Active Directory design recommendation
Posted by Chriss3 on March 3rd, 2004


Hi, I'm about to deploy a child domain for my extranet as well as external IIS
Servers and an ISA Server in firewall mode to keep these resources separate from
the corporate domain.

Is this a good practice for security, as well as for delegation of administration?

Any comments are welcome; also, please post a recommendation of what I should name
the child domain.

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup


Posted by Dave Shaw [MVP] on March 3rd, 2004


No.

Keep external or DMZ assets in a separate forest. Don't even be tempted to
configure an inter-forest trust between them. Think isolation.

-ds




Posted by Richard Mueller [MVP] on March 3rd, 2004



Hi,

This best practices document has good information for designing AD:

http://www.microsoft.com/technet/pro.../bpaddsgn.mspx

I gather the reasons to have more than one domain are:

1. Security requirements are different (password, lockout, and Kerberos
policies must be applied at the domain level).
2. To control/limit replication (but note the recommendations for number of
objects in a domain with slow links - if the slowest link is 56 kbps, the
domain should have no more than 100,000 users).
3. Because you inherit a multiple domain setup.

You can delegate administration to OU's. Domains are security boundaries in
AD, but I don't believe they provide any firewall functionality.

In my opinion, more than one domain is to be avoided. It makes logging in or
accessing resources in the other domain difficult. OU's and sites can be
used for administration, applying policy, and controlling replication.

However, another document I have not studied yet may apply:

http://www.microsoft.com/technet/pro...1/adsecp1.mspx

and

http://www.microsoft.com/technet/pro...2/adsecp2.mspx

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--



Posted by Chriss3 on March 3rd, 2004


Thanks Richard, the links are much appreciated.
--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup



