First of all, many will disagree with me here, but I don't think you should buy into the idea of your Microsoft firewalls being a part of your domain structure, even if you have only a one way trust. There shouldn't be ANY trusting or association between the machines in your DMZ (especially your firewall) other than the absolutely necessary communication needed for business or administration. i.e., a webserver talking to ODBC or something of that nature.
In general, you should have completely isolated security devices unless you are doing some sort of load balancing with your firewalls a la Checkpoint or something. Joining your firewalls into domains and having trust relationships is cute, but it really isn't necessary and is sure to be a security problem either now or in the future. Don't buy into it.

As for your DNS problem, I suggest you go with a full-fledged DMZ - a third intermediate network - and put your external DNS machine in it. Bind is the choice I would go with if I were you, but MS DNS is ok if you can secure it properly. So, you would have something like this:

    Internet
       |
       |
    External ISA Firewall
       |
       |
    DMZ: This is where you put all your public servers, to include your
         DNS, Web, and Mail servers. Note: Your private internal DNS
         information is NOT on this machine.
       |
       |
    Internal ISA Firewall
       |
       |
    Internal LAN

I also recommend looking into another solution for your internal firewall (and perhaps your external as well down the line), and cost is only one reason. I think that some of the Linux solutions are as good if not better than ISA's offerings in the areas of security and (definitely) reliability/stability.

So, in closing, keep your firewalls as separate as possible from your networks. Having them able to be administered via AD just isn't worth the potential threats associated with joining them in any way with your network. It's just bad mojo. I know that sounds unprofessional, but really - keep your firewalls separate from things; it just makes sense. In an ideal world we would not be able to remotely administer our firewalls at all and we would have to walk up to it to do anything.

Your DNS problem is solved by separating your external and internal DNS with two machines and using a true DMZ for all your public servers.
There is an option in Bind 9 to use one box for both your internal and external DNS zones, but with the cost of the Bind software (free) and the machine needed to run it (a few hundred, if that) you can most likely easily afford to have two separate machines. Sorry to ramble. --danielrm26
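Below is an added example of the two-machine split DNS layout described in the post above. It is not part of the original post; the zone name example.com, the hostnames, and the address ranges (192.0.2.0/24 standing in for the DMZ, 10.1.0.0/16 for the internal LAN) are hypothetical placeholders. The DMZ box is authoritative only, never recurses, and carries no private records; the internal box holds the private names and answers only the LAN.

```conf
// Added example, not from the original post. All names and addresses are placeholders.

// ===== DMZ DNS box: /etc/named.conf (Internet-facing, authoritative only) =====
options {
    directory      "/var/named";
    listen-on      { 192.0.2.53; };   // bind to the DMZ interface only
    recursion      no;                // this box is not a resolver for anyone
    allow-query    { any; };          // the public zone is meant to be public
    allow-transfer { 192.0.2.54; };   // only the DMZ secondary may pull the zone
    version        "not disclosed";   // do not advertise the BIND version string
};

zone "example.com" IN {
    type master;
    file "db.example.com.external";
};

; ===== DMZ DNS box: /var/named/db.example.com.external (public records ONLY) =====
$TTL 1d
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2024010101   ; serial
                1h 15m 1w 1h )
        IN  NS  ns1.example.com.
        IN  MX  10 mail.example.com.
ns1     IN  A   192.0.2.53
www     IN  A   192.0.2.80
mail    IN  A   192.0.2.25
; No dc1, fileserver or 10.1.x.x records here: the internal namespace stays inside.

// ===== Internal DNS box: /etc/named.conf (inside the LAN, recursive for LAN only) =====
options {
    directory       "/var/named";
    listen-on       { 10.1.0.53; };
    recursion       yes;
    allow-query     { 10.1.0.0/16; localhost; };  // refuse anything not from the LAN
    allow-recursion { 10.1.0.0/16; localhost; };
    allow-transfer  { none; };
};

zone "example.com" IN {
    type master;
    file "db.example.com.internal";
};

; ===== Internal DNS box: /var/named/db.example.com.internal (private + public names) =====
$TTL 1d
@          IN  SOA ns-int.example.com. hostmaster.example.com. (
                   2024010101 1h 15m 1w 1h )
           IN  NS  ns-int.example.com.
ns-int     IN  A   10.1.0.53
dc1        IN  A   10.1.0.10     ; domain controller, private
fileserver IN  A   10.1.0.20     ; private
www        IN  A   192.0.2.80    ; public hosts repeated so LAN clients can reach them
mail       IN  A   192.0.2.25
```

The check worth running from the outside once this is in place is `dig @192.0.2.53 dc1.example.com` (with your real addresses): it should return NXDOMAIN, and `dig @192.0.2.53 www.google.com` should be refused rather than answered, confirming the DMZ box neither leaks internal names nor acts as an open resolver.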
