I'm in the process of planning an ISA Server 2006 (Standard Edition) implementation; however I'm not clear as to whether this will require an Active Directory schema edit? I seem to recall that previous versions of ISA Server extended the schema but does 2006 do this?
You are correct, the schema was changed with ISA 2000 EE, but starting with ISA 2004 EE and also ISA 2006 EE, there is something called ADAM, Active Directory Application Mode. It is an LDAP-compliant directory and runs as a non-operating-system service, and it does not require deployment on a domain controller. You might need to check more on this new technology, ADAM.
Thanks for your responses guys - back in ISA 2004 days I had a chat with Steve Lamb (Microsoft Security evangelist here in the UK) about whether an ISA server should be a domain member or not and he didn't seem to have any concerns about it; having said that, I do take on board the point that a standalone server (i.e. not a domain member) could be seen as another layer of security.
The main reason I can see for leaving the ISA Server in a domain is manageability (automatic patching via group policy, etc.).
I know a little bit about ADAM... using it for ISA sounds interesting. I can't really see what the advantage would be though for a single server as there are no AD schema changes to worry about and if I just wanted a local account database I could use the SAM - I guess if I had multiple ISA servers then they could share ADAM for an organisation with a security policy that precluded domain-joined ISA Servers.
< Message edited by markwilson -- 4.Mar.2007 3:57:26 AM >