Re: [ActiveDir] DMZ DOMAIN?

2006-10-24 Thread Paul Williams



If you take a look at the Windows 2000 clustering training material (I don't have it handy so my vocabulary will be sketchy) there is a setup where you make the nodes the DCs for the domain that the cluster resides in. I've never implemented such a setup though, so can't vouch for it in any way, other than saying that it is supported to have a DC or DCs as nodes in a cluster. What isn't supported is the clustering of AD (we all know why that is a stupid idea anyway).

Personally, I would add two additional servers to the DMZ as domain controllers for their own forest, also running as GC and DNS servers. The clusters, and the Notes servers, and any other servers that have service accounts running on them, can then be members of this domain.

You need to think long and hard before creating any trusts from the DMZ to the internal (or vice-versa). Again, this is supported and is often used (DMZ trusts internal) in a number of setups, but the true purpose of a DMZ doesn't allow such things (from a conceptual perspective -- see the DMZology presentation by Fred at TechEd for some good info on this).


--Paul

----- Original Message -----
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 24, 2006 4:33 AM
Subject: RE: [ActiveDir] DMZ DOMAIN?

You need a domain to have a cluster. You can make yourself a forest for this purpose out in the DMZ. Just don't make the cluster nodes domain controllers.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 23, 2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DMZ DOMAIN?

I have a little question.
I have a DMZ zone, where we have our firewall and some Lotus Notes email servers.
I want to create a Microsoft cluster with our two internet pages servers. I read in the documentation that I can only have a cluster if I have an MS AD domain. Is that true? Is there any restriction on creating a domain in an Internet DMZ zone? Is that unsafe?

Thanks

Adrião Ferreira Ramos
CII14
(11) 33888193
[EMAIL PROTECTED]

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.


RE: [ActiveDir] DMZ DOMAIN?

2006-10-24 Thread Brian Desmond

Please don't make the cluster nodes DCs. It's a really bad setup and doesn't always fully work.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, October 24, 2006 4:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DMZ DOMAIN?

RE: [ActiveDir] DMZ DOMAIN?

2006-10-24 Thread Wohlgehagen, Max W
Hey folks

Just a little confused here ... nodes vs. notes [Domino]. Going back to the original post there is no mention of nodes, only Lotus Notes and clustering.
I am sort of wondering what people mean here?
What is meant when each says nodes, and what does the poster mean when they say notes?

Seems to me [and am more than happy to be put back on my box :-) ] that the original poster wants to have mail servers in a DMZ and utilise MS clustering services to achieve this with the servers? The advice gets a bit confusing, but my interpretation, and I am agreeing with this interpretation (can one do that ..??), is that
1 It is OK to create a domain in a DMZ.
2 It is not advisable to make that domain part of a forest that has its source internal to the DMZ, and thus best for it to be its own forest.
3 The DCs in that forest are best not to be nodes within the clustered servers.
4 It is fine to create a Domino or other email server in a cluster.
5 You need a domain and therefore an AD to institute a cluster.
6 Normal practice applies when creating a domain/forest with respect to FSMOs, GC, DNS, service accounts, and redundancy.

I am not sure if this covers an internet pages server [IIS??] but that too would apply as above and could also reside within a cluster depending on what and how the rest is planned to be put together.

If I have part or all of this wrong I apologise in advance
Cheers:
Max Wohlgehagen
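The recommendations collected in this thread (Paul's stand-alone DMZ forest whose DCs are also GC and DNS servers, with no trusts to the internal network; Brian's rule that cluster nodes must not be DCs; Max's summary points 1 to 6) can be checked mechanically against a DMZ forest. The PowerShell below is an added example written for this archive page; it is not code from any poster or from Microsoft's documentation, and it uses the ActiveDirectory and FailoverClusters modules of later Windows Server releases rather than the Windows 2000 tooling the thread was written against. It assumes a management host joined to the DMZ forest with both modules installed, and the cluster name 'DMZ-CLUSTER' is a placeholder.

```powershell
# Added example, not from the thread: audit a DMZ forest against the advice above.
# Assumes: run on a host joined to the DMZ forest, ActiveDirectory and
# FailoverClusters modules present. 'DMZ-CLUSTER' is a placeholder cluster name.
Import-Module ActiveDirectory
Import-Module FailoverClusters

$clusterName = 'DMZ-CLUSTER'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Own forest: any trust, in either direction, bridges the DMZ and the
#    internal network, which is exactly what the thread warns against.
foreach ($t in @(Get-ADTrust -Filter *)) {
    $findings.Add("Trust with '$($t.Target)': direction $($t.Direction), forest-transitive $($t.ForestTransitive)")
}

# 2. Redundancy and roles: two or more DCs, each a global catalog and a DNS server.
$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -lt 2) {
    $findings.Add("Only $($dcs.Count) domain controller(s) in the domain; two were recommended")
}
foreach ($dc in $dcs) {
    if (-not $dc.IsGlobalCatalog) {
        $findings.Add("$($dc.HostName) is not a global catalog")
    }
    # Query the DNS Server service remotely over WMI/CIM.
    $dns = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'" `
        -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    if (-not $dns -or $dns.State -ne 'Running') {
        $findings.Add("$($dc.HostName) is not running the DNS Server service (or could not be queried)")
    }
}

# 3. FSMO holders: every role owner must be one of the DCs that currently exists.
$domain = Get-ADDomain
$forest = Get-ADForest
$fsmo = @{
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
}
$dcHostNames = $dcs | ForEach-Object { $_.HostName.ToLower() }
foreach ($role in $fsmo.Keys) {
    if ($dcHostNames -notcontains $fsmo[$role].ToLower()) {
        $findings.Add("$role is held by '$($fsmo[$role])', which is not a current DC")
    }
}

# 4. Cluster nodes must not be domain controllers (compared on the short host name).
$dcShortNames = $dcs | ForEach-Object { $_.Name.ToLower() }
foreach ($node in @(Get-ClusterNode -Cluster $clusterName)) {
    if ($dcShortNames -contains $node.Name.ToLower()) {
        $findings.Add("Cluster node $($node.Name) is also a domain controller")
    }
}

if ($findings.Count -eq 0) { 'No findings: DMZ forest matches the recommended layout.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script only reads directory and cluster state from inside the DMZ forest, so it needs no firewall opening towards the internal network; if it does list a trust, that trust is itself the finding, regardless of direction, because the thread's position is that a DMZ forest should stand alone.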



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Wed 25/10/2006 1:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DMZ DOMAIN?

RE: [ActiveDir] DMZ DOMAIN?

2006-10-24 Thread Brian Desmond

If the OP is doing Domino, Domino has its own clustering contraption that you can use in lieu of MSCS as I understand it.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wohlgehagen, Max W
Sent: Tuesday, October 24, 2006 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DMZ DOMAIN?