RE: New AD forest with 2 domains setup


From: mutegeek (mutegeek_at_discussions.microsoft.com)
Date: 12/01/04


Date: Tue, 30 Nov 2004 21:49:03 -0800

Fundamentally, if you create two domains within one forest, the two have an
inherent trust of one another. Unless there is some reason to have the two
domains you stipulate trust one another, I'd suggest for security purposes
establishing them as two separate forests. Machines tend to be named using
host.domain naming. Since the internet-exposed servers are the public view of
your company, I'd suggest making "company.tld" (top-level domain: "com",
"org", ...) your public forest and a subdomain a second internal forest
(e.g. corporate.registered-domain.com). Both forests, each containing in
this case one domain apiece, can be made part of an enterprise Active
Directory structure. Since nothing in the corporate subdomain is to be
exposed to the internet, its being a subdomain of the registered domain name
is not an issue. You can create however many subdomains you like within the
registered domain name space, and make whichever of those you desire visible
to the internet or not.

"Tyler" wrote:

> My current setup has 2 NT 4.0 domains. One domain is our internal LAN and
> the other domain contains public webservers, FTP etc.
>
> I want to upgrade the internal LAN domain to Win2003 AD in the next couple
> weeks and then do the other domain in early 2005.
>
> For example my thoughts on the AD/DNS setup are: company.local for root DNS
> name. Then use LAN.company.local for internal and then public.company.local
> for the other domain.
>
> Is this the best way to do this for trusting the 2 domains?
>
> Thanks.
>
> Tyler
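As an added illustration (not code from either poster), the Python below models the trust rule mutegeek relies on: domains inside one forest trust each other implicitly and transitively, while domains in different forests trust each other only through an explicit forest trust. The two layouts and the set of internet-exposed domains are constructed from the names used in the thread; the explicit-forest-trust parameter goes slightly beyond the posts to show the cross-forest case.

```python
"""Trust relationships implied by an Active Directory forest layout."""
from itertools import combinations

# Tyler's proposal: one forest rooted at company.local with two child domains.
SINGLE_FOREST = {
    "company.local": ["company.local", "lan.company.local", "public.company.local"],
}
# mutegeek's suggestion: two forests, one domain apiece, no trust between them.
TWO_FORESTS = {
    "company.com": ["company.com"],
    "corporate.company.com": ["corporate.company.com"],
}
# Domains that will hold internet-exposed servers (constructed for this example).
EXPOSED = {"public.company.local", "company.com"}


def forest_of(design, domain):
    """Return the forest root that contains `domain`, or None if unknown."""
    for root, domains in design.items():
        if domain in domains:
            return root
    return None


def trust_between(design, a, b, explicit_forest_trusts=()):
    """Classify how domains `a` and `b` trust each other.

    'implicit' for two domains of one forest (automatic, transitive),
    'explicit' when their forests are linked by a listed forest trust,
    otherwise 'none'.
    """
    fa, fb = forest_of(design, a), forest_of(design, b)
    if fa is None or fb is None:
        raise ValueError("unknown domain")
    if fa == fb:
        return "implicit"
    if (fa, fb) in explicit_forest_trusts or (fb, fa) in explicit_forest_trusts:
        return "explicit"
    return "none"


def exposed_sharing_forest(design, exposed=EXPOSED):
    """List (exposed, internal) domain pairs that share a forest and therefore
    trust each other whether or not that was intended."""
    findings = []
    for domains in design.values():
        for a, b in combinations(domains, 2):
            if (a in exposed) != (b in exposed):
                findings.append((a, b) if a in exposed else (b, a))
    return findings
```

Running `exposed_sharing_forest` on Tyler's single-forest layout flags both internal domains as trusting the public one, while mutegeek's two-forest layout yields no findings.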


