Tom,

My opinion only, but I think having the same domain space internally and
externally is a bad idea.  If the pass-through authentication is a must-have,
what about some flavor of a trust relationship?

Shook

http://www.linkedin.com/in/andyshook  

________________________________

From: Tom Miller [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 16, 2008 6:35 AM
To: NT System Admin Issues
Subject: AD DS domain naming question

Hi Folks:

My shop is currently non-Active Directory for file and print.  I plan to
migrate us to AD DS over the next year.  I've done it before so I can't
wait for all the "fun" to begin.  At my past shop we were a large
federal agency so we had several domains in the forest, and a
placeholder domain for the schema master.  The only reason for multiple
domains other than the placeholder was political.  Our internal name
didn't house servers in the DMZ.

In my current shop I plan for one domain.  My question is really about
the name.  We have web applications that can use pass-through
authentication, which we cannot use now.  I'd have to use the same AD DS
name internally and externally for these to work.  I know best
practices dictate keeping the internal AD separate from external, but
what does one do when there are externally exposed application servers
that need to be part of the internal domain?

Most of our external access is via Citrix Access Gateway which I have
secure, but I'm thinking about our web site which allows staff to
authenticate to see additional pages.

New to this, so comments, suggestions, and questions are welcome.  We have
about 500 users and I don't want to overly complicate a design if I can
prevent it.

Tom Miller
Engineer, Information Technology
Hampton-Newport News Community Services Board
757-788-0528

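Added example (not from the thread, in Python): the check a practitioner would want before running the same AD DS name inside and outside, as Tom's question proposes. It compares a constructed internal zone listing with a constructed external one and flags AD records that should never be published externally. The domain name example.org, the hosts and the addresses are all constructed.

```python
import re

# Constructed zone listings for the hypothetical domain example.org, used both
# as the internal AD DS name and as the externally published name.
INTERNAL_ZONE = """\
example.org.                 A    10.0.0.10
dc1.example.org.             A    10.0.0.10
_ldap._tcp.example.org.      SRV  0 100 389 dc1.example.org.
_kerberos._tcp.example.org.  SRV  0 100 88 dc1.example.org.
www.example.org.             A    10.0.0.80
"""
EXTERNAL_ZONE = """\
example.org.                 A    203.0.113.10
www.example.org.             A    203.0.113.80
_ldap._tcp.example.org.      SRV  0 100 389 dc1.example.org.
dc1.example.org.             A    203.0.113.10
vpn.example.org.             A    10.0.0.5
"""

# AD DS service-locator labels that only domain members need to resolve.
AD_LOCATOR_PREFIXES = ("_ldap.", "_kerberos.", "_kpasswd.", "_gc.", "_msdcs.")
# RFC 1918 address space; publishing it externally leaks the internal layout.
PRIVATE_NET = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

def parse_zone(text):
    """Parse 'name type rdata' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            records.append((parts[0].lower(), parts[1].upper(), parts[2].strip()))
    return records

def find_leaks(internal_text, external_text):
    """Return sorted (reason, name) pairs for external records that should stay internal."""
    internal = parse_zone(internal_text)
    # Hosts that the internal SRV records point at are the domain controllers.
    dc_hosts = {rdata.split()[-1].lower() for _, rtype, rdata in internal if rtype == "SRV"}
    leaks = set()
    for name, rtype, rdata in parse_zone(external_text):
        if rtype == "SRV" and name.startswith(AD_LOCATOR_PREFIXES):
            leaks.add(("internal service locator published", name))
        if rtype == "A" and name in dc_hosts:
            leaks.add(("domain controller host published", name))
        if rtype == "A" and PRIVATE_NET.match(rdata):
            leaks.add(("private address published", name))
    return sorted(leaks)

if __name__ == "__main__":
    for reason, name in find_leaks(INTERNAL_ZONE, EXTERNAL_ZONE):
        print(f"{name}: {reason}")
```

An empty result is the goal: with split DNS the external zone carries only the public web and mail records, while the locator and domain controller records stay on the internal servers.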