Re: Member Server Login Slow DMZ-Internal Subnet

From: Ace Fekay [MVP] (PleaseSubstituteMyFirstName&LastNameHere_at_hotmail.com)
Date: 05/02/03


Date: Thu, 1 May 2003 21:31:50 -0400


In news:eI1TalCEDHA.588@TK2MSFTNGP10.phx.gbl,
Dmitry Korolyov <d__k@mail.ru> posted his concerns then I replied way down
below:
>
> "Steve K." <skonde@hotmail.,com> wrote in message
> news:ONN6bhCEDHA.2500@TK2MSFTNGP11.phx.gbl...
>> But did I mention that the firewall log showed a successful port 53
>> connection to each DC from the DMZ machine? Though I do see what
>> you are saying about AD subnet-sites and services. The only DNS
>> server specified in the DMZ machine is the closest AD DC DNS.
>> Should I put a reference to the other two DNS servers in?
>
> This is not required, but you can do it to provide fault tolerance.
>
>> BTW, Member Server which was originally installed in the internal
>> subnet (10.) now has a 192. address.
>>
>> Do you think I need to put a DC on my DMZ subnet in order to speed
>> up login time?
>
> No, since your DNS configuration seems to be OK, you'd better check the
> subnet-to-site mapping issue. Though usually it is not recommended to
> place domain members in a DMZ. In this case, if "bad guys" get access
> to that server, they will automatically get some access across your
> domain. If you do not need to host any services which require AD
> connectivity, you'd better use stand-alone servers in the DMZ.
>
>>
>> Steve
>>
>>
>>

Dmitry, I totally agree here about the subnet object association and the
lack of the DMZ being associated with any existing site, hence the randomness
of the authentication attempts, and about trying not to use any member
servers. But what I think Steve is trying to do is put an Exchange 2k FE in
the DMZ, correct, Steve? I realized this from our previous conversations.

Just a suggestion for Steve, to add to what you already mentioned:
If you want it to authenticate to, say, DC1, which is in Site-Philly, and you
already associated a subnet object for 192.168.10.0 with Site-Philly, then I
would also create a subnet object for the DMZ subnet (whatever it is) and
associate that subnet object with Site-Philly, so it will always try the DC
in that site first to authenticate to.

--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================
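The subnet-to-site mapping Ace describes above, written out as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2012 or later RSAT), which did not exist when this 2003 thread was written; at the time the same change was made by hand in the Active Directory Sites and Services snap-in. The site name Site-Philly comes from the post; the DMZ range 192.168.50.0/24 is a constructed placeholder. Mapping the DMZ subnet only makes DC selection deterministic; it does not reduce the exposure Dmitry raises about having a domain member in the DMZ at all.

```powershell
# Added example (not from the thread): associate a DMZ subnet with an existing
# AD site so that domain members in the DMZ locate a DC from that site instead
# of a randomly chosen one. Assumes the ActiveDirectory module (Server 2012+).
Import-Module ActiveDirectory

$SiteName  = 'Site-Philly'       # site name taken from the thread
$DmzSubnet = '192.168.50.0/24'   # constructed placeholder: substitute the real DMZ subnet

# 1. Fail early if the target site does not exist.
$site = Get-ADReplicationSite -Identity $SiteName -ErrorAction Stop

# 2. Check whether a subnet object for this range already exists and where it points.
$existing = Get-ADReplicationSubnet -Filter "Name -eq '$DmzSubnet'" -ErrorAction SilentlyContinue

if ($existing) {
    if ($existing.Site -ne $site.DistinguishedName) {
        # A subnet mapped to the wrong site sends DMZ members to the wrong DCs.
        Write-Warning "Subnet $DmzSubnet exists but is mapped to $($existing.Site); re-pointing it to $SiteName."
        Set-ADReplicationSubnet -Identity $DmzSubnet -Site $SiteName
    }
    else {
        Write-Host "Subnet $DmzSubnet is already associated with $SiteName."
    }
}
else {
    # 3. Create the subnet object and associate it with the site.
    New-ADReplicationSubnet -Name $DmzSubnet -Site $SiteName -Description 'DMZ subnet (front-end servers)'
    Write-Host "Created subnet $DmzSubnet in site $SiteName."
}

# 4. Review the full subnet-to-site table so unmapped or mis-mapped ranges stand out.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{ Name = 'Site'; Expression = { ($_.Site -split ',')[0] -replace '^CN=' } } |
    Sort-Object Site, Name |
    Format-Table -AutoSize

# 5. On the DMZ member server itself, confirm which site it now believes it is in
#    and force a fresh DC lookup (replace CONTOSO with the real domain name):
#    nltest /dsgetsite
#    nltest /dsgetdc:CONTOSO /force
```

The `nltest` calls at the end are the check a practitioner wants after the change: if `/dsgetsite` still reports a different site, or `/dsgetdc` keeps returning a DC outside Site-Philly, the subnet object either does not cover the member's actual address or the member has not yet re-evaluated its site, and the slow, random authentication the thread describes will continue.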