Thanks all. Guido, it's a good suggestion.

I already set this up, and I'm using GPOs in the DMZ to add a universal group (from the internal network) to the administrators on each box, including DCs. Whilst this gives most of what I want, I'm unable to manage GPOs in the DMZ, perform schema admin (rare, I know) or other enterprise admin tasks.

For those asking, I see the benefits of this approach as centralised management of all servers using the same credentials. If the DMZ is compromised, it should be impossible for anyone to manipulate the DMZ forest to grant them access to the core network (unless we're stupid enough to try to use identical passwords for admins in the DMZ and core, and somebody rips & brute-forces the account database).

The approach IS documented by Microsoft at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/fedffin2.mspx under "Perimeter Network Scenario". Having just re-read this document, I notice it does specifically state that universal and global groups cannot contain members of another forest by design.

Thanks again

______________________________________________________
Join the Collaborative Business Experience

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido

Mike, as others have mentioned, users and groups from externally trusted domains can only be added to domain local groups (DLG) in another forest. This is by design for any type of trust that you establish.

If all you're trying to do is to manage the member servers in your DMZ with the same admin accounts that you have in your production forest, you could still leverage a GPO in your DMZ forest/domain that adds a DLG to the Administrators group of all your DMZ servers using the Restricted Groups feature. If you combine this approach with enabling Selective Authentication for the trust between the two forests and use this feature to restrict authentication to the servers to members of the same group, you'll have a reasonable integration of the two forests to allow management of the DMZ servers using your production admin accounts.

/Guido

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of

Hi,

New member here, with an issue.

We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way. The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A.

Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant "administrators" rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators – and thus defeats the objective of having the admins in a single forest.

(FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message "Foreign security principals cannot be members of universal groups".)

Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account.

Hope you can help.
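A defender's check of the arrangement discussed in this thread, added here as an example and not part of any post: it lists which groups in the DMZ forest hold foreign security principals from forest A (only domain local groups can, as the replies note) and whether the trust has Selective Authentication enabled, as Guido suggests. It assumes the RSAT ActiveDirectory module on a machine that can read forest B; the DC name dmz-dc01 is a placeholder.

```powershell
# Added audit script (not from any post in this thread); assumes the RSAT
# ActiveDirectory module and read access to the DMZ forest (forest B).
Import-Module ActiveDirectory

function Get-ForeignPrincipalGroupReport {
    # Lists every group in this forest that holds a foreign security principal
    # (an account or group from the trusted forest A) and flags any whose
    # scope is not DomainLocal, the only scope that can legitimately hold one.
    param([string]$Server)
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    $fsps = Get-ADObject @ad -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties memberOf
    foreach ($fsp in $fsps) {
        foreach ($dn in @($fsp.memberOf)) {
            $g = Get-ADGroup @ad -Identity $dn
            [pscustomobject]@{
                ForeignSid = $fsp.Name          # the FSP's CN is the foreign SID
                Group      = $g.Name
                Scope      = $g.GroupScope
                Ok         = ($g.GroupScope -eq 'DomainLocal')
            }
        }
    }
}

function Get-TrustSelectiveAuthReport {
    # Reports whether each trust of this forest has Selective Authentication
    # enabled; without it, any authenticated user of the trusted forest can
    # authenticate to every server in the DMZ forest, not just members of the DLG.
    param([string]$Server)
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    Get-ADTrust @ad -Filter * | ForEach-Object {
        [pscustomobject]@{
            Trust         = $_.Name
            Direction     = $_.Direction
            SelectiveAuth = $_.SelectiveAuthentication
            Ok            = [bool]$_.SelectiveAuthentication
        }
    }
}

# Usage: run against a DC in the DMZ forest (placeholder name) and show only findings.
Get-ForeignPrincipalGroupReport -Server 'dmz-dc01' | Where-Object { -not $_.Ok }
Get-TrustSelectiveAuthReport    -Server 'dmz-dc01' | Where-Object { -not $_.Ok }
```

Any group listed with a scope other than DomainLocal, or a trust without Selective Authentication, is a deviation from the setup the replies describe and worth investigating.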
