Posted by Roger Abell [MVP] on October 30, 2005, 5:05 am
Where DNS resolution is done, and what resolution path is used, is
independent from how accounts are authenticated and what Kerberos
referral path might be used. What is important is that DNS resolution
is provided as it is needed for finding the DC's SRV records.
So, you evidently have machines in that DMZ on which people can
cause things they desire to execute? Otherwise why are you concerned
about the DNS server of the root domain being accessible from the
machines in the DMZ (if they only did what you have designed for them
to do).
Just as an FYI, I find the design you outline hazardous, using a domain
of the main corp forest out in the DMZ instead of having a separate
forest out there, and if needed having it trust an internal account domain.
> Assume that a network has several segments that together comprise a DMZ for
> the network. One of the DMZ network segments holds an Active Directory
> domain controller that is tightly controlled behind a firewall to provide
> for authentication, group policy, etc. for the DMZ. The DMZ AD domain is a
> leaf domain in a forest. The other nodes of the forest are on a different
> segment behind the firewall. How should I configure the DMZ AD domain
> controller if I want to have users in the DMZ log in with the same domain
> accounts that they use on the internal network, BUT I do NOT want anyone in
> the DMZ to be able to use the DMZ domain controller to look up the DNS
> information for machines on the internal domain?
>
> Up to now, I have configured leaf domain domain controllers in DNS to
> forward any unresolved request to the root domain. In this case I don't
> want to do that since the root is all knowing and would reveal back the
> locations of any internal machine. At the same time the DMZ domain cannot
> authenticate against the internal user database without going through the
> root domain. Does that create a Catch-22 where I need to forward user login
> and authentication information to the root, but I don't want to forward DNS
> queries? Or is the behavior of forwarding user credentials and machine
> authentication from the leaf domain to the root domain just intrinsic to
> Active Directory, and totally independent of the DNS forwarding
> configuration on the leaf domain's domain controllers' DNS server settings?
> It's not clear to me what - if any - impact DNS server forwarder settings
> have on user and machine authentication in AD.
>
> --
> Will
>
>
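A check for the point Roger makes above, added here and not part of the thread: authentication referrals to the root only need the DC locator SRV records (under `_msdcs`) to resolve, so a DMZ DNS server can be verified to answer those while still refusing ordinary internal host names. The domain names, the DMZ DNS server address and the internal host name below are assumed placeholders, and the script relies on the Resolve-DnsName cmdlet (Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the thread. Run on a host in the DMZ against the
# DMZ DC's DNS service to confirm it answers only what DC location needs.
# Assumed placeholder names: DMZ leaf domain 'dmz.corp.example', root domain
# 'corp.example', DMZ DNS server 10.0.50.10, and an internal host
# 'fileserver.corp.example' that should NOT be resolvable from the DMZ.
$DmzDns       = '10.0.50.10'
$RootDomain   = 'corp.example'
$LeafDomain   = 'dmz.corp.example'
$InternalHost = 'fileserver.corp.example'

# DC locator SRV records that Kerberos and LDAP referrals depend on.
$Required = @(
    "_kerberos._tcp.dc._msdcs.$RootDomain",
    "_ldap._tcp.dc._msdcs.$RootDomain",
    "_ldap._tcp.dc._msdcs.$LeafDomain"
)

function Test-SrvLookup {
    param([string]$Name, [string]$Server)
    try {
        $rr = Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
        return @($rr | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })
    } catch {
        return @()
    }
}

foreach ($name in $Required) {
    $targets = Test-SrvLookup -Name $name -Server $DmzDns
    if ($targets.Count -gt 0) {
        Write-Host "OK    $name -> $($targets -join ', ')"
    } else {
        Write-Host "FAIL  $name not resolvable; DC location and referrals to this domain will break"
    }
}

# An ordinary internal host must not resolve through the DMZ server; if it
# does, the forwarder exposes the whole internal namespace, not just DC records.
try {
    $leak = Resolve-DnsName -Name $InternalHost -Type A -Server $DmzDns -DnsOnly -ErrorAction Stop
    Write-Host "LEAK  $InternalHost resolves to $($leak.IPAddress -join ', ') from the DMZ"
} catch {
    Write-Host "OK    $InternalHost is not resolvable from the DMZ"
}
```

The SRV targets themselves (the DC host names) also need A records and firewall access from the DMZ, and with the separate forest plus trust that Roger suggests the same `_msdcs` records of the trusted domain must resolve.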