RE: [ActiveDir] what to do with DMZ servers

[Rick Kingslan]

Honestly, no.  The risk, IMHO, is just too great.  Extranets with a separate forest with some (read: controlled) synched or replicated data between the forests (internal, DMZ) - or as someone mentioned already, ADAM strikes me as a much better and safer option.   Rick Kingslan  MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian Sent: Thursday, July 10, 2003 11:57 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] what to do with DMZ servers On this note...can anyone think of any possible reason to have public internet servers on a DMZ in the same forest as your internal AD environment?   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 11:14 AM To: ActiveDir Subject: Re: [ActiveDir] what to do with DMZ servers   Not having them in the domain is the most secure option.  If you cannot do that, then recognize that you are increasing potential surface area for hacks. With a separate forest in option 2 you will still need to open several ports to allow the trust.  Search technet for firewall and trust.  With option 1 look at microsoft's example in the Internet Data Center Reference, a document on MSDN, I believe.  Personallu I feel their recommendations are insecure.  You can open the ports, but you need to handle RPC traffic which is problematic.  You can limit the rpc srvices for AD and FRS to use a single port each via registry entries.  Or you can set up IPSEC tunnels between dc's via gpo's, but if the machine is compromised that opens a highway to a machine on your internal network. RPC proxy is a technology that could possibly help but I haven't seen an implementation yet. -------------------------- Sent from my BlackBerry Wireless Handheld   ----- Original Message -----   From: ActiveDir-owner   Sent: 07/10/2003 08:58 AM   To: "ActiveDir ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>   Subject: [ActiveDir] what to do with DMZ servers   Please help:   My company is currently migrating from an NT domain structure to AD...  I have some questions regarding how some of you went about hooking in your DMZ web servers to AD securely...  What DID YOU DO?!!!!!!  What are the recommended best practices?   The options we have discussed so far are: Option1:  Join DMZ servers to AD domain, open a half dozen ports on each server (Kerberos, LDAP, NetBios, etc) and lose the purpose of having a DMZ altogether. Option2:  Create a separate forest for the DMZ servers and create a one-way trust between our two forests.  Option3:  Stand alone DMZ servers not joined to any domain. All other options: ??????????????????????????????   Your suggestions are greatly appreciated!   Is there even a need to hook DMZ into AD?  I've heard MS talk about needing AD for apps like Sharepoint Portal...     Joe Pelle Systems Analyst Information Technology Valassis / Targeted Print & Media Solutions 35955 Schoolcraft Rd.   Livonia, MI  48150 Tel 734.632.3753      Fax 734.632.6240 [EMAIL PROTECTED] http://www.valassis.com/   This message may have included proprietary or protected information.  This message and the information contained herein are not to be further communicated without my express written consent.