Comments on: Domain Controller

By: maryam82

maryam82 — Thu, 20 Dec 2007 14:49:00 +0000

We are several companies not necessarily connecting to the same ISP.

We are using our own set of private IP (192.168.0.0) and NATing them to public IPs. We decided to use other sets of private IP for the new private companies’ network (172.16.0.0)

We’ll be sharing application, data, portal access, videoconferencing, etc.

The thing is Active Directory needs to part of both networks to authenticate users. We have a firewall and a proxy server for web access.

So for example, if users want to go to the Internet they’ll be mapped to IP1, if they want to access data in one of the other companies they’ll be mapped to IP2.

Connecting between all sites will be done from behind a firewall. I tried NATing the AD server to IP1 when accessing the Internet and IP2 when accessing the private network. It didn’t seem to work. There was a problem and I wasn’t able to figure out the cause. Anyway wouldn’t that be an overhead on the firewall.

Did I provide sufficient information or am I missing something?

Thanks for the help

By: bhargrave

bhargrave — Mon, 17 Dec 2007 19:09:27 +0000

I would first throw a firewall in there with a public address, and then allow the firewall to give out private ip addresses to your internal network . This way you can allow the other private networks to communicate with your network via the rules setup in your firewall. I would never allow my ad server to be viewed by the other networks without having a firewall in between.

By: wrobinson

wrobinson — Mon, 17 Dec 2007 14:07:19 +0000

To quickly answer this question, in Active Directory, there are sites and subnets — these objects specifically address spanning across multiple physical and logical sites and physical networks. Before we start talking about trusts, we must first determine if there is even a Microsoft domain infrastructure in place in the environment being brought online. If not, then there is no need for a trust.

I agree that more information is need to draw more complete conclusions. You really need to understand what is happening currently in the “other compaines”. This will in effect, determine how to integrate them. There are also some considerations that go along with this, such as data and service autonomy and isolation.

You really shouldn’t need another network adapter unless you plan on using routing functionality within RRAS to setup your VPNs.