    LEM in multiple Microsoft AD Forests (as opposed to multiple domains)


      Due to several statutory requirements, we are finding ourselves in need of dividing our existing Microsoft AD forest into multiple separate and distinct forests (as a domain is not a security boundary). Can a single LEM server monitor and manage clients from other forests, or would I have to deploy individual LEM servers within each forest?

        Re: LEM in multiple Microsoft AD Forests (as opposed to multiple domains)
          Lawrence Garvin

          LEM generally communicates using either an Agent (e.g. on Windows systems) or syslog or SNMP.

          All of these technologies are Active Directory agnostic.


          The User tool allows for the retrieval of user accounts from Active Directory using a specified domain credential, but this retrieval is functionally at the domain level, and generally not relevant to the forest. As best I can see, there are no restrictions against having multiple AD Query Tools implemented (e.g. one for each domain/forest). Potentially worthy of note is the level of query access to AD Users and Groups that this tool allows, and whether administrator(s) from other forests need to be restricted from knowledge of users/groups in not-their-forest.


          In short, I'm not aware of any specific issues that would arise by managing multiple forests, any more than would arise from managing multiple domains. It may be, though, that the more relevant question here is related to the statutory requirements driving you to deploy multiple forests as security boundaries. Those regulations may also relate to whether your monitoring tools also need to implement similar security boundaries. If so, those regulations may implicate the requirement of separate LEM servers beyond the question of its technical capabilities.
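The point above, that the directory retrieval is scoped to a single domain and that each domain or forest therefore needs its own query credential, can be checked directly with an LDAP bind from PowerShell. The script below is an added example for this thread; it is not LEM's Directory Query tool and not code from any poster. The DC host names are placeholders, and the two credentials are assumed to be separate, read-only query accounts, one valid in each forest (a Forest A credential is not usable in Forest B when no trust exists, which is the whole reason for splitting forests). It binds to the domain naming context of a named DC rather than to a global catalog, because a GC bind (`LDAP://GC:` or port 3268) would return a forest-wide view and hide the domain scoping being demonstrated.

```powershell
# Added example (not from the thread, not LEM code). Host names are assumptions.
param(
    [string]$ForestADc = 'dc01.forest-a.example',   # assumption: a DC in Forest A
    [string]$ForestBDc = 'dc01.forest-b.example'    # assumption: a DC in Forest B
)

Add-Type -AssemblyName System.DirectoryServices

# One credential per forest; with no trust between forests these cannot be shared.
$credA = Get-Credential -Message 'Forest A read-only query account'
$credB = Get-Credential -Message 'Forest B read-only query account'

function Get-DomainUsersAndGroups {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password

    # Ask this specific DC for its own domain naming context. Binding to
    # "$Server/<domain NC>" keeps the search inside that one domain; it does not
    # walk the forest the way a global catalog bind would.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server/RootDSE", $user, $pass)
    $domainNc = $rootDse.Properties['defaultNamingContext'].Value

    $base = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server/$domainNc", $user, $pass)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.PageSize = 500                     # paged results for large domains
    $searcher.Filter = '(|(objectCategory=person)(objectCategory=group))'
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'objectClass', 'distinguishedName'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                Domain = $domainNc
                Name   = $r.Properties['samaccountname'][0]
                Class  = ($r.Properties['objectclass'] | Select-Object -Last 1)
                DN     = $r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()
    }
}

# Two independent queries, one per forest, each with its own credential.
# Nothing returned by the first call contains objects from the second forest.
$fromA = @(Get-DomainUsersAndGroups -Server $ForestADc -Credential $credA)
$fromB = @(Get-DomainUsersAndGroups -Server $ForestBDc -Credential $credB)

"Forest A domain $($fromA[0].Domain): $($fromA.Count) users/groups"
"Forest B domain $($fromB[0].Domain): $($fromB.Count) users/groups"

# Sanity check for the scoping claim: no DN from one query lives under the other's NC.
$leaked = $fromA | Where-Object { $_.DN -like "*$($fromB[0].Domain)" }
if ($leaked) { Write-Warning "Forest A query returned Forest B objects: $($leaked.Count)" }
```

Running this with a separate low-privilege account per forest also answers the caveat raised above about query access: whatever account each Directory Query tool is given can read exactly this much about that domain's users and groups, and nothing about the other forest, so the query accounts, not the LEM server count, are where that knowledge boundary is enforced.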

            Re: LEM in multiple Microsoft AD Forests (as opposed to multiple domains)

              Just seconding LGarvin: The LEM can have multiple Directory Query tools and import users/groups from multiple domains.  However, there's no way to prevent a user from Domain/Forest A from searching events from Domain/Forest B if they all log to the same place.  Maybe the type of events you log don't include enough sensitive data for that to matter, but if you really want to make sure that Forest A and Forest B don't contaminate each other, you probably want separate LEMs so that people searching on one LEM don't accidentally (or intentionally) see information that might compromise your InfoSec policies.  The last thing you want is someone seeing that ObjectAudit for a file called "ImpendingBillionDollarIPOThatWeHaveToKeepSecretForCompanyX.docx" when they're in the wrong group or domain.

              Re: LEM in multiple Microsoft AD Forests (as opposed to multiple domains)

                Thanks all. I understand the issue(s) you are describing, but in our case, the same system personnel will be administering both Forests, so it's really not an issue for us. What would be problematic is if a Forest B LEM client could negatively impact the operation of the Forest A LEM server. I don't believe that a Forest A LEM client could negatively impact the Forest A LEM server, so I don't see how a Forest B LEM client could.