shanemccutch asked:
Active Directory Topology

We have a 3-tiered external customer-facing application that resides on our DMZ. The three tiers are Web, App, SQL. All tiers are separated by firewalls. We are trying to decide on a domain structure that provides security and ease of management. There are 4 servers in the Web tier, 20 in the app tier and 5 in the SQL tier. I'd personally like to use one domain for all external servers and use firewalls for Windows authentication and application access, or possibly leave the web servers in a workgroup. The other proposals are 3 isolated domains or 1 root domain and 3 child domains, one per tier.

Again, I'm leaning towards the single domain model but the CSO is worried about an elevation of privileges attack.

Tags: Active Directory, Application Servers, Web Applications

Jay_Jay70:

I like these ones :)
http://www.block.net.au/help/ad-architecture/

Personally, I can't see why a two-forest solution wouldn't work: one for external, one for internal, have a one-way trust where the external trusts the internal, and away you go.

shanemccutch (asker):
That document makes sense; however, the entire environment is external. We don't need to have trusts between our internal domain and external.

Jay_Jay70:
In that case, I can't imagine any benefit in segmenting the external servers. A single external AD should be fine, unless you have a specific concern you want me to look at?

shanemccutch (asker):
I agree, the CTO is concerned that if someone compromised the web server they could take over the entire domain. My answer to that would be to leave the web servers in a workgroup. I'm just wondering if it's technically possible for someone to compromise the web server and take over the entire domain. The CTO initially wanted 6 domains total, 3 for prod and 3 for dev, so I'm trying to argue my case.
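The concern in this thread is whether a compromised web server in a single external domain gives an attacker a path to the rest of the domain. One of the controls that decides this is which domain principals hold local administrator rights on the web tier: if accounts from privileged domain groups are local admins there (Domain Admins is added to every domain-joined machine's local Administrators group by default), a compromise of that server exposes those accounts. The following PowerShell audit is an added example, not something posted in the thread; it assumes the RSAT ActiveDirectory module on the auditing host, PowerShell remoting to the web servers, and placeholder server names.

```powershell
# Added example (not from the thread). Audit the local Administrators group on each
# web-tier server and flag members that belong to privileged domain groups.
# Assumptions: ActiveDirectory module installed, WinRM reachable, placeholder hostnames.
$WebServers = @('WEB01', 'WEB02', 'WEB03', 'WEB04')   # placeholder names for the 4 web servers

# Domain groups whose members should never be local admins on an internet-facing tier.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators'
)

Import-Module ActiveDirectory

# Build a SID -> group lookup for the groups themselves and all their nested members,
# so that both "Domain Admins" and an individual member of it are caught.
$PrivilegedSids = @{}
foreach ($g in $PrivilegedGroups) {
    $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if ($grp) { $PrivilegedSids[$grp.SID.Value] = $g }
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $PrivilegedSids[$_.SID.Value] = $g }
}

$findings = foreach ($server in $WebServers) {
    # Read local Administrators remotely; convert the SID to a string before it is serialized back.
    $members = Invoke-Command -ComputerName $server -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'Sid'; e = { $_.SID.Value } }
    }
    foreach ($m in $members) {
        if ($m.PrincipalSource -eq 'ActiveDirectory' -and $PrivilegedSids.ContainsKey($m.Sid)) {
            [pscustomobject]@{
                Server        = $server
                Member        = $m.Name
                ObjectClass   = $m.ObjectClass
                PrivilegedVia = $PrivilegedSids[$m.Sid]
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No privileged domain principals hold local Administrators on the web tier.'
}
```

On an unmodified domain the script will flag "Domain Admins" on every web server, which is exactly the finding worth acting on: replacing that default membership with a dedicated, tier-specific administration group (for example through a Restricted Groups or Group Policy Preferences setting scoped to the web-tier OU) removes the most direct route from a web server compromise to domain-wide privileges, regardless of whether one domain or several are used.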
ASKER CERTIFIED SOLUTION
Jay_Jay70:

shanemccutch (asker):

Thanks for your feedback, very helpful.
Jay_Jay70:

Pleasure - good luck with it