
AD and Trusts over a DMZ



    I have posted this query elsewhere (another site) with no response. Since I've used Petri a lot over the years, I felt this would be a good source of expertise for another posting and a good excuse to sign up.

    Currently I have two separate 2003 native domains in separate forests. One is deployed on our LAN and the other on my DMZ. This is a test bed before I do anything to our live systems.

    Due to some new requirements I have had to set up a one-way trust between the two so that our LAN users' access to the DMZ-based servers can be controlled. This has been done and works on my test servers, with one issue explained below.

    What I thought happened in this scenario was that all authentication requests would filter from the servers in the DMZ to the DMZ DC then to the LAN DC so the only cross zone communications would be between the DCs.

    This does not seem to be the case. My test server in the DMZ domain will only log in correctly with a LAN user when I open ports to the LAN DC. I may as well join it to the LAN domain in this instance...

    What I want to avoid is Swiss-cheesing my firewall to allow each DMZ server access to my internal DC, as I have approximately 50 DMZ servers that will require it when I push this live.

    Does anyone have any suggestions or thoughts on this?
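
    The following script is an added example, not part of the original post or a reply in this thread. It is meant to be run on a DMZ member server in the trusting domain to show which of the well-known DC ports on a DC in the trusted (LAN) domain are actually reachable through the firewall, whether DC locator can even find a LAN DC from the DMZ, and what Netlogon reports about the trust. The domain name, DC hostname and the port list are assumptions for illustration; the port list is the usual set for Kerberos, LDAP, SMB/Netlogon and the global catalog, and does not include the dynamic RPC high ports handed out by the endpoint mapper.

```powershell
# Added example (not from the original thread): probe, from a DMZ member server,
# whether the well-known ports a trusting-domain member uses to reach a DC in the
# trusted domain are open through the firewall.
# $TrustedDomain and $TrustedDc are assumed names; replace them with your own.
param(
    [string]$TrustedDomain = 'lan.example.local',          # assumed LAN domain name
    [string]$TrustedDc     = 'lan-dc01.lan.example.local'  # assumed LAN DC hostname
)

# Fixed ports commonly involved in cross-domain authentication and lookups.
# The RPC endpoint mapper (135) refers callers on to a dynamic high port, so an
# ACL that opens only these fixed ports can still leave RPC-based traffic
# (for example NTLM pass-through over Netlogon) blocked.
$ports = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB / Netlogon' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global catalog' }
)

# 1. Can this server locate a DC for the trusted domain at all?
#    DC locator relies on DNS SRV records, so a DMZ DNS server that cannot
#    resolve the LAN zone fails here before any port is ever opened.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV record for $TrustedDomain; DC locator will not find a LAN DC from here."
}

# 2. TCP reachability of each fixed port on the trusted-domain DC.
#    -InformationLevel Quiet makes Test-NetConnection return a plain Boolean.
$results = foreach ($p in $ports) {
    $open = Test-NetConnection -ComputerName $TrustedDc -Port $p.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p.Port; Service = $p.Name; Open = $open }
}
$results | Format-Table -AutoSize

# 3. Ask Netlogon what it sees: the secure channel from this member to a DC in
#    its own (DMZ) domain, and whether it can locate a DC in the trusted domain.
$computerDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
nltest /sc_query:$computerDomain
nltest /dsgetdc:$TrustedDomain
```

    Run it with the firewall rules in their intended final state and compare the table against what the logon actually needs: a port that shows Open = False while logon still works is one you do not have to open, and a failure in step 1 points at DNS rather than the firewall.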

  • #2
    Re: AD and Trusts over a DMZ

    Actually, this should probably be in the AD forum area. Sorry. I haven't double-posted it there, so can it be moved, please?


    • #3
      Re: AD and Trusts over a DMZ

      I don't think you can communicate through a firewall without poking holes in it. Can you set up a VPN between the sites? At least there you'll only have to open up one hole...

      IMHO, I think you're better off configuring your firewall to allow your users to communicate with your DMZ systems. What I usually set up is a jump server, so you only have one hole in the FW; then users can go from there to any other system they need.


      • #4
        Re: AD and Trusts over a DMZ

        The way I see it at the moment, after spending basically the whole of yesterday researching this, I've come up with three potential options.

        1. IPsec where possible and poke loads of holes.
        2. Put an internal DC into the DMZ, maybe a Windows 2008 read-only DC, if that's even possible with a 2003 native domain.
        3. Create a couple of endpoints on either side and set up a VPN between them.

        I'm going to do a bit more research this morning, but I'm preferring option 3 at the moment as it seems to be the most secure.