This is also a good application for federation (ADFS).  It gives you
the flexibility of provisioning your dealer accounts in ADAM instead
of AD (which can give you a lot more flexibility in terms of how to
allocate hardware) and can give you the ability to allow the dealers
to log on with their own accounts if they can create a federation
server on their end to provide access to their own domain resources.
This may or may not be possible/desirable, but in many cases it is
because you don't have to provision and manage their identities.

Unfortunately, this is much more complex to implement though.

From a security perspective, though, Brian is right.  If you just want
to do this with AD and trusts, you should do a separate forest and do
a forest trust.  Otherwise, you aren't buying much in terms of real
security.  You might as well just put the accounts in a separate OU.

Joe K.

On 11/30/06, Group, Russ <[EMAIL PROTECTED]> wrote:


Hi all

We are in the process of creating a SharePoint site that external users
(dealers) can access to obtain shipping information.  I have the SharePoint
server in my LAN with a reverse proxy appliance in the DMZ that the dealers
will use to access the SharePoint server.

The discussion came up about using a child domain for these dealers to
authenticate to the SharePoint server.  Is this an accepted practice (create
a child domain for the external users)?  How safe is this compared to
creating a separate OU for the dealer in the parent domain?

Thank you

Russ
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/