Planning your perimeter network

Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

Perimeter networks (also known as DMZs or extranets) can be a challenging environment for an information technology (IT) department. Security mandates, such as auditing and protecting assets, often contrast with the constantly changing connectivity requirements of mobile and remote users and applications that are deployed in a perimeter network.

This guide contains information about the following:

· Determining whether Active Directory® Domain Services (AD DS) is appropriate for your perimeter network

· The various models for deploying AD DS in perimeter networks

· Planning and deploying read-only domain controllers (RODCs) in perimeter networks

Because RODCs provide new capabilities for perimeter networks, most of the content in this guide describes how to plan for and deploy this new Windows Server 2008 feature. However, the other Active Directory models introduced later in this guide are also viable. Choose an appropriate model in accordance with the business needs of your organization.

In this guide

Planning Deployment of AD DS in the Perimeter Network

Designing RODCs in the Perimeter Network

Deploying RODCs in the Perimeter Network

Planning your perimeter network

Applications that provide services to customers, partners, and corporate users drive the security and connectivity requirements of a perimeter network. These applications greatly influence the design of the network topology and the infrastructure services that are provided.

As shown in the Figure 1, a typical perimeter network design can require constraints on communication between the internal network and the perimeter network. The constraints can be modeled either at the physical network layer (routers and firewalls) or at a logical layer (Internet Protocol security (IPsec), Secure Sockets Layer (SSL), and so on.

Figure 1 Perimeter networks