Re: DNS for trusts between separate private forests across the In
>> What are your
>> intentions mixing public and private data? Can you elaborate please?

This is a small installation and it just so happens that one of the servers
(one of the DCs) also runs a small, public-facing, internal-use SharePoint
site so that employees can get to files and calendars from it over the
weekend, without VPN clients. The firewall is set to map a fixed external IP
to the internal address. This is a very small remote office that was recently
integrated into the main company and houses some resources that now need to
be accessed by users in the other offices as well. They do not have a
registered public domain space at all, and the external IPs are only used for
SharePoint and some FTP.

I thought it would be easiest to set up a trust between them so that we
don't have to create multiple user IDs for all users in different domain
forests, or reinstall all internal application servers to integrate them
into one of the other remote but private domains.

--
MK


"Ace Fekay [MVP]" wrote:

> In news:5407781A-A577-4249-9EE0-5378067B6EC1@xxxxxxxxxxxxx,
> Michael <Michael@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, and I replied below:
> > Ok - that makes sense. Swiss cheese is good on a sandwich but not a
> > firewall. And yes, NAT is turned on, but the DNS servers also have a
> > public IP address so that should be ok, no? They can actually 'see'
> > both ways, including the private IP space.
>
> Public addresses? For the same zone records?
>
> Actually it isn't really ok mixing private and public data like that. It
> will cause problems with SOA records, and resolution. What are your
> intentions mixing public and private data? Can you elaborate please?
>
> >
> > The VPN alternative appears a lot safer... So I'll create a firewall
> > to firewall VPN tunnel, no problem. Now I have two separate subnets
> > in the private IP space in two different forests that could talk to
> > each other.
> >
> > If I create stub zones of each other, they should be able to
> > find each other, right? Or would it be better to use a secondary zone
> > or conditional forwarding? Both domains are at Windows 2003 full
> > functional mode.
>
> It can work using either method. Stubs and forwarders generate WAN
> resolution traffic. Secondaries don't, but they do create zone transfer
> traffic, though probably not as much traffic as stubs or forwarding. Your
> call...
>
> >
> > Many Thx!
>
> No prob... :-)
>
> Ace
>
>
>
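The three options Ace lists (stub zone, secondary zone, conditional forwarder) and the zone-transfer lockdown that should go with them, as an added example that is not part of the thread. It assumes two private forests, corp.example (DNS on 10.1.0.10) and branch.example (DNS on 10.2.0.10), reachable only through the firewall-to-firewall VPN; the names and addresses are constructed for illustration. It uses dnscmd, which on Windows Server 2003 ships with the Support Tools, and is run on the corp.example DNS server; the mirror-image commands for the partner are shown in comments.

```batch
@echo off
rem Added example, not from the original post. corp.example / branch.example
rem and the 10.1.0.10 / 10.2.0.10 addresses are constructed; substitute your own.
rem Run on the corp.example DNS server. Pick ONE of the three zone methods.

set PARTNER_ZONE=branch.example
set PARTNER_DNS=10.2.0.10
set LOCAL_ZONE=corp.example

rem --- Option 1: secondary zone. One AXFR/IXFR stream over the VPN (TCP 53),
rem     then every lookup for the partner zone is answered locally.
dnscmd /ZoneAdd %PARTNER_ZONE% /Secondary %PARTNER_DNS%

rem --- Option 2: stub zone. Holds only SOA/NS/glue and sends each query on to
rem     the partner's servers. The master must still permit zone transfers
rem     to this server, because the stub refreshes itself by transfer.
rem dnscmd /ZoneAdd %PARTNER_ZONE% /Stub %PARTNER_DNS%

rem --- Option 3: conditional forwarder. No transfer at all; every query for
rem     the partner zone crosses the VPN (UDP/TCP 53 must be open both ways).
rem dnscmd /ZoneAdd %PARTNER_ZONE% /Forwarder %PARTNER_DNS%

rem Restrict who may pull OUR zone: only the partner's DNS server. Anyone else
rem asking for AXFR is refused. Needed for options 1 and 2 on the partner side;
rem if the partner uses option 3 only, /NoXfr is the right setting.
rem If you run your own non-AD-integrated secondaries, add them to the list too.
dnscmd /ZoneResetSecondaries %LOCAL_ZONE% /SecureList %PARTNER_DNS%

rem Mirror image on the partner's server (10.2.0.10):
rem   dnscmd /ZoneAdd corp.example /Secondary 10.1.0.10
rem   dnscmd /ZoneResetSecondaries branch.example /SecureList 10.1.0.10

rem Force the first transfer and confirm the zone actually loaded.
dnscmd /ZoneRefresh %PARTNER_ZONE%
dnscmd /ZoneInfo %PARTNER_ZONE%

rem The New Trust wizard locates the partner's DCs through SRV records under
rem _msdcs, not through a plain A record. Both must resolve from THIS server
rem before you attempt the trust.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%PARTNER_ZONE% 127.0.0.1
nslookup -type=SRV _kerberos._tcp.dc._msdcs.%PARTNER_ZONE% 127.0.0.1
```

Whichever option is chosen, the partner zone data stays entirely on the private side: nothing here publishes the internal names on the public IPs, which is the mixing Ace warns against. The SecureList step is the one most often skipped; without it a Windows DNS server in its default configuration will hand the whole zone to any host that can reach TCP 53.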