Q

How to join two Active Directories but limit user access

An admin has two domains and two Active Directories. He wants to know how to join the Active Directories so that internal staff can access both, but outside staff can only access the newer Active Directory. Server management expert Laura E. Hunter suggests a best practice to resolve this problem.

I run a SharePoint server on a Windows 2003 server on Active Directory (AD1), which our internal staff connects to through our internal network. I now need to create a new domain where staffers outside the internal network can access the same SharePoint server through a new Active Directory (AD2). Here's the catch -- our internal staff also needs the ability to access our SharePoint server using the new Active Directory (AD2). How can we join the AD1 and AD2 directories, so our internal staff can access both, but outside staff can only access the new AD2?

It is a best practice to keep internal and external Active Directory environments segregated. Use your internal AD to authenticate your internal users, and use your external AD to authenticate your external users, and assign permissions to groups in each forest as appropriate. The alternative, setting up a trust relationship between the two forests, will entail opening up far too many ports between your DMZ and your corporate network.

This was first published in October 2007