Re: AD DMZ configuration
- From: dsturgeon.spam@xxxxxxxxx
- Date: Thu, 28 Feb 2008 07:33:48 -0800 (PST)
On Feb 28, 10:10 am, dsturgeon.s...@xxxxxxxxx wrote:
On Feb 27, 8:34 pm, Ryan Hanisco <RyanHani...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Good evening,
If you create Domain global groups in each of your domains to hold local
accounts, then create a Universal Group in the DMZ holding the global groups
from each domain, the authentication should stop at the domain boundary as
the security token will not have to reach into the foreign domain to generate
the appropriate security token.
Good Luck,
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need
quickly.
"dsturgeon.s...@xxxxxxxxx" wrote:
The setup - two separate forests, one internal and one DMZ.
Servers: LAN-DC1, LAN-DC2, DMZ-DC1, DMZ-WEB, DMZ-APP
I have a one-way trust setup to allow internal accounts into the DMZ.
IPSec policy setup to secure traffic between the DCs. One hope was
that the authentication process would happen as follows:
Internal User needs to authenticate to the web server. The web server
would pass that request to the DMZ-DC1 server which would then connect
back to the internal DC to verify. The reverse path would be followed
and the user would be authenticated. This limits the holes that I have
to punch through the firewall.
Instead the web server performs the authentication back to the
internal DC, so I need to have all of the AD related ports (udp/389
and 88, tcp/139 and 445) open anyway. Is there a way to force the DCs
to do the 'talking' per se?
Thanks
Ryan - these are separate forests, so I do not believe your
recommendation will work. I can only add groups from the LAN forest to
the domain local group in the DMZ forest.
Nevermind, I was able to add a universal group from the LAN forest to
a DL group in the DMZ forest. Still testing it.
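A model of the group-scope rules the thread is working through, added here as an example (it is not code from any of the posters): it encodes the standard Active Directory nesting rules for global, universal and domain local groups and checks the universal-group design against the domain-local one over the one-way trust described above. The forest names lan.example and dmz.example and the group names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

LAN, DMZ = "lan.example", "dmz.example"  # constructed forest names (assumption)
# "One-way trust to allow internal accounts into the DMZ": the DMZ forest trusts LAN.
TRUSTS: Set[Tuple[str, str]] = {(DMZ, LAN)}  # (trusting forest, trusted forest)

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    forest: str
    scope: Optional[str] = None  # "global", "universal", "domain_local"; None = user

def can_be_member(member: Principal, group: Principal, trusts=TRUSTS) -> Tuple[bool, str]:
    """Standard AD group-scope nesting rules; returns (allowed, reason)."""
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    if group.scope == "global":
        # Global groups hold only users and global groups from their own domain.
        if not same_domain or member.scope in ("universal", "domain_local"):
            return False, "global groups take only own-domain users and global groups"
    elif group.scope == "universal":
        # Universal groups span the forest but never cross a forest boundary.
        if not same_forest or member.scope == "domain_local":
            return False, "universal groups cannot hold principals from another forest"
    elif group.scope == "domain_local":
        # Domain local groups accept principals from any trusted forest, but nest only own-domain DL groups.
        if member.scope == "domain_local" and not same_domain:
            return False, "domain local groups nest only within their own domain"
        if not (same_forest or (group.forest, member.forest) in trusts):
            return False, f"{group.forest} does not trust {member.forest}"
    else:
        raise ValueError(f"{group.name} is not a group")
    return True, "ok"

lan_global = Principal("LAN-WebUsers-G", LAN, LAN, "global")
lan_universal = Principal("LAN-WebUsers-U", LAN, LAN, "universal")
dmz_universal = Principal("DMZ-WebAccess-U", DMZ, DMZ, "universal")
dmz_local = Principal("DMZ-WebAccess-DL", DMZ, DMZ, "domain_local")
lan_local = Principal("LAN-Access-DL", LAN, LAN, "domain_local")

def check_designs() -> dict:
    """Ryan's universal-group nesting, the domain-local nesting that worked, and the reverse direction."""
    return {
        "lan_global_into_dmz_universal": can_be_member(lan_global, dmz_universal),
        "lan_universal_into_dmz_local": can_be_member(lan_universal, dmz_local),
        "dmz_universal_into_lan_local": can_be_member(dmz_universal, lan_local),
    }

print(check_designs())
```

The third entry is rejected because the trust is one-way: nothing from the DMZ forest can be granted into LAN groups, which is the property the original design wanted.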
- Follow-Ups:
- Re: AD DMZ configuration
- From: Lognoul, Marc (Private)
- Re: AD DMZ configuration
- References:
- AD DMZ configuration
- From: dsturgeon . spam
- Re: AD DMZ configuration
- From: dsturgeon . spam
- AD DMZ configuration