Separate forest, no trust. The forest because you can't have a domain out there without one, and you probably want them in one so you can use domain accounts for services, etc., that need to chat across the servers, unless they are smart applications that use some form of connection agreement (a la WINS, etc.).
 
No trust because it is a security risk; you shouldn't expose anything from the internal systems to the external machines in the event that they get compromised. It shouldn't be that difficult to admin that separate forest if your ops guys know what they are doing. Trouble is, most ops guys don't seem to know what they are doing. If they say it is impossible, I am working daily on two forests with no trusts from a laptop that isn't in any domain. The secret is runas, command-line tools, and understanding how security works.
 
The only piece that sucks complete ass is Exchange (surprise), because the toolset completely blows. I did, however, find out the DLL to unregister to unscrew ADUC when your machine isn't part of a domain and you go to use it and you have the stupid E2K tools loaded. With Exchange I either do the work from the laptop through a script or, unfortunately, TS into a machine that is part of the domain in question.
 
  joe
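The "runas plus command-line tools" approach joe describes, written out as an added example (this is not joe's code and not from the original thread). The forest name dmz.example, the DC dc01.dmz.example and the account DMZ\dmzadmin are assumed names for illustration; the directory tools shown are the Windows Server 2003 dsquery/dsmod family and nltest.

```powershell
# Added example (not joe's code): administering a separate, untrusted forest from a
# workstation that is not joined to any domain, using runas /netonly and the
# Windows Server 2003 command-line directory tools.
# Assumed names: DMZ forest dmz.example, its DC dc01.dmz.example, and an account
# DMZ\dmzadmin that exists only in that forest.

$DmzDc   = 'dc01.dmz.example'   # assumed DC; the laptop must reach it on LDAP (389) and SMB (445)
$DmzUser = 'DMZ\dmzadmin'       # assumed account from the DMZ forest, not the internal one

# /netonly keeps your local identity and swaps in the DMZ credentials for network
# connections only. No interactive logon to the DMZ forest is attempted, so this works
# with no trust in place and from a machine outside any domain. runas prompts for the
# password; it is never stored on the laptop.
runas.exe /netonly "/user:$DmzUser" "cmd.exe /k set DMZDC=$DmzDc"

# Commands to run inside that shell. A non-domain laptop has no domain to discover,
# so every tool is pointed at the DC explicitly (-s or /server:).
#
#   nltest /server:%DMZDC% /domain_trusts
#       check that the DMZ forest really has no trusts: expect no foreign domains listed
#   dsquery computer -s %DMZDC% -name *
#       enumerate the DMZ member servers
#   dsquery user -s %DMZDC% -name svc*
#       enumerate the service accounts used across the DMZ servers
#   dsmod user "CN=svc-web,OU=Services,DC=dmz,DC=example" -s %DMZDC% -disabled yes
#       disable a DMZ service account (assumed DN) without touching the internal forest
#   mmc dsa.msc
#       ADUC works too: right-click the root, "Connect to Domain Controller...", enter %DMZDC%
```

Two things to keep straight when using this: the shell's local identity is still your laptop account (files, registry and local processes are yours), only the network credentials are the DMZ forest's, and the DMZ admin account should share no password or SID history with any internal-forest account, since the whole point of the no-trust design is that a compromised DMZ forest yields nothing usable against the internal one.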
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Thursday, July 10, 2003 8:59 AM
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] what to do with DMZ servers

Please help:

My company is currently migrating from an NT domain structure to AD...  I have some questions regarding how some of you went about hooking in your DMZ web servers to AD securely...  What DID YOU DO?!!!!!!  What are the recommended best practices?

The options we have discussed so far are:

Option 1: Join DMZ servers to the AD domain, open a half dozen ports on each server (Kerberos, LDAP, NetBIOS, etc.) and lose the purpose of having a DMZ altogether.

Option 2: Create a separate forest for the DMZ servers and create a one-way trust between our two forests.

Option 3: Stand-alone DMZ servers not joined to any domain.

All other options: ??????????????????????????????

Your suggestions are greatly appreciated!

Is there even a need to hook DMZ into AD?  I've heard MS talk about needing AD for apps like Sharepoint Portal...

Joe Pelle
Systems Analyst
Information Technology
Valassis / Targeted Print & Media Solutions
35955 Schoolcraft Rd., Livonia, MI 48150
Tel 734.632.3753 / Fax 734.632.6240
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information.  This message and the information contained herein are not to be further communicated without my express written consent.
