Re: AD forest layout recommendations



Now, my questions:
A) GCs will authenticate for any domain in the forest, right?
B) Any problems with above?

A = Here's a much more in-depth discussion of authentication and security
services.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/e36ceae6-ff36-4a1b-9895-75f0eacfe94c.mspx

B = Problems? Aside from your expectations of authentication (see A above
to clarify them and note that it's my impression of your expectation that
I'm basing that on) I think you should carefully consider the security
implications. You can have forest trusts if that's needed, but knowing that
you're a school tells me that you have students. Students are curious
critters by nature. As such, they *could* decide to load a program that
tries to gain access to your forest. I suppose they could even try to gain
access to your forest. Since the domain is not a security boundary, the
risk is higher and you should carefully consider the tradeoffs you expect.
If you've already done that, then the placement of your solution would be
more dependent on your available network bandwidth.

Al


"R. E. Wendel" <REWendel@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0380E022-493C-411D-AA32-74378EA10C87@xxxxxxxxxxxxxxxx
> I am looking to do a few things in the very near future concerning our AD
> layout and would like to ask a few questions, give my design, and see if it
> floats.
>
> We are a school. Currently we have 2 separate domains: one administrative,
> one student.
>
> They do not have trusts because the former network operators did not see the
> need. I do.
>
> So we have 5 sites, currently we only have domain controllers on 3 of them
> (our full sized campuses, the other two are small single building remote
> sites). The Main campus is A, the two large campuses are B & C, and the two
> small sites are D & E.
>
> In order to support the current design, obviously we have 2 domain
> controllers on each campus A, B, & C. Currently we cannot setup trusts
> between the existing b/c as a school, security is an issue, so we restrict
> ALL traffic between the sides, save for VNC one way from admin to student for
> remote management. We will be opening up this, as we are implementing more
> standard security practices.
>
> I would like to move to the following topology:
>
> Site A := 2 primary DCs (one admin, one student)
> Site B & C := 1 DC each site, both being GCs, providing DNS, DHCP, and AD
> services for both domains
> Site D & E := same as B & C, with spare servers from B & C redes.
>
> Now, my questions:
> A) GCs will authenticate for any domain in the forest, right?
> B) Any problems with above?
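An added example, not part of either post above: Al's answer to A points at the documentation rather than spelling it out, and the proposed topology (one GC per remote site "for both domains") is where the distinction bites. A global catalog holds a partial, read-only replica of every domain's objects and is consulted for universal group membership and UPN lookups during logon, but Kerberos authentication of a user is performed only by a DC of that user's own domain. So a site that contains a GC from the admin domain but no student-domain DC will still send every student logon across the WAN. The PowerShell below (assumes the ActiveDirectory RSAT module and that both domains are in one forest, as Al's reply presumes; hostnames and site names come from the live directory, nothing is hard-coded) maps which domains have a DC in each site and flags the gaps, then lists the trusts so the forest edge, the only real trust boundary per the "domain is not a security boundary" point, can be checked.

```powershell
# Added example (not code from the original thread). Requires the
# ActiveDirectory module (RSAT) and read access to every domain in the
# forest; run from a domain-joined admin workstation in the forest.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = $forest.Domains

# Collect every DC in every domain of the forest with its site and GC flag.
# Targeting each domain with -Server is what makes this forest-wide; a plain
# Get-ADDomainController -Filter * only returns the current domain's DCs.
$dcs = foreach ($d in $domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object HostName, Domain, Site, IsGlobalCatalog
}

# Per site: show the DCs present, then warn for each forest domain that has
# no DC of its own in that site. A GC from another domain does not
# authenticate that domain's users, so those logons will cross the WAN.
$sites = $dcs | Select-Object -ExpandProperty Site -Unique | Sort-Object
foreach ($s in $sites) {
    "Site: $s"
    $here = $dcs | Where-Object { $_.Site -eq $s }
    foreach ($dc in $here) {
        "    {0,-32} {1,-26} GC={2}" -f $dc.HostName, $dc.Domain, $dc.IsGlobalCatalog
    }
    foreach ($d in $domains) {
        if (-not ($here | Where-Object { $_.Domain -eq $d })) {
            "    WARNING: no DC for domain $d in site $s (logons go to another site)"
        }
    }
}

# Trusts: intra-forest trusts are implicit two-way transitive, so what is
# worth auditing is anything with IntraForest=False, i.e. the forest edge.
"Trusts:"
Get-ADTrust -Filter * -Server $forest.RootDomain |
    Select-Object Name, Direction, ForestTransitive, IntraForest |
    Format-Table -AutoSize
```

Run it against the design above before and after placing the remote-site DCs: the intended outcome is that each of sites B through E shows one DC per domain (two lines per site) and no WARNING lines, and that the only trusts listed with IntraForest=False are ones that were deliberately created to partners outside the forest.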




