jwhitlock31

Windows 2003 forest design

We are redesigning our Windows infrastructure. Our new design will include a single 2003 forest with 25 child domains: FROM 25 forests to one forest with 25 child domains. The problem I have is our network infrastructure, which currently has a firewall on every VLAN, which they say is best practice? The designs from MS, and talking to MS directly, say NO firewall between domains in a single forest and NO NAT'ed addresses. WELL, the network group says MS is crazy. The security group doesn't want IPSEC because they can't sniff it. AND the NETWORK group doesn't want to open all the ports necessary across the firewall, "which are all internal, by the way; we are not asking them to open across firewalls outside the company."

AND NOW FOR THE QUESTION: Does anyone have a single forest, multiple child domain design that I can talk to and see how you handled the network? THIS leads into another project, which is single sign-on for the company.
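The dispute above is about which ports the internal firewalls would have to pass between domain controllers. The following added example (not from the thread or from any poster) probes the well-known TCP ports DC-to-DC traffic in one forest depends on, so a firewall that silently drops one of them shows up before replication or Kerberos referrals fail. The target host name is a placeholder; UDP (DNS, Kerberos) and the RPC dynamic range are only noted, not probed.

```python
"""Probe the TCP ports domain controllers in a single forest need across an internal firewall."""
import socket
import sys
from typing import Callable, Dict, List, Tuple

# Well-known TCP ports Active Directory uses between domain controllers
# (DNS and Kerberos also use UDP, which this probe does not cover).
DC_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper (replication, FRS)",
    389: "LDAP",
    445: "SMB (SYSVOL, Netlogon)",
    464: "Kerberos password change",
    636: "LDAP over SSL",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAP over SSL",
}
# Windows Server 2003 DCs answer endpoint-mapper callbacks on dynamic ports in this
# range; a firewall that only opens 135 still breaks replication.
RPC_DYNAMIC_RANGE_2003: Tuple[int, int] = (1025, 5000)


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(host: str, ports: Dict[int, str] = DC_PORTS,
                   connect: Callable[[str, int], bool] = tcp_connect) -> Dict[int, bool]:
    """Return {port: reachable} for every listed port on the target DC."""
    return {port: connect(host, port) for port in ports}


def blocked_services(results: Dict[int, bool]) -> List[str]:
    """Names of AD services whose port did not answer, in port order."""
    return [DC_PORTS[p] for p, ok in sorted(results.items()) if not ok and p in DC_PORTS]


if __name__ == "__main__":
    # Placeholder DC name; pass a real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc1.child.example.internal"
    res = check_dc_ports(target)
    for port, ok in sorted(res.items()):
        print(f"{port:5d} {DC_PORTS[port]:40s} {'open' if ok else 'BLOCKED'}")
    print("RPC dynamic range on Windows Server 2003 DCs:", RPC_DYNAMIC_RANGE_2003)
```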
Jay_Jay70

Hi jwhitlock31,

I work in a single forest, multiple domain environment of 8 domains at the moment. Here comes the fun: we are in the process of upgrading to over 500 domains in a single forest. One firewall at the root currently, and not looking at changing that.

what exactly do you need to know?

Cheers!
jwhitlock31

ASKER

I guess my question is: what did your network group say about the design? OURS believes that everything needs to go through a firewall, and having all those firewalls between the DCs has been a real pain. AND the network group says they are doing best practice, BUT it is completely against the single forest design, and really hard to implement. I guess I would like to know whether other companies design their forest without firewalls internally between their child domains and root domains.

We have all our domains inside a private IP network, which provides us with an extra bit of security, but we still have one giant NOKIA firewall running at a central location.

Having a firewall at each site is going to be secure, but it is also going to require a whole load of configuration. I think it is important, however, to have some form of security, especially if you are not sitting within a private network originally. Configuring a firewall at each site probably isn't a bad idea, and MS best practices aren't always the most logical practices; there are often scenarios that don't get taken into consideration by MS.

I'm very keen to see what other experts have to say on this topic also.
ALL the DCs are at the same site, inside the forest....

All the DCs are at the same site??!!!???

You are going to have 25 domains authenticating over a WAN link to your DCs?? What happens if a WAN link goes down.......

Good rule of thumb:

Minimum of 1 DC per site
Minimum of 1 GC per site and max of 2
Minimum of 1 DNS server per site, max of 2

Not over a WAN, over a LAN link ... that is why I think that all the firewalls are unnecessary...
We have 4 DCs per domain, all running DNS, and two GCs.

ASKER CERTIFIED SOLUTION
Jay_Jay70