I agree...I want it in a separate forest by itself. I just couldn't think of any reasons why one would include it in your internal forest. However that is the current plan for some reason :/ -----Original Message----- From: Deus, Attonbitus [mailto:Thor@xxxxxxxxxxxxxxx] Sent: Thursday, July 10, 2003 1:39 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: AD in DMZ http://www.ISAserver.org At 10:01 AM 7/10/2003, you wrote: >http://www.ISAserver.org > >Can anyone think of any reason to have a public DMZ domain placed in the >same forest as your internal AD domain? Not any *secure* reason. You cannot prevent a domain admin in one domain from being a domain admin in another domain in the same forest. I know of people who do this for some freaky organization reason, but it is a grave mistake security-wise. t ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: rogersb@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')