The DMZ AD sounds like a good way to go for me too.  

Our security guys are pretty terrified of AD in the DMZ (we use IPSEC to
deal with this), but it seems like it would save a lot of hassle.  I
don't personally deal with IPSEC, but it seems to have a "suck factor"
reputation with the people here who do.

I don't think I follow the users in the local SAM database thing you are
talking about here.  Where would that fall in with Rick's scenario?
Would those be for the internal users or the external?

Joe K.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, March 06, 2005 2:25 PM
To: [email protected]
Subject: RE: [ActiveDir] ADAM - Clarification

Good restate. I think that captures it all. The key being that the ADAM
server must be a member of the internal domain. If it isn't, all users need
to go into some store (whether local, ADAM, or spinning up AD in DMZ) in the
DMZ.

Personally, I am not a fan of hooking anything outside the LAN/WAN to an
internal AD, so for me, I would look at populating the needed info out to the
DMZ either in an AD sitting in the DMZ specifically for that purpose or into
ADAM itself - don't forget to use SSL so you don't pass clear text passwords.
If the number of users was under 50-60k or maybe even 80k I would consider
pushing the user auth into the local SAM of the server. If using a DMZ AD or
the local SAM then you can use secure binding without invoking SSL overhead.
Considering the fact that you may want to add additional AD/AM servers at a
later point for redundancy makes me think a DMZ AD may be the way to go
unless you want to use SSL and AD/AM users.


 joe
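As an added example (not code from this thread or from either poster), here are the two bind styles joe contrasts, written against an AD/AM instance with System.DirectoryServices.Protocols from PowerShell: a simple bind for users stored in ADAM itself, which must be wrapped in SSL because the password otherwise crosses the DMZ in clear text, and a Negotiate (Kerberos/NTLM) bind for users held in the host's local SAM or in a DMZ AD, which gets signing and sealing from the SASL layer without SSL. The third function is the check a practitioner would want: it confirms the instance refuses a clear-text simple bind on the plain port. The host name, ports, DNs, account names and the placeholder password are all assumptions.

```powershell
# Added example, not code from the thread. Contrasts a simple bind over SSL
# (ADAM users) with a Negotiate bind (local SAM or DMZ AD users) against an
# AD/AM instance. Host, ports, DNs and credentials are assumed placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-LdapConnection {
    param([string]$Server, [int]$Port)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    return $conn
}

# Case 1: the user object lives in ADAM itself. ADAM users can only do a
# simple (LDAP "Basic") bind, which sends the password in clear text unless
# the session is SSL, so SSL is switched on before binding.
function Test-AdamUserBind {
    param(
        [string]$Server   = 'adam01.dmz.example.com',        # assumed host
        [int]   $Port     = 636,                             # assumed SSL port of the instance
        [string]$UserDn   = 'CN=jdoe,OU=WebUsers,O=DmzApp',  # assumed ADAM partition and DN
        [string]$Password = 'example-only'                   # placeholder
    )
    $conn = New-LdapConnection -Server $Server -Port $Port
    try {
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Bind((New-Object System.Net.NetworkCredential($UserDn, $Password)))
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning "Simple bind over SSL failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

# Case 2: the user is a Windows principal, either a local SAM account on the
# ADAM host or an account in a DMZ AD. These bind with Negotiate (Kerberos or
# NTLM); the SASL layer signs and seals the session, so no SSL is needed to
# keep the credentials and the traffic off the wire in clear.
function Test-WindowsPrincipalBind {
    param(
        [string]$Server   = 'adam01.dmz.example.com',
        [int]   $Port     = 389,        # assumed plain LDAP port of the instance
        [string]$UserName = 'jdoe',
        [string]$Domain   = 'ADAM01',   # local SAM: the host name; DMZ AD: its NetBIOS domain
        [string]$Password = 'example-only'
    )
    $conn = New-LdapConnection -Server $Server -Port $Port
    try {
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind((New-Object System.Net.NetworkCredential($UserName, $Password, $Domain)))
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning "Negotiate bind failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

# Check for case 1: a simple bind on the plain port without SSL should be
# refused by the instance. If it is accepted, ADAM passwords are crossing the
# DMZ in clear text and the instance needs to be tightened.
function Test-ClearTextSimpleBindRefused {
    param(
        [string]$Server   = 'adam01.dmz.example.com',
        [int]   $Port     = 389,
        [string]$UserDn   = 'CN=jdoe,OU=WebUsers,O=DmzApp',
        [string]$Password = 'example-only'
    )
    $conn = New-LdapConnection -Server $Server -Port $Port
    try {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Bind((New-Object System.Net.NetworkCredential($UserDn, $Password)))
        Write-Warning "Clear-text simple bind was ACCEPTED on port $Port"
        return $false
    } catch [System.DirectoryServices.Protocols.LdapException] {
        return $true    # refused, as it should be
    } finally {
        $conn.Dispose()
    }
}

Test-AdamUserBind
Test-WindowsPrincipalBind
Test-ClearTextSimpleBindRefused
```

Whether the instance refuses clear-text simple binds is governed by the RequireSecureSimpleBind value in the msDS-Other-Settings attribute of the instance's Directory Service object, so check that setting rather than relying on the installer default. The passwords are plain string parameters only to keep the example short; in practice take them from Read-Host -AsSecureString or a credential object. The same Negotiate function works unchanged against a DMZ AD, which is the redundancy argument joe makes: adding servers does not require distributing SSL certificates to each one.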



List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
