Its quite possible to use AD on bastion and DMZ hosts. It
just shouldn't be the same forest as your production internal systems.
It strikes me that using the Federated Forests concepts in ADv2 (ie
Win2k3) you can deploy a bastion AD that trusts your internal forest using a one
way cross forest trust. There still is an inherent security risk there, but its
then hacking two forests instead of one.
I really, REALLY don't think this is worth it unless there
are sufficient numbers of systems for which a unified authentication domain
makes sense. For instance, if you ran a 50 server webfarm, it might make sense,
but for 2-3 boxes, local accounts tend to make more sense.
If what the bastion hosts need to access in AD is a set of
attributes (via LDAP), it makes more sense to turn up an instance of ADAM and
use MIIS to one way replicate data to it, at which point you're only exposing
exactly the data that's required.
Can
you describe the goal/business need that's trying to be addressed
here?
Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.
|
- RE: [ActiveDir] Active Directory and Bastion Hosts Roger Seielstad
- RE: [ActiveDir] Active Directory and Bastion Hosts Mulnick, Al
- RE: [ActiveDir] Active Directory and Bastion Hosts Roger Seielstad
- RE: [ActiveDir] Active Directory and Bastion Hosts Mulnick, Al
- RE: [ActiveDir] Active Directory and Bastion Hosts Drew Gainor
- RE: [ActiveDir] Active Directory and Bastion Hosts Rich Milburn
- RE: [ActiveDir] Active Directory and Bastion Hosts Mulnick, Al