Re: 2 DC's in single domain with 2 Vlans
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Tue, 9 Jun 2009 15:19:30 -0500
Domains have absolutely nothing to do with IP Segments. IP Segments have absolutely nothing to do with Domains.
Define "see each other"?
If you want to block something,..then block it,...but just it,...you can not simply "cut off" the two IP Segments from each other and expect the Domain to survive.
Routers are Layer3 with a relationship to Layer4,...security does not begin and end with Layers 3 & 4. Blocking something with a Router ACL is not the only way to deal with security.
Security is about controlling access to Resources. Controlling access to Resources depends on what the Resources are and what function, application, or service "provides" the Resources to the users. Ask yourself how you would handle this if they were all on the same IP Segment,...the correct answer to that question is your answer.
Router ACLs are only for "broad & crude" access controls.
--
Phillip Windell
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
"maki" <maki@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1D32FFEC-8246-477B-81E2-18439DEE9130@xxxxxxxxxxxxxxxx
I've got a question about this scenario: same company, two different staff groups: Staff A and Staff B. Each one is separated by different VLANs. So one is on, for instance, the 172.16.a.b network and the other is on the 192.168.16.a network. They should not see each other at all. Now, if the domain is called company.com, can I assume that:
1. I can create 2 DC's with Active Directory - one for each group of staff - and call them staffA.company.com and staffB.company.com? Remember staffA is on the 172 network and staffB on 192... Oh, also - each server is also a DHCP/DNS/Printer/Antivirus server as the company doesn't have enough money to follow Microsoft recommendations. I am trying to picture if I go to a member of Staff A and want to join his computer to the domain - what do I type in the domain bit when joining the computer? company.com or staffA.company.com? Do I just let the IP address help direct the computer to the particular DC? How would I connect them to the particular DC they should belong to? Or do I need to create a parent site company.com and then child sites staffA.company.com and staffB.company.com?
2. If the 2 DC's can be within the same domain as initially thought above - what if I add a mail exchange server called mail and only want it to be for StaffA (staffB have no need to use the email server) - can I just connect staffA.company.com to mail.company.com? I assume staff B will not be able to see the mail server then?
I am new at all this so was just wondering.
Thanks.
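The "does the IP address direct the computer to the right DC" part of question 1 is decided by Active Directory sites and subnets, not by separate domains: the DC locator matches a client's address against the subnet objects in AD and prefers a DC in that site. The script below is an added example, not code from either poster; it assumes the ActiveDirectory PowerShell module (Windows Server 2012 or later), treats maki's "172.16.a.b" and "192.168.16.a" as 172.16.0.0/16 and 192.168.16.0/24, and uses the made-up DC names DC-A and DC-B. Note that sites only steer which DC a client talks to; they do not isolate the VLANs from each other, which is Phillip's point above.

```powershell
# Added example: one domain (company.com), one site per VLAN, each subnet mapped
# to its site so clients on each VLAN locate the DC on their own segment.
# Requires the ActiveDirectory module and Enterprise Admin rights. Site, subnet
# prefix lengths and DC names are constructed for this example.
Import-Module ActiveDirectory

$Domain   = 'company.com'                                   # from the thread
$Sites    = @{ 'StaffA' = '172.16.0.0/16'                   # assumed /16 for "172.16.a.b"
               'StaffB' = '192.168.16.0/24' }               # assumed /24 for "192.168.16.a"
$DcBySite = @{ 'StaffA' = 'DC-A'; 'StaffB' = 'DC-B' }       # hypothetical DC names

foreach ($site in $Sites.Keys) {
    $subnet = $Sites[$site]

    # Create the site if it does not exist yet (both sites live in the same domain)
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }

    # The subnet object is what the DC locator uses to decide a client's site
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $site
    }

    # Put the DC that physically sits on that VLAN into its site
    Move-ADDirectoryServer -Identity $DcBySite[$site] -Site $site
}

# Check from a client: on the 172.16 VLAN this should name DC-A and site StaffA.
# Both DCs still replicate with each other and both still authenticate every
# company.com user; the VLANs are not cut off from each other by this.
nltest /dsgetdc:$Domain /site
Get-ADDomainController -Discover -DomainName $Domain -SiteName 'StaffA' |
    Select-Object HostName, Site, IPv4Address
```

Clients on both VLANs join plain company.com; the subnet-to-site mapping, not a separate domain name, is what sends each of them to its nearby DC.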