Domain recommendation for DMZ servers

Mike

I currently manage an existing Windows 2000 domain for my
company. We recently implemented a web server which we
left as a standalone system that is insanely locked down.
My company has decided to implement more web servers. I
am trying to re-evaluate the domain strategy here and I'm
leaning towards either an additional domain or a child
domain. All our web servers are on a secure DMZ. We also
may have some dial-in servers on a different DMZ which I
would like managed as well. Please let me know what you
recommend. Also, if I do create either of these, can I
use my existing DNS servers? I want a manageable, secure
environment without putting my existing environment at risk.

Thanks in advance!
 
Simon Geary

Don't put domain controllers in a DMZ. Also don't put DNS servers with
internal addresses in the DMZ. You should use a DNS server with a dedicated
zone that only has public addresses.
It sounds like you already have things tightly locked down by using standalone
servers with no DCs, so why would you want to put a domain in the DMZ?
What are you trying to achieve?
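An added example, not from the thread or any of its posters, of how to check the point above about the DMZ zone: parse a BIND-style zone file for the DMZ-facing DNS server and flag any A/AAAA record whose address falls in an internal range (RFC 1918, loopback, link-local, or IPv6 ULA). The zone text below is constructed for the example; the record format it parses (name, optional TTL, optional class, type, address) is an assumption about how the zone is exported.

```python
import ipaddress
import re

# Constructed sample zone for a DMZ DNS server (not from the thread).
# The last records deliberately leak internal addresses so the check has something to find.
SAMPLE_ZONE = """\
$ORIGIN dmz.example.com.
$TTL 3600
@        IN  SOA   ns1.dmz.example.com. hostmaster.dmz.example.com. (2024010101 3600 900 604800 300)
@        IN  NS    ns1.dmz.example.com.
ns1      IN  A     203.0.113.10
www      IN  A     203.0.113.20
www2     IN  A     203.0.113.21
ipv6host IN  AAAA  2001:db8::1
; the next three records expose internal topology and do not belong in a DMZ-facing zone
intranet IN  A     10.1.2.3
dc01     IN  A     192.168.5.10
ula      IN  AAAA  fd00::1
"""

# Ranges that should never appear in a zone served from the DMZ.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # IPv6 unique local
)]

# name [ttl] [IN] A|AAAA address  -- assumed zone-file line shape
ADDRESS_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>AAAA|A)\s+(?P<addr>\S+)",
    re.IGNORECASE,
)


def parse_address_records(zone_text):
    """Return (name, address) for every A/AAAA record; comments and directives are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("$"):   # blank lines and $ORIGIN/$TTL directives
            continue
        m = ADDRESS_RECORD.match(line)
        if m:
            records.append((m.group("name"), m.group("addr")))
    return records


def is_internal(addr):
    """True if addr is a valid IP inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False   # not an IP literal; leave it for a separate syntax check
    # 'ip in net' is False across IPv4/IPv6 versions, so mixing is safe
    return any(ip in net for net in INTERNAL_NETS)


def find_internal_addresses(zone_text):
    """Records in the zone that point at internal addresses and should be removed."""
    return [(name, addr) for name, addr in parse_address_records(zone_text) if is_internal(addr)]


if __name__ == "__main__":
    for name, addr in find_internal_addresses(SAMPLE_ZONE):
        print(f"internal address in DMZ zone: {name} -> {addr}")
```

Run it against the zone file exported from the DMZ DNS server; any line it prints is a record leaking internal addressing into the zone that the DMZ hosts (and anyone who can query them) can see.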
 
Guest

I'm looking for a more manageable environment. Instead of
locking down each server that we implement I would like to
control it with group policy. The first 2 I did were a
pain with very little hope of being set back. Now I have
4 more servers to implement. So with 6 plus servers I was
hoping that an additional domain would make sense.
 
David Adner

We created a separate forest in the DMZ that has absolutely no
connectivity to our internal AD. We made the DMZ DCs the DNS servers,
which are not accessible from the Internet. I know this has negatives,
but trying to maintain around 50 servers in the DMZ with local accounts
was no more secure. Users and support staff couldn't maintain passwords
across all their servers, ending up with poor security practices like
making passwords never expire, generic accounts, etc. Trying to audit
all the local accounts was a pain, too. Having a separate Domain
account may not be ideal, but it's considerably better than the many
local accounts route. As far as making a Child Domain, we didn't do
that since we wanted the internal and DMZ environments to be completely
separate.
 
Simon Geary

I think this would have a few security disadvantages in the number of holes
that would have to be put in the firewall. A child domain in the DMZ would
require an unacceptable number of ports to be opened between the DMZ and the
internal network to allow for replication etc. Even if a VPN was put in
place to reduce the number of open ports required, you would then have to
manage the VPN and the things that can go wrong with it, with no perceptible
benefit.

A dedicated domain in the DMZ is better than a child domain but still not a
good idea from a security point of view. I guess it comes down to the old
battle between security and manageability. Our DMZ has a handful of web
servers so local accounts are fine. If you have hundreds of servers I
suppose you would have to consider more carefully.