System requirements

PAM requires a management forest of Windows 2012 R2 or above, called a bastion forest, which is trusted (one-way trust) by the existing corporate forest(s). The bastion forest must be highly secured and well managed, which is why a new forest is recommended.
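The two requirements above (bastion-forest domain controllers on Windows Server 2012 R2 or later, and a strictly one-way trust in which the corporate forest trusts the bastion forest) can be verified from the bastion forest before PAM is deployed. The following script is an added example, not code from the handbook; it assumes the ActiveDirectory RSAT module is available and uses a placeholder name for the corporate forest.

```powershell
# Added example (not from the book). Run from a host joined to the bastion
# forest with the ActiveDirectory RSAT module installed.
Import-Module ActiveDirectory

$CorpForest = 'corp.example.com'   # placeholder: DNS name of the existing corporate forest

# 1. Every bastion-forest domain controller must run Windows Server 2012 R2
#    (NT version 6.3) or later. OperatingSystemVersion looks like "6.3 (9600)".
$minVersion = [Version]'6.3'
foreach ($dc in Get-ADDomainController -Filter *) {
    $ver = [Version]($dc.OperatingSystemVersion.Split(' ')[0])
    $state = if ($ver -ge $minVersion) { 'OK' } else { 'TOO OLD' }
    '{0}: {1} [{2}] - {3}' -f $dc.HostName, $dc.OperatingSystem, $dc.OperatingSystemVersion, $state
}

# 2. The trust must be one-way: the corporate forest trusts the bastion forest,
#    never the reverse. Seen from the bastion forest, that trust is Inbound only.
#    A BiDirectional (or Outbound) trust would let corporate-forest accounts
#    authenticate into the bastion forest and defeat its isolation.
$trust = Get-ADTrust -Filter * | Where-Object { $_.Target -eq $CorpForest }
if (-not $trust) {
    Write-Warning "No trust with $CorpForest found in this forest."
}
elseif ("$($trust.Direction)" -ne 'Inbound') {
    Write-Warning "Trust with $CorpForest is $($trust.Direction); expected a one-way Inbound trust."
}
else {
    "Trust with $CorpForest is one-way (Inbound to the bastion forest): OK"
}
```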

Note

Microsoft's Best Practices for Securing Active Directory is a must-read. Find it at http://bit.ly/SecuringAD.

If you already have a secured management forest, then it can be utilized for PAM, and a new management forest is not needed. More information on PAM with an existing Active Directory forest can be found at http://bit.ly/MIMPAMWithExistingDomains.

If you do not already have a management forest, you may be wondering why Microsoft requires another forest for PAM. ...
