Also, if IT administration is worried about compromised domain admin accounts, require two-factor authentication for elevated users and/or dedicated management workstations, which are far less likely to be compromised by malware than everyday user desktops.
Ultimately, the appropriate level of security risk is a decision for senior management, made with proper guidance from IT, which then does its best to implement that decision.
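One way to verify that these two controls are actually applied to privileged accounts, as an added audit example that is not part of the original article: it assumes the RSAT ActiveDirectory module, that smart-card logon is the organization's second factor, and that the group list and workstation names (`PAW01`, `PAW02`) are placeholders for your own.

```powershell
# Added audit example (not from the original article). Assumes the RSAT
# ActiveDirectory module and that smart-card logon is the organization's
# second factor; group names and workstation names below are placeholders.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$mgmtWorkstations = @('PAW01', 'PAW02')   # placeholder dedicated management workstations

$findings = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties SmartcardLogonRequired, LogonWorkstations, Enabled |
        ForEach-Object {
            # LogonWorkstations is a comma-separated list; empty means "any workstation".
            $allowed = if ($_.LogonWorkstations) { $_.LogonWorkstations -split ',' } else { @() }
            $offMgmt = $allowed | Where-Object { $mgmtWorkstations -notcontains $_ }
            [pscustomobject]@{
                Group           = $group
                Account         = $_.SamAccountName
                Enabled         = $_.Enabled
                SmartCardOnly   = [bool]$_.SmartcardLogonRequired
                RestrictedToPAW = ($allowed.Count -gt 0 -and -not $offMgmt)
            }
        }
}

# Report enabled privileged accounts missing either control.
$findings |
    Where-Object { $_.Enabled -and (-not $_.SmartCardOnly -or -not $_.RestrictedToPAW) } |
    Sort-Object Group, Account | Format-Table -AutoSize
```

Accounts that appear in the report are elevated users who can still log on with a password alone or from an ordinary workstation, which is exactly the exposure the recommendation above is meant to remove.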
In closing, don't believe any security mantra you hear. Do your own investigating and make sure all assumptions are valid. Over the years, I've often counseled clients to reconsider adding more Active Directory forests unless the security requirements dictated the need and doing so actually reduced risks.
This story, "Separate Active Directory forests don't translate into better security," was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.