Re: DNS in DMZ



I've been studying the MSA: Enterprise Data Center at:
http://www.microsoft.com/resources/documentation/msa/edc/all/solution/en-us/rak/rag/edcrag14.mspx

Chapter 8 states the following regarding separate internal and perimeter
forests:

"Based on the defense-in-depth strategy, the design implemented in the MSA
EDC assumes that an attacker is able to obtain access (in some user context)
to a server in the perimeter network, although many other mechanisms exist in
the architecture to prevent it. Built on that assumption, the design
implemented minimizes the damage that an attacker could inflict on internal
resources...Therefore, the design chosen for this release is multiple forests
with no trusts."

In my configuration admin on the internal network will use remote desktop to
connect to servers in the DMZ. This is where the conditional forwarding comes
into play. The admin launches a remote desktop connection to
server.company.dmz and is forwarded to an AD/DNS server in the DMZ. Once a
connection is established to the DMZ server, an admin account from the DMZ
forest/domain will be used to log in to the DMZ server and perform admin
tasks. With this scenario there is no need for cross forest authentication.
From what I understand thus far a two-way trust is a really bad idea but a
one way trust (from DMZ to internal) would work well if needed. But the paper
mentioned above places security first and chooses to avoid the trust
scenario. So, why wouldn't this work this way?


"Kevin D. Goodknecht Sr. [MVP]" wrote:

> DJ <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > I have an internal AD domain and I intend to set up a separate AD
> > forest in the DMZ. There will be no trust relationships whatsoever
> > between the two forests. However, admin on the internal domain will
> > need to access servers in the DMZ and DMZ servers will have to access
> > resources in the internal domain. My idea is to set up conditional
> > forwarding so that internal AD/DNS servers forward requests for
> > servers in the DMZ to DMZ AD/DNS servers. I also want to do the same
> > thing in the opposite direction.
> >
> > Is this a good solution? Any thoughts or feedback on this
> > configuration? Thanks.
>
> I don't believe the scenario will work. If you don't create a trust, users and
> computers from either domain will not be able to access resources in the
> other domain. This will require a two way trust and a VPN link from the
> external domain through the firewall to the internal domain. If you don't
> use a VPN link through the firewall you'll need to make your firewall into
> Swiss cheese to allow the needed ports for the trust.
> The DNS part is easy, since you don't need to authenticate with the DNS
> server for simple DNS resolution. It is when you have to start
> authenticating that the problems begin. Without a trust, you'll need
> anonymous access, which defeats the purpose of restricting access.
>
> Q179442 - How to Configure a Firewall for Domains and Trusts:
> http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q179442&ID=KB;EN-US;Q179442
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
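As an added example (not from the thread or from the MSA paper), this is how the conditional forwarding DJ describes would be set up and checked on Windows DNS, in both directions and without any trust. The zone name company.dmz comes from the thread; the internal zone name company.internal, the server addresses and the firewall checks are assumptions.

```powershell
# Assumed layout (constructed for this example):
#   internal AD/DNS server  10.0.0.10   authoritative for company.internal
#   DMZ AD/DNS server       192.0.2.10  authoritative for company.dmz
$InternalZone = 'company.internal'   # assumption: internal forest DNS name
$DmzZone      = 'company.dmz'        # DMZ forest DNS name from the thread
$InternalDns  = '10.0.0.10'          # constructed address
$DmzDns       = '192.0.2.10'         # constructed address

# --- On an internal DNS server: forward ONLY company.dmz to the DMZ DNS ---
# Windows Server 2012 and later (DnsServer module). ReplicationScope 'Forest'
# stores the forwarder in AD so every internal DC/DNS server gets it.
Add-DnsServerConditionalForwarderZone -Name $DmzZone `
    -MasterServers $DmzDns -ReplicationScope 'Forest'
# Windows Server 2003 equivalent, run on the internal DNS server:
#   dnscmd . /ZoneAdd company.dmz /Forwarder 192.0.2.10

# --- On a DMZ DNS server: forward ONLY company.internal inward ---
# (Run on the DMZ server; shown commented out so this script stays one-sided.)
# Add-DnsServerConditionalForwarderZone -Name $InternalZone `
#     -MasterServers $InternalDns -ReplicationScope 'Forest'
#   dnscmd . /ZoneAdd company.internal /Forwarder 10.0.0.10

# --- Verify the zone is a forwarder, not a copy of the DMZ zone ---
$zone = Get-DnsServerZone -Name $DmzZone
if ($zone.ZoneType -ne 'Forwarder') {
    throw "$DmzZone is $($zone.ZoneType); expected a conditional forwarder"
}

# --- Resolve a DMZ host the way the admin's RDP client will ---
Resolve-DnsName -Name "server.$DmzZone" -Server $InternalDns -Type A

# --- Firewall sanity check between the two forests ---
# Only DNS (53) and RDP (3389) should cross the boundary for this design;
# Kerberos (88) and LDAP (389) must stay closed, otherwise a trust-less
# design is being undermined by open trust ports.
foreach ($port in 53, 3389) {
    if (-not (Test-NetConnection -ComputerName $DmzDns -Port $port).TcpTestSucceeded) {
        Write-Warning "TCP $port to $DmzDns is blocked; the admin path needs it"
    }
}
foreach ($port in 88, 389) {
    if ((Test-NetConnection -ComputerName $DmzDns -Port $port).TcpTestSucceeded) {
        Write-Warning "TCP $port to $DmzDns is open; not needed without a trust"
    }
}
```

Run it as a DNS administrator on the internal server; the commented block is the mirror image to run on the DMZ server.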