Will
Guest
Posted: Sun Oct 30, 2005 9:50 am
Post subject: Domain Controller That Services a DMZ
Assume that a network has several segments that together comprise a DMZ for
the network. One of the DMZ network segments holds an Active Directory
domain controller that is tightly controlled behind a firewall to provide
for authentication, group policy, etc. for the DMZ. The DMZ AD domain is a
leaf domain in a forest. The other nodes of the forest are on a different
segment behind the firewall. How should I configure the DMZ AD domain
controller if I want to have users in the DMZ log in with the same domain
accounts that they use on the internal network, BUT I do NOT want anyone in
the DMZ to be able to use the DMZ domain controller to look up the DNS
information for machines on the internal domain?
Up to now, I have configured leaf-domain domain controllers in DNS to
forward any unresolved request to the root domain. In this case I don't
want to do that since the root is all-knowing and would reveal back the
locations of any internal machine. At the same time the DMZ domain cannot
authenticate against the internal user database without going through the
root domain. Does that create a Catch-22 where I need to forward user login
and authentication information to the root, but I don't want to forward DNS
queries? Or is the behavior of forwarding user credentials and machine
authentication from the leaf domain to the root domain just intrinsic to
Active Directory, and totally independent of the DNS forwarding
configuration on the leaf domain's domain controllers' DNS server settings?
It's not clear to me what - if any - impact DNS server forwarder settings
have on user and machine authentication in AD.
--
Will

Roger Abell [MVP]
Guest
Posted: Sun Oct 30, 2005 1:50 pm
Post subject: Re: Domain Controller That Services a DMZ
Where DNS resolution is done, and what resolution path is used, is
independent from how accounts are authenticated and what Kerberos
referral path might be used. What is important is that DNS resolution
is provided as it is needed for finding the DCs' SRV records.
So, you evidently have machines in that DMZ on which people can
cause things they desire to execute? Otherwise why are you concerned
about the DNS server of the root domain being accessible from the
machines in the DMZ (if they only did what you have designed for them
to do)?
Just as an FYI, I find the design you outline hazardous, using a domain
of the main corp forest out in the DMZ instead of having a separate
forest out there, and if needed having it trust an internal account domain.
"Will" <westes-usc@noemail.nospam> wrote in message
news:%23%23khi5Q3FHA.732@TK2MSFTNGP10.phx.gbl...
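An added check (not from either poster) that makes Roger's point concrete from the DMZ side: the DC locator SRV records for the DMZ domain and for the forest root must resolve through the DMZ DNS server for Kerberos referrals to work, while an ordinary internal host name should not. All addresses and domain names are placeholders; it assumes the DnsClient module's Resolve-DnsName is available.

```powershell
# Added example, not code from the thread. Run from a host in the DMZ.
# Placeholder values: replace with the real DMZ DNS server and domain names.
$DmzDns       = '10.0.0.10'                 # placeholder: DMZ DC / DNS server
$DmzDomain    = 'dmz.example.com'           # placeholder: DMZ leaf domain
$RootDomain   = 'example.com'               # placeholder: forest root domain
$InternalHost = 'fileserver01.example.com'  # placeholder: internal name that must stay hidden

function Test-SrvRecord {
    param([string]$Name)
    try {
        $r = Resolve-DnsName -Name $Name -Type SRV -Server $DmzDns -DnsOnly -ErrorAction Stop
        $targets = ($r | Where-Object { $_.Type -eq 'SRV' } |
                    ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        [pscustomobject]@{ Record = $Name; Resolves = $true;  Targets = $targets }
    } catch {
        [pscustomobject]@{ Record = $Name; Resolves = $false; Targets = '' }
    }
}

# DC locator records a DMZ client and its DC need: the DMZ domain's own,
# plus the root domain's, because the Kerberos referral path goes via the root.
$required = @(
    "_ldap._tcp.dc._msdcs.$DmzDomain",
    "_kerberos._tcp.dc._msdcs.$DmzDomain",
    "_ldap._tcp.dc._msdcs.$RootDomain",
    "_kerberos._tcp.dc._msdcs.$RootDomain"
)
$results = $required | ForEach-Object { Test-SrvRecord $_ }
$results | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.Resolves }
if ($missing) {
    Write-Warning "Missing SRV records (authentication will fail): $($missing.Record -join ', ')"
}

# An ordinary internal host name must NOT be resolvable through the DMZ DNS server.
try {
    $leak = Resolve-DnsName -Name $InternalHost -Type A -Server $DmzDns -DnsOnly -ErrorAction Stop
    Write-Warning "$InternalHost resolved to $($leak.IPAddress -join ', ') via $DmzDns; internal names are exposed"
} catch {
    Write-Output "$InternalHost does not resolve via $DmzDns (expected)"
}
```

If the root's SRV records are missing, the forwarder has been cut too aggressively; if the internal host resolves, the DMZ server is forwarding (or hosting) more of the internal namespace than intended.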