Windows Vista Tips


Radius / ADAM / RODC which to use and where to place it.

 
 
Michael

 
      12-17-2009
Currently we have a number of servers in a DMZ zone, some configured without
a domain and some configured in a domain before being moved to the DMZ.
Management of these servers, including user access, is becoming more
difficult with increased usage.

Currently we are running a mixture of 2003 / 2008 servers with our DC being
2003, I am planning to upgrade to 2008 early next year.

So my question, what are the best practices or recommendations to control
user access to the DMZ?
How can I centrally manage patches/updates/security policies on the servers
in the DMZ?
Do I use a RODC in the DMZ that synchronizes internally?
Do I place a Radius server in the DMZ for user authentication?

Some clarification on this would be appreciated.

Thanks,
Michael

 
 
 
 
 
James McIllece [MS]

 
      12-18-2009
"Michael" <> wrote in
news:EA874B4B-F56B-4462-AA0E-:

> Currently we have a number of servers in a DMZ zone, some configured
> without a domain and some configured in a domain before being moved to
> the DMZ. Management of these servers, including user access, is
> becoming more difficult with increased usage.
>
> Currently we are running a mixture of 2003 / 2008 servers with our DC
> being 2003, I am planning to upgrade to 2008 early next year.
>
> So my question, what are the best practices or recommendations to
> control user access to the DMZ?
> How can I centrally manage patches/updates/security policies on the
> servers in the DMZ?
> Do I use a RODC in the DMZ that synchronizes internally?
> Do I place a Radius server in the DMZ for user authentication?
>
> Some clarification on this would be appreciated.
>
> Thanks,
> Michael
>
>

Hi Michael --

You can use Windows Server Update Services (WSUS) to centrally manage
updates on your servers. WSUS is a server role in Windows Server 2008 and
can be installed using Server Manager.

You can definitely use Network Policy Server (NPS) in WS08/R2 or Internet
Authentication Service (IAS) in WS03 for user authentication and
authorization.

If you are using VPN servers to allow employees to access the DMZ resources,
just configure the VPN servers as RADIUS clients in NPS or IAS, and from
that point forward NPS or IAS will perform authentication and authorization
for connection requests from employees.

If the employees are authenticated and authorized to access the network
during the connection attempt, they will then be able to access the network
resources for which they have permissions.

For NPS documentation, see "Network Policy Server for Windows Server 2008"
at http://technet.microsoft.com/en-us/l...55(WS.10).aspx

For IAS documentation, see "Internet Authentication Service" at
http://technet.microsoft.com/en-us/l...75(WS.10).aspx

Both the IAS and NPS content contain Best Practices documents that you can
review.

Thanks --


--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
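
The arrangement described in the reply above, where a VPN server is a RADIUS client and NPS or IAS makes the decision, depends on a shared secret configured on both sides. The following is an added example, not part of the original thread: a minimal RFC 2865 exchange in Python with a stand-in for the RADIUS server. The user name, password and secret are constructed values, and the NAS-Identifier and Message-Authenticator attributes are omitted for brevity.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
# Constructed sample values, not taken from the thread
SECRET, USERS = b"constructed-shared-secret", {b"alice": b"CorrectHorse9"}

def hide_password(data, secret, authenticator, reveal=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    data = data if reveal else data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], pad))
        prev = data[i:i + 16] if reveal else block
        out += block
    return out.rstrip(b"\x00") if reveal else out

def attr(type_, value):
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(ident, user, password, secret):
    """Packet the VPN server (the RADIUS client) sends for a connection attempt."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        length = packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def server_reply(request, secret, directory):
    """Stand-in for NPS/IAS: recover the password, check it, sign the reply."""
    ident, req_auth = request[1], request[4:20]
    a = parse_attrs(request)
    pw = hide_password(a[USER_PASSWORD], secret, req_auth, reveal=True)
    code = ACCESS_ACCEPT if directory.get(a[USER_NAME]) == pw else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()

def reply_is_authentic(reply, request, secret):
    """Client side: recompute the Response Authenticator with its own secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

If the secret on the server does not match the one on the VPN server, the password decodes to garbage, the request is rejected, and the client cannot validate the reply.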
 