@Ken: how machines are monitored is down to the Data Centre teams; they are happy to work with what I get them. As for shared components, it's a good but hard question to answer.
The way I see it: your security policy would tell you what's acceptable/not acceptable. Operational concerns would then give you what's feasible to implement, and Active Directory is just one thing that supports the operational model…
For example, if your security policy says strict separation of resources from DMZ and Internal domains, then:
Physically everything needs to be separate (storage, network, hosting)
Logically everything needs to be separate (tools etc. see below)
Ergo, that would drive the decision to have a separate Active Directory. Creating a single operational view of the organisation (e.g. monitoring and event management, SIEM) has to work with these policies and constraints – e.g. through connected/federated tools.
If your security policy says that this separation is not enforced, then at some level the risk of contamination is acceptable/within appetite. You mitigate risk by patching, locking down ingress points via your firewalls, monitoring for malicious traffic, separate service accounts, separation of duties etc., which make it hard for someone on a compromised host to get to another one and compromise it (at least, without being detected).
The reason I asked about "monitoring/management" was around what your current toolsets are for monitoring/patching/backup/endpoint protection/batch scheduling/log management/service bus/etc. Will they work in an isolated Forest scenario? Or will you be needing to stand up new instances? I guess financial reality/pragmatism + managing operational complexity also tends to play a big part in what option gets chosen. AD provides just one way for someone to get from one host to another – as soon as you start sharing infrastructure or tooling instances, you provide other ways of getting from one host to another.