netsec545


DIFFICULT Forest Trust w/ DMZ issue -- Same namespaces in DNS

I'm trying to create a one-way forest trust between my DMZ and LAN domains. The DMZ has a 2003 Active Directory domain of dmz.local. The internal LAN has a 2003 Active Directory domain of company.com. The problem I am having in creating the trust is that our DMZ DNS server contains a zone called company.com. This is used as our public DNS record for this namespace.

The problem... our internal domain has the same namespace as a DNS zone that is on our external DMZ. Therefore, I am unable to set up conditional forwarding on our external DC to point to our internal domain.

I've tried using local hosts entries as well as local lmhosts entries to no avail. I continue to get the error message saying there are currently no logon servers available.

Is it possible to create the trust without using DNS forwarding in the DMZ DNS? Is this possible by using the /etc/hosts or /etc/lmhosts?

PLEASE HELP!!!
dan_blagut

Hi
Can you move the external company.com zone to a DNS server that will manage only that zone? Usually in the DMZ all servers are stand-alone servers, or at most member servers. A trust relationship between your DMZ domain and internal domain will affect your security. So think again before implementing this trust.

Dan
netsec545

ASKER

I understand there are risks involved in establishing a trust between the two domains. But the reasons for doing so are quite simple: allow internal developers, programmers, and administrators to access these DMZ machines by using their internal user IDs, and eliminate the sharing of a single administrator or web account used in the DMZ by many users and many departments.

The design, while yes risky, does have some inherent advantages. If we use IPSec filtering and encryption between all DMZ machines and internal machines, only allow the specific ports necessary for the trust (which are only a handful), and create only a one-way trust in which the inside AD does not trust the outside AD, then to me this option is worth investigating.

I will look into the split-brain approach, but this does not seem to answer my trust issues. From MSE-dwells' response, it looks like DNS entries will be necessary for this to work.

Right ... I'm trying to gain a better understanding of what the 'machines' are in the DMZ that the devs are accessing. Do any or some *need* to resolve the public company.com, or is it merely a zone held on a name server that sits in the DMZ facing the Net?
We have roughly 40 - 50 servers in the DMZ ranging from web, ftp, application, and ISA servers.

Hmmm...I'd have to think about how the DMZ servers interact with each other.  I doubt they need to know the public IP addresses, only their internal IP addresses.  So I could take the DNS servers out of the AD environment and split them into a segmented workgroup.  This would remove the need to have the company.com zone in the DMZ AD DNS.
Assuming you have at least a couple of DCs in the DMZ, I was thinking you'd configure all devices in the DMZ to resolve against at least 2 of the DMZ's DCs (i.e. preferred and alternate). These DCs would obviously have the DNS service installed and would be configured to maintain an AD-integrated stub zone representing the internal 'company.com' AD zone. They would then be configured to forward to the other name servers within the DMZ. This would permit the devices in the DMZ to resolve against the internal 'company.com' zone when chasing references to the trusted domain.

Obviously, this assumes the DCs don't already require the public 'company.com' zone ... hopefully it's food for thought.
OK, so what I think I want to do, at least today, is move the public DNS records off the DMZ domain and make them stand-alone servers. This will remove the conflict of the two domains that I have now.

With that being the case, I know I can set up the trust by adding forwarders to the DMZ AD DNS server. The problem with this is that I do not want any of the servers in the DMZ to be able to resolve the IP addresses of the internal AD.

With a forwarder, I would forward all of company.com to the inside. Therefore all the DMZ servers would be able to resolve internal addresses. As well, I want the DMZ servers to point to the new public DNS stand-alone servers for company.com.

How do I do this, and have the trust work?
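The following is an added example, not code from anyone in the thread. It shows the DNS plumbing behind the "no logon servers available" error and the split the last post asks for: the trust wizard locates a DC in the other forest through SRV records under _msdcs.company.com, which a hosts file (A records only) or lmhosts (NetBIOS names only) cannot supply, so only a real DNS path to the internal zone will do. The example puts a conditional forwarder for company.com on the DMZ DC alone, points the DMZ member servers at the stand-alone public DNS, and then checks from both vantage points that the _msdcs SRV records resolve where they should and nowhere else. All names and addresses (dmzdc01.dmz.local, 10.0.0.10/11 for the internal DNS, 192.0.2.53 for the public DNS) are hypothetical, and the DnsServer cmdlets assume a Windows Server 2012 or later DNS host; on the 2003-era servers in the thread the equivalent is `dnscmd dmzdc01 /ZoneAdd company.com /Forwarder 10.0.0.10 10.0.0.11`.

```powershell
# Added example, not from the original thread. All hosts and addresses are assumptions:
#   internal AD DNS servers for company.com : 10.0.0.10, 10.0.0.11
#   DMZ DC that also runs DNS               : dmzdc01.dmz.local
#   stand-alone public DNS in the DMZ       : 192.0.2.53
# Requires the DnsServer module (Server 2012+) on the machine running it.

$InternalDns   = '10.0.0.10', '10.0.0.11'
$DmzDc         = 'dmzdc01.dmz.local'
$PublicDns     = '192.0.2.53'
$TrustedDomain = 'company.com'

# 1. Only the DMZ DC learns how to reach the internal company.com zone.
#    DMZ member servers keep using $PublicDns, which holds the public zone
#    and therefore has no _msdcs records to hand out.
Add-DnsServerConditionalForwarderZone -ComputerName $DmzDc `
    -Name $TrustedDomain -MasterServers $InternalDns -ErrorAction Stop

# 2. The records the DC locator needs when the trust is created and validated.
#    These are SRV records; a hosts or lmhosts entry cannot satisfy the lookup.
$Required = @(
    "_ldap._tcp.dc._msdcs.$TrustedDomain",
    "_kerberos._tcp.dc._msdcs.$TrustedDomain",
    "_ldap._tcp.pdc._msdcs.$TrustedDomain"
)

function Test-TrustDns {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [switch] $ExpectResolvable
    )
    foreach ($name in $Required) {
        $resolvable = $false
        try {
            # -DnsOnly skips hosts-file and NetBIOS fallbacks so the result
            # reflects what the queried server actually answers.
            $answer = Resolve-DnsName -Name $name -Type SRV -Server $Server `
                -DnsOnly -ErrorAction Stop
            $resolvable = @($answer | Where-Object { $_.Type -eq 'SRV' }).Count -gt 0
        } catch {
            $resolvable = $false
        }
        $state = if ($resolvable -eq [bool]$ExpectResolvable) { 'OK  ' } else { 'FAIL' }
        '{0} {1,-45} via {2,-18} resolvable={3}' -f $state, $name, $Server, $resolvable
    }
}

# From the DMZ DC's DNS: the trusted domain's DC records must resolve.
Test-TrustDns -Server $DmzDc -ExpectResolvable

# From the public DNS the DMZ members use: they must not.
Test-TrustDns -Server $PublicDns
```

A FAIL on the first set means the trust will still report that no logon servers are available; a FAIL on the second set means a DMZ member can enumerate internal DCs and the split has leaked. Resolution alone does not close the path, so the usual companion is a firewall rule that allows TCP/UDP 53 from the DMZ DC to the internal DNS servers only, and the trust ports from the DMZ DC alone, so that a member server which guesses an internal address still cannot reach it. If the stub-zone design from the earlier reply is preferred, `Add-DnsServerStubZone -Name company.com -MasterServers $InternalDns` on the DMZ DC takes the place of the conditional forwarder and the same two checks apply.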