Please don’t make the cluster nodes DCs. It’s a really bad setup and doesn’t always fully work.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, October 24, 2006 4:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DMZ DOMAIN?

 

If you take a look at the Windows 2000 clustering training material (I don't have it handy so my vocabulary will be sketchy) there is a setup where you make the nodes the DCs for the domain that the cluster resides in.  I've never implemented such a setup though, so can't vouch for it in any way, other than saying that it is supported to have a DC or DCs as nodes in a cluster.  What isn't supported is the clustering of AD (we all know why that is a stupid idea anyway).

 

Personally, I would add two additional servers to the DMZ as domain controllers for their own forest, also running as GC and DNS servers.  The clusters, and the notes servers, and any other servers that have service accounts running on them, can then be members of this domain.

 

You need to think long and hard before creating any trusts from the DMZ to the internal (or vice-versa).  Again, this is supported and is often used (DMZ trusts internal) in a number of setups, but the true purpose of a DMZ doesn't allow such things (from a conceptual perspective -- see the DMZology presentation by Fred at TechEd for some good info on this).

 

 

--Paul

----- Original Message -----

Sent: Tuesday, October 24, 2006 4:33 AM

Subject: RE: [ActiveDir] DMZ DOMAIN?

 

You need a domain to have a cluster. You can make yourself a forest for this purpose out in the DMZ. Just don’t make the cluster nodes domain controllers.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 23, 2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DMZ DOMAIN?

 


I have a little question.

I have a DMZ zone, where we have our firewall and some Lotus Notes email servers.
I want to create a Microsoft cluster with our two internet page servers. I read in the documentation that I can only have a cluster if I have an MS AD domain. Is that true? Is there any restriction on creating a domain in an Internet DMZ zone? Is that unsafe?

Thanks






Adrião Ferreira Ramos
CII14
(11) 33888193
[EMAIL PROTECTED]
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
