- AD in DMZ
- Posted by Lee on February 23rd, 2004
Hi,
I would like some advice on the best and most secure way of setting up the
following:
Corporate LAN is a Win2003 forest.
DMZ hosts e-commerce web servers (currently in a workgroup) and SQL servers
containing user accounts used to log in to the e-commerce sites.
I would like to have AD in the DMZ so users on the LAN can administer the
customer user accounts.
Should I:
a. Have a separate forest in the DMZ
b. Have a separate domain in the same forest
c. Make the DMZ servers members of the corporate forest and just lock down the
communication from the DMZ servers to the DCs with firewall settings, then
create an OU for external customer user accounts
Any other ideas, comments appreciated.
TIA
LM
- Posted by Chriss3 on February 23rd, 2004
Hi Lee.
My advice here is to use alternative B, or make a child domain like
DMZ.company.local. A separate domain in the same forest is not a good option
if you are running Exchange or planning to do so. For security, you can
make a server VLAN, a LAN VLAN and a DMZ VLAN, and use IPsec.
Active Directory Collection (provides a bit of information, not much):
http://www.microsoft.com/technet/tre...tr_ad_over.asp
--
Regards,
Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
- Posted by Hunter Coleman on February 23rd, 2004
Lee-
The most secure option will be to have separate LAN (internal) and DMZ (external)
forests. If you want to allow LAN accounts to manage resources in the DMZ,
you can still set up separate forests but put in a one-way, non-transitive
trust so that the DMZ domain trusts the LAN domain(s) that house the
internal accounts.
--
Hunter
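As an added illustration (not from the thread), a PowerShell audit run on a domain controller in the DMZ forest that flags any trust deviating from the one-way, non-transitive "DMZ trusts LAN" design Hunter describes. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later); the LAN domain name is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory PowerShell module
# (Windows Server 2008 R2 or later) and that it is run on a DC in the DMZ forest.
Import-Module ActiveDirectory

# Placeholder: the LAN domain the DMZ domain is supposed to trust (one way only).
$ExpectedLanDomain = 'corp.example.local'

$findings = foreach ($t in Get-ADTrust -Filter *) {
    $issues = @()

    # Seen from the DMZ side, "Outbound" means this domain trusts the target:
    # LAN accounts can be granted access to DMZ resources, not the other way round.
    if ($t.Direction -ne 'Outbound') {
        $issues += "direction is $($t.Direction); expected Outbound (DMZ trusts LAN only)"
    }

    # A forest-transitive trust would extend trust to every domain in the LAN
    # forest and to anything that forest trusts; the design calls for non-transitive.
    if ($t.ForestTransitive) {
        $issues += 'trust is forest-transitive; expected non-transitive'
    }

    # Extra check beyond the thread: selective authentication restricts LAN accounts
    # to the DMZ computers they are explicitly granted "Allowed to Authenticate" on.
    if (-not $t.SelectiveAuthentication) {
        $issues += 'selective authentication is off; any LAN account may authenticate to any DMZ host'
    }

    # Any trust with an unexpected partner domain is a finding in itself.
    if ($t.Target -ne $ExpectedLanDomain) {
        $issues += "unexpected trust partner $($t.Target)"
    }

    [pscustomobject]@{
        Partner   = $t.Target
        Direction = $t.Direction
        Issues    = if ($issues) { $issues -join '; ' } else { 'OK' }
    }
}

$findings | Format-Table -AutoSize
```

A trust whose Issues column reads anything but OK is worth reviewing against the intended design before LAN administrators are delegated rights over the customer-account OU.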