How exactly does multi-forest design benefit an organization?
Timashev: By default, a user or administrator in one forest cannot access another forest, which means that the forest is a security boundary. A multi-forest design allows for security boundaries within corporate networks, thus improving the overall network security. The most sensitive parts of the network (corporate, accounting, finance, R&D, etc.) should be in a separate forest to guarantee the highest level of security and access control. In addition, different divisions within a large corporation should consider a separate forest for added security isolation. Of course, some users might need to access data in another forest. For this need, administrators can create trust relationships between domains in the forests and use SID filtering, which is a mechanism that prevents the “Domain Trust” vulnerability from occurring between forests.

SWM: Can SID filtering be used between domains within the same forest to prevent the Domain Trust vulnerability?

Timashev: Unfortunately, no. SID filt