AD publicly available

[disturbedone]

I work at a school and we have a piece of software/database for all staff, students & parents. This has details like names, addresses, DOBs, timetables, attendance, marks, correspondence etc (a LOT of stuff). Staff log using AD credentials to mark the roll, enter test marks etc.

The staff component of this software is publicly available via a website. This web server is hosted by us on a W2K8R2 server in our DMZ. Another website (on the same web server) is available for parents to logon to download student reports etc but this is not currently running.

A new piece of software that does a variety of things is soon to be implemented. This will primarily be a LMS (Learning Management System) where teachers can enter class work that students can access from home. Parents need to be put in AD for this to work and we will implement Microsoft Forefront Identity Manager to manage account creation/change/deletion.

We currently have a single W2K8R2 domain ie myschool.local. Staff & students are in this domain. There are 2x DCs in the LAN. I'm looking for thoughts/advice on the best way to configure AD to allow this to work.

Questions I can think of:
[ol 1]
[li]Should a new domain (trust to existing domain?) be created for parents?[/li]
[li]Should a DC be put in the DMZ?[/li]
[li]Is it safe to have a new DC in the DMZ on the existing domain?[/li]
[/ol]

 

[ntinlin]

You would never put a DC into a DMZ.

Since you already have a solution set up that works for you I don't see the point in setting up a separate domain.
And you've obviously already got the firewall rules set up to allow your DMZ server through to your internal DC for authentication.

Therefore I would just add your parents to your existing AD under another OU with the most basic permissions you can.

If this is a requirement from your local education department or county authority I would have thought they would also be supplying you with best practise?

 

[disturbedone]

This is an independent private school so no overall education department is involved.

The LMS provider wants to use SLDAP. I'm thinking of getting them to not use port 636 but rather eg 12636 and use port redirection to port 636 on the DC. The reason for thinking of putting a DC in the DMZ is that without it I'm allowing direct access from the Internet to our LAN. But I guess it will be locked down to the provider's IP address so it should be ok.

 

[disturbedone]

I'm going to look into this

http://www.thegeekispeak.com/ad-lds-101

Anyone used it for such a scenario?

 

[58sniper]

Never EVER put a DC in the DMZ. If you need to publish something, you can use TMG (if you already have it, as it's no longer available) or UAG.

Do you have your Tek-Tips.com Swag? I've got mine!

Stop by the new Tek-Tips group at LinkedIn.

 

[disturbedone]

A couple of questions....

1. How was this done before TMG/UAG existed?
2. Would LDS be able to achieve this if UAG was over the top for what is required

 

[58sniper]

Well, TMG has been around for a while, and before that there was ISA, which has been around forever. And before that, the security threats were much different than they are now.

Do you have your Tek-Tips.com Swag? I've got mine!

Stop by the new Tek-Tips group at LinkedIn.

 

[disturbedone]

Of course, I forgot about ISA.

What about LDS? Would be it be possible to use as a simple option?