Re: Coming Online. Help?

From: x y (jamescagney90210@yahoo.com)
Date: 05/11/02


From: "x y" <jamescagney90210@yahoo.com>
Date: Sat, 11 May 2002 08:12:31 -0400


"JBennet" <jsnbnt343@neutralisego.com> wrote in message
news:3cdf72a9.9183129@news.alt.net...
>
>
> Any replies greatly appreciated - and anyone who would like
> to help someone getting started please email me. I know
> Windows 95/98 well, and have run Redhat Linux a bit.
>
> Windows 2000 Server/SP2, MDAC 2.5/SP2, IIS5 - latest
> rollup and hot fixes on a dedicated server.
>
> 3 domains, each on their own IP - 2 business presence on
> the web, 1 POP email site (with the idea of hosting later).
> No outside connections presently except web browsing\POP.
> I will be my own DNS but am allowed zones on the host DNS
> machines. Would this be correct:
>
> Integrate DNS into AD create the primary DC for
> 'domain1.com' able to create child.domain1.com etc.
> in the future.
>
> Create domain2.com and domain3.com each with
> separate DC.
>
> Create 3 zones on the host DNS machines for redundancy.
>
> One forest.
>
> If this is correct or almost correct my main question concerns
> forest\trees. Is it one forest 2 trees or is it 3 forests?

I'm not sure I really understand what you're doing or what the question is.
It sounds like you need at least one domain [e.g. one forest with one tree
with one domain] that hopefully does not include any of your internet
servers. I believe you also want to have at least four DNS servers: two
for your internal Windows domain and two for external hosting. You could do
it with two if your internal and external domains are not named the same
thing, e.g. not both named companyname.com, but it's better security to
separate them [you don't really want people on the internet being able to
see your internal IP addresses, server and machine names, Windows domain
name, etc.].

You can, if you wish, create a second or third forest containing an extra
tree and domain for your internet servers. It depends on whether you need
to use a Windows domain to keep all the users and passwords in one central
database and choose to use Windows authentication to do that, though that
means you will need to allow Windows networking on your DMZ servers and
possibly through your DMZ firewall, which is to be avoided. Another option
is to use local security and workgroups, though if you have to set up a lot
of login IDs on multiple redundant servers, this may not be the best idea.
Or maybe there's an option to use some sort of third-party non-Windows
authentication.

If you're not setting up any outside IDs or passwords on the web servers and
those servers don't need to access other servers for content, you may want
those in a separate workgroup. Sounds like the only servers where you need
authentication currently are your POP servers, so maybe those are the only
ones you want to put in a domain model.

I assume you know that just because you have two internet domain names, you
are not forced into using zero, one or two Windows domains; you can choose
the number of domains you wish.

I also assume you know that creating three zones on DNS does not necessarily
create redundancy. Having two or more DNS machines creates redundancy. The
number of zones is up to you, one zone per internet domain.

If you use an AD domain, you do need a DNS server for that domain, but you
do not need to choose AD-integrated, unless you think the features of
AD-integrated are good for you. I prefer running standard primary and
secondary zones so the DNS tables are in plain text files that are easy to
back up and restore. AD DNS restores involve restoring the entire registry
and system state, which seems like asking for trouble. You may be able to
run one AD-integrated zone and one secondary server and back up the text
files on the secondary server.
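The reply above makes two checkable points: the externally hosted zone should not reveal internal addresses, machine names or Windows domain records, and redundancy comes from having two or more DNS machines, not from the number of zones. The following is an added example, not code from either poster; it assumes the zone is kept as a standard plain-text primary zone file (the format the reply prefers) and uses constructed, hypothetical names and addresses for domain1.com. It parses the zone and flags RFC 1918 addresses, Active Directory service records (the _msdcs/_ldap/_kerberos names an AD domain publishes) and a zone that lists fewer than two distinct nameservers.

```python
"""Audit an externally served plain-text zone file for internal leakage
and nameserver redundancy (added example; constructed sample data)."""
import ipaddress

# Constructed sample zone for domain1.com (hypothetical names and addresses).
# The last two records are deliberate leaks so the audit has something to flag.
EXTERNAL_ZONE = """\
$ORIGIN domain1.com.
$TTL 3600
@     IN SOA ns1.domain1.com. hostmaster.domain1.com. ( 2002051101 3600 900 604800 3600 )
      IN NS  ns1.domain1.com.
      IN NS  ns2.isp-host.example.
ns1   IN A   203.0.113.10
www   IN A   203.0.113.20
mail  IN A   203.0.113.30
@     IN MX  10 mail.domain1.com.
dc1   IN A   192.168.1.5                 ; internal DC address, should not be here
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.domain1.com.
"""

# RFC 1918 and other address ranges that have no business in a public zone.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
# Owner-name labels that only an Active Directory domain publishes.
AD_LABELS = ("_msdcs", "_ldap", "_kerberos", "_kpasswd", "_gc", "_sites")


def qualify(name, origin):
    """Turn a zone-file owner name into a fully qualified name ending in '.'."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Parse a standard plain-text zone into (owner, type, rdata-tokens) tuples.

    Handles $ORIGIN, $TTL, ';' comments, blank-owner continuation lines,
    optional TTL and class fields, and a single-line parenthesised SOA.
    """
    origin = "."
    last_owner = "@"
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                  # $TTL etc.: nothing to audit
            continue
        tokens = line.split()
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        last_owner = owner
        if tokens and tokens[0].isdigit():        # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = [t for t in tokens if t not in ("(", ")")]
        records.append((qualify(owner, origin), rtype, rdata))
    return records


def audit_external_zone(records):
    """Return (issue, owner, detail) tuples for records that leak internal
    infrastructure or leave the zone without nameserver redundancy."""
    findings = []
    ns_targets = set()
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata[0])
            if any(addr in net for net in PRIVATE_NETS):
                findings.append(("private-address", owner, str(addr)))
        if any(label in AD_LABELS for label in owner.rstrip(".").split(".")):
            findings.append(("ad-service-record", owner, rtype))
        if rtype == "NS":
            ns_targets.add(rdata[0].lower())
    if len(ns_targets) < 2:
        findings.append(("single-nameserver", "zone", f"{len(ns_targets)} NS record(s)"))
    return findings


if __name__ == "__main__":
    for issue, owner, detail in audit_external_zone(parse_zone(EXTERNAL_ZONE)):
        print(f"{issue:20} {owner:40} {detail}")
```

Run against the sample it reports the 192.168.1.5 host record and the _msdcs SRV record; the two NS records pass the redundancy check. Running the same audit over each zone file exported from the secondary server is a cheap way to confirm that the outside view of the DNS never carries the internal Windows namespace.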