Internal and DMZ domain

Hau Nguyen

Hello all,
I'm recently debating whether to create a subdomain or a
new domain for our DMZ segment, which is separated from
our internal network by a firewall. A new domain will not
involve additional settings on the firewall but double work
managing user accounts/passwords. On the other hand, a
subdomain may pose a security risk to the internal network.
Does anyone have experience on this issue? And what are the
minimum requirements for DCs to communicate over a
firewall? Thanks for your help!

Hau
Matjaz Ladava [MVP]

http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
explains the needed ports. They are quite few. Personally I don't like my domain
(even a subdomain) to extend into the DMZ zone. If I need one, I'd rather create a
separate forest in the DMZ.
Just out of curiosity, why do you need a domain in the DMZ?
--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
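One way to verify, from a DMZ host, which of the ports a domain member or DC needs are actually reachable through the firewall, as an added PowerShell example that is not part of this thread or of the linked article. The port list reflects Microsoft's published Active Directory port requirements as I know them (an assumption, since the page itself lists none), and the DC name is a placeholder.

```powershell
# Added example: probe TCP reachability of the well-known AD ports from a
# DMZ host to an internal DC. Port/service pairs are assumed from Microsoft's
# documented AD port requirements, not taken from the thread.
# Note: this checks TCP only. DNS, Kerberos and LDAP also use UDP on 53/88/389,
# and RPC-based traffic (replication, Netlogon) additionally needs the dynamic
# RPC port range behind the endpoint mapper (135); test those separately.
function Test-DcPorts {
    param(
        [Parameter(Mandatory)] [string] $InternalDc
    )
    $ports = @(
        @{ Port = 53;   Service = 'DNS' }
        @{ Port = 88;   Service = 'Kerberos' }
        @{ Port = 135;  Service = 'RPC endpoint mapper' }
        @{ Port = 389;  Service = 'LDAP' }
        @{ Port = 445;  Service = 'SMB (SYSVOL/Netlogon)' }
        @{ Port = 464;  Service = 'Kerberos password change' }
        @{ Port = 636;  Service = 'LDAP over TLS' }
        @{ Port = 3268; Service = 'Global Catalog' }
        @{ Port = 3269; Service = 'Global Catalog over TLS' }
    )
    foreach ($p in $ports) {
        # Test-NetConnection (Windows 8 / Server 2012 and later) does a TCP connect
        $r = Test-NetConnection -ComputerName $InternalDc -Port $p.Port `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $p.Port
            Service = $p.Service
            Open    = $r.TcpTestSucceeded
        }
    }
}

# Placeholder DC name; run from a DMZ host and compare against what you
# intended the firewall to permit. Any unexpected 'True' is worth investigating.
Test-DcPorts -InternalDc 'dc01.internal.example' | Format-Table -AutoSize
```

Ports reported open that you did not deliberately allow indicate the firewall rule between DMZ and internal network is wider than intended, which is the risk the poster was weighing when considering extending the domain into the DMZ.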
 
Hau Nguyen

I agree with you. I have several servers in the DMZ
segment that service www, ftp, email content filtering,
and other front-end interfaces for web applications. So a
domain, or a solution that allows me to centrally manage users
(instead of duplicating local users/passwords to multiple
servers), becomes quite useful. BTW, I'm a newbie with MS
AD. Thanks again for your advice!

Hau