Hi, I'm interested to hear the different views on segmenting AD in a hosting environment. According to Microsoft, they recommend having separate forests for the front-end and back-end with a trust relationship to allow access to resources, and not to have the web servers part of the domain.

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/adsegment.asp

Yet:

- Exchange Server 2003 (bridgehead) requires Windows 2003 to be part of the domain (side note: can't be Windows 2003 Web Edition).
- IPsec is recommended to allow traffic between the front-end Active Directory servers to replicate with the back-end directory servers (although this bypasses basically any firewall policy implementation). And in a switched environment, is encryption necessary?
- Integrated authentication to a SQL server requires IIS to authenticate the user (to change the user context to the client), thus the web server is required to be part of the domain.

With the trust relationship, can I have a user on the front-end with a mailbox on the back-end (different forests)?

What is everyone doing in this regard?

Thanks
Steven