Sorry for the confusion... but just for clarification... you are saying that you use a single forest (empty root) for all your domains, including your DMZ/Internet?

-----Original Message-----

Brian,

We implemented an empty root design (we now have 6 other domains), but we planned this from the start knowing that our company will do acquisitions and divestitures, leaving us in a position to easily move domains off of the structure. Our forest is very stable, very healthy, and it works well for us. Two additional domain controllers for the Root Domain, which left us with a solid base for the other child domains, was the total cost. Reasonable from a management perspective, knowing that we will add and remove domains.

And, I do have a forest in our extranet. Plus, we are looking into MIIS (or MMS 3.0 for those of us who have been working with the product for more than a month...) to assist with SSO and to manage accounts in a push manner to our extranet forest. In addition, ADAM is beginning to play a part, as some of the applications that we use can use an LDAP service for authentication/authorization.

Bottom line: it's all a matter of choice. You can make all kinds of decisions, but the worst thing to do is not make one. I've seen more projects die because of analysis paralysis than any other single cause. Many times implementing a not perfectly 'optimal' implementation (but very workable and viable) is better than waiting until you have the best solution, only to find that the window was missed or confidence is in question.

Rick Kingslan
MCSE, MCSA, MCT

From: [EMAIL PROTECTED] On Behalf Of Rogers, Brian

I got used to being shocked and surprised at what happens here long ago :) All I can do is try to make it better any way I can. Sadly, without some serious firepower with an MS stamp of approval on it... it's an uphill battle. I can find a bazillion docs, however, that suggest people migrate their NT domains using the empty root strategy... makes one wonder at times.

-----Original Message-----

Brian,

A few hours of sleep to think further about this: you ask for case studies. I would have to believe, and am certain of at least one, that the SANS Institute is going to be able to provide this for you off of their site. We have a subscription and I can't say at the moment if this is pay or free (suspect pay; it usually is when you really need it...), but I just can't imagine what would possess someone to believe that what they are proposing is even remotely acceptable in any environment in today's computing world.

Rick Kingslan
MCSE, MCSA, MCT

From: [EMAIL PROTECTED] On Behalf Of Rogers, Brian

Have the exact same situation here. We currently have a separate NT domain (for a security boundary) for our INET machines. These machines exist on a DMZ... and run public internet sites that connect to a SQL backend inside our network. An ISA server provides the firewall and proxy services.

I'm currently having a fight with the operations staff on design. They want to do the Empty Root/two subdomain model (because they read a lot of useless MOC courseware books). I can personally see very little benefit to consolidating these two separate domains into one forest. They see no logic in having a separate forest/separate domain for the Internet systems.

Nothing short of a case study will sway them, I believe... any decent documents comparing the two? Or frankly... any documents that recommend a separate forest for your internet systems as a security boundary?

-----Original Message-----

I have a question... (assuming that the servers in the DMZ are already away from the in-house domain) If, before the upgrade, none of the servers needed AD or access to your in-house domain, why would you want them to have it after the upgrade? :) Just thinking semi-logically...

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union

-----Original Message-----

It would help if you determined what was going to be public access (via DMZ or otherwise) and determined the needs of the applications there. The other option we've been talking about is AD Application Mode (ADAM) from Microsoft.