Joe, I've done this on a number of occasions and while a pain in the buttocks up front, it's not the worst thing. Just isolate it, i.e. no 2-way trust with internal AD, and let it sit. I don't know how big of an implementation you're talking about but you could start with one server for AD, DNS, WINS, DHCP, file serving and one for the web apps. My only question is what type of access will internal staffers need to this domain?
Shook

________________________________
From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 15, 2008 10:59 AM
To: NT System Admin Issues
Subject: AD in the DMZ, good idea?

I'm thinking not, but one of our developers is wanting to set up a separate domain in the DMZ, so that we can create AD accounts for contractors that need to log in to web apps. My brain, gut and every fiber of my being are saying that this is definitely NOT the way to do this. I am right here, aren't I?

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA 95814
(916) 327-5276
[EMAIL PROTECTED]
