologies and in AD Replication have really eliminated that argument as well.
As for backup/recovery or DR, a multi-domain forest or one with an empty forest root domain doesn't make backup and recovery any easier. In fact, in a forest recovery scenario it makes it more difficult.
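The answer's point that Fine-Grained Password Policies removed the "one domain per password policy" argument is easy to see in practice. The script below is an added example, not code from the answer or from Microsoft; it assumes a domain at Windows Server 2008 functional level or later, the RSAT ActiveDirectory module, and placeholder names (the PSO "PSO-PrivilegedAccounts", the global security group "Tier0-Admins", the user "jdoe") that you would replace with your own.

```powershell
# Added example (not from the original answer): two password policies in one
# domain via a Password Settings Object (PSO), instead of a second domain.
Import-Module ActiveDirectory

# 1. Baseline: the Default Domain Policy still governs everyone not covered
#    by a PSO, so look at it before adding a stricter one on top.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold

# 2. A stricter policy for privileged accounts. When a user matches several
#    PSOs, the one with the lowest Precedence value wins.
$psoName = 'PSO-PrivilegedAccounts'   # placeholder name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -Description 'Stricter policy for Tier 0 administrators'
}

# 3. PSOs bind to users and global security groups, never to OUs, so put the
#    privileged accounts in a group and attach the PSO to that group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Tier0-Admins'   # placeholder group

# 4. Verify which policy actually applies to a given account. An empty result
#    means no PSO matched and the Default Domain Policy is in force.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |   # placeholder user
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

Step 4 is the part worth keeping in a periodic audit: if Get-ADUserResultantPasswordPolicy returns nothing for an account that is supposed to be Tier 0, the account is not in the group the PSO is bound to and is silently running under the weaker domain default.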