We have two DMZs with a total of 30 Windows 2000 stand alone servers. We have a request to provide a solution to make it easy to administer IDs and passwords on these boxes. One solution would be to put an AD (Active Directory) domain just for the DMZ. Is this a good security solution? If not what do you suggest?
Having separate domains for your DMZs is a good idea. However, you suggest one domain for the two DMZs. If there is sufficient reason to have two separate DMZs, there is likely reason enough to have separate domains as well. Without knowing more about your network setup, it is difficult to know for sure. The different domains in and of themselves probably don't add that much value in the way of security (although they could if the appropriate trust relationships/restrictions are put in place.) However, making it easier to determine who has administrative authority over specific servers is a good thing.
For more info on this topic, check out these SearchSecurity.com resources:
Dig Deeper on Enterprise network security
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.