New domain (child or new forest)?

We have a single active directory domain (internal.com). We need to setup a
second domain that will be accessed from the outside for non-employee users
(external.com). If we do not want the external.com domain to have any access
to the internal.com domain, shouldn't we create a "Domain in a new forest?"

Creating a "Child domain in an existing domain tree," or a "Domain tree in
an existing forest" will allow a two way trust between the root domain and
the child domain correct?

 

Howdie!

Yeah, you should create a new forest for this. The security boundary is
the forest, not the domain.

What type of access do they need, then? Why would you need to
authenticate them? What services do they access?

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.

 

Not sure how this works yet, but we have a medical system that will
automatically add users to this new domain(forest) so that they can access
their medical info and billing online. Thanks for your reply.