Marlon Brown (Guest)
Posted: Thu Nov 03, 2005 5:50 pm
Post subject: Question on DNS name space for New "Perimeter AD Forest"
I have a Win2003 AD corporate domain, name space "mycompany.com".
My "external" DNS servers' name space is "company.com".
Now I need to build a Forest in the "Perimeter network". I will put
primarily Sharepoint servers in such a "Perimeter Forest". I will let
"Internet" users as well as my corporate users access such a Sharepoint solution.
Users are accustomed to typing http://mysharepoint.mycompany.com to get to our
existing (temporary) Sharepoint solution.
I think even if the DNS domain name is different in the Perimeter Domain I
could put a redirection in ISA 2004 to make that transparent to people, I
hope.
Typically, how would you set up the DNS name for such a "Perimeter Active
Directory Forest"?
Marlon Brown (Guest)
Posted: Thu Nov 03, 2005 9:50 pm
Post subject: Re: Question on DNS name space for New "Perimeter AD Forest"
Oops, missing a dot: the internal name space is "my.company.com".
"Marlon Brown" <nomail@brown.com> wrote in message
news:OXupYqJ4FHA.2424@TK2MSFTNGP10.phx.gbl...
Ace Fekay [MVP] (Guest)
Posted: Fri Nov 04, 2005 9:50 am
Post subject: Re: Question on DNS name space for New "Perimeter AD Forest"
In news:OXupYqJ4FHA.2424@TK2MSFTNGP10.phx.gbl,
Marlon Brown <nomail@brown.com> made this post, which I then commented about
below:
Assuming there's a NAT device between the DMZ and the internal network, and
as long as the DMZ forest has nothing to do with the internal forest, you
can simply install DNS, then promote the first machine into this forest and
dcpromo will automatically create and configure the zone for you, whatever
you call the zone. In your scenario, it appears you want to create the
forest name as company.com. Then you can create a subdomain called "my",
then another subdomain, or just simply an A record, called 'mysharepoint',
and provide the IP of the IIS server.
I'm not sure if you have a NAT device, and assuming so, I just wanted to
point out that NAT devices do not traverse LDAP, Kerberos or RPC
communication. This has always been a design challenge when domain
authenticated communication between the internal and external nets is
required. If you need to communicate between the two across the NAT using
UNCs, drive mappings, etc., it won't be possible, but you can configure
either a VPN between the Sharepoint machine and the internal net, or simply
install two NICs, one connected internally, one connected externally. But
dual NICs on a DC can be *very* problematic.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
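Ace's layout puts the DMZ forest at company.com with a "my" subdomain, while the internal forest (per Marlon's correction) is itself named my.company.com, so an internal DNS server is authoritative for mysharepoint.my.company.com and will never ask the DMZ zone for it. The following is an added example, not code from the thread or from either poster: it models the two DNS views and flags the zone that still needs its own record; the zone names follow the thread, the addresses and the `dc1` record are constructed.

```python
# Added example, not from the thread: a model of the two DNS "views" the
# thread describes. Zone names follow the thread; addresses are constructed.

# Each view maps an authoritative zone -> {relative name: IPv4}; "@" = apex.
INTERNAL_VIEW = {  # corporate forest, named my.company.com
    "my.company.com": {"@": "10.0.0.10", "dc1": "10.0.0.10"},
}
DMZ_VIEW = {  # perimeter forest company.com with subdomain "my"
    "company.com": {"@": "192.168.1.10", "mysharepoint.my": "192.168.1.20"},
}


def longest_zone(name, view):
    """Most specific hosted zone that contains `name`, or None.

    This is how a server picks the zone it is authoritative for: with
    my.company.com hosted, mysharepoint.my.company.com belongs to it and the
    server never consults anyone else's company.com zone for that name.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in view:
            return candidate
    return None


def resolve(name, view):
    """Look `name` up in one view: IPv4, 'NXDOMAIN' (zone hosted, record
    missing) or 'NOT_AUTH' (no hosted zone covers the name)."""
    zone = longest_zone(name, view)
    if zone is None:
        return "NOT_AUTH"
    rel = name.lower().rstrip(".")[: -len(zone)].rstrip(".") or "@"
    return view[zone].get(rel, "NXDOMAIN")


def split_brain_gaps(name, views):
    """Views in which `name` does not resolve: the zones whose admins still
    need to add their own record (or publish the name through ISA)."""
    results = {label: resolve(name, v) for label, v in views.items()}
    return {l: r for l, r in results.items() if r in ("NXDOMAIN", "NOT_AUTH")}


if __name__ == "__main__":
    views = {"internal": INTERNAL_VIEW, "dmz": DMZ_VIEW}
    print(split_brain_gaps("mysharepoint.my.company.com", views))
```

With the thread's layout the internal view reports NXDOMAIN for mysharepoint.my.company.com; adding an A record for mysharepoint to the internal my.company.com zone clears the gap.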
Marlon Brown (Guest)
Posted: Fri Nov 04, 2005 5:50 pm
Post subject: Re: Question on DNS name space for New "Perimeter AD Forest"
Thanks!
Between the "Perimeter AD Forest" and "my internal" network I will have ISA
2004, which yes, as far as I understand, would be doing NAT since the
"Internet" NIC of the ISA server has the IP address 1.1.1.1.
Then the "Perimeter AD Forest" NIC is configured to use 192.168.x.x
addresses. I am wondering if this will work then...
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:e6d9RyP4FHA.4076@TK2MSFTNGP15.phx.gbl...
Ace Fekay [MVP] (Guest)
Posted: Sat Nov 05, 2005 9:50 am
Post subject: Re: Question on DNS name space for New "Perimeter AD Forest"
In news:%23shHE0V4FHA.2364@TK2MSFTNGP12.phx.gbl,
Marlon Brown <nomail@brown.com> made this post, which I then commented about
below:
Quote:
Thanks!
Between the "Perimeter AD Forest" and "my internal" network I will
have ISA 2004, which yes, as far as I understand, would be doing NAT
since the "Internet" NIC of the ISA server has the IP address 1.1.1.1.
Then the "Perimeter AD Forest" NIC is configured to use 192.168.x.x
addresses. I am wondering if this will work then...
Sure, if the forest will be by itself in the perimeter (DMZ), and is on the
internal private side, I don't see why not.
Ace