We created a separate forest in the DMZ, with no tie to our internal AD. The DMZ forest was originally deployed because we needed a MS cluster. While it does have its negative points, one nice thing is easier account management. I know, separately named local accounts with different passwords on each server would be ideal, but it's something we could never realistically enforce between everyone who needs an account (which is a separate issue, but one no one cares to hear about atm). The local account route would end up with people carrying passwords in their wallets, hidden under keyboards, etc.

But, as I mentioned, our DMZ forest is completely isolated from our internal forest and has greater security restrictions and such, so we tried to address as many concerns as we could.

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/