Re: empty root domain
From: John M (JohnM_at_discussions.microsoft.com)
Date: 11/18/04
- Next message: Dmitri Gavrilov [MSFT]: "Re: Problem with ADAM Service"
- Previous message: Dave: "Re: Custom Search"
- In reply to: Al Mulnick: "Re: emtpy root domain"
- Next in thread: Al Mulnick: "Re: emtpy root domain"
- Reply: Al Mulnick: "Re: emtpy root domain"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 17 Nov 2004 23:27:01 -0800
Well, I don't really have any requirements, other than this:
1. need split DNS.
2. would like a DMZ area, don't care what it's called. This would have limited
file access to the main (internal) domain. It will also be the mail / SMTP
gateway for the (internal) domain as well.
3. be nice to be able to have a test domain or area which has semi-connectivity
to the prod domain or area.
4. have a test AD area to test migrations / scripting into AD.
The suggestion of empty root keeps popping up everywhere I look. So I did a
couple of VMware / testing type builds and noticed the security enterprise
groups were in the external domain.
My thoughts were this wasn't that secure, particularly if the external domain
was in the DMZ. My reasoning was that if the DMZ was compromised for some
reason, being that the enterprise groups were in the DMZ, you may as well say
the (internal) domain was also compromised.
This leads me to believe that most DMZs would actually house a separate
forest, or not even a domain.
Then my next issue is how does one span this across multiple geographic
sites. Do the VPNs go from (internal - internal) or external - external domain?
Note: this is all hypothetical general best practice sort of stuff.
"Al Mulnick" wrote:
> The only true security delineation is the forest. That said, you may have
> better luck if you look at this in a different way. Look at it as DNS only
> and as Active Directory only. Two separate problems to be solved vs. just
> one big jumble. It may make more sense to you that way.
>
> Empty root is good for some restrictions and especially policy differences,
> but since the domain is not a true security boundary (but more like a DNS
> boundary although not quite that simple) it really only makes sense if you
> want to use different policy for enterprise admins than you do for the rest
> of the population. Otherwise, I don't see a huge advantage. It's about
> control not namespace. You can have disjointed namespaces in the same
> forest, and you can have split-brain dns in the same network if that's what
> you need.
>
> Can you expand a little on what the end solution needs to be?
>
>
> "John M" <John M@discussions.microsoft.com> wrote in message
> news:558AD8A2-00F1-40CC-B0BF-102B90646532@microsoft.com...
> > I have been messing around with AD structures mainly for the sake of
> > finding a good model.
> >
> > I have been looking at the empty root model, which has some appeal. However,
> > I did notice that the following happened.
> >
> > domainName.com = empty root
> > internal.domainName.com = child of empty root.
> >
> > Now my theory was that the domainName.com would be in the DMZ, which would
> > mean that if that domain was compromised then so would the internal
> > domain.
> >
> > Being that the enterprise accounts are in the empty root?
> >
> > Am I correct in saying that the empty root model really needs another
> > domain in a DMZ?
> >
> > I have also read that trends are moving away from this model; however, I
> > don't know to what they are going to? The reason the empty root appeals is it
> > would make it simple to create this type of scenario.
> >
> > domainName.com
> > internal.domainName.com
> > test.domainName.com
> >
> > etc etc
> >
> > How can this be done and have a good security model as well?
> >
> > Am I missing something here?
>
>
>
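As an added example (not part of the thread, and not code from either poster), here is the check a practitioner would run before deciding whether a forest root domain can sit in a DMZ: it shows which domain holds the forest-wide privileged groups Enterprise Admins (RID 519) and Schema Admins (RID 518), who is in them, and the automatic two-way transitive trusts that make a compromise of the root domain reach every child domain. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the forest; domain and group names are read from the live forest, nothing is hard-coded.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module and a domain-joined host that can read the forest. Read-only: it makes
# no changes.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$root    = Get-ADDomain -Identity $forest.RootDomain
$rootSid = $root.DomainSID.Value

# Enterprise Admins (RID 519) and Schema Admins (RID 518) exist only in the
# forest root domain; their SIDs are the root domain SID plus the well-known RID.
# Looking them up by SID avoids depending on localized group names.
$forestWideGroups = @{
    'Enterprise Admins' = "$rootSid-519"
    'Schema Admins'     = "$rootSid-518"
}

"Forest root domain : $($forest.RootDomain)"
"Domains in forest  : $($forest.Domains -join ', ')"

foreach ($name in $forestWideGroups.Keys) {
    # Query the root domain's PDC emulator so the lookup does not chase referrals.
    $group = Get-ADGroup -Identity $forestWideGroups[$name] -Server $root.PDCEmulator
    "`n$name lives in: $($group.DistinguishedName)"
    # -Recursive expands nested groups so indirect members are not missed.
    Get-ADGroupMember -Identity $group -Server $root.PDCEmulator -Recursive |
        Select-Object Name, objectClass, distinguishedName |
        Format-Table -AutoSize
}

# Every domain in a forest trusts its parent with an automatic two-way transitive
# trust (IntraForest = True). That is why the forest, not the domain, is the
# security boundary: list each domain's trusts to see the reach of the root.
foreach ($d in $forest.Domains) {
    Get-ADTrust -Filter * -Server $d |
        Select-Object @{ n = 'Domain'; e = { $d } }, Name, Direction,
                      ForestTransitive, IntraForest |
        Format-Table -AutoSize
}
```

Run it from any member of the forest; if the two groups resolve to the root domain and the child domains show IntraForest trusts back to it, then placing that root domain in the DMZ exposes the accounts that can administer every domain in the forest, which is the concern raised above. A separate forest for the DMZ, joined by an explicit one-way external or forest trust (or no trust at all), shows up here as a trust with IntraForest = False, or as no trust.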