There are some in my IT department who insist on doing the following:

1. Having separate domains (or Forests) for our University in Active Directory in order to "separate" Staff, Faculty, Students, and Alumni.
- the reasoning here is because we want to "secure" them "from each other". As if this would create some virtual barrier that'd give us better protection.

2. Utilize base attributes and custom attributes within the Active Directory schema, more and more with storing information like last 4 social, Date of Birth, and other PII such as personal e-mails, addresses, and identification numbers used in other applications integrated into the environment.
- this is related to what they'd want to hide/protect everyone in the domain from viewing, involving separate domains, forests, and advanced schema security modifications of property sets and attributes (base attributes and custom extended attributes).


My questions, and what I'm looking to get advice here on, is, are separate domains really necessary? Does it not add cost for more of an administration burden, as well as give a false sense of security?

What about mobile phones in AD? Those show up in Outlook and OWA in the address list. Is that something that should be stored in Active Directory in the first place, in a University? Given concerns about mobile numbers, for example, being "obtained" through AD/E-mail, is AD really the wrong system for that?

Some quotes from the IT member in favor of using AD for storing such information, as well as separating the domains/forests:

Active Directory is a mature hierarchical database designed to hold, secure, and disseminate directory information. Active Directory is safely extensible by design, but not forgiving of Schema errors. Current and proposed Active Directory Schema extensions and security modifications are simplistic, and our Active Directory is nowhere near its functional limits. That's not to say it can't be hacked, rather that it is a reliable database for Directory Information and Authentication.
Active Directory really is a database intended to be used as directory
These security changes have been supported, with published information, for 15 years (https://support.microsoft.com/en-us/kb/292304). The changes can be applied globally at the attribute level, and granularly to the individual. While it is true that changes made at the ADSI Schema Configuration level are not inherited by all users like the confidentiality bit is, those changes apply as a template to new users. Existing users can be easily modified individually or in larger groups using DSACLS or PowerShell.
It is also true that Active Directory is an Enterprise Directory intended to contain Business (semi-sensitive) Data, globally shared among modestly trusted peers. If there is an issue here, I submit it is mixing public, candidates, students, alumni, parents, and business contacts into a single pool without segmented security. But this is not an insurmountable security problem; indeed, for the business to be effective in the future and maintain this domain model, the application of selective permissions will be necessary.
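One concrete way to check the claim about attribute-level protection is to audit which of the PII-bearing attributes actually carry the confidentiality bit, and which are base-schema attributes on which that bit cannot be set at all (those can only be protected through property-set ACLs). The script below is an added example, not code from the question or from the IT member; it assumes the ActiveDirectory RSAT module, read access to the schema partition, and an illustrative attribute list (`univ-DateOfBirth` is a hypothetical custom attribute name).

```powershell
# Added example: audit the confidentiality bit on selected AD schema attributes.
# searchFlags bit 0x80 is the confidentiality bit; systemFlags 0x10 marks a
# base-schema (category 1) attribute, on which the confidentiality bit cannot be set.
Import-Module ActiveDirectory

$ConfidentialBit = 0x80
$BaseSchemaBit   = 0x10

function Get-AttributeConfidentiality {
    param([Parameter(Mandatory)][string[]]$AttributeNames)

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $AttributeNames) {
        $attr = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties lDAPDisplayName, searchFlags, systemFlags
        if (-not $attr) {
            [pscustomobject]@{ Attribute = $name; Exists = $false; Confidential = $null
                               BaseSchema = $null; Note = 'not found in schema' }
            continue
        }
        $isConfidential = (([int]$attr.searchFlags) -band $ConfidentialBit) -ne 0
        $isBase         = (([int]$attr.systemFlags) -band $BaseSchemaBit) -ne 0
        $note = if ($isConfidential) { 'readable only with CONTROL_ACCESS on the attribute' }
                elseif ($isBase)     { 'base-schema attribute: confidentiality bit not settable; rely on property-set ACLs' }
                else                 { 'custom attribute readable by default; candidate for the confidentiality bit' }
        [pscustomobject]@{ Attribute = $attr.lDAPDisplayName; Exists = $true
                           Confidential = $isConfidential; BaseSchema = $isBase; Note = $note }
    }
}

# Constructed list: base attributes commonly holding PII plus one hypothetical custom one.
$piiAttributes = 'mobile', 'homePhone', 'streetAddress', 'employeeID', 'univ-DateOfBirth'
Get-AttributeConfidentiality -AttributeNames $piiAttributes | Format-Table -AutoSize
```

For a custom attribute the audit flags, the bit is set on its schema object with `Set-ADObject -Replace @{searchFlags = ($current -bor 0x80)}` by a Schema Admin; note that accounts with Full Control on the user objects (e.g. Domain Admins) still read confidential attributes, so the bit narrows the default Authenticated Users read rather than creating a hard barrier.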