  1. Junior Member
    Join Date
    Jul 2008
    Posts
    15
    #1

    New AD forest in the DMZ

    My company has asked me to start a design for a new forest in the DMZ. Eventually all of the web servers will join this DMZ for centralized management. I am at a loss at starting a design, however. I just need a push in the right direction. Any assistance would be great. We are running Server 2003, by the way. Thanks.

  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2
    It would probably help if you provided more information. You could do something like put all web servers in one OU, all DB servers in another, etc. You could put the servers into OUs based on what department/purpose they serve. Maybe you combine those two and have multiple levels. It's really hard to provide you with a solid plan with such limited information.

  4. Junior Member
    Join Date
    Jul 2008
    Posts
    15
    #3
    Correct me if I'm wrong, but this server should be separate from everything else and shouldn't have any trusts.

  5. Senior Member rsutton
    Join Date
    Sep 2007
    Location
    SF Bay Area, Ca
    Posts
    1,015

    Certifications
    83-640, 70-642, 70-662, ICND1
    #4
    What are you trying to accomplish by having a second forest in your DMZ?

  6. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #5
    Quote Originally Posted by keving458:
    Correct me if I'm wrong, but this server should be separate from everything else and shouldn't have any trusts.
    Do you only have a single server? You need to at least give us the number of servers and what they're doing if you want a decent answer.

    Quote Originally Posted by rsutton:
    What are you trying to accomplish by having a second forest in your DMZ?
    Some organizations create a management domain for their DMZ, so they can use group policy, etc.

  7. The Colosus of Clout Paul Boz
    Join Date
    Oct 2006
    Location
    Baton Rouge, LA
    Posts
    2,607

    Certifications
    CCNP, CCIP, CCDP, CCDA, CCNA, CCNA Security, NSTISSI 4011, GSEC, GCFW, GCIH, GCIA
    #6
    For non-MS people, hearing the word "forest" used is pretty funny.

  8. Junior Member
    Join Date
    Jul 2008
    Posts
    15
    #7
    Quote Originally Posted by rsutton:
    What are you trying to accomplish by having a second forest in your DMZ?
    This will be a new forest in our DMZ, separate from our main forest.

  9. Junior Member
    Join Date
    Jul 2008
    Posts
    15
    #8
    Quote Originally Posted by dynamik:
    Do you only have a single server? You need to at least give us the number of servers and what they're doing if you want a decent answer.

    Our company merged with another, so it is damn confusing trying to figure out what's what. Not to mention I started here only 2 months ago. We have about 100 or so member servers, all with different jobs, with 3 domain controller servers. We have about 10 web servers (dev, test, prod) not part of our domain but within separate workgroups. They want me to design a new forest, separate from the current one, to manage these web servers and the users that authenticate to them. I hope this helps. Thanks.

  10. Senior Member rsutton
    Join Date
    Sep 2007
    Location
    SF Bay Area, Ca
    Posts
    1,015

    Certifications
    83-640, 70-642, 70-662, ICND1
    #9
    Quote Originally Posted by keving458:
    This will be a new forest in our DMZ, separate from our main forest.
    That sounds like a fun project. You could start by building up a few DC's and creating your naming context. Everything branches out from there.

  11. Junior Member
    Join Date
    Jul 2008
    Posts
    15
    #10
    Quote Originally Posted by rsutton:
    That sounds like a fun project. You could start by building up a few DC's and creating your naming context. Everything branches out from there.
    Unfortunately my boss doesn't want me to build anything until I have something designed, but I work better by doing because I need to visually see everything as I go.

  12. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #11
    I'd go through the 70-294 and 70-297 books if I were you.

  13. Member
    Join Date
    Dec 2005
    Posts
    69

    Certifications
    MCSE, CCNA, Security+
    #12
    Quote Originally Posted by keving458:
    Unfortunately my boss doesn't want me to build anything until I have something designed, but I work better by doing because I need to visually see everything as I go.
    You can use VMware to create everything and demonstrate to your boss what you are going to do.
    I use VMware a lot to recreate different scenarios for testing; virtualization is great for these kinds of things.

  14. Senior Member
    Join Date
    Jul 2009
    Posts
    2,056

    Certifications
    Beer+
    #13
    Let your boss know that you feel you don't even know where to begin and it would be in the company's best interest to source a consultant or another employee that can perform the tasks.

  15. Self-Described Huguenot blargoe
    Join Date
    Nov 2005
    Location
    NC
    Posts
    4,098

    Certifications
    VCAP5-DCA; VCP 3/4/5/6 (DCV); EMCSA:CLARiiON; Linux+; MCSE:M 2000/2003; MCSE:S 2000/2003; MCTS:Exch2007; Security+; A+; CCNA (expired)
    #14
    If you have the luxury of time, lab it up in VMware; you will learn a lot.
    IT guy since 12/00

    Recent: 10/27/2017 - Passed Microsoft 70-410 (one exam left for MCSA 2012)
    Working on: MCSA 2012 upgrade from 2003 (to heck with 2008!!), MCSA 2016 upgrade, more Linux
    Thinking about: VCP6-CMA, AWS Solution Architect (Associate), Python, VCAP6-DCD (for completing VCIX)

  16. Junior Member
    Join Date
    Jul 2008
    Posts
    15
    #15
    Quote Originally Posted by Gogousa:
    You can use VMware to create everything and demonstrate to your boss what you are going to do.
    I use VMware a lot to recreate different scenarios for testing; virtualization is great for these kinds of things.

    This was my plan all along until he told me he wants to see a design first. I'll talk to him and see if I can just build something in a test environment first, which is their policy anyway. Thanks for the posts.

  17. Senior Member
    Join Date
    Apr 2008
    Location
    New York, NY
    Posts
    305

    Certifications
    Life
    #16
    This is a must-read for anybody who wants to know Active Directory.

    http://www.microsoft.com/downloads/d...ng=en#filelist

    Nothing beats MS's own white papers, TechNet and how-tos. The problem is finding them in a timely manner.

  18. INTJ wedge1988
    Join Date
    Jan 2007
    Location
    UK
    Posts
    435
    #17
    I'd really recommend using selective authentication if you really have to do this: Enable selective authentication over a forest trust.

    Take a look at that. I'd create a one-way, selectively authenticated trust. You'll also need to know that you must allow access to whichever resources you want reachable through the trust. For example:

    http://technet.microsoft.com/en-us/l...echNet.10).gif

    You must go into Active Directory, find the computer(s) you want to have access to (both ways if it is a two-way trust), then check the "Allowed to authenticate" permission under the Permissions tab (which is only shown when Advanced view is enabled in AD).

    Hope this helps.
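The setup wedge1988 describes, a one-way forest trust with selective authentication plus a per-computer "Allowed to authenticate" grant, is easy to get subtly wrong (trust left two-way, selective authentication never switched on, or a grant placed on the wrong object). The script below is an added example, not code from the thread or from Microsoft: it audits those three things from the DMZ (resource) forest side and shows the scripted equivalent of ticking the permission box. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read (and, for the grant function, write) the computer objects. The forest names, OU path and group name are placeholders, and the rights GUID is the documented Allowed-To-Authenticate control access right.

```powershell
# Added example (not from the thread): audit a one-way, selectively
# authenticated forest trust and the "Allowed to authenticate" grants on
# DMZ computer objects. Run inside the DMZ (resource) forest.
# 'corp.example', 'dmz.example' and 'CORP\Web-Admins' are placeholders.

Import-Module ActiveDirectory

# Rights GUID of the Allowed-To-Authenticate control access right.
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Test-SelectiveAuthTrust {
    param([Parameter(Mandatory)][string]$TrustedForest)

    $trust = Get-ADTrust -Filter "Name -eq '$TrustedForest'"
    if (-not $trust) { throw "No trust object found for $TrustedForest" }

    # For users of the trusted (corporate) forest to reach resources here,
    # this forest is the trusting side: the trust should be Outbound only,
    # not BiDirectional, and SelectiveAuthentication must be on.
    [pscustomobject]@{
        Trust                   = $trust.Name
        ForestTrust             = $trust.ForestTransitive
        OneWayOutbound          = ($trust.Direction -eq 'Outbound')
        SelectiveAuthentication = $trust.SelectiveAuthentication
    }
}

function Get-AllowedToAuthenticateGrants {
    param([Parameter(Mandatory)][string]$SearchBase)

    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
        # Only an explicit Allow ACE for the Allowed-To-Authenticate extended
        # right counts; with selective authentication on, a principal from the
        # trusted forest without one is refused at this computer.
        $grants = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $AllowedToAuthenticate -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
        }
        [pscustomobject]@{
            Computer  = $computer.Name
            GrantedTo = @($grants | ForEach-Object { $_.IdentityReference.Value })
        }
    }
}

function Grant-AllowedToAuthenticate {
    # Scripted equivalent of ticking "Allowed to authenticate" on the
    # computer object's Security tab (Advanced view) in ADUC.
    param(
        [Parameter(Mandatory)][string]$ComputerDN,
        [Parameter(Mandatory)][string]$Principal   # e.g. 'CORP\Web-Admins' (placeholder)
    )
    $acl      = Get-Acl -Path "AD:\$ComputerDN"
    $identity = New-Object System.Security.Principal.NTAccount($Principal)
    $rule     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ComputerDN" -AclObject $acl
}

# Usage (placeholder names): review the trust, then list which principals
# may authenticate at each web server. Computers with an empty GrantedTo
# list are unreachable from the trusted forest, which is the intended default.
Test-SelectiveAuthTrust -TrustedForest 'corp.example' | Format-List
Get-AllowedToAuthenticateGrants -SearchBase 'OU=Web Servers,DC=dmz,DC=example' | Format-Table -AutoSize
```

Reading the grants back is the useful half: selective authentication only protects the DMZ if the trust object reports SelectiveAuthentication as true, and the list of grantees per computer is the thing to review after a merger, when groups from the other forest tend to accumulate on servers nobody remembers adding them to.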
