Subject: [ActiveDir] Incorporating external users.......
Brad.Smith@xxxx.yyy

11/08/2005 9:22 AM  
Hello List,

I have a situation I would be interested in getting feedback from you all
on. Our setup is Single Forest, Single domain, all W2K or later, DFL is W2K
Native. We have a user population of around 14k and this domain is THE
central AD service for the entire company. I am working with some
colleagues on projects that are going to see a large number of users (around
7k) external to the company require AD type authentication (mainly for
things like SharePoint and web based stuff). My preferred proposal is to
create a second single forest single domain structure, place the services
and external user accounts in it, and have our core domain be trusted by the
external user domain so that internal users can access the service they need
to. This will take time to document and procure hardware for, etc, so the
business want justification as to why we shouldn't just add them to a
dedicated OU. The reasons I am using thus far are as follows:

1) I want to stipulate a more stringent password policy for external users
2) I want to prevent external users from being members of the Authenticated Users
group for our core domain
3) I want a clear line of demarcation between services/data used for
external access and those provided for internal users

What other issues/considerations have list readers come across when
incorporating large amounts of external users?

TIA,

Brad


List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
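A check for the trust topology Brad proposes, added here as an example and not taken from the thread: run from an admin host in the external-user domain with the ActiveDirectory PowerShell module; the forest name `corp.example` is an assumption, as is the selective-authentication check, which goes slightly beyond the post.

```powershell
# Added example: audit the one-way trust between the external-user domain and the core forest.
# Run from an admin host joined to the EXTERNAL domain; requires the ActiveDirectory module.
# 'corp.example' is an assumed placeholder for the core forest root.
Import-Module ActiveDirectory

function Test-ExtranetTrust {
    param([string]$CoreForest = 'corp.example')

    $findings = New-Object System.Collections.Generic.List[string]
    $trusts = Get-ADTrust -Filter * -Properties Direction, ForestTransitive, SelectiveAuthentication, Target
    $core = $trusts | Where-Object { $_.Target -ieq $CoreForest }

    if (-not $core) {
        $findings.Add("No trust to $CoreForest exists in $((Get-ADDomain).DNSRoot)")
    }
    foreach ($t in $trusts) {
        if ($t.Target -ine $CoreForest) {
            # The external domain should trust nothing except the core forest.
            $findings.Add("Unexpected trust partner $($t.Target) ($($t.Direction))")
            continue
        }
        # Intended design: the external domain trusts the core forest (Outbound from here),
        # so internal users can reach extranet services while external accounts can never
        # authenticate into the core forest. Inbound or BiDirectional defeats reason (2).
        if ($t.Direction -ne 'Outbound') {
            $findings.Add("Trust to $CoreForest is $($t.Direction); expected Outbound only")
        }
        # Selective authentication stops every core user from becoming Authenticated Users
        # on every extranet host; access is then granted per server via 'Allowed to Authenticate'.
        if (-not $t.SelectiveAuthentication) {
            $findings.Add("Trust to $CoreForest uses domain-wide authentication; consider selective authentication")
        }
    }
    return $findings
}

$result = Test-ExtranetTrust
if ($result.Count -eq 0) { 'Trust topology matches the intended design' } else { $result }
```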
sbradcpa (Susan Bradley)
11/08/2005 3:13 AM  
Windows 2003 r2 Enterprise [not standard] [and not a free upgrade]

Tomasz Onyszko wrote:
> Smith, Brad wrote:
> (...)
>
> > What other issues/considerations have list readers come across when
> > incorporating large amounts of external users?
>
> If You are building this solution from scratch or You can do some
> development on Your web app I will strongly encourage You to take a look
> at ADFS services which will be shipped with Windows 2003 R2 this year.
> Some food for reading:
> http://download.microsoft.com/download/d/8/2/d827e89e-760a-40e5-a69a-4e75723998c5/ADFS_Overview.doc
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=062f7382-a82f-4428-9bbd-a103b9f27654&DisplayLang=en

tonyszko (Tomasz Onyszko)
11/08/2005 4:45 AM  
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> Windows 2003 r2 Enterprise [not standard] [and not a free upgrade]

Yes, that is a pain. The good thing is that if you want to use ADFS You
don't have to upgrade all of your servers in the organization. It can be
deployed in Windows 2000 networks as well - of course it will require an
ADFS Server on Windows 2003 R2 and Windows 2003 R2 for IIS boxes.

ADFS Web SSO Agent will be shipped (AFAIK) in Standard version as well
so deploying ADFS will require at least (in a simple scenario):

- Windows 2003 R2 Ent for ADFS Server
- Windows 2003 R2 Std for each IIS box hosting a .NET claim aware application

--
Tomasz Onyszko
http://www.w2k.pl
sbradcpa (Susan Bradley)
11/08/2005 4:54 AM  
That I'm not sure of.... I do know the R2 grid indicates ADFS only in
Enterprise.
Tomasz Onyszko wrote:
> (...)


--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
tonyszko (Tomasz Onyszko)
11/08/2005 4:58 AM  
Tomasz Onyszko wrote:

Just as an update, ADFS requirements from the Technet web page:
http://technet2.microsoft.com/WindowsServer/en/Library/1c2f6235-833a-421e-8529-3e9cd97da6771033.mspx

--
Tomasz Onyszko
http://www.w2k.pl
tonyszko (Tomasz Onyszko)
11/08/2005 10:07 AM  
Smith, Brad wrote:
> (...)
>
> What other issues/considerations have list readers come across when
> incorporating large amounts of external users?

If You are building this solution from scratch or You can do some
development on Your web app I will strongly encourage You to take a look
at ADFS services which will be shipped with Windows 2003 R2 this year.
Some food for reading:
http://download.microsoft.com/download/d/8/2/d827e89e-760a-40e5-a69a-4e75723998c5/ADFS_Overview.doc
http://www.microsoft.com/downloads/details.aspx?FamilyID=062f7382-a82f-4428-9bbd-a103b9f27654&DisplayLang=en

--
Tomasz Onyszko
http://www.w2k.pl
Brad.Smith@xxxx.yyy

11/08/2005 10:12 AM  
Thanks, I will certainly look into that. I neglected to mention that I need
to have a solution ready for pilot within the Dec/Jan time frame.

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tomasz Onyszko
Sent: 08 November 2005 10:06
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Incorporating external users.......

> (...)
lists1 (Ulf B. Simon-Weidner)
11/08/2005 10:25 AM  
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>
> Windows 2003 r2 Enterprise [not standard] [and not a free upgrade]
>

Excepting for customers with Software Assurance, and you only need the
enterprise version on the Federation Servers and Federation Server Proxies.

Ulf

tonyszko (Tomasz Onyszko)
11/08/2005 10:27 AM  
Smith, Brad wrote:

> Thanks, I will certainly look into that. I neglected to mention that I need
> to have a solution ready for pilot within the Dec/Jan time frame.

You can test Your solution with Windows 2003 R2 RC now - it is working
with Windows SharePoint Services from R2 server and with .NET
applications if You make them claim-aware. I don't remember the time frame
for R2 but it should be available at the end of this year so I think
that if You find ADFS suitable for Your needs and You can start working
with the RC version You will be ready on this date.


--
Tomasz Onyszko
http://www.w2k.pl
Brad.Smith@xxxx.yyy

11/08/2005 10:38 AM  
Our domain level is at W2K Native, and isn't to be upgraded until the DCs
are migrated to W2K3 around March next year.

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tomasz Onyszko
Sent: 08 November 2005 10:25
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Incorporating external users.......

> (...)
Brad.Smith@xxxx.yyy

11/10/2005 11:05 AM  
Just as an update.....
We have decided on an additional and new separate Forest/Domain
infrastructure to host external user accounts...

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Ulf B.
Simon-Weidner
Sent: 08 November 2005 22:24
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Incorporating external users.......

> (...)
AD00000124 (Al Maurer)
11/14/2005 4:21 AM  
Brad,

We are implementing the same forest/domain structure as you are (i.e., separate for external user access) and for the same purpose. We do not have a trust to the internal "core" domain/forest; internal users who need access to the extranet domain must have separate accounts.

The other tweak I've done is to have the external user accounts in a separate OU with the business unit doing some of the account provisioning. A major issue, I think, is to ensure lifecycle management of these external user accounts, just as you would internal--otherwise a lot of junk could accumulate rather quickly.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
----------------------------------------------
"Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Smith, Brad
Sent: Thursday, November 10, 2005 4:04 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Incorporating external users.......

> (...)
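A lifecycle sweep for the external-user OU Al describes, added here as an example and not part of the thread: it flags accounts that have gone unused and disables them rather than letting junk accumulate. It assumes the ActiveDirectory PowerShell module, the constructed OU path `OU=ExternalUsers,DC=extranet,DC=example`, and the day thresholds shown.

```powershell
# Added example: stale-account sweep for accounts provisioned in the external-user OU.
# Run in the extranet domain with the ActiveDirectory module. OU path and thresholds are assumptions.
Import-Module ActiveDirectory

function Invoke-ExternalAccountSweep {
    param(
        [string]$ExternalOU   = 'OU=ExternalUsers,DC=extranet,DC=example',  # assumed OU
        [int]$DisableAfterDays = 60,   # no logon for this long: disable
        [int]$DeleteAfterDays  = 90,   # disabled this long: report as deletion candidate
        [bool]$WhatIf          = $true # flip to $false to actually change accounts
    )
    $now            = Get-Date
    $cutoffLogon    = $now.AddDays(-$DisableAfterDays)
    $cutoffDisabled = $now.AddDays(-$DeleteAfterDays)

    # lastLogonTimestamp replicates between DCs (lastLogon does not), so one query suffices;
    # it may lag the true last logon by up to 14 days, which the thresholds tolerate.
    $users = Get-ADUser -SearchBase $ExternalOU -Filter * `
        -Properties lastLogonTimestamp, whenCreated, whenChanged, Enabled

    $toDisable = @(); $neverUsed = @(); $toDelete = @()
    foreach ($u in $users) {
        $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
        if ($u.Enabled) {
            if ($null -eq $lastLogon) {
                # Provisioned by the business unit but never used: stale once past the threshold.
                if ($u.whenCreated -lt $cutoffLogon) { $neverUsed += $u }
            } elseif ($lastLogon -lt $cutoffLogon) {
                $toDisable += $u
            }
        } elseif ($u.whenChanged -lt $cutoffDisabled) {
            # whenChanged approximates "disabled since"; review these before deleting.
            $toDelete += $u
        }
    }
    foreach ($u in ($toDisable + $neverUsed)) {
        Disable-ADAccount -Identity $u -WhatIf:$WhatIf
        Set-ADUser -Identity $u -Description ("Disabled by lifecycle sweep " + $now.ToString('yyyy-MM-dd')) -WhatIf:$WhatIf
    }
    [pscustomobject]@{
        Total            = $users.Count
        Disabled         = $toDisable.Count
        NeverUsed        = $neverUsed.Count
        DeleteCandidates = $toDelete.Count
    }
}

Invoke-ExternalAccountSweep
```

Run it with the default `$WhatIf = $true` first to see what would change; the Description stamp leaves an audit trail for whoever reviews the deletion candidates.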