Ask the Expert

Having separate domains for your DMZs is a good idea

We have two DMZs with a total of 30 Windows 2000 standalone servers. We have a request to provide a solution to make it easy to administer IDs and passwords on these boxes. One solution would be to put an AD (Active Directory) domain just for the DMZ. Is this a good security solution? If not, what do you suggest?


Having separate domains for your DMZs is a good idea. However, you suggest one domain for the two DMZs. If there is sufficient reason to have two separate DMZs, there is likely reason enough to have separate domains as well. Without knowing more about your network setup, it is difficult to know for sure. The different domains in and of themselves probably don't add that much value in the way of security (although they could if the appropriate trust relationships/restrictions are put in place). However, making it easier to determine who has administrative authority over specific servers is a good thing.


This was first published in July 2003.
