Re: Caching Only DC?

From: Diane McCorkle (diane.mccorkle)
Date: 05/14/04


Date: Fri, 14 May 2004 10:01:50 -0400

Thanks Joe,

Unfortunately all of us in the dept know this is a "worst practices" item

We're currently running a full DMZ with 2000 user accounts and as we expand
our internal corporate WAN with the branches being moved over to the CORP AD
it's become more and more difficult to keep internal and external accounts
in sync.

It's a case of all internal users have an external account, but not all
external users have an internal account. Only 50% of our branches are on the
WAN at this point, the other 50 access this data over the internet.

They're looking for full internal AD info in the DMZ to authenticate web
pages and folders on the secure site. This includes updating accounts from
the internal AD as they change.

I hope this helps explain why we're approaching this in this odd and unsafe
manner.

Diane

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:uEW973TOEHA.628@TK2MSFTNGP11.phx.gbl...
No, this functionality does not exist yet and still isn't hammered out for
Longhorn or Blackcomb, it is concept level only now.

I would not recommend you span your DMZ and internal network with a DC like
that. If you need a DC specifically out there, set it up in its own forest with
no trusts. If you just need some AD LDAP info, consider AD/AM with MIIS.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Diane McCorkle wrote:
> I know this is coming up in Longhorn Server,
>
> But has anyone ever attempted or looked into this?
>
> I ask since we have a need to insert a DC connected to our internal
> corporate domain in our public DMZ to use the internal accounts in our AD.
> We're properly concerned about safety and would prefer it function more like
> the BDC's of old with a "read only" copy of the AD DB
>
> Radius etc are out since the rewrite of the web sites is too intensive,
>
> I'm more than happy to elaborate what we're trying to do if folks need to
> ask more questions.
>
> Diane
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Diane McCorkle
> Systems Administrator
> ATC Associates MIS Department
> diane.mccorkle at atcassociates.com
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
>

