Admin Accounts Cannot Be Compromised If They Don’t Exist

A network take-down can happen before you know it if someone gets into your Active Directory environment and captures the credentials of a Domain Administrator account. Hopefully each person who manages the domain has a separate account for administration, rather than using the account he or she works with day to day. Even if you’re careful, any user account can be compromised; the more confined and separated an elevated account is, the better.

The Enhanced Security Administrative Environment (ESAE) concept moves the domain admin accounts into another, separate domain dedicated to administration. A completely hardened forest that contains no regular user accounts keeps a barrier between the payload and administration.