
windows 2003 AD question

Status
Not open for further replies.

hellboy101

Programmer
Aug 31, 2005
247
US
Hello all-

If I decide to keep my "root empty" and have two or three child domains, then where can I place my DMZ? Would it essentially be in the empty root? Or could I just make it another child domain? Just curious about this and what a best-practice measure would be.

thanks for any support provided
hb101
 
Why would you want any DMZ computers listed on your domain controller? That means that you would need to have the Domain Controller in the DMZ. Not a really good idea.
 
thx tfg13,

So essentially what would be the right answer? My DMZ computers could be assigned through my PIX firewall and that would be all? If that is the way to handle this, then how will I be able to manage my DMZ systems once my Active Directory schema is truly in place?

thanks for any support provided.

hb101
 
There are several solutions to this issue. One would be to use the Remote Administration feature of the DMZ servers, but this will mean that you need to configure your firewall to allow this only from internal IPs (best-case scenario). Another would be to have your DMZ servers located in an easily accessible spot and manage them "manually". Another solution is to set up a honeypot or honeynet and attempt to have a DC in your DMZ. There is no guarantee that a hacker still wouldn't be able to get to your DC.
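The first option above depends on the firewall only permitting remote-administration ports from internal addresses. The script below is an added example (not from this thread or any poster) that audits a PIX-style access list for that condition: the access-list name, the host addresses and the internal ranges are constructed, hypothetical values, and the sample ACL lines are made up for illustration.

```python
"""Audit a PIX-style ACL so that remote-administration ports on DMZ hosts
are permitted only from internal address ranges.

Added example. ACL lines, subnets and hosts below are constructed and
hypothetical; they are not taken from any real configuration.
"""
import ipaddress

# Remote-administration ports that should never be open to the Internet.
ADMIN_PORTS = {"3389": "RDP", "22": "SSH", "5900": "VNC"}

# Hypothetical internal address space (assumption for this example).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample ACL in PIX-like syntax:
#   access-list NAME permit|deny PROTO SRC SRCMASK DST DSTMASK eq PORT
# PIX uses an ordinary subnet mask (not a wildcard mask) after a network.
SAMPLE_ACL = """
access-list dmz_in permit tcp 10.0.0.0 255.0.0.0 host 172.16.1.10 eq 3389
access-list dmz_in permit tcp any host 172.16.1.10 eq 80
access-list dmz_in permit tcp any host 172.16.1.11 eq 3389
access-list dmz_in permit tcp 192.168.5.0 255.255.255.0 host 172.16.1.11 eq 22
access-list dmz_in deny ip any any
"""


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # NETWORK MASK form; ipaddress accepts a dotted netmask after the slash.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse access-list lines into dicts; lines that are not ACEs are skipped."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list":
            continue
        name, action, proto = toks[1], toks[2], toks[3]
        src, i = _parse_addr(toks, 4)
        dst, i = _parse_addr(toks, i)
        port = toks[i + 1] if i < len(toks) and toks[i] == "eq" else None
        rules.append({"name": name, "action": action, "proto": proto,
                      "src": src, "dst": dst, "port": port})
    return rules


def _is_internal(net):
    """True if the whole source network lies inside an internal range."""
    return any(net.subnet_of(n) for n in INTERNAL_NETS)


def find_exposed_admin_rules(text):
    """Return permit rules that open an admin port to a non-internal source."""
    findings = []
    for rule in parse_acl(text):
        if rule["action"] != "permit" or rule["port"] not in ADMIN_PORTS:
            continue
        if not _is_internal(rule["src"]):
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for f in find_exposed_admin_rules(SAMPLE_ACL):
        print(f"{f['name']}: {ADMIN_PORTS[f['port']]} to {f['dst']} "
              f"permitted from {f['src']} (not internal)")
```

On the constructed sample the audit flags exactly one line: RDP to 172.16.1.11 permitted from `any`. The two rules that restrict the source to 10.0.0.0/8 or 192.168.5.0/24 pass, and the HTTP rule is ignored because port 80 is not an administration port.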
 
Hi tfg13,

Thanks for the great advice! I like the first option.. Remote Admin feature for DMZ boxes..

Let me ask you something pertaining to the empty root. Is it true that in order to truly design an empty root I'd need another physical Domain Controller? If so, I've researched that you'd just apply Schema and Enterprise Admin accounts on that server? What about the parent DNS name?

Yes, I know, a lot more than one question, eh?

Can you provide a proper best practice measure?

Thanks for all your support and truly appreciate it.

hb101
 
If I remember correctly, you don't need anything in the root if you have child domains. It is advised that you have additional DCs only due to a single point of failure. If you maintain a decent backup, you can get away with only one, but you do take a risk of having to rebuild...

Personally, if I were to add more DCs, I would have replication happen on all. This eases the pain of losing everything, and allows you to take control if something happens to the GC (global catalog). Then, once the original GC is restored, it can resume control (of course after the needed configuration changes).

Good luck!
 
Gotcha,

So from a design standpoint, let's say I built a DC and placed it in the empty root, and then what was left were my two child domains. How would the contiguous name for DNS look?

i.e,

empty root
|
DC 1   (i.e., parent DNS name is benny.com)
|
+-- child domain   (i.e., DNS name is ronco.benny.com)
|
+-- child domain   (i.e., DNS name is nampa.benny.com)

Does this make sense? I'm just wondering how I would keep the root empty without having a DC at the root level. I guess I can't wrap my mind around the fact that I could potentially just have the parent DNS name at the empty root, BUT how do you design this without actually having a DC in there? Can you shed some light?

Thanks so much for all your support
hb101
 
If you choose, you can have a DC in the DMZ, but it is not advised. In the case of no DCs in the DMZ, think stand-alone. It is secure, and there is no possibility of getting the other DMZ server names from the DMZ "domain". You will need to make sure that you limit account names, and don't make them the same as the intranet accounts.
 
With an empty root, you should still have 2 DCs.
However, your A.D. structure does *not* have to match your DNS structure.
With your above DNS structure, you can have 1 domain, if you chose.
Your DNS structure is independent of your DMZ - or any IP structure for that matter.
It is not advised to have Domain Controllers on the DMZ. If you are OK at securing Windows servers for the Internet (and there are a few tricks here), then no problem. In a perfect world, your DMZ servers *are* on the domain, but secure. It depends on your skill level.

D
 