Caching Only DC?

Diane McCorkle

I know this is coming up in Longhorn Server,

But has anyone ever attempted or looked into this?

I ask since we have a need to insert a DC connected to our internal
corporate domain in our public DMZ to use the internal accounts in our AD.
We're properly concerned about safety and would prefer it function more like
the BDCs of old, with a "read only" copy of the AD DB.

RADIUS etc. are out, since the rewrite of the web sites is too intensive.

I'm more than happy to elaborate what we're trying to do if folks need to
ask more questions.

Diane

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Diane McCorkle
Systems Administrator
ATC Associates MIS Department
diane.mccorkle at atcassociates.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Joe Richards [MVP]

No this functionality does not exist yet and still isn't hammered out for
Longhorn or Blackcomb, it is concept level only now.

I would not recommend you span your DMZ and internal network with a DC like
that. If you need a DC specifically out there, set it up in its own forest with
no trusts. If you just need some AD LDAP info, consider AD/AM with MIIS.

joe
Diane McCorkle

Thanks Joe,

Unfortunately, all of us in the dept know this is a "worst practices" item.

We're currently running a full DMZ with 2000 user accounts, and as we expand
our internal corporate WAN with the branches being moved over to the CORP AD,
it's become more and more difficult to keep internal and external accounts
in sync.

It's a case of all internal users have an external account, but not all
external users have an internal account. Only 50% of our branches are on the
WAN at this point, the other 50 access this data over the internet.

They're looking for full internal AD info in the DMZ to authenticate web
pages and folders on the secure site. This includes updating accounts from
the internal AD as they change.

I hope this helps explain why we're approaching this in this odd and unsafe
manner.

Diane

Joe Richards [MVP]

Yuck. :)

If this is a problem that is going away in the next 6-9 months, I guess work to
correct it doesn't make a lot of sense. If it is going to go on long term
though, you may want to revisit the whole thing.

I think instead of sticking my DC in the DMZ, even in the first case, I would
punch holes from the web servers back to a DC (or a couple) back in the
intranet. Compromise of a web server in the DMZ would give people access to all
info in AD, but compromise of a DC in the DMZ would give people access to destroy
your AD or modify the data.
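The design Joe describes above (DMZ web servers reaching back through firewall holes to internal DCs, rather than a DC living in the DMZ) is only as safe as the holes are narrow. The script below is an added example, not code from the thread or from either poster: run from a DMZ web server, it checks that the internal DCs answer on the ports a domain member needs for authentication, flags any management ports that should not be reachable from the DMZ, and confirms that the low-privilege account the web tier uses can bind over LDAPS. The DC hostnames, the service-account name and the exact port list are assumptions; trim the port list to what the web tier actually uses (an LDAPS-only bind from a non-domain-joined server needs far less than a domain-joined one).

```powershell
# Added example (not from the thread). Verifies the DMZ-to-intranet "holes" from the
# web server side: expected AD ports open, management ports closed, LDAPS bind works.
# Requires Test-NetConnection (Windows 8 / Server 2012 or later). TCP only; UDP 88/389
# (Kerberos, LDAP ping) is not exercised here.

# Assumed hostnames for the internal DCs the firewall rules point at.
$DomainControllers = @('dc01.corp.example.com', 'dc02.corp.example.com')

# Ports a domain-joined member typically needs to authenticate against a DC.
$ExpectedPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    389  = 'LDAP'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog (TLS)'
    445  = 'SMB (SYSVOL / Netlogon)'
}

# Ports that have no business being reachable from the DMZ. If any of these answer,
# the hole is wider than the design requires.
$ForbiddenPorts = [ordered]@{
    135  = 'RPC endpoint mapper'
    3389 = 'RDP'
    5985 = 'WinRM'
    5986 = 'WinRM (TLS)'
}

function Test-DcPorts {
    param(
        [string]$Dc,
        [System.Collections.IDictionary]$Ports,
        [bool]$ShouldBeOpen
    )
    foreach ($port in $Ports.Keys) {
        $open = Test-NetConnection -ComputerName $Dc -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $Dc
            Port    = $port
            Service = $Ports[$port]
            Open    = $open
            # OK when the observed state matches the intended firewall policy.
            Status  = if ($open -eq $ShouldBeOpen) { 'OK' } else { 'MISMATCH' }
        }
    }
}

# Simple bind over LDAPS (port 636) as the web tier's service account. A successful
# bind here, with a read-only account, is all the web servers should ever need.
Add-Type -AssemblyName System.DirectoryServices.Protocols
function Test-LdapsBind {
    param([string]$Dc, [pscredential]$Credential)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("$($Dc):636")
    try {
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential.GetNetworkCredential()
        $conn.Bind()
        $true
    }
    catch {
        Write-Warning "LDAPS bind to $Dc failed: $($_.Exception.Message)"
        $false
    }
    finally {
        $conn.Dispose()
    }
}

# Assumed service account; prompt rather than embedding a password in the script.
$svc = Get-Credential -UserName 'CORP\svc-dmz-web' -Message 'Web tier LDAP bind account'

$results = foreach ($dc in $DomainControllers) {
    Test-DcPorts -Dc $dc -Ports $ExpectedPorts  -ShouldBeOpen $true
    Test-DcPorts -Dc $dc -Ports $ForbiddenPorts -ShouldBeOpen $false
}
$results | Format-Table DC, Port, Service, Open, Status -AutoSize

foreach ($dc in $DomainControllers) {
    "LDAPS bind to ${dc}: " + $(if (Test-LdapsBind -Dc $dc -Credential $svc) { 'OK' } else { 'FAILED' })
}

# Anything other than zero MISMATCH rows means the firewall policy and the design disagree.
"Mismatches: " + @($results | Where-Object Status -eq 'MISMATCH').Count
```

Run it from each DMZ web server after the firewall change, not from the intranet, since the point is to see the DCs exactly as an attacker who owns that web server would. Pair it with a check on the DC side that the bind account holds only read rights (no write to user objects, not a member of any privileged group), which is what keeps a compromised web server at "read everything in AD" rather than "modify or destroy it", the distinction Joe draws above.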