System requirements

PAM requires a management forest of Windows 2012 R2 or above, called a bastion forest, which is trusted (one-way trust) by the existing corporate forest(s). The bastion forest must be highly secured and well managed, which is why a new forest is recommended.

Note

Microsoft's Best Practices for Securing Active Directory is a must read. Find it at http://bit.ly/SecuringAD.

If you already have a secured management forest, then it can be utilized for PAM, and a new management forest is not needed. More information on PAM with an existing Active Directory forest can be found at http://bit.ly/MIMPAMWithExistingDomains.

If you do not already have a management forest, you may be wondering why Microsoft requires another forest for PAM. There are two reasons: firstly, a newly built forest starts out free from any malicious activity that may already be present in production, and secondly, a separate forest makes it possible to restrict privileged access in the existing corporate forest(s). In short, we get the best out of our existing forest(s) by assuming the worst about them and creating a new, clean forest from which to control, or regain control of, privileged access.

In our example, the TFC (corporate) domain trusts the PRIV (bastion) single-domain management forest with a one-way trust. In your existing corporate forest(s), the domain controllers must run Windows 2003 or higher. The MIM service, the PAM component service, and the PAM monitoring service, along with SQL and SharePoint 2013 Foundation with SP1, will be installed on a server running Windows 2012 R2 or higher that is joined to the PRIV domain. The MIM synchronization engine and MIM portal are not required.
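As an added example (not from the book), the following PowerShell script, run on the PRIV-joined server that will host MIM, checks the requirements listed above: bastion forest functional level, the direction of the trust with the corporate domain, the operating system of the corporate domain controllers, and the local server's OS and domain membership. The forest and domain DNS names are placeholders that you would replace with your own.

```powershell
# Added example: PAM prerequisite check run from the bastion (PRIV) forest.
# Assumes the ActiveDirectory module is installed and that the account running
# it can read both forests; 'priv.local' and 'tfc.local' are placeholders.
Import-Module ActiveDirectory

$BastionForest   = 'priv.local'   # assumption: DNS name of the bastion forest
$CorporateDomain = 'tfc.local'    # assumption: DNS name of the corporate domain
$problems = @()

# 1. Bastion forest must be at the Windows Server 2012 R2 forest functional level or higher.
$forest  = Get-ADForest -Identity $BastionForest
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2012R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    $problems += "Forest mode is $($forest.ForestMode); Windows2012R2Forest or higher is required."
}

# 2. The corporate domain must trust the bastion forest one way only. Seen from PRIV,
#    the trust object for TFC must be Inbound (TFC trusts PRIV), never BiDirectional.
$trust = Get-ADTrust -Identity $CorporateDomain -Server $BastionForest -ErrorAction SilentlyContinue
if (-not $trust) {
    $problems += "No trust object for $CorporateDomain was found in $BastionForest."
} elseif ($trust.Direction -ne 'Inbound') {
    $problems += "Trust with $CorporateDomain is $($trust.Direction); expected one-way Inbound."
}

# 3. Every domain controller in the corporate domain must run Windows 2003 or higher.
foreach ($dc in (Get-ADDomainController -Filter * -Server $CorporateDomain)) {
    if ($dc.OperatingSystem -match 'Windows (2000|NT)') {
        $problems += "DC $($dc.HostName) runs $($dc.OperatingSystem); Windows 2003 or higher is required."
    }
}

# 4. This server must run Windows Server 2012 R2 (NT 6.3) or higher and be joined to PRIV.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ([version]$os.Version -lt [version]'6.3') {
    $problems += "Local OS version $($os.Version) is older than Windows Server 2012 R2."
}
if (-not $cs.PartOfDomain -or $cs.Domain -ne $BastionForest) {
    $problems += "This server is joined to '$($cs.Domain)', not the bastion domain $BastionForest."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'All PAM prerequisites checked here are met.'
}
```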
