Re: Access denied on network share in another domain



Fred,
If the DMZ domain trusts the internal domain, you can push files out to it.
If the internal domain trusts the DMZ domain (not what you want), the DMZ can pull files out from it.
Ideally you would want the DMZ to have no inbound access to the LAN, so you would want to push files out to the DMZ.
Anthony,
http://www.airdesk.com




"r14edge" <r14edge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A7DD8E40-843A-4BFB-8057-58658DC9742F@xxxxxxxxxxxxxxxx
Hello,

I'm setting up a DMZ for my company and I'm facing a big problem. I
planned my DMZ on using a remote file storage located in my internal network
to host my web files. I've built my DMZ in a new domain and I have set up a
trust relationship between my internal domain and my DMZ domain. The trust is
one-way where the incoming trust is my internal domain and my outgoing trust
is my DMZ domain. On my remote file server, I'm able to see the account of my
DMZ domain. I've set up the ACL on my share to be used by a specific account
in the DMZ without any problem.

Now, from any server in my DMZ, I'm able to get on the root (\\10.0.0.0) of
my share but when I click on the share itself, I get an access denied message.
I notice in the security log of the remote server that any DMZ server that
tries to go on the remote file server is logged under NT
AUTHORITY\ANONYMOUS LOGON.

What am I missing here? I believe that computers in my DMZ should log under
their name in the log files, right? When I switch the trust relationship,
it's working like a charm, but I'm exposing my internal domain to my DMZ and
I don't want that.

What can I do to solve this problem?

Thank you for your replies,

Fred
