Manage Learn to apply best practices and optimize your operations.

How to join two Active Directories but limit user access

An admin has two domains and two Active Directories. He wants to know how to join the Active Directories so that internal staff can access both, but outside staff can only access the newer Active Directory. Server management expert Laura E. Hunter suggests a best practice to resolve this problem.

I run a SharePoint server on a Windows 2003 server on Active Directory (AD1), which our internal staff connects to through our internal network. I now need to create a new domain where staffers outside the internal network can access the same SharePoint server through a new Active Directory (AD2). Here's the catch -- our internal staff also needs the ability to access our SharePoint server using the new Active Directory (AD2). How can we join the AD1 andAD2 directories, so our internal staff can access both, but outside staff can only access the new AD2?
It is a best practice to keep internal and external Active Directory environments segregated. Use your internal AD to authenticate your internal users, and use your external AD to authenticate your external users, and assign permissions to groups in each forest as appropriate. The alternative, setting up a trust relationship between the two forests, will entail opening up far too many ports between your DMZ and your corporate network

Dig Deeper on Microsoft Hyper-V management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.