Hello Sam,
Check out this one about using RODCs in a DMZ, applies on 2008 or higher:
http://technet.microsoft.com/en-us/l...34(WS.10).aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
> Hi,
>
> I wonder if any of you can help me out with what is now the best
> practice for configuring a DMZ?
>
> I have always been of the opinion that it's best not to have a domain
> in the DMZ if possible (just use a workgroup with all servers having
> their file & printer sharing and Microsoft networking client disabled)
> as this would seem to be the most secure configuration. At the moment
> I have followed this arrangement: we have several servers in the DMZ
> but we log into them all locally when we need to administer them and
> they all only pull information from an FTP site, a SQL server and an
> application server inside our LAN. Sometimes this has been a pain but
> we've always worked around it for the sake of security.
>
> I am now looking into migrating to using IIS7 for our web servers and
> the Shared Configuration feature is very appealing (where you can
> store the config centrally where it is referenced by all of the
> servers in your web farm) but it's proving very difficult to get it to
> work reliably without a domain as it needs shares and certain
> permission levels.
>
> From looking around the web I get the impression that making a domain
> inside the DMZ is not as much of a "don't you dare" thing to do as it
> used to be, especially if it's a standalone domain i.e. doesn't talk
> to your internal domain. So I'm thinking that I might make a domain
> in my DMZ to help me out with this sort of thing. I've not been able
> to find any articles online that talk about this sort of situation so
> was wondering whether you guys would still be saying "don't you dare"
> to this idea or whether this is now commonplace.
>
> Just to be clear: I am not wanting my new domain in the DMZ to
> communicate with my internal domain at all. Hopefully this makes it a
> simpler decision. The domain controller would not be one of the web
> servers, it would not be accessible by the public at all as it
> wouldn't be hosting anything for them; but it would be in the DMZ.
>
> Thanks,
>
> Sam
>
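Meinolf's pointer to a read-only domain controller in the DMZ hinges on one control: the RODC's Password Replication Policy (PRP), which decides whose credentials the RODC may cache and therefore what an attacker gains if the DMZ box is taken. A defender wants to confirm that only the DMZ service and admin accounts are on the Allowed list, that privileged groups are on the Denied list, and that no privileged credential has actually been revealed to the RODC. The PowerShell below is an added illustration, not part of either post or of the linked TechNet article; it uses the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT). The `$NeverCache` group list and the optional `-Server` name are assumptions to adapt to the environment.

```powershell
# Added example (not from the thread): audit the Password Replication Policy
# of every RODC in the domain and flag privileged credentials that are
# allowed to be cached, not explicitly denied, or already revealed.
# Requires the ActiveDirectory module (RSAT or a 2008 R2+ domain controller).
Import-Module ActiveDirectory

# Groups whose members should never have passwords cached on a DMZ RODC.
# This list is an assumption for the example; extend it for your domain.
$NeverCache = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                'Schema Admins', 'Account Operators', 'Server Operators')

function Get-RodcPrpReport {
    param([string]$Server)   # optional writable DC to query (assumed name)

    $dcArgs = @{ Filter = { IsReadOnly -eq $true } }
    if ($Server) { $dcArgs['Server'] = $Server }

    foreach ($rodc in Get-ADDomainController @dcArgs) {
        $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
        $denied   = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

        $allowedNames  = @($allowed  | ForEach-Object { $_.SamAccountName })
        $deniedNames   = @($denied   | ForEach-Object { $_.SamAccountName })
        $revealedNames = @($revealed | ForEach-Object { $_.SamAccountName })

        # A privileged group on the Allowed list, or missing from the Denied
        # list, is a policy finding. Denied always wins over Allowed in a PRP,
        # so the explicit deny is the control worth checking.
        $findings = @()
        foreach ($g in $NeverCache) {
            if ($allowedNames -contains $g)    { $findings += "ALLOWED: $g" }
            if ($deniedNames -notcontains $g)  { $findings += "not denied: $g" }
        }

        # A credential already cached on the RODC for a member of a privileged
        # group is the most urgent finding: it is exposed if the DMZ host falls.
        foreach ($acct in $revealed) {
            $groups = Get-ADPrincipalGroupMembership -Identity $acct | ForEach-Object { $_.Name }
            $hit = @($groups | Where-Object { $NeverCache -contains $_ })
            if ($hit.Count -gt 0) {
                $findings += "cached privileged credential: $($acct.SamAccountName) ($($hit -join ', '))"
            }
        }

        [pscustomobject]@{
            RODC     = $rodc.HostName
            Site     = $rodc.Site
            Allowed  = $allowedNames  -join ', '
            Denied   = $deniedNames   -join ', '
            Revealed = $revealedNames -join ', '
            Findings = if ($findings.Count) { $findings -join '; ' } else { 'none' }
        }
    }
}

# Run against the current domain and show one record per RODC.
Get-RodcPrpReport | Format-List
```

Run it from a management host inside the LAN, not from the DMZ; the report reads the PRP and the revealed-accounts list from a writable DC, so the RODC itself needs no extra rights. An empty `Revealed` column with a populated `Denied` column is the state you want for a DMZ RODC that only serves the web farm's own service accounts.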