Today I found out that Microsoft has retired its ESAE strategic architecture. Microsoft now recommends a new strategy to complement any existing ESAE implementation.
The Enhanced Security Admin Environment (ESAE) architecture (often referred to as the red forest, admin forest, or hardened forest) is an approach to providing a secure environment for Windows Server Active Directory (AD) administrators.
I first learned about ESAE in early 2018. After a deep-dive evaluation, my conclusion was that such a solution is too costly to implement, in terms of operating cost, for most companies (even though it is a secure strategy). This is simply because the strategy never considered the essential security concept. #EssentialSecurity
And after 3 years, Microsoft has admitted that the ESAE architectural pattern is only valid or applicable in a limited set of scenarios. Any organization that implements the ESAE architecture must accept the increased technical complexity and operational costs of the solution.
The ESAE retirement post can be found at https://docs.microsoft.com/en-us/security/compass/esae-retirement