Question on MOSS in DMZ - Need Help
-
Sunday, December 02, 2007 1:48 AM
We are trying to set up a configuration that was described as approved by Microsoft (a verbal conversation).
We have a DMZ with two MOSS Servers (Server B and Server C). The DMZ has its own AD forest and domain.
There is another MOSS Server (Server A) in the network along with the SQL Server.
They should all be part of the same farm.
No trust relationship can exist between the Internal Network Forest and the one in the DMZ.
Our plan is to have them on the same farm and create an extranet. The Site Collection would be on all web servers. Internal people (employees) would hit the internal web server (Server A). Server A is a part of the internal domain and will authenticate to that internal AD.
The Non Employees would only hit the web servers in the DMZ (Servers B and C which are load balanced). Those machines are a part of the DMZ domain and will authenticate to the AD instance in the DMZ.
Due to security constraints, there is no trust between the Forests.
We have installed MOSS on Server B and are trying to attach it to the farm, but no luck. We tried using psconfig.exe, as if we used the Configuration Wizard, it would use the account which we logged into the Server B with (which is an AD account in the DMZ) and the internal SQL Server will not recognize the account.
So we tried psconfig.exe but are getting errors, saying that it cannot find the config database, although I can ping the internal SQL Server box and even Remote Desktop into it (firewall rules are in place).
We used the psconfig.exe -cmd -connect command to connect to an existing configuration database. The password we are using is the farm account for the internal network. We even tried using a SQL account, rather than a Windows account, but we get an error saying that the user must be a local account or a global domain account.
Does anyone know if this configuration is supported? Is it a situation where we need to have a one way trust for the initial configuration, but after that, we can turn it off?
Any help would be appreciated.
All Replies
-
Sunday, December 02, 2007 3:03 PM
Unfortunately the information you have been given is incorrect. You cannot split a farm across multiple AD domains and remain in a supported configuration.
Each MOSS server needs to be able to run services using the SAME account on each machine. When this account is a domain account the servers must be in the same domain. This is especially true for the machine hosting the central admin site as this needs to be able to synchronise applications across all machines.
I did see a blog that discussed a fully SQL auth MOSS farm and will post it here for you when I find it.
-
Sunday, December 02, 2007 6:32 PM
OK. Thanks for the info.
So it sounds like the options to handle this scenario would be:
1) Have everything on the farm use SQL (forms based) authentication
2) Establish a one way trust relationship in the DMZ so that it trusts the network accounts, and then I can run the network accounts on the web servers in the DMZ as they would be trusted.
Is that correct?
I just want to be sure I understand your first comment:
"You cannot split a farm across multiple AD domains and remain in a supported configuration." When you say that, you mean without a one way trust, right? I think I have seen configurations where this is possible (external vs internal Forest) but the trust relationship has to be there.
Thx
-
Monday, December 03, 2007 11:19 AM
All servers must be a member of the same AD domain. So the servers B and C must be a member of the internal domain, NOT the DMZ domain. Using trusts you can enable users of the DMZ domain to log into the SharePoint site.
A solution using an ISA Server might be more suitable for you. Place the ISA Server in the DMZ as a reverse proxy and place all servers on the internal network.
Regards,
Yorick
-
Monday, December 03, 2007 12:52 PM
First, thank you for everyone's response. We really appreciate it.
However, I'm a bit confused by the last response.
So are we saying that the servers in the DMZ must be joined to the internal domain?
I was under the impression that they should belong to the external domain, but that the trust relationship should exist so that the accounts that run under the app pool and that run the services on the machines in the DMZ could operate.
Can someone else confirm/deny the last post?
Thx
-
Monday, December 03, 2007 1:22 PM
In post http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1118842&SiteID=1 Joel Oleson (MS SharePoint guy) says "The farm (all servers) need to all be within 1 domain" (2nd post from the top). Placing servers in different domains is a non-supported solution,