Active Directory in DMZ
-
Monday, August 20, 2012 12:54 AM
Hi
We need to deploy Active Directory in the DMZ at all of my Active Directory sites.
We have 4 Active Directory sites, and in these 4 sites we are planning to deploy additional domain controllers.
For each DMZ we need to deploy two domain controllers, so in total 8 domain controllers need to be deployed for all the DMZs.
All 4 sites are protected with firewalls. Let me know the procedure and the ports that need to be blocked and opened for Active Directory replication.
OS: Windows Server 2008 R2
Regards
Balasubramaniam
All Replies
-
Monday, August 20, 2012 1:06 AM
Guidance for Active Directory in the DMZ and required ports?
http://blogs.technet.com/b/activedirectoryua/archive/2009/08/19/where-is-the-guidance-for-active-directory-in-the-dmz.aspx
Active Directory Firewall Ports
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
Deploying domain controllers in a DMZ
http://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/5238083
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Proposed As Answer by VenkatSP Tuesday, August 21, 2012 3:32 PM
- Marked As Answer by Miya YaoModerator Wednesday, August 29, 2012 5:30 AM
-
Monday, August 20, 2012 1:40 AM
Are you planning a full Read/Write DC, or have you considered RODCs? Remember that security becomes even more important in a DMZ. Microsoft has a white paper you should definitely check out:
http://www.microsoft.com/en-us/download/details.aspx?id=3957
Active Directory Domain Services in the Perimeter Network
Thanks
Mike
- Proposed As Answer by Meinolf WeberMVP Monday, August 20, 2012 6:39 AM
- Marked As Answer by Miya YaoModerator Wednesday, August 29, 2012 5:30 AM
-
Monday, August 20, 2012 11:49 AM
Hello,
Since you are planning to add DCs in the DMZ zone, where you will have a security constraint, I would recommend that you use RODCs. The reason is that these RODCs are read only and update operations cannot be done directly on them. However, applications which will use these RODCs may not support this type of DC. For this reason, you have to check this part before proceeding.
Note that if you add a DC in the DMZ zone, these DCs should be able to replicate with at least one RWDC with GC. All the needed ports should be opened in both directions: http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls-en-us.aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
- Proposed As Answer by VenkatSP Tuesday, August 21, 2012 3:31 PM
- Marked As Answer by Miya YaoModerator Wednesday, August 29, 2012 5:30 AM
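Before opening firewall rules one by one, it helps to know which replication ports are already reachable from the DMZ DC toward the internal RWDC/GC mentioned above. The following script is an added example, not code from this thread; it targets PowerShell 2.0 on Windows Server 2008 R2 (so it uses .NET TcpClient rather than Test-NetConnection), and the hostname `rwdc01.corp.example` is a placeholder you must change.

```powershell
# Added example (not from the thread): probe the well-known TCP ports that a
# domain controller in the DMZ needs to reach on an internal RWDC/GC.
# Works on PowerShell 2.0 (Server 2008 R2) via System.Net.Sockets.TcpClient.
# UDP-only traffic (e.g. UDP 53/88/123/389) is not tested by this script.
$Target = 'rwdc01.corp.example'   # placeholder: internal RWDC that is also a GC

# Well-known TCP ports used between domain controllers.
$Ports = @{
    53    = 'DNS'
    88    = 'Kerberos'
    135   = 'RPC endpoint mapper'
    389   = 'LDAP'
    445   = 'SMB (SYSVOL / Group Policy)'
    464   = 'Kerberos password change'
    636   = 'LDAP over SSL'
    3268  = 'Global Catalog'
    3269  = 'Global Catalog over SSL'
    5722  = 'DFSR (SYSVOL) on Server 2008 / 2008 R2'
    49152 = 'RPC dynamic range (49152-65535 on Server 2008 and later)'
}

# Returns $true when a TCP handshake completes within the timeout.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in ($Ports.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port    = $p
        Service = $Ports[$p]
        Open    = Test-TcpPort -ComputerName $Target -Port $p
    }
}
$results | Format-Table Port, Service, Open -AutoSize
# A 'False' row means either a missing firewall rule or a service not listening.
# For an RWDC in the DMZ, repeat the check from the internal side as well,
# since replication then runs in both directions; an RODC only pulls from
# the RWDC, so its own outbound path is the one that matters for replication.
```

Only one port from the RPC dynamic range is sampled; a single open port there does not prove the whole 49152-65535 range is allowed, so confirm the firewall rule itself.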
-
Tuesday, August 21, 2012 11:46 AM (Moderator)
Are you going to deploy RWDC or RODC in the segmented network? If you plan to use RODC, then surely you need to consider the pros/cons of the RODC in the perimeter network.
Finding Additional Resources for Windows Server 2008 Active Directory Logical Structure Design
http://technet.microsoft.com/en-us/library/cc771620%28v=ws.10%29.aspx
All About Read Only Domain Controllers (RODC)
http://awinish.wordpress.com/2011/10/04/rodc-read-only-domain-controller/
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.