Choose whether to install HGS in its own dedicated forest or in an existing bastion forest
The Active Directory forest for HGS is sensitive because its administrators have access to the keys that control shielded VMs. The default installation sets up a new forest dedicated to HGS and configures the other dependencies. This option is recommended because the environment is self-contained and known to be secure at the time it is created.
The only technical requirement for installing HGS in an existing forest is that it be added to the root domain; non-root domains are not supported. But there are also operational requirements and security-related best practices for using an existing forest. Suitable forests are purposely built to serve one sensitive function, such as the forest used by Privileged Access Management for AD DS or an Enhanced Security Administrative Environment (ESAE) forest. Such forests usually exhibit the following characteristics:
- They have few admins (separate from fabric admins)
- They have a low number of logons
- They are not general-purpose in nature
General-purpose forests, such as production forests, are not suitable for hosting HGS. Fabric forests are also unsuitable, because HGS must be isolated from fabric administrators.
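A pre-flight check for the existing-forest option, added here as an example and not part of the HGS documentation: it verifies the hard requirement that the target domain is the forest root, and reports the number of high-privilege admins as a rough test of the "few admins" characteristic. It assumes the ActiveDirectory RSAT module is installed and that the `$MaxAdmins` threshold, which the page does not specify, is your own choice.

```powershell
# Pre-flight check before installing HGS into an existing bastion forest.
# Added example, not from the HGS documentation. Assumes the ActiveDirectory
# module is available and the session can read the forest and domain objects.
Import-Module ActiveDirectory

function Test-HgsForestPlacement {
    param(
        # Assumed threshold for "few admins"; the documentation gives no number.
        [int]$MaxAdmins = 5
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Hard requirement: HGS must be added to the forest root domain.
    $isRoot = ($domain.DNSRoot -eq $forest.RootDomain)

    # Operational check: distinct members of the highest-privilege groups.
    # Enterprise Admins exists only in the root domain; ignore the lookup
    # error if this is a non-root domain.
    $admins = @('Enterprise Admins', 'Domain Admins' |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
        Select-Object -ExpandProperty SamAccountName -Unique)

    [pscustomobject]@{
        Forest           = $forest.Name
        Domain           = $domain.DNSRoot
        IsForestRoot     = $isRoot
        PrivilegedAdmins = $admins.Count
        FewAdmins        = ($admins.Count -le $MaxAdmins)
        Suitable         = $isRoot -and ($admins.Count -le $MaxAdmins)
    }
}

Test-HgsForestPlacement | Format-List
```

The `Suitable` field covers only the checks above; whether the forest is purpose-built and has a low logon volume still has to be judged from its design and its sign-in telemetry.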
Next step
Choose the installation option that best suits your environment: