- 2003 Domain / Child Domain
- Posted by Steve Holland on March 15th, 2006
Hi all,
We have a Windows 2000 domain for our internal servers (6 servers / 30
workstations) which is hosted on an IP subnet A. On a DMZ (subnet B) we have
approx. 30 servers (web / database) which are cobbled together in various
windows workgroups. This setup has evolved rather than been planned this
way! In an effort to bring some order to this chaos, I'm hoping to move to
a Windows 2003 setup. I propose to upgrade (well, start again actually) the
internal domain to a new Windows 2003 domain, and then add a second Child
domain which will look after the hosting environment. Trust would be one
way, internal can use/administer hosting, but not the other way around. The
IP subnets already work this way (done on firewall). Does this sound like a
good idea? Any help, suggestions would be gratefully received. I'm quite
prepared to take it on the chin if this is a stupid idea!! As you've
probably guessed I've not done this before!!
The primary reasons for doing this are to greatly improve on security and to
make administration easier (more centralised).
Cheers Steve
- Posted by Doug Sherman [MVP] on March 15th, 2006
Normally, you would not want DMZ computers joined to your internal domain or
configured as a child domain precisely because of the trust and security
issues. If a domain is created for DMZ computers, it is typically a
separate forest; there is no automatic trust. If you wanted to, you could
create a one way trust. However, if you can achieve essentially the same
result with a firewall device, then I guess it doesn't matter. Remember
that with a child domain there will necessarily be a flow of replication
traffic, and you will have to allow for it.
Doug Sherman
MCSE, MCSA, MCP+I, MVP
"Steve Holland" <holland_s@hotmail.com> wrote in message
news:#yh4x5CSGHA.1844@TK2MSFTNGP12.phx.gbl...
- Posted by Steve Holland on March 15th, 2006
Hi Doug,
Thanks for the quick reply. Could you expand a little on the separate
forest? How would this benefit (security/admin) over having a child domain?
I really would like to get this right, so if this is a better way to go then
I'm all ears!!
I'll expand a little on what I'd like to improve. Currently when files on a
webserver need updating a developer will simply log on to the admin share
using the local administrator username and password. Which is very bad I
know. Likewise with admin of IIS they would logon using local Admin
password. This is what I want to get rid of, but what I don't want to do is
make their lives any more difficult, as I won't get the backing of my
bosses. I thought using the child domain scenario, I would be able to allow
each developer's account to belong to various groups allowing them access to
only what they need. Having said that I suppose having shares on a public
facing website is also very bad practice, should we be using FTP or
something else like that?? Are there any decent guides for how a hosting
environment should be set up on Windows 2003?
Thanks again
Steve
"Doug Sherman [MVP]" <dsherman@notampabayspamforme.rr.com> wrote in message
news:u652DTDSGHA.5156@TK2MSFTNGP10.phx.gbl...
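What Steve describes above (developers logging on to the admin share with the local Administrator password) is usually replaced by a domain group that carries only the rights the developers need on the content folder. The script below is an added example, not code from this thread or from anyone posting in it. It assumes a hosting domain named hosting.example.com (NetBIOS name HOSTING), DCs that expose the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later), a web server recent enough for New-SmbShare (Windows Server 2012 or later), and a content path of D:\inetpub\wwwroot; the group, OU and account names are made up for the example.

```powershell
# Added example, not code from the thread. It replaces the shared local
# Administrator password with one domain group that carries only the rights
# developers need on the web content folder.
# Assumptions (all made up for this example): the hosting domain is
# hosting.example.com with NetBIOS name HOSTING, its DCs expose the
# ActiveDirectory module (Windows Server 2008 R2 or later), the web server
# runs Windows Server 2012 or later (for New-SmbShare), and the content
# lives under D:\inetpub\wwwroot. Run it on the web server with RSAT installed.

Import-Module ActiveDirectory

$Domain      = 'HOSTING'                      # assumed NetBIOS name of the hosting domain
$GroupName   = 'WebContent-Editors'           # assumed group name
$GroupOU     = 'OU=Hosting Groups,DC=hosting,DC=example,DC=com'   # assumed OU
$ContentPath = 'D:\inetpub\wwwroot'           # assumed web content path
$Developers  = @('alice', 'bob')              # assumed developer sAMAccountNames

# 1. One domain-local security group, so access is managed in one place
#    and removing a developer means removing one group membership.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $GroupOU -Description 'Modify rights on web content only; no local admin'
}
Add-ADGroupMember -Identity $GroupName -Members $Developers

# 2. NTFS: grant Modify (not Full Control) on the content folder, inherited
#    by files and subfolders. Developers can update content but cannot
#    change permissions or take ownership.
$acl  = Get-Acl -Path $ContentPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\$GroupName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $ContentPath -AclObject $acl

# 3. Share: expose only the content folder under its own share name, with
#    Change (not Full) share permission for the group, instead of the hidden
#    administrative share D$ that can only be opened by an administrator.
if (-not (Get-SmbShare -Name 'wwwroot' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'wwwroot' -Path $ContentPath -ChangeAccess "$Domain\$GroupName" `
        -Description 'Web content; developers use their own domain accounts'
}

# 4. Check: the folder ACL should now carry the group, and the local
#    Administrators group should contain no developer accounts.
(Get-Acl -Path $ContentPath).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
net localgroup Administrators
```

Each developer then connects to \\webserver\wwwroot with their own domain account, so the local Administrator password no longer circulates and every change is attributable to a named account in the security log. The same group can be given the IIS rights it needs separately; it does not need to be a member of Administrators for content updates.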
- Posted by Tariq Azad on March 15th, 2006
Steve-
Here are few pointers to note:
Child and parent domains in one forest always have a two-way trust relationship, and you cannot break or disable this default two-way trust relationship between parent and child domains. Doug has suggested you the right approach. You should have a different forest, and this will allow you more security control as compared to having a separate child domain.
Having a separate forest seems like a lot of administration and effort, but in your case, it won't be that difficult, because your environment is not that complicated. It may require end users one or two days of training, but in the end, it is worthwhile.
Tariq Azad
"Steve Holland" <holland_s@hotmail.com> wrote in message news:O5SX3vDSGHA.1160@TK2MSFTNGP09.phx.gbl...
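Tariq's point above is that a parent/child trust is always two-way and cannot be removed, whereas a trust between two forests can be created one way only. Once the hosting forest exists, the following script checks from a hosting-forest DC that the trust layout really is the one-way design Steve wants (internal accounts can be granted access to hosting, hosting accounts can never be granted access to internal). It is an added example, not code from the thread; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later, PowerShell 3.0 or later) and an internal domain name of corp.example.com, which is made up.

```powershell
# Added example, not code from the thread. It audits the trusts as seen from
# a DC of the hosting (DMZ) forest and reports anything that contradicts the
# design "internal can reach hosting, hosting cannot reach internal".
# Assumptions: run on a hosting-forest DC with the ActiveDirectory module
# (Windows Server 2008 R2 or later, PowerShell 3.0 or later); the internal
# domain name below is made up.

Import-Module ActiveDirectory

$InternalDomain = 'corp.example.com'   # assumed DNS name of the internal (trusted) domain

function Test-HostingTrusts {
    param([string]$TrustedDomain = $InternalDomain)

    $findings = @()
    foreach ($t in Get-ADTrust -Filter *) {
        $name = $t.Target

        # Parent/child trusts inside one forest are always two-way and cannot be
        # removed, which is why a child domain gives the DMZ no isolation at all.
        if ($t.IntraForest) {
            $findings += "[$name] intra-forest trust: two-way, transitive, not removable"
            continue
        }

        # Seen from hosting, Outbound means "hosting trusts $name", so its
        # accounts can be granted access here. Inbound or BiDirectional means
        # hosting accounts could be granted access over there, which the design forbids.
        if ($t.Direction -ne 'Outbound') {
            $findings += "[$name] direction is $($t.Direction); expected Outbound only"
        }

        # Only the internal domain should be trusted at all.
        if ($name -ne $TrustedDomain) {
            $findings += "[$name] unexpected trust; only $TrustedDomain is expected"
        }

        # Selective authentication: internal users reach only those hosting
        # servers where 'Allowed to Authenticate' was granted explicitly,
        # instead of every server via Authenticated Users.
        if (-not $t.SelectiveAuthentication) {
            $findings += "[$name] selective authentication is off; every hosting server accepts this domain's users"
        }

        # On an external (non-forest) trust, SID filtering should stay on so the
        # trusted side cannot present SIDs the hosting domain did not issue.
        if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $findings += "[$name] SID filtering (quarantine) is disabled on this external trust"
        }
    }
    return $findings
}

$result = @(Test-HostingTrusts)
if ($result.Count -eq 0) {
    Write-Output 'Trust layout matches the one-way design.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Running it on an internal-forest DC instead should show the mirror image: a single Inbound trust from the hosting domain and nothing else. The firewall rules between subnet A and subnet B still matter, because the trust only governs authentication, not which ports the DMZ servers can reach.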
- Posted by Steve Holland on March 16th, 2006
Thanks Tariq,
Looks like both you and Doug agree, so I guess I need to go away and do some more research on the subject. I really appreciate your time (and Doug's), as you've both probably saved me a lot of time in the long run!! Is it a sensible thing to do to allow a one-way trust from internal to hosting? Or should I forget about this altogether?
Cheers
Steve
"Tariq Azad" <tariq_bin_azad@hotmail.com> wrote in message news:-uedneuWGqomo4XZRVn-pQ@giganews.com...