RE: [ActiveDir] what to do with DMZ servers

[Rogers, Brian]

Title: Message

That's ok...Its what I thought you said.  I just wanted to make sure I was reading it correctly.   Thanks!   -----Original Message----- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Monday, July 14, 2003 1:17 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] what to do with DMZ servers   No - we have a completely separate forest for the Extranet.  Pardon for any confusion.   Rick Kingslan  MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian Sent: Monday, July 14, 2003 7:45 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] what to do with DMZ servers Sorry for the confusion....but just for clarification...you are saying that you use a single forest (empty root) for all your domains including your DMZ/Internet?   -----Original Message----- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Friday, July 11, 2003 6:33 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] what to do with DMZ servers   Brian,   We implemented an empty root design (we now have 6 other domains) but we planned this from the start knowing that our company will do acquisition and divestiture - leaving us in a position to easily move domains off of the structure.  Our forest is very stable, very healthy, and it works well for us.  Two additional domain controllers for the Root Domain - which left us with a solid base for the other child domains - was the total cost.  Reasonable from a management perspective, knowing that we will add and remove domains.   And, I do have a forest in our extranet.  Plus, we are looking into MIIS (or, MMS 3.0 for us who have been working with the product for more than a month....) to assist with SSO and to manage accounts in a push manner to our extranet forest.  In addition, ADAM is beginning to play a part as some of the Applications that we use can use an LDAP service for Authentication / Authorization.   Bottomline - it's all a matter of choice.  You can make all kinds of decisions, but the best thing to do is not make one.  I've seen more projects die because of analysis paralysis than any other single cause.  Many times implementing a not perfectly 'optimal' implementation (but very workable and viable) is better than waiting until you have the best solution, only to find that the window was missed or confidence is in question. Rick Kingslan  MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian Sent: Friday, July 11, 2003 3:32 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] what to do with DMZ servers I got used to being shocked and surprised at what happens here long ago J   All I can do is try to make it better any way I can.  Sadly without some serious firepower with an MS stamp of approval on it...it's an uphill battle.   I can find a bazillion docs however that suggest people migrate their NT domains using the Empty root strategy...makes one wonder at times.   -----Original Message----- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Friday, July 11, 2003 9:10 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] what to do with DMZ servers   Brian,   A few hours of sleep to think further about this - you ask for case studies.  I would have to believe, and am certain of at least one - that SANS Institute is going to be able to provide this for you off of their site.  We have a subscription and I can't say at the moment if this is pay or free (suspect pay - it usually is when you really need it...) but I just can't imagine what would posses someone to believe that what they are proposing is even remotely acceptable in any environment in today's computing world.   Rick Kingslan  MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian Sent: Thursday, July 10, 2003 11:55 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] what to do with DMZ servers Have the exact same situation here.   We currently have a separate NT domain (for a security boundary) for our INET machines.  These machines exist on a DMZ...and run public internet sites that connect to a SQL backend inside our network.  An ISA server provides the firewall and proxy services.   Im currently having a fight with the operations staff on design.  They want to do the Empty Root/two subdomain model (because they read a lot of useless MOC Courseware books).    I can personally see very little benefit to consolidating these two separate domains into one forest.  They see no logic in having a separate forest/separate domain for the Internet systems.   Nothing short of a case study will sway them I believe....any decent documents comparing the two?  Or frankly..any documents that recommend a separate forest for your internet systems as a security boundary?   -----Original Message----- From: Raymond McClinnis [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 11:29 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] what to do with DMZ servers   I have a question... (Assuming that the Servers in the DMZ are already away from the in-house domain)   If before the upgrade none of the servers needed AD or access to your in-house domain, why would you want them to have it after the upgrade?    J Just thinking semi-logically...     Thanks,   Raymond McClinnis Network Administrator Provident Credit Union   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Thursday, July 10, 2003 7:19 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] what to do with DMZ servers   It would help if you determined what was going to be public access (via DMZ or otherwise) and determine the needs of the applications there.   The other option we've been talking about is AD Application Mode (ADAM) from Microsoft.     -------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -----Original Message----- From: Pelle, Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 8:59 AM To: ActiveDir ([EMAIL PROTECTED]) Subject: [ActiveDir] what to do with DMZ servers Please help:   My company is currently migrating from an NT domain structure to AD...  I have some questions regarding how some of you went about hooking in your DMZ web servers to AD securely...  What DID YOU DO?!!!!!!  What are the recommended best practices?   The options we have discussed so far are: Option1:  Join DMZ servers to AD domain, open a half dozen ports on each server (Kerberos, LDAP, NetBios, etc) and lose the purpose of having a DMZ altogether. Option2:  Create a separate forest for the DMZ servers and create a one-way trust between our two forests.  Option3:  Stand alone DMZ servers not joined to any domain. All other options: ??????????????????????????????   Your suggestions are greatly appreciated!   Is there even a need to hook DMZ into AD?  I've heard MS talk about needing AD for apps like Sharepoint Portal...     Joe Pelle Systems Analyst Information Technology Valassis / Targeted Print & Media Solutions 35955 Schoolcraft Rd.   Livonia, MI  48150 Tel 734.632.3753      Fax 734.632.6240 [EMAIL PROTECTED] http://www.valassis.com/   This message may have included proprietary or protected information.  This message and the information contained herein are not to be further communicated without my express written consent.