Re: [ActiveDir] Separate AD forest in a DMZ

2006-02-15 Thread FDiskThePC
For simplicity's sake, let's just say that I need to use
my production AD account to access a Windows file
share in the DMZ.  Thanks.

-FDiskThePC

--- Al Mulnick [EMAIL PROTECTED] wrote:

 What kind of resources specifically?  Web based
 only?  Or other? If other,
 what kinds?
 
 Trusts might be the least of your concerns depending
 on traffic types.
 
 Also, what are the security requirements? Is this
 something that has to be
 monitored via IDS systems?  What other security
 requirements?
 
 I understand if you can't answer some of this in a
 public forum.  You're
 welcome to drop a note directly or not answer at
 all. But these types of
 answers are critical to making any suggestions as
 they frame up the
 boundaries.
 
 Al
 
 
 
 
 On 2/13/06, FDiskThePC [EMAIL PROTECTED] wrote:
 
  Good point.  The requirements are that the DMZ forest
  needs to have a one way trust to the production forest
  so that user accounts in the production forest can
  access DMZ resources.
 
  --- Al Mulnick [EMAIL PROTECTED] wrote:
 
   It's not clear what the requirements are nor what
   you expect to break.  You
   aren't thinking of putting a MSCS across a firewall
   anyway, now are you?
   Better yet, if so, which type of cluster?
  
  
 
 

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Separate AD forest in a DMZ

2006-02-15 Thread Al Mulnick
I agree with Guido, then. Several protocols tend to not like NAT, but 2003 has some new possibilities that you can work with. Name resolution is also tricky but can be done. Time sync is another one that can sometimes be a pain. 


Al



[ActiveDir] Separate AD forest in a DMZ

2006-02-13 Thread FDiskThePC
Hey Guys,

I need to set up a separate AD forest in our DMZ to
accommodate the need for a domain (SQL log shipping,
Windows clustering, etc).  The issue is that we're
using NAT and a Cisco PIX between our production
network and the DMZ network.  So even though our
production network is 172.16.x.x, for example, the DMZ
sees these resources as 10.10.x.x.

From everything I've read, NAT breaks a lot of things,
but unfortunately we must use NAT.  Anyone have any
real world experience with this?  Any suggestions
would be appreciated.

-FDiskThePC



Re: [ActiveDir] Separate AD forest in a DMZ

2006-02-13 Thread Al Mulnick
It's not clear what the requirements are nor what you expect to break. You aren't thinking of putting a MSCS across a firewall anyway, now are you? Better yet, if so, which type of cluster? 




Re: [ActiveDir] Separate AD forest in a DMZ

2006-02-13 Thread FDiskThePC
Good point.  The requirements are that the DMZ forest
needs to have a one way trust to the production forest
so that user accounts in the production forest can
access DMZ resources.

--- Al Mulnick [EMAIL PROTECTED] wrote:

 It's not clear what the requirements are nor what
 you expect to break.  You
 aren't thinking of putting a MSCS across a firewall
 anyway, now are  you?
 Better yet, if so, which type of cluster?
 
 




RE: [ActiveDir] Separate AD forest in a DMZ

2006-02-13 Thread Grillenmeier, Guido
Replication between DCs won't work across a NAT, but authentication
does. You might have to add some static entries to your DNS on either
side of the FW, but should get it to work.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of FDiskThePC
Sent: Monday, 13 February 2006 21:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Separate AD forest in a DMZ

Good point.  The requirements are that the DMZ forest
needs to have a one way trust to the production forest
so that user accounts in the production forest can
access DMZ resources.

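Guido's point is that the trust itself can work across the NAT as long as each side resolves the other forest's DCs to the translated addresses and the PIX passes the authentication ports. The following pre-flight check is an added example, not code from the thread; it is meant to run on a DMZ-side host and assumes a placeholder production forest name (corp.example) and that the DMZ must see production DCs as 10.10.x.x, as in the original post.

```powershell
# Added example (not from the thread): verify that the DMZ side can locate the
# production forest's DCs via DNS, that they resolve to NAT'd addresses, and
# that the PIX passes the ports a one-way trust and user authentication need.
# Assumptions: forest name 'corp.example' is a placeholder; '10.10.' is the
# translated range the DMZ is expected to see (from the original post).
param(
    [string]$TrustedForest  = 'corp.example',
    [string]$ExpectedPrefix = '10.10.',
    # DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, Global Catalog.
    # RPC dynamic ports and UDP are not covered by this TCP-only probe.
    [int[]]$Ports = @(53, 88, 135, 389, 445, 464, 3268)
)

# 1. Locate DCs the way a trusting DC does: via the _msdcs SRV records.
#    If these are missing, they are the "static DNS entries" Guido mentions.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedForest" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No DC locator SRV records for $TrustedForest on this side of the FW; add a conditional forwarder or static SRV/A records"
    return
}

foreach ($rec in $srv) {
    $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) {
        Write-Warning "$($rec.NameTarget) has no A record visible from the DMZ"
        continue
    }
    foreach ($addr in $a.IPAddress) {
        # 2. The address returned to the DMZ must be the NAT'd one; a 172.16.x.x
        #    answer means Kerberos/LDAP will be sent to an unreachable host.
        if (-not $addr.StartsWith($ExpectedPrefix)) {
            Write-Warning "$($rec.NameTarget) resolves to $addr (pre-NAT address); fix DNS on the DMZ side"
            continue
        }
        # 3. Confirm the firewall actually passes the authentication ports.
        foreach ($p in $Ports) {
            $ok = (Test-NetConnection -ComputerName $addr -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
            '{0,-40} {1,-15} {2,5} {3}' -f $rec.NameTarget, $addr, $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
        }
    }
}
```

Any "BLOCKED" row or pre-NAT address in the output identifies which side (DNS or firewall) still needs attention before the trust is created.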


Re: [ActiveDir] Separate AD forest in a DMZ

2006-02-13 Thread Al Mulnick
What kind of resources specifically? Web based only? Or other? If other, what kinds? 

Trusts might be the least of your concerns depending on traffic types. 

Also, what are the security requirements? Is this something that has to be monitored via IDS systems? What other security requirements? 

I understand if you can't answer some of this in a public forum. You're welcome to drop a note directly or not answer at all. But these types of answers are critical to making any suggestions as they frame up the boundaries. 


Al

