Archived from groups: microsoft.public.win2000.dns
Arne And wrote:
> I have 2 domains in my LAN. One is where all the users who work in
> the corporation are. And I have a different domain in my DMZ.
>
> The DMZ is between your Internet connection and LAN, and not between
> two trusted networks
>
> I have only opened access to send FTP from my internal domain to the
> domain in the DMZ. From the DMZ I have not opened up anything.
>
> Well, my intention was failover and easy backup of users for my
> domain in the DMZ. If I had 2 servers in there (2 DCs) and I had
> replicated everything on my web/ftp server to the second one, then if the
> original server went down, the other one could take over. Just route
> everything to the second server.
>
> The users that are in my DMZ zone don't have anything to do with my domain
> on the inside.
>
> If I just have a Windows 2003 server with IIS installed etc., I have
> to use local users and groups to set up my 100 external users. If
> that server went down, rebuilding it would take a lot of time.
>
> But is there a better way: to have 2 Win2003 servers then, that are
> configured exactly the same, but one is not plugged in to my DMZ? If
> the original webserver should go down, then I could just boot up the
> "cold" one. But it would be much more work to keep those servers
> alike (one online and the other not).
>
> So what you recommend is just one standalone server, and backup
> system state and IIS, and use that to restore the server?
That's what I'd do, if this indeed had to be a Windows server in the first
place, which it doesn't need to be. If someone hacks your DMZ, all your DCs
are probably toast anyway - and although I do now understand your setup
(which you didn't explain clearly in your first post, hence my erroneous
assumptions), I still think it sounds like it isn't optimal. Also, it sounds
expensive. Do you have CALs for each of these 100 users in your DMZ domain?
You need them. I probably wouldn't use Windows/IIS for this server at all.
>
> Regards
>
> -AA-
>
> "Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> skrev i melding
> news:%23fIcShqCFHA.3528@TK2MSFTNGP10.phx.gbl...
>> In news:yovMd.7164$Sl3.172968@news4.e.nsc.no,
>> Arne And <kjellhoy@start.no> commented
>> Then Kevin replied below:
>>> Hmmm well, if I have just an FTP server in my DMZ, and it's
>>> packed with 100 users that have their own username and
>>> password and their own folder in my FTP site, it's a hell
>>> of an admin job to manage all this when the server is
>>> only a member server.
>>
>> You need to rethink this: a member server gets its ACL accounts from
>> its Domain Controller. You can also use local accounts, but it is not
>> required to use local accounts.
>>
>>> Let's say that I have a server crash, and I have to
>>> restore. It would be easier to have a DC there, then
>>> it would have all the user accounts on the second DC. While
>>> on the member server I would have to punch them in all
>>> manually....
>>>
>>
>> If the member server crashes and dies, it is a whole lot simpler and
>> easier to revive it from the dead, even on brand new hardware. If a DC
>> crashes and dies you'll have to remove all traces of it from AD before
>> you can re-use its name, unless you have a current, up-to-date backup
>> of the dead DC. If any of the backup data is more than sixty days old,
>> don't even attempt to restore from your backup.
>> I went through that this past week with someone who restored one DC
>> from a three month old backup. The two DCs totally refused to
>> replicate with each other because the data on the restored DC was
>> older than the sixty day tombstone life. The only way out was to do
>> a forced removal of AD on the restored DC, do a metadata cleanup on
>> the other DC, then DCPromo the restored-from-backup DC back into the
>> domain. This was a six hour process by itself.
>>
>>> or am I way off here....
>> You are.
>>
>> --
>> Best regards,
>> Kevin D4 Dad Goodknecht Sr. [MVP]
>> Hope This Helps
>> ===================================
>> When responding to posts, please "Reply to Group"
>> via your newsreader so that others may learn and
>> benefit from your issue, to respond directly to
>> me remove the nospam. from my email address.
>> ===================================
>> http://www.lonestaramerica.com/
>> ===================================
>> Use Outlook Express?... Get OE_Quotefix:
>> It will strip signature out and more
>> http://home.in.tum.de/~jain/software/oe-quotefix/
>> ===================================
>> Keep a back up of your OE settings and folders
>> with OEBackup:
>> http://www.oehelp.com/OEBackup/Default.aspx
>> ===================================
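Kevin's point about the sixty-day tombstone lifetime is the one check worth automating before any DC restore: a system state backup older than the forest's tombstone lifetime must not be restored, or the revived DC will carry objects the other DCs have already purged. The script below is an added example, not code from this thread or from any of its posters, and it uses tooling that did not exist in the Windows 2000/2003 era: it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the administrator supplies the backup timestamp by hand. The function names Get-TombstoneLifetimeDays and Test-BackupRestorable are this example's own.

```powershell
# Added example: decide whether a DC system state backup is still inside
# the forest tombstone lifetime before attempting an authoritative restore.
# Assumes the ActiveDirectory module (RSAT) is present on this machine.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # Configuration partition. When the attribute is unset, the forest uses
    # the historical default of 60 days, the value Kevin cites in the thread
    # (forests created on newer Windows versions default to a longer value;
    # in that case the attribute is normally populated and read here).
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $dsObj = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
    if ($dsObj.tombstoneLifetime) { return [int]$dsObj.tombstoneLifetime }
    return 60
}

function Test-BackupRestorable {
    param(
        # Timestamp of the system state backup you intend to restore from.
        [Parameter(Mandatory)][datetime]$BackupDate,
        # Defaults to the live forest value; pass it explicitly when offline.
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays),
        # Keep a margin so the restore completes before the deadline passes.
        [int]$SafetyMarginDays = 7
    )
    $ageDays = ((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupDate            = $BackupDate
        AgeDays               = [math]::Round($ageDays, 1)
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        Restorable            = $ageDays -lt ($TombstoneLifetimeDays - $SafetyMarginDays)
    }
}

# Usage, constructed values: a 90-day-old backup against a 60-day lifetime
# reports Restorable = False, which is exactly the case Kevin describes.
Test-BackupRestorable -BackupDate (Get-Date).AddDays(-90) -TombstoneLifetimeDays 60

# Usage against the live forest value (requires domain connectivity):
Test-BackupRestorable -BackupDate (Get-Date).AddDays(-10)
```

When Restorable comes back False, the right recovery path is the one Kevin outlines: forcibly remove AD from the stale DC, run metadata cleanup on a healthy DC to purge its NTDS settings, and promote a fresh DC instead of restoring the old one.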