Hello,
I am building a web application with the following components:
2 Web Servers
- Windows Server 2003
- IIS 6
- .Net Framework version 2.0
- Reside in Domain A
2 Clustered Database Servers
- Windows Server 2003
- SQL Server 2000
- Reside in Domain B
I am also setting up a share on the a separately partitioned drive on
the database server cluster to act as a central repository for storing
and retrieving documents which pertain to data in the database. To
accomplish this, I was going to create a Windows Share on the Documents
folder and create two accounts for access from the web servers, a User
account which only has Read access to the share and an Admin account
which has Read/Write access to the share and underlying folders.
The web app was going to be separated into two ASP.Net applications,
one for Users and the other for Admins. I was going to create a
virtual directory on the user app which would point to the Share on the
remote server and set the anonymous account on that virtual directory
to be the User account I created for Reading the documents. This would
allow anyone to be able to directly download the documents via a URL.
For the administrative side, I was going to create a separate
Application Pool which contains the Admin application and establish the
Admin account with Read/Write permissions on the share as the Custom
Service account within which the appplication would run. Therefore, I
would know for sure that only users accessing the administrative
application would have rights to Write to the Share.
After researching the options for some time, I found that the easiest
way to do this is to create either mirrored local accounts on the web
and database servers or set up domain accounts to span both servers.
The only problem is that I have been told by my infrastructure team
that because the database servers are clustered, they cannot establish
local accounts on the servers. I am not sure if this is true or not,
but I have to go by what they tell me.
Also, the servers are within different domains which are not trusted,
so I don't think the domain account solution would work as I could not
establish a domain account as the Service Account for the Application
Pool which could span all of the servers. Somebody did mention that it
maybe possible to establish mirrored domain accounts, however I have
not read this anywhere in the research I conducted.
So given the information provided above, could somebody please help me
out with these questions:
1. Is it possible possible to create local accounts on clustered
servers in order to go with the mirrored local accounts solution?
2. Is it possible to establish mirrored domain accounts for cross
domain access?
3. Given the scenario presented above, what is the easiest and/or best
solution to use to implement the desired environment?
Thanks in advance for any help.
John Fleming
jf******@misicompany.com
