No - we have a completely separate forest for the Extranet. Pardon for any confusion.

Rick Kingslan
MCSE, MCSA, MCT

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rogers, Brian
Sent: Monday, July 14, 2003 7:45 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers

Sorry for the confusion....but just for clarification...you are saying that you use a single forest (empty root) for all your domains including your DMZ/Internet?

-----Original Message-----

Brian,

We implemented an empty root design (we now have 6 other domains), but we planned this from the start knowing that our company will do acquisition and divestiture - leaving us in a position to easily move domains off of the structure. Our forest is very stable, very healthy, and it works well for us. Two additional domain controllers for the Root Domain - which left us with a solid base for the other child domains - was the total cost. Reasonable from a management perspective, knowing that we will add and remove domains.

And, I do have a forest in our extranet. Plus, we are looking into MIIS (or, MMS 3.0 for us who have been working with the product for more than a month....) to assist with SSO and to manage accounts in a push manner to our extranet forest. In addition, ADAM is beginning to play a part as some of the applications that we use can use an LDAP service for Authentication / Authorization.

Bottom line - it's all a matter of choice. You can make all kinds of decisions, but the best thing to do is not make one. I've seen more projects die because of analysis paralysis than any other single cause. Many times implementing a not perfectly 'optimal' implementation (but very workable and viable) is better than waiting until you have the best solution, only to find that the window was missed or confidence is in question.

Rick Kingslan
MCSE, MCSA, MCT

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rogers, Brian

I got used to being shocked and surprised at what happens here long ago :) All I can do is try to make it better any way I can. Sadly, without some serious firepower with an MS stamp of approval on it...it's an uphill battle.

I can find a bazillion docs, however, that suggest people migrate their NT domains using the Empty Root strategy...makes one wonder at times.

-----Original Message-----

Brian,

A few hours of sleep to think further about this - you ask for case studies. I would have to believe, and am certain of at least one - that SANS Institute is going to be able to provide this for you off of their site. We have a subscription and I can't say at the moment if this is pay or free (suspect pay - it usually is when you really need it...), but I just can't imagine what would possess someone to believe that what they are proposing is even remotely acceptable in any environment in today's computing world.

Rick Kingslan
MCSE, MCSA, MCT

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rogers, Brian

Have the exact same situation here.

We currently have a separate NT domain (for a security boundary) for our INET machines. These machines exist on a DMZ...and run public internet sites that connect to a SQL backend inside our network. An ISA server provides the firewall and proxy services.

I'm currently having a fight with the operations staff on design. They want to do the Empty Root/two subdomain model (because they read a lot of useless MOC Courseware books).

I can personally see very little benefit to consolidating these two separate domains into one forest. They see no logic in having a separate forest/separate domain for the Internet systems.

Nothing short of a case study will sway them, I believe....any decent documents comparing the two? Or frankly..any documents that recommend a separate forest for your internet systems as a security boundary?

-----Original Message-----

I have a question... (Assuming that the Servers in the DMZ are already away from the in-house domain)

If before the upgrade none of the servers needed AD or access to your in-house domain, why would you want them to have it after the upgrade? :)

Just thinking semi-logically...

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union

-----Original Message-----

It would help if you determined what was going to be public access (via DMZ or otherwise) and determine the needs of the applications there.

The other option we've been talking about is AD Application Mode (ADAM) from Microsoft.