Active Directory and DMZ


Stuart Arnold

We are soon to be implementing a DMZ within our network.
The premise we are trying to follow is to organise the
network via the main areas of access (e.g. the DMZ for
Admin work, internal network for domain users, wireless
network for specified domain users ..etc..)

In this situation is the best way to organise this
(through Active Directory), to configure them as separate
domains (eg. dmz.my_company.com,
wireless.my_company.com ..etc..)??

The reason why I ask is that certain users will require
access to each of the domains, and this may prove a
nightmare in administering AD - such as setting up the
accounts, and more importantly ensuring users can
remember their log-on and password for each area of
access??

Any help and advice would be much appreciated

Thanks in advance

Stuart
 
Active Directory should make it easier.

Suppose person A requires access to resources in Domain AA, Domain BB
and Domain CC. Make a local group in each Domain to give access to the
resource. Create a Global group in A's Domain (say Domain DD) and add
it to the local group which gives access to the resource. Everyone
from Domain DD who needs that access is put into the same group.

Person A then only logs in *once* and has access to the resources
he/she needs in other Domains.

As an alternative to Global groups, you could use Universal groups
which cuts down on the number of groups but increases traffic when
there are changes.

Plan it all well, and you will not have to change the group structure
very often at all. You just add the people to the appropriate groups
and only when their needs change. They will only ever sign on once.

Cheers,

Cliff
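
The nesting described in the reply above (accounts into a Global group in Domain DD, that group into a local group in each resource domain), as an added example that is not part of the original thread. The FQDNs, group names and account name are hypothetical, and it assumes a single forest, the RSAT ActiveDirectory module, and that the resource ACLs are granted to the domain local group.

```powershell
# Added example, not from the thread. All FQDNs, group names and the account
# name are hypothetical stand-ins for domains AA, BB, CC and DD in the reply.
# Assumes one forest, the RSAT ActiveDirectory module, and rights in each domain.
Import-Module ActiveDirectory

$accountDomain   = 'dd.example.com'      # Domain DD: where person A's account lives
$resourceDomains = 'aa.example.com', 'bb.example.com', 'cc.example.com'
$globalName      = 'GG-Admin-Staff'      # Global group: holds the people
$localName       = 'DL-AdminShare-Read'  # Domain local group: holds the permission
$user            = 'personA'             # sAMAccountName in Domain DD

# Return the named group from a domain, creating it with the given scope if absent.
function Get-OrCreateGroup($Name, $Scope, $Server) {
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -Properties member -Server $Server
    if (-not $g) {
        $g = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
                -GroupCategory Security -Server $Server -PassThru
    }
    return $g
}

# 1. Global group in DD; day-to-day membership changes happen only here.
$gg     = Get-OrCreateGroup $globalName 'Global' $accountDomain
$userDn = (Get-ADUser -Identity $user -Server $accountDomain).DistinguishedName
if ($gg.member -notcontains $userDn) {
    Add-ADGroupMember -Identity $gg -Members $userDn -Server $accountDomain
}

# 2. One domain local group per resource domain, with the DD global group nested in it.
foreach ($domain in $resourceDomains) {
    $dl = Get-OrCreateGroup $localName 'DomainLocal' $domain
    if ($dl.member -notcontains $gg.DistinguishedName) {
        # Passing the group object lets the cmdlet resolve a member from another domain.
        Add-ADGroupMember -Identity $dl -Members $gg -Server $domain
    }
    # 3. Review: any member other than the global group bypasses the group design.
    $extra = (Get-ADGroup -Identity $dl -Properties member -Server $domain).member |
             Where-Object { $_ -ne $gg.DistinguishedName }
    if ($extra) { Write-Warning "$domain\$localName has direct members: $($extra -join '; ')" }
}
```

The warning in step 3 is a periodic review aid: accounts added straight to a resource domain's local group get access that nobody managing the Global group in DD will see.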
 
Thanks guys for your comments - they have been extremely
helpful.

Regards

Stuart
 