Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
567
Views
2
Helpful
4
Replies

Active directory on DMZ

mrmozaffari
Level 1
Level 1

‎09-28-2006 03:09 AM - edited ‎03-09-2019 04:20 PM

Hi

Is it possible to locate "active directory server" on dmz and domain users in inside interface ?

If it possible can you tell me more ?

Thanks.

Best Regards bahman mozaffari.

Labels:
0 Helpful
4 Replies 4

oabduo983
Level 1
Level 1

‎09-29-2006 11:52 AM

Hi Bahman,

I would not advise you to have the active directory on your DMZ. You can have any server on the DMZ but not the DC. You usually have the Domain controller on the inside network for two main reasons:

1- You never give access from outside to inside directly as it would be insecure... you place your DC on your inside because you don't give permission for anybody to access it from outside... On the other hand you don't have any problems letting people to access the mail server through the known ports (smtp, pop3...etc)... and this is why you place the mail server on the DMZ... in summary if the DMZ was hacked, there is another layer of security from the DMZ to the inside network.

2- You will have a problem with the non-routable protocols (e.g. netbios, and netbui) if the DC and the users are on different zone, therefore it is always advisable to have the DC on the same zone as the users...

I hope this helps, please rate if it does...

Osama

cprice2k7
Level 1
Level 1
In response to oabduo983

‎09-29-2006 01:00 PM

I actually worked for an organization that did have it's domain controllers on a dmz. We had to do this as we were members of a large Active Directory forest that had members of other organizations. This allowed active directory access from the other sites without giving them access to our internal network.

This took a lot of work to configure and maintain. I would agree with Osama not to do this unless it is absolutely necessary.

0 Helpful

mrmozaffari
Level 1
Level 1
In response to cprice2k7

‎09-29-2006 11:02 PM

Thank you for your reply

But i dont want to access outside to inside i only want to insert my DC to one of my dmz there is no any other server ,the things is access between dmz and inside zone ,is it possible ?

Thanks.

Best Regards Bahman Mozaffari.

0 Helpful

oabduo983
Level 1
Level 1
In response to mrmozaffari

‎09-30-2006 12:25 AM

Hi Bahman,

It is possible, I have seen it once, althought I don't believe it is the best design... you might need the (alias) command dependent on where you place your DNS server...

Best regards,

0 Helpful
Customers Also Viewed These Support Documents