
Should I use a one way trust in this scenario?

Status
Not open for further replies.

blackrabbit

IS-IT--Management
Aug 22, 2002
204
US
I haven't used domain trusts all that often so I'm not sure what would work here. Our scenario is that we have an AD domain set up in the dmz, let's say company.dmz. It's used for sharepoint stuff because our company is an engineering firm and our clients need access to the project stuff using sharepoint. We create a user account in this dmz domain and they log into the sharepoint from outside so all the people involved can share documents and stuff. This is the way it was explained to me by the people that originally set it up.

Right now some of our internal people need to access the documents on the dmz domain since they are also involved on the projects so we create user accounts for them there. We would like to set up a trust on the dmz domain that will trust user accounts on our internal domain but not the other way around. That way our internal people can log into the dmz sharepoint using their internal domain account so we don't have to keep creating dmz user accounts for them.

Is a one way trust from the dmz domain to the internal domain the way to go? I know a domain in the DMZ might not be a good idea but I didn't implement this. I just need to know about setting up the trust. Thanks.
 
In terms of simply setting up the trust, if the DMZ AD domain trusts the internal LAN AD domain, your internal LAN AD user accounts can access it, but it cannot access anything on your internal LAN AD domain.

This is strictly speaking from a Microsoft NTFS permissions point of view. From a security point of view it's not the best, as you'd be making SMB connections into your DMZ from your internal LAN. Technically speaking there is some level of security risk associated with that.
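
A check for the trust direction discussed in this thread, as an added example that is not part of the original posts: it classifies trust objects as seen from the DMZ (trusting) domain, where a one-way trust of the internal domain appears as `Outbound`. The function name `Test-DmzTrust`, the internal domain name `corp.example` and the sample objects are assumptions constructed for illustration; `Direction` and `SelectiveAuthentication` are properties returned by `Get-ADTrust`.

```powershell
# Added example: audit trusts from the DMZ domain's point of view.
# Test-DmzTrust is a hypothetical helper, not a built-in cmdlet.
function Test-DmzTrust {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Trust,
        # Hypothetical name of the internal LAN domain
        [Parameter(Mandatory)] [string] $InternalDomain
    )
    process {
        $direction = "$($Trust.Direction)"
        $finding = if ($Trust.Name -ne $InternalDomain) {
            'UNEXPECTED: trust with a domain other than the internal one'
        } elseif ($direction -eq 'Outbound') {
            # DMZ trusts internal: internal accounts can log on to DMZ resources
            'OK: one-way, DMZ trusts internal'
        } elseif ($direction -eq 'BiDirectional') {
            'FAIL: two-way, DMZ accounts can also authenticate to the internal domain'
        } elseif ($direction -eq 'Inbound') {
            'FAIL: reversed, internal domain trusts the DMZ'
        } else {
            "REVIEW: direction '$direction'"
        }
        [pscustomobject]@{
            Name                    = $Trust.Name
            Direction               = $direction
            SelectiveAuthentication = $Trust.SelectiveAuthentication
            Finding                 = $finding
        }
    }
}

# Constructed sample objects, shaped like Get-ADTrust output, one per outcome
$sample = @(
    [pscustomobject]@{ Name = 'corp.example';  Direction = 'Outbound';      SelectiveAuthentication = $false }
    [pscustomobject]@{ Name = 'corp.example';  Direction = 'BiDirectional'; SelectiveAuthentication = $false }
    [pscustomobject]@{ Name = 'corp.example';  Direction = 'Inbound';       SelectiveAuthentication = $false }
    [pscustomobject]@{ Name = 'other.example'; Direction = 'Outbound';      SelectiveAuthentication = $false }
)
$sample | Test-DmzTrust -InternalDomain 'corp.example' | Format-Table -AutoSize

# Against the live DMZ domain (requires the ActiveDirectory module):
# Get-ADTrust -Filter * -Server company.dmz |
#     Test-DmzTrust -InternalDomain 'corp.example' | Format-Table -AutoSize
```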
 