Domain Controller That Service a DMZ

From: Will (westes-usc_at_noemail.nospam)
Date: 10/30/05

Date: Sat, 29 Oct 2005 21:58:21 -0700


Assume that a network has several segments that together comprise a DMZ for
the network. One of the DMZ network segments holds an Active Directory
domain controller that is tightly controlled behind a firewall to provide
for authentication, group policy, etc. for the DMZ. The DMZ AD domain is a
leaf domain in a forest. The other nodes of the forest are on a different
segment behind the firewall. How should I configure the DMZ AD domain
controller if I want to have users in the DMZ log in with the same domain
accounts that they use on the internal network, BUT I do NOT want anyone in
the DMZ to be able to use the DMZ domain controller to look up the DNS
information for machines on the internal domain?

Up to now, I have configured leaf-domain domain controllers in DNS to
forward any unresolved request to the root domain. In this case I don't
want to do that since the root is all-knowing and would reveal back the
locations of any internal machine. At the same time the DMZ domain cannot
authenticate against the internal user database without going through the
root domain. Does that create a Catch-22 where I need to forward user login
and authentication information to the root, but I don't want to forward DNS
queries? Or is the behavior of forwarding user credentials and machine
authentication from the leaf domain to the root domain just intrinsic to
Active Directory, and totally independent of the DNS forwarding
configuration on the leaf domain's domain controllers' DNS server settings?
It's not clear to me what, if any, impact DNS server forwarder settings
have on user and machine authentication in AD.

-- 
Will
    
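An added example, not part of the original post or its replies, illustrating the distinction the question turns on. Cross-domain authentication is not independent of DNS: before any Kerberos or trust traffic flows, the DC locator on the DMZ domain controller must find a root-domain DC through the SRV records under `_msdcs.<forest root>`, so resolution toward the root cannot be switched off entirely. What can be changed is its scope: a server-level forwarder sends every unresolved query inward, whereas a conditional forwarder sends only queries for the named zone. The script below, written for the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later, so not the 2005-era tooling the poster would have had), replaces the blanket forwarder with a conditional one and then checks that the locator records still resolve. The forest root `corp.example`, the internal DNS addresses `10.0.0.10`/`10.0.0.11`, and the unrelated internal zone `corp.local` are all assumed placeholder values.

```powershell
# Added example, not from the original post. All names and addresses are assumed:
# forest root corp.example, internal DNS servers 10.0.0.10 and 10.0.0.11.
# Run on the DMZ domain controller that hosts the leaf domain's DNS service.

$forestRoot  = 'corp.example'                # assumed forest root domain
$internalDns = @('10.0.0.10', '10.0.0.11')   # assumed internal DNS servers allowed through the firewall

# 1. List the server-level forwarders. These send every unresolved query inward,
#    which is exactly the exposure the question is about.
Write-Host 'Current server-level forwarders:'
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress

# 2. Remove the blanket forwarders (review the list from step 1 first).
foreach ($fwd in (Get-DnsServerForwarder).IPAddress) {
    Remove-DnsServerForwarder -IPAddress $fwd -Force
}

# 3. Add a conditional forwarder for the forest-root zone only. Longest-suffix
#    matching means _msdcs.corp.example is covered as well. ReplicationScope
#    'Domain' keeps the forwarder on the leaf domain's DCs instead of pushing
#    it to every DNS server in the forest.
if (-not (Get-DnsServerZone -Name $forestRoot -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $forestRoot `
        -MasterServers $internalDns -ReplicationScope 'Domain'
}

# 4. Verify that the DC locator can still reach the root domain: these are the
#    SRV records consulted before any Kerberos referral or trust traffic.
foreach ($svc in @('_ldap._tcp.dc', '_kerberos._tcp.dc')) {
    Resolve-DnsName -Name "$svc._msdcs.$forestRoot" -Type SRV -Server 127.0.0.1 |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port
}

# 5. Confirm that a name in an unrelated internal zone (assumed: corp.local) no
#    longer resolves through this server. A name-resolution error here is the
#    intended result; a successful answer means a blanket path still exists.
$leak = Resolve-DnsName -Name 'intranet.corp.local' -Server 127.0.0.1 -ErrorAction SilentlyContinue
if ($leak) { Write-Warning 'Internal zone corp.local is still resolvable from the DMZ DC' }
else       { Write-Host 'corp.local not resolvable from the DMZ DC (expected)' }
```

The caveat a practitioner should keep in view: the conditional forwarder still answers for every name inside the forest-root zone itself, because the DMZ server simply relays those queries to the internal DNS servers. Narrowing what is revealed about hosts in that zone therefore has to happen on the internal side (what the queried internal DNS servers are willing to return for that zone, and which source addresses the firewall lets reach them), not on the DMZ DC alone.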

