I've been reading these papers, but most of them assume resource sharing &/or cross-domain authentications happening; the scenario I'm looking at (security boundaries/requirements being looked at separately) is simply having replication between the domains (and mail flow, but that's a separate discussion), with no requirements for authentication, FRS (hopefully), etc. What I'm looking at is to use SMTP site links, with the only communication between the sites being AD bridgehead-bridgehead (and E2K3 bridgehead-bridgehead).
Whether or not we'll have to go with separate forests will depend on how comfortable they are once they're clear on the security boundaries & the implications. It won't matter if a single forest is acceptable, though, if this sort of setup is not feasible in the real world.

Andy

> Hi Andy,
>
> Check out the following:
> * Active Directory in Networks Segmented by Firewalls -
> http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
> * Restricting Active Directory Replication Traffic to a Specific Port (MS-KBQ224196) -
> http://support.microsoft.com/default.aspx?scid=kb;en-us;224196
> * How to Restrict FRS Replication Traffic to a Specific Static Port (MS-KBQ319553) -
> http://support.microsoft.com/default.aspx?scid=kb;en-us;319553
> * Port Requirements for the Microsoft Windows Server System (MS-KBQ832017) -
> http://support.microsoft.com/default.aspx?scid=kb;en-us;832017
>
> The only experience I have with AD and firewalls is that a firewall is a real pain when performing AD Forest Disaster Recovery procedures (I have been setting up these procedures with a colleague for one of our customers, and that was presented recently at the DEC). With AD I sometimes think that a firewall in time turns into Swiss cheese.
>
> You can also use an IP site link and restrict directory replication to a specific port in the firewall, as mentioned in the articles above. According to your description below, that division does not trust you guys. If they don't trust you, it would be better if you use a separate forest, because a forest in AD is the ultimate security boundary. Within one forest each domain admin must trust each other! If not.. -> separate forests!
> If each domain has its own service admins to administer the DCs in the particular domain, then those service admins have the possibility to control each domain in the forest. That's why each admin MUST trust each other in one forest.
> Check the security requirements of that division (and yours of course) to see if a separate forest is needed for service and/or data isolation.
>
> Regards,
> Jorge
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, March 31, 2004 20:36
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Domains Separated by Firewall
>
> Hi:
>
> We are doing an AD/E2K3 migration, and we have a scenario that I haven't found covered in the archives:
>
> Our AD forest presently consists of an empty forest root, with a single child domain. We have a division, however, with significantly higher security requirements than the rest of the organization. Presently, they are running Exchange 5.5 as a site within our organization but with a separate NT domain with NO trust between our domains. They are separated from us by a firewall, with the only connectivity between us being port 102 (X.400), and all communication must be initiated from their side. No resource sharing other than email is required, and no cross-domain authentication is needed.
>
> I'm looking at setting them up as a separate domain in our forest, with an SMTP site link for directory replication. We will be kicking the tires in the lab, but does anyone have any real-life experiences (traumas, acquired phobias, etc.) with similar scenarios?
>
> Thanks,
>
> Andy
> Schan
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
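Jorge's alternative of an IP site link with replication pinned to a fixed port (the two KB articles he lists) is the part that actually has to be configured on every DC on both sides of the firewall. The PowerShell below is an added example, not from the thread or from the Microsoft articles, showing the three registry values those articles document: the NTDS "TCP/IP Port" and Netlogon "DCTcpipPort" values from KB 224196 and the NTFRS "RPC TCP/IP Port Assignment" value from KB 319553. The port numbers 50000-50002 are arbitrary assumptions chosen here; the firewall still has to pass TCP 135 (RPC endpoint mapper) alongside the pinned ports, and the change only takes effect after the DC is rebooted.

```powershell
# Added example: pin the RPC ports that AD replication, Netlogon and FRS use, so the
# firewall between the two sites can allow TCP 135 plus three fixed ports instead of
# the whole dynamic RPC range. Registry values per MS-KB 224196 (NTDS, Netlogon) and
# MS-KB 319553 (NTFRS). Assumptions (not from the thread): ports 50000-50002 are free
# on every DC; run elevated on each DC on both sides; reboot afterwards to apply.

param(
    [int]$ReplPort     = 50000,  # Directory replication (DRS RPC)  - KB 224196
    [int]$NetlogonPort = 50001,  # Netlogon RPC                      - KB 224196
    [int]$FrsPort      = 50002   # FRS (SYSVOL) RPC                  - KB 319553
)

$values = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Port = $ReplPort }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort';                Port = $NetlogonPort }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Port = $FrsPort }
)

foreach ($v in $values) {
    # All three are REG_DWORD; -Force overwrites the value if it already exists.
    New-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Port -PropertyType DWord -Force | Out-Null

    # Read it back and fail loudly rather than leave a DC half-configured.
    $set = (Get-ItemProperty -Path $v.Path -Name $v.Name).($v.Name)
    if ($set -ne $v.Port) { throw "Failed to set '$($v.Name)' under $($v.Path)" }
    Write-Output ("{0,-28} = {1}" -f $v.Name, $set)
}

Write-Output 'Reboot the DC, then confirm the services are bound to the pinned ports:'
Write-Output "  netstat -ano | findstr /C:`":$ReplPort `" /C:`":$NetlogonPort `" /C:`":$FrsPort `""
Write-Output 'Firewall rules needed between the bridgehead DCs: TCP 135 (endpoint mapper) plus'
Write-Output "  TCP $ReplPort, $NetlogonPort and $FrsPort, in addition to Kerberos/LDAP/DNS (see KB 832017)."
```

Run it on each DC that will act as a bridgehead; the pinned ports only help if both ends use the same values, since the firewall rule set has to be written once for the pair. The script deliberately does not touch the firewall itself: which side may initiate the connection (Andy's division requires it to be theirs) is a policy decision that belongs in the firewall rules, not in the DC registry.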
