Re: DNS in DMZ

DJ <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> I have an internal AD domain and I intend to set up a separate AD
> forest in the DMZ. There will be no trust relationships whatsoever
> between the two forests. However, admin on the internal domain will
> need to access servers in the DMZ and DMZ servers will have to access
> resources in the internal domain. My idea is to setup conditional
> forwarding so that internal AD/DNS servers forward requests for
> servers in the DMZ to DMZ AD/DNS servers. I also want to do the same
> thing in the opposite direction.
>
> Is this a good solution? Any thoughts or feedback on this
> configuration? Thanks.

I don't believe the scenario will work. If you don't create a trust, users and
computers from either domain will not be able to access resources in the
other domain. This will require a two-way trust and a VPN link from the
external domain through the firewall to the internal domain. If you don't
use a VPN link through the firewall, you'll need to make your firewall into
Swiss cheese to allow the needed ports for the trust.
The DNS part is easy, since you don't need to authenticate with the DNS
server for simple DNS resolution. It is when you have to start
authenticating that the problems begin. Without a trust, you'll need
anonymous access, which defeats the purpose of restricting access.

Q179442 - How to Configure a Firewall for Domains and Trusts:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q179442&ID=KB;EN-US;Q179442


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
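The two halves of this thread, as an added PowerShell example that is not part of either post: the conditional forwarder DJ proposes (the part Kevin calls easy) and a port check that makes the "Swiss cheese" point concrete. The zone name, addresses and host name are made up; the port list is the well-known set from KB179442 for domain and trust traffic, and should be confirmed against the article for the Windows version in use.

```powershell
# Added example (not from the original thread). Run on an internal
# AD-integrated DNS server with the DnsServer module (Server 2012 or later).
# All names and addresses are assumptions for illustration only.

$DmzZone       = 'dmz.example.net'               # assumed DMZ forest DNS name
$DmzDnsServers = @('192.0.2.10', '192.0.2.11')   # assumed DMZ AD/DNS servers

# 1. Forward queries for the DMZ namespace to the DMZ DNS servers.
#    Storing the forwarder in AD gives every internal DNS server the same
#    entry; -ReplicationScope is only valid on an AD-integrated server.
#    Repeat this step on the DMZ DNS servers with the internal zone name
#    and internal DNS addresses to get forwarding in the other direction.
if (-not (Get-DnsServerZone -Name $DmzZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $DmzZone `
        -MasterServers $DmzDnsServers `
        -ReplicationScope 'Forest' `
        -ForwarderTimeout 5
}

# 2. Verify that resolution crosses the boundary. Plain DNS resolution needs
#    no authentication, so no trust is involved in this step.
Resolve-DnsName -Name "web01.$DmzZone" -Type A -Server $env:COMPUTERNAME |
    Format-Table Name, Type, IPAddress -AutoSize

# 3. The hard part: any authenticated access to the other forest needs the
#    domain/trust ports open through the firewall. These are the fixed TCP
#    ports KB179442 lists for that traffic (assumed here; the RPC dynamic
#    range is omitted). Every row that reports OPEN is a hole in the
#    firewall; if no trust is intended, every row should read blocked.
$TrustPorts = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB' },
    @{ Port = 636;  Name = 'LDAP over SSL' },
    @{ Port = 3268; Name = 'Global Catalog' },
    @{ Port = 3269; Name = 'Global Catalog over SSL' }
)
foreach ($p in $TrustPorts) {
    $r = Test-NetConnection -ComputerName $DmzDnsServers[0] -Port $p.Port `
        -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'blocked' }
    '{0,-26} TCP/{1,-5} {2}' -f $p.Name, $p.Port, $state
}
```

Step 2 succeeding while step 3 reports everything blocked is exactly the state the reply describes: name resolution works in both directions, but nothing that needs to authenticate will, because the trust traffic has nowhere to go.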