I was recently discussing with my customer where security boundaries within Active Directory start and stop. This discussion came about because they were under the impression that the Domain was a security boundary. This can be quite a confusing area, because people assume that since each separate domain has its own Domain Administrator, this somehow prevents other Domain Administrators from potentially doing some malicious damage from another domain within the forest or from accessing data in their domain. Check out the following article, which clarifies that it is in fact the Forest that is the security boundary, not the Domain. As it states:
"In general, a security boundary is defined by the top-level container for which no administrator external to the container can take control away from administrators within the container. As shown in the following figure, no administrators from outside a forest can control access to information inside the forest unless first given permission to do so by the administrators within the forest."