Why bother with a trust at all?
 
Unless there is constant access by a large number of your internal users (and there shouldn't be), then the only people inconvenienced by the multiple accounts are administrators, and hell, we've all got 15 accounts anyway, what's one more?
 
Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Friday, May 07, 2004 2:43 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DMZ to Internal LAN one-way trust via firewall

L & G, I’m sending this on behalf of one of our project engineers. Thanks for any assistance or advice.

 

1.  We have a 12-server (mostly 2000 web servers) NT 4.0 domain in
our Checkpoint firewall-protected DMZ subnet.  All support is
currently a mess of local and domain users, no security policy, etc.
Making it a Workgroup isn't a popular choice given the number of servers and
differences between.

2.  Therefore, we are looking to set up a one-way trust to our internal
2000 AD to support user authentication only.  I've read that the
ports necessary for an NT 4.0 -> 2000 trust are the same as an NT ->
NT (no LDAP, LDAPS, GC ports necessary), as long as you are pointing
to NT4 PDC -> 2000 PDC Emulator.  Question - is this correct??

The list of ports I have is:

From-To                   Client Port(s)    Server Port   Service
DMZPDC-IntPDC             1024-65535/TCP    135/TCP       RPC
DMZPDC-IntPDC             137/UDP           137/UDP       NetBIOS Name
*AllDMZServers-IntPDC     138/UDP           138/UDP       Netlogon/Browsing
DMZPDC-IntPDC             1024-65535/TCP    139/TCP       NetBIOS
**DMZPDC-IntWINS Rep      1024-65535/TCP    42/TCP        WINS


*per article 179442
**optional - read below

3.  I've read both sides of the option regarding name resolution. In
our environment, I'm leaning NOT to run WINS Replication across the
firewall (use lmhosts instead), since the outside boxes only have to
know the name of the internal domain and the PDC emulator, but I'd
appreciate anyone's insight on whether or not the risk/benefit is
worth the admin overhead of managing 10 different lmhosts files and
the potential for single POF?  I've never been a fan of hosts or
lmhosts, but it may make the most sense from a security perspective.

4.  I've also read about leveraging PPTP for the trust as well - but
have had no luck finding documentation other than the port number.
Anyone have any insight?

Your assistance in verifying my information is MUCH appreciated.

 

 

Mark Creamer

Systems Engineer

Cintas Corporation

Honesty and Integrity in Everything We Do
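An added example, not part of either message on this list: it takes the port table from the post above as the required-flow baseline for the NT 4.0 PDC -> 2000 PDC emulator trust and audits a constructed DMZ-to-internal firewall policy against it, flagging flows that are permitted but not on the list (extra exposure) and listed, non-optional flows the policy lacks. Host labels (DMZPDC, IntPDC, AllDMZServers, IntWINS) are the poster's; the sample policy and its LDAP/GC entries are constructed for illustration.

```python
import re

# Port table copied from the post; "*"/"**" are the post's footnote markers
# ("**" = optional WINS replication). Columns are separated by 2+ spaces.
TRUST_PORT_TABLE = """\
DMZPDC-IntPDC          1024-65535/TCP   135/TCP   RPC
DMZPDC-IntPDC          137/UDP          137/UDP   NetBIOS Name
*AllDMZServers-IntPDC  138/UDP          138/UDP   Netlogon/Browsing
DMZPDC-IntPDC          1024-65535/TCP   139/TCP   NetBIOS
**DMZPDC-IntWINS Rep   1024-65535/TCP   42/TCP    WINS
"""


def parse_table(text):
    """Parse the flattened table into {(src, dst, proto, server_port): info}."""
    flows = {}
    for line in text.strip().splitlines():
        fromto, client, server, service = re.split(r"\s{2,}", line.strip())
        optional = fromto.startswith("**")
        src, dst = fromto.lstrip("*").split("-", 1)
        dst = dst.split()[0]  # "IntWINS Rep" -> "IntWINS"
        port, proto = server.split("/")
        flows[(src, dst, proto, int(port))] = {
            "client_ports": client, "service": service, "optional": optional}
    return flows


REQUIRED = parse_table(TRUST_PORT_TABLE)


def audit(policy, required=REQUIRED):
    """policy: iterable of (src, dst, proto, port) the firewall permits DMZ->internal.
    Returns (excess, missing): permitted flows the trust list does not call for,
    and non-optional trust flows the policy does not permit (both sorted)."""
    permitted = set(policy)
    needed = {k for k, v in required.items() if not v["optional"]}
    return sorted(permitted - set(required)), sorted(needed - permitted)


# Constructed sample policy: LDAP and GC were opened from the whole DMZ (not on
# the post's list for an NT4 -> 2000 trust) and 138/UDP was forgotten.
SAMPLE_POLICY = [
    ("DMZPDC", "IntPDC", "TCP", 135),
    ("DMZPDC", "IntPDC", "UDP", 137),
    ("DMZPDC", "IntPDC", "TCP", 139),
    ("AllDMZServers", "IntPDC", "TCP", 389),
    ("AllDMZServers", "IntPDC", "TCP", 3268),
]

if __name__ == "__main__":
    excess, missing = audit(SAMPLE_POLICY)
    for src, dst, proto, port in excess:
        print(f"EXCESS : {src}->{dst} {port}/{proto}")
    for src, dst, proto, port in missing:
        print(f"MISSING: {src}->{dst} {port}/{proto} ({REQUIRED[(src, dst, proto, port)]['service']})")
```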