Best AD design – child domain or one-way trust?
Posted on 2011-05-12
We are designing a new production network for a new web-facing customer application. The network will have quite a few web servers in a DMZ which will need to communicate with various SQL clusters and other application servers on the internal network. For ease of management, all the servers will be part of a domain. The servers in the DMZ need to do LDAP writes to the DMZ domain controllers, so using read-only DCs won’t work.

One option at this point is to configure two separate domains/forests, one for the DMZ and one for the internal network. The other option is to configure the DMZ as a child domain of the internal domain. Microsoft recommends using the “isolated forest model”, which uses two separate forests, one in the DMZ and one in the internal network. A one-way trust would be established from the internal network to the DMZ. This seems like it would work for us, but my concern is account authentication from the DMZ back into the internal network. There are specific accounts that the web servers use to connect to the SQL databases as well as to connect to other application servers.
Can accounts be created in a DMZ forest that can authenticate to servers in the internal network forest when there isn’t a two-way trust? Would we be better suited to use a child domain in the DMZ instead of two forests, even though this isn’t Microsoft’s best practice? I would like to use two forests and a one-way trust, but I need to make sure the servers in the DMZ can still authenticate to internal systems before we start building out the infrastructure.
Any advice would be greatly appreciated – specifically on whether I can get communication to work from the DMZ to the internal network without a two-way trust.
All the domain controllers are Windows Server 2008 R2.
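As an added example that is not part of the original post: a PowerShell script that reports, optionally creates, and then functionally checks the one-way forest trust described in the question. For accounts that live in the DMZ forest to authenticate to SQL and application servers in the internal forest, the internal forest must be the trusting side and the DMZ forest the trusted side, i.e. an outgoing trust from the internal forest (incoming from the DMZ's point of view). That direction lets internal resource servers look up and authenticate DMZ principals while nothing in the DMZ trusts, or can enumerate, internal accounts. The forest names `corp.example` and `dmz.example`, the service account `DMZ\svc_web` and the `-Create` switch are assumptions for illustration; the calls are the .NET `System.DirectoryServices.ActiveDirectory` API, which exists on Windows Server 2008 R2, so the 2012+ `ActiveDirectory` module and its `Get-ADTrust` cmdlet are not required.

```powershell
# Added example, not code from the original post.
# Assumed names: 'corp.example' = internal forest (trusting side, hosts SQL/app
# servers); 'dmz.example' = DMZ forest (trusted side, holds the web servers'
# service accounts); 'DMZ\svc_web' = a service account in the DMZ forest.
# Run on a DC or admin host in the internal forest as an Enterprise Admin.
param(
    [string]$InternalForest = 'corp.example',   # assumed
    [string]$DmzForest      = 'dmz.example',    # assumed
    [string]$DmzAccount     = 'DMZ\svc_web',    # assumed
    [switch]$Create                             # inspect only unless -Create is given
)

Add-Type -AssemblyName System.DirectoryServices
$T          = 'System.DirectoryServices.ActiveDirectory'
$forestType = [System.DirectoryServices.ActiveDirectory.Forest]

# Returns the trust object from $Forest towards $Target, or $null if none exists.
function Get-ForestTrust {
    param($Forest, [string]$Target)
    try   { return $Forest.GetTrustRelationship($Target) }
    catch { return $null }   # ActiveDirectoryObjectNotFoundException: no TDO yet
}

# Bind to the internal (trusting) forest with the caller's own credentials.
$ctx      = New-Object -TypeName "$T.DirectoryContext" -ArgumentList 'Forest', $InternalForest
$internal = $forestType::GetForest($ctx)
$trust    = Get-ForestTrust $internal $DmzForest

if ($Create -and -not $trust) {
    # Enterprise Admin credentials for the DMZ forest are needed to create both
    # sides of the trust in one call.
    $dmzCred = Get-Credential
    $dmzCtx  = New-Object -TypeName "$T.DirectoryContext" -ArgumentList 'Forest', $DmzForest,
                   $dmzCred.UserName, $dmzCred.GetNetworkCredential().Password
    $dmz     = $forestType::GetForest($dmzCtx)

    # Outbound from the internal forest: the internal forest trusts the DMZ
    # forest, so DMZ principals can authenticate to internal servers, while the
    # DMZ forest does not trust (and cannot resolve) internal accounts.
    $internal.CreateTrustRelationship($dmz,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound)

    # Selective authentication: instead of every DMZ principal becoming part of
    # Authenticated Users on every internal server, DMZ accounts must be granted
    # 'Allowed to Authenticate' on the specific SQL/app computer objects.
    $internal.SetSelectiveAuthenticationStatus($DmzForest, $true)
    $trust = Get-ForestTrust $internal $DmzForest
}

if ($trust) {
    '{0} -> {1}: type={2} direction={3}' -f $trust.SourceName, $trust.TargetName,
                                            $trust.TrustType, $trust.TrustDirection
    # SID filtering (quarantine) is on by default for forest trusts; it blocks
    # SIDs from the internal forest being injected via sIDHistory from the DMZ.
    'SID filtering (quarantine): ' + $internal.GetSidFilteringStatus($DmzForest)
    'Selective authentication:   ' + $internal.GetSelectiveAuthenticationStatus($DmzForest)
} else {
    "No trust from $InternalForest towards $DmzForest"
}

# Functional check of the direction: translating a DMZ account name to a SID
# from the internal side only succeeds if the internal forest trusts the DMZ
# forest. Do this before creating SQL logins or ACLs for the DMZ account.
try {
    $nt  = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $DmzAccount
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    "Resolved $DmzAccount to $($sid.Value): $InternalForest trusts $DmzForest"
} catch {
    "Could not resolve $DmzAccount from here: the trust is missing or points the wrong way"
}
```

Run it once without `-Create` to see the current state, and again with `-Create` to build the trust. With selective authentication enabled, a SQL login for `DMZ\svc_web` on an internal cluster still fails until the account (or a DMZ group it belongs to) is granted the "Allowed to Authenticate" permission on the computer objects of the SQL and application servers it needs to reach; that is the expected behaviour and the point of the setting, since it limits which internal hosts a compromised DMZ account can even attempt to log on to.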