New AD forest in the DMZ

keving458 Member Posts: 15
My company has asked to start a design for a new forest in the DMZ. Eventually all of the web servers will join this DMZ for centralized management. I am at a loss at starting a design however. I just need a push in the right direction. Any assistance would be great. We are running server 2003 by the way. Thanks

Comments

  • dynamik Banned Posts: 12,312
    It would probably help if you provided more information. You could do something like put all web servers in one OU, all DB servers in another, etc. You could put the servers into OUs based on what department/purpose they serve. Maybe you combine those two and have multiple levels. It's really hard to provide you with a solid plan with such limited information.
  • keving458 Member Posts: 15
    Correct me if I'm wrong, but this server should be separate from everything else and shouldn't have any trusts.
  • rsutton Member Posts: 1,029
    What are you trying to accomplish by having a second forest in your DMZ?
  • dynamik Banned Posts: 12,312
    keving458 wrote: »
    Correct me if I'm wrong, but this server should be separate from everything else and shouldn't have any trusts.

    Do you only have a single server? You need to at least give us the number of servers and what they're doing if you want a decent answer
    rsutton wrote: »
    What are you trying to accomplish by having a second forest in your DMZ?

    Some organizations create a management domain for their DMZ, so they can use group policy, etc.
  • Paul Boz Member Posts: 2,620
    For non-MS people, hearing the word "forest" used is pretty funny :)
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • keving458 Member Posts: 15
    rsutton wrote: »
    What are you trying to accomplish by having a second forest in your DMZ?

    This will be a new forest in our DMZ separate from our main Forest
  • keving458 Member Posts: 15
    dynamik wrote: »
    Do you only have a single server? You need to at least give us the number of servers and what they're doing if you want a decent answer

    Our company merged with another, so it is damn confusing trying to figure out what's what. Not to mention I only started here 2 months ago. We have about 100 or so member servers, all with different jobs, with 3 domain controller servers. We have about 10 web servers (dev, test, prod) not part of our domain but within separate workgroups. They want me to design a new forest, separate from the current one, to manage these web servers and the users that authenticate to them. I hope this helps. Thanks
  • rsutton Member Posts: 1,029
    keving458 wrote: »
    This will be a new forest in our DMZ separate from our main Forest

    That sounds like a fun project. You could start by building up a few DC's and creating your naming context. Everything branches out from there.
  • keving458 Member Posts: 15
    rsutton wrote: »
    That sounds like a fun project. You could start by building up a few DC's and creating your naming context. Everything branches out from there.

    Unfortunately my boss doesn't want me to build anything until I have something designed, but I work better by doing because I need to visually see everything as I go.
  • dynamik Banned Posts: 12,312
    I'd go through the 70-294 and 70-297 books if I were you.
  • Gogousa Member Posts: 68
    keving458 wrote: »
    Unfortunately my boss doesn't want me to build anything until I have something designed, but I work better by doing because I need to visually see everything as I go.

    You can use VMware to create everything and demonstrate to your boss what you are going to do.
    I use VMware a lot to recreate different scenarios for testing; virtualization is great for these kinds of things.
  • Hyper-Me Banned Posts: 2,059
    Let your boss know that you feel you don't even know where to begin and it would be in the company's best interest to source a consultant or another employee that can perform the tasks.
  • blargoe Member Posts: 4,174
    If you have the luxury of time, lab it up in VMware; you will learn a lot.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • keving458 Member Posts: 15
    Gogousa wrote: »
    You can use VMware to create everything and demonstrate to your boss what you are going to do.
    I use VMware a lot to recreate different scenarios for testing; virtualization is great for these kinds of things.

    This was my plan all along until he told me he wants to see a design first. I'll talk to him and see if I can just build something in a test environment first, which is their policy anyway. Thanks for the posts.
  • JBrown Member Posts: 308
    This is a must read for anybody who wants to know Active Directory.

    http://www.microsoft.com/downloads/details.aspx?familyid=6CDE6EE7-5DF1-4394-92ED-2147C3A9EBBE&displaylang=en#filelist

    Nothing beats MS's own white papers, TechNet and HowTos. The problem is finding them in a timely manner.
  • wedge1988 Member Posts: 434
    I'd really recommend using selective authentication if you really have to do this. Enable selective authentication over a forest trust

    Take a look at that. I'd create a one-way selective authenticated trust. You'll also need to know that you must allow what resources you want to have access to through the trust. For example:

    http://technet.microsoft.com/en-us/library/Bb877995.pw0303(en-us,TechNet.10).gif

    You must go into Active Directory, find the computer(s) you want to have access to (both ways if it's a two-way trust), then check the "Allowed to Authenticate" permission under the Permissions tab (which is seen only when the Advanced check box is enabled in AD).

    Hope this helps.
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
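The selective-authentication setup wedge1988 describes, as an added example that is not from the thread or from Microsoft's own docs: it assumes the ActiveDirectory PowerShell module (RSAT), placeholder forest, OU and group names, and the rightsGuid of the Allowed-To-Authenticate control access right from the AD schema. The first function grants that right on one DMZ computer object; the second audits which principals hold it under an OU, which is the check a DMZ admin wants before and after handing out access across the trust.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory PowerShell module
# (RSAT); dmz.example / corp.example, the OU and the group name are placeholders.
Import-Module ActiveDirectory

# Trust setting shown for reference only (netdom): the DMZ forest trusts the
# corporate forest one way, with selective authentication switched on.
#   netdom trust dmz.example /d:corp.example /SelectiveAuth:Yes

# rightsGuid of the "Allowed-To-Authenticate" control access right in the AD schema.
$AllowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# Grant a principal from the trusted forest the right to authenticate to ONE computer.
function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerDN,  # e.g. CN=WEB01,OU=Web,DC=dmz,DC=example
        [Parameter(Mandatory)][string]$Principal    # e.g. CORP\WebAdmins
    )
    $sid  = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $AllowedToAuth)
    $acl = Get-Acl -Path "AD:\$ComputerDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ComputerDN" -AclObject $acl
}

# Audit: every explicit "Allowed to Authenticate" grant on computers under an OU,
# i.e. exactly who can cross the trust to which server.
function Get-AllowedToAuthenticateGrants {
    param([Parameter(Mandatory)][string]$SearchBase)  # e.g. OU=Web,DC=dmz,DC=example
    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.ObjectType -eq $AllowedToAuth -and
                $ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited) {
                [pscustomobject]@{
                    Computer  = $computer.Name
                    Principal = $ace.IdentityReference.Value
                }
            }
        }
    }
}
# Usage (placeholders):
# Grant-AllowedToAuthenticate -ComputerDN 'CN=WEB01,OU=Web,DC=dmz,DC=example' -Principal 'CORP\WebAdmins'
# Get-AllowedToAuthenticateGrants -SearchBase 'OU=Web,DC=dmz,DC=example' | Format-Table
```

Run the audit function again after any change; with selective authentication on, a principal that does not appear in its output cannot log on to that server across the trust, no matter what group it holds in the corporate forest.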