I am designing an Active Directory with multiple domains. At this point I am trying to decide if our DMZ should be in a separate forest or in a separate domain. I recognize that some of this discussion is based on opinion; there are pluses and minuses to both approaches. The main focus is securing the inside from the DMZ, which will live on the internet with broad firewall rules. This is a new forest and will be Server 2008 R2 functional; there are no legacy resources. There are also no email services in the environment.

The requirements are listed below in order of importance.

  1. Protect the inside network
  2. Provide single sign-on (tests show this works fine in both cases)
  3. Provide maximum flexibility for differing security models. (End users do crazy things)
  4. Minimize complexity (I know this argues for single forest and contradicts #3)

I am leaning towards a single forest; anyone want to argue the alternative?

Tom Seibert

1 Answer

From a security perspective, the single forest method obviously introduces some concerns. You'll need to weigh those when you're making your decision.

For me, the most obvious issue would be that in a single forest deployment, it's likely that the DC you place in the DMZ is going to be required to house the Global Catalog (GC) to effectively service the applications and users you're looking to reach. In that case, you've now placed a copy of every AD object in the entire forest onto that server. I'd be careful with that.

CurtM
  • Yes, I am concerned about that. I've also deployed a DC without a GC but it makes usage difficult and introduces complexity. – Tom Seibert Nov 22 '10 at 18:37
  • Well you're asking the questions at the right time (the design phase). My gut would be to go with the secondary forest now if there's a probability that an application in the future is going to require a GC. The worst outcome is finding you need the GC for a new service later and then running both a secondary domain and forest in the DMZ. – CurtM Nov 22 '10 at 20:09
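A check for the concern raised in the answer, added here as an example and not part of the original thread: once the forest is built, it walks every domain in the forest, lists the domain controllers in the DMZ site, and flags any that hold the Global Catalog (and therefore a partial replica of every object in the forest). It assumes the RSAT ActiveDirectory module is available and that the DMZ site is named "DMZ" (a placeholder; pass your own site name).

```powershell
# Added example, not the thread author's code. Assumes the ActiveDirectory
# module and a site named 'DMZ' (placeholder name, override with -SiteName).
Import-Module ActiveDirectory

function Get-DmzGlobalCatalogExposure {
    param(
        [string]$SiteName = 'DMZ'   # assumed DMZ site name
    )

    # Get-ADDomainController -Filter only returns DCs of the domain it is
    # pointed at, so iterate every domain in the forest (the question's
    # design has several) rather than querying the forest root alone.
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter "Site -eq '$SiteName'" -Server $domain |
            ForEach-Object {
                # Build one finding per DC in the DMZ site
                [PSCustomObject]@{
                    HostName        = $_.HostName
                    Domain          = $_.Domain
                    Site            = $_.Site
                    IsGlobalCatalog = $_.IsGlobalCatalog
                    IsReadOnly      = $_.IsReadOnly
                    Finding         = if ($_.IsGlobalCatalog) {
                        'GC in DMZ: this DC holds a partial replica of every forest object'
                    } else {
                        'OK: no forest-wide catalog on this DC'
                    }
                }
            }
    }
}

# Report every DMZ DC; a single forest with a GC in the DMZ shows up here.
Get-DmzGlobalCatalogExposure -SiteName 'DMZ' | Format-Table -AutoSize
```

Run it from a workstation with forest-wide read access; in the separate-forest design the DMZ forest is queried on its own and the inside forest's objects never appear on those DCs at all.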