[THIN] Re: attention active directory design gurus..again

  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 17 Sep 2003 11:19:04 +0200

Hi,

I'm interested to hear the different views on segmenting AD in a hosting
environment.

According to Microsoft, they recommend having separate forests for the
front-end and back-end with a trust relationship to allow access to
resources, and not to have the web servers part of the domain.
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/adsegment.asp

Yet:
- Exchange Server 2003 (bridgehead) requires Windows 2003 to be part of
the domain (Side note - Can't be Windows 2003 Web Edition)
- IPsec is recommended to allow traffic between the front-end active
directory servers to replicate with the back-end directory servers
(Although this bypasses basically any firewall policy implementation).
And in a switched environment is encryption necessary?
- Integrated authentication to a SQL server requires IIS to authenticate
the user (to change the user context to the client) thus the web server
is required to be part of the domain.


With the trust relationship can I have a user on the front-end with a
mailbox on the back-end (different forests)? What is everyone doing in
this regard?

Thanks

  Steven