Resource forests, if you want actual security boundaries. Domains aren't security boundaries.
Having said that, some good old fashioned network segmentation would be a "win", too. Default deny ACLs should be the norm, and hosts should only be able to communicate with hosts they actually need to, full stop. (The reactions I get from developers, however, are typically less than pleasant when they learn that environments I administer have such policies.)
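As an added example (not written by either poster), here is what the "default deny, allow only what the host actually needs" posture looks like as an nftables host firewall. The addresses, subnets and service ports are constructed placeholders for one application server; swap in the real dependencies of each host.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny host ACL in nftables (not from the thread).
# All addresses below are constructed placeholders.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny inbound
        ct state established,related accept               # replies to our own connections
        ct state invalid drop
        iif lo accept
        # Only the hosts that genuinely need to reach this box:
        ip saddr 10.0.20.0/24 tcp dport 22 accept  comment "SSH from the admin/jump subnet only"
        ip saddr 10.0.30.0/24 tcp dport 443 accept comment "HTTPS from the web tier"
        # Everything else is dropped; log a sample so gaps show up during rollout.
        limit rate 5/second log prefix "nft-drop-in: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop; # this host is not a router
    }

    chain output {
        type filter hook output priority 0; policy drop;  # default deny outbound as well
        ct state established,related accept
        oif lo accept
        ip daddr 10.0.10.5  tcp dport 5432 accept comment "this app's database"
        ip daddr 10.0.0.53  udp dport 53   accept comment "internal resolver"
        ip daddr 10.0.0.123 udp dport 123  accept comment "internal NTP"
        limit rate 5/second log prefix "nft-drop-out: "
    }
}
```

Load it with `nft -f /etc/nftables.conf` and confirm with `nft list ruleset`. The outbound chain is where most "less than pleasant" developer reactions come from, so a practical rollout is to run the same rule set with `policy accept` on output for a while, watch the `nft-drop-out:` log lines for dependencies nobody documented, then flip to `policy drop` once the allow list is complete.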
True dat. I've gotten where I use forest and domain interchangeably even though what you say is true. I only advise people build single forest, single domain these days. Complex forest topologies are also a bad thing.