In summary, what are you walking away from this lesson with? Well, I just want to, again, repeat that Microsoft's current guidance is for you to standardize on one forest, one domain unless you have specific reasons to do otherwise. If you find that intra-domain traffic is just too intense given your distributed infrastructure, okay, I guess the real lesson is to not overcomplicate your Active Directory forest environment.

The v1 approach to forest and domain security and site topology used to be Enhanced Security Admin Environment, or ESAE, where you would have a management forest and a resource forest, but that really suffers from the over-engineering, over-complication problem that I mentioned earlier. Nowadays, the v2 current guidance from Microsoft is a privileged access strategy for your workstations, servers, and users, where you're looking at configuring your servers to run only trusted code, and then for your users to run with standard permissions and only elevate their permissions when they need to, and to be operating on a non-elevated system and do their administrative work on a privileged access workstation. You can check the exercise files; I give you some more references in the Microsoft docs about this shift in guidance.

Regarding replication, you're not smarter than the KCC. It's kind of a clever comment, but it's not mine. It's from Microsoft. Here's a link to a really old TechNet article where a Microsoft engineer makes the argument that by trying to horse around with your site links by creating them manually, thinking that you're smarter than the Knowledge Consistency Checker, you could wind up introducing problems into your environment and wind up with a less efficient Active Directory replication strategy than if you just let the KCC do what it does best.

Up next, we're going to learn about AD DS security principals. This is users, groups, computer accounts, and the like. I look forward to seeing you then. Thanks very much.