We are also often asked the opposite question: Is it better to create a separate forest in
order to add semitrusted domains to the organization? This question is especially
pertinent to creating a domain that will be accessible from the Internet, say for a web
server farm. This situation can be handled in one of two ways.
One, you could create a separate Internet-facing forest and establish an old-style,
explicit one-way trust with a domain within the corporate forest. For that trust to protect
the corporate forest, it must run in one direction only: the Internet-facing domain trusts
the corporate domain, so corporate accounts can be granted rights on the Internet-facing
systems, but no domain in the corporate forest ever trusts the Internet-facing domain, so a
compromised Internet-facing account cannot authenticate into the corporate forest. Again,
you would lose the benefit of a shared directory across all domains in this scenario while
taking on the burden of multiforest management.
The second option is to collapse the Internet-facing domain into an OU within the
corporate forest. The administrator of that OU is then delegated control over only the
objects resident in the OU, and holds no rights anywhere else in the forest. Even if that
account is compromised, the damage to the rest of the forest is limited to what can be done
with those objects.
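To make the second option concrete, here is an added PowerShell example (not code from the original post) that creates such an OU and delegates control of it to a dedicated group, using ACEs whose inheritance stops at the OU subtree. The OU name, the group name and the object classes delegated are assumptions; the domain is read from the environment.

```powershell
# Added example, not code from the original post: delegate control of an
# Internet-facing OU to a dedicated group so that the delegated administrator's
# rights stop at the OU boundary. Assumed names (not from the text):
# OU "Internet-Facing", group "InternetFacing-Admins"; the domain comes from Get-ADDomain.
# Requires the ActiveDirectory RSAT module and an account allowed to modify the OU's ACL.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example,DC=com
$ouName    = 'Internet-Facing'
$ouDN      = "OU=$ouName,$domainDN"
$groupName = 'InternetFacing-Admins'
$classes   = 'computer', 'user', 'group'           # object types the delegate may manage

# 1. The OU that stands in for the separate Internet-facing domain, and a fresh
#    group that carries only this delegation. Do not reuse an existing admin group:
#    the delegation must not ride along with rights held elsewhere in the forest.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -Path $ouDN -GroupScope Global -GroupCategory Security `
        -Description 'Delegated administrators for the Internet-facing OU only'
}
$sid = (Get-ADGroup -Identity $groupName).SID

# 2. Schema GUIDs for the delegated classes, so each ACE is scoped to one object type.
$schemaNC  = (Get-ADRootDSE).SchemaNamingContext
$classGuid = @{}
Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName, schemaIDGUID `
    -LDAPFilter '(|(lDAPDisplayName=computer)(lDAPDisplayName=user)(lDAPDisplayName=group))' |
    ForEach-Object { $classGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }

# 3. Write the ACEs to the OU only. The inheritance flags keep them inside the OU
#    subtree; nothing is written to the domain head or to any sibling OU.
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDN"
foreach ($class in $classes) {
    # Create and delete objects of this class in the OU and its sub-OUs
    # ("This object and all descendant objects" in the Delegation of Control wizard).
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow,
        $classGuid[$class],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    # Full control of existing objects of this class below the OU, and nowhere else.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        $allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid[$class])))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Check the blast radius: the group appears in the OU's ACL and is absent from
#    the domain head's own (non-inherited) ACL.
"ACEs on the OU for ${groupName}:"
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
"Explicit ACEs on the domain head for ${groupName} (expect none):"
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and -not $_.IsInherited }
```

The group that receives the delegation should contain only accounts used for this purpose; if one of those accounts is also a member of Domain Admins or holds rights on another OU, the OU boundary no longer limits anything. Note also what the boundary does and does not cover: it bounds what the delegated administrator can change in the directory, but the web servers remain domain members of the corporate forest, so a compromised server is still a domain-joined host with a machine account and network line of sight to domain controllers.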
As with many decisions of this nature, the choice comes down to higher security
versus easier management. Before you decide, read the next section.
The Flip Side: Can I Trust an Internet-Facing Domain?
Posted by The Beyand | 10:11 AM | 0 comments »