Pros Cons RODC vs Domain/Forest in DMZ

    Question

  • We have a Windows 2003 domain. Because of an Extranet SharePoint project, Active Directory services have to be deployed in our DMZ.
    A SharePoint guru advised us to use an RODC in our DMZ. Liked the idea.
    Reducing the costs of managing another domain or AD forest in the DMZ, and simplifying overall management of the DMZ, was the first thing that came to mind.

    But the last 2 weeks I've been reading several articles, and I'm not really convinced that an RODC is really secure compared to a domain/forest solution.
    I want to have it both ways: secure and simple management of the DMZ. Overall simple management with an RODC in the DMZ..yeah..But secure.. I don't know.
    The fact that the external user is part of the internal AD environment, and that internal AD information is partially available in the DMZ, scares me a little bit.

    The external user will use an RSA token, and will be authenticated through an SSL device (Juniper SA 4000) onto our DMZ.
    I don't have a lot of Windows 2008/RODC knowledge..yet..
    So I'm looking for the pros and cons. Security being the main issue.
    thanx

    Friday, August 28, 2009 10:05 AM

Answers

  • Hi,

    Thanks for your post.

    I assume that the domain/forest solution means you create a new forest in DMZ and establish forest trust with the forests in the internal network. From a security perspective, the domain/forest solution could be a better choice because it helps reduce the exposure of corporate information in the perimeter network.

    A drawback of this solution is the increased administration costs of maintaining an extra forest and the added complexity of managing firewall rules for domain controllers and client computers crossing trust boundaries.

    RODCs contain a complete copy of the Active Directory database in the sense that they contain a read-only copy of all partitions that are held by an equivalent writable domain controller.

    However, there is a set of attributes that, by default, are not replicated to an RODC:

    • Attributes that belong to the RODC FAS
    • Credentials, except for the RODC's own computer account credentials and a special krbtgt account for the RODC

    You can also extend the RODC FAS to include any credential-like attributes that you want to prevent from replicating to any RODC in the forest.

    RODC Filtered Attribute Set, Credential Caching, and the Authentication Process with an RODC
    http://technet.microsoft.com/en-us/library/cc753459(WS.10).aspx

    For more information about the deployment plan of Active Directory Domain Services (AD DS) in a perimeter network, you can refer to the following article:

    Planning Deployment of AD DS in the Perimeter Network
    http://technet.microsoft.com/en-us/library/dd728030(WS.10).aspx

    Thanks.

    Joson Zhou
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Biga_b Wednesday, September 02, 2009 2:39 PM
    Monday, August 31, 2009 7:29 AM
    Monday, August 31, 2009 1:07 PM

All replies

  • Hi,

    How's everything going?

    I'm wondering if the information is helpful. If you have any questions or concerns, please feel free to respond back.

    Thanks.

    Joson Zhou
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, September 02, 2009 8:53 AM
  • If you are concerned about security why not configure sharepoint to use ADLDS/ADAM in the DMZ?
    • Proposed as answer by Gary Hay Wednesday, September 02, 2009 3:00 PM
    Wednesday, September 02, 2009 11:01 AM
  • Sorry I didn't respond earlier.
    Thanx for the info guys. It was helpful.. I was familiar with most of the information, but was looking for some confirmation.
    Joson, what I meant with "Domain/Forest" was the choice between a new domain or forest in the DMZ. You mention the RODC FAS. Isn't that a feature you only use if all of the DCs are 2008?
    I think we are going for the RODC in the DMZ. We will tighten up our firewalls a bit more if possible.
    So, I had my mind made up, and what happens, Gary Hay spoils the whole thing. :-)

    ADLDS?? Had to look it up. The past 15 minutes I read a little bit about it, and it's not a bad idea. Maybe better than the RODC option.
    But not knowing much of Windows 2008 and the new features, and never having used ADAM/LDS before, I have to look through a few white papers.

    Pros/Cons ADLDS vs RODC in DMZ???

    What I've read quickly:
    Pros: ADLDS doesn't need AD DS. Don't need to upgrade Active Directory.
    Cons:????

    Maybe I should open another post/topic??

    Wednesday, September 02, 2009 2:42 PM
  • ADLDS/ADAM keeps your internal domain / network resources safe by allowing you to only store the required data in the DMZ.

    You can then secure the traffic between the ADLDS and the private network.

    You can think of ADLDS as a mini self contained directory just for your DMZ, but it can sync data from your live domain if you need it to.
    • Proposed as answer by vos1971 Wednesday, September 02, 2009 3:25 PM
    Wednesday, September 02, 2009 2:57 PM
  • Thanx Gary... I have to reconfigure my test environment to test this.. Will begin testing tomorrow.
    Any cons using this feature??

    Wednesday, September 02, 2009 3:28 PM
  • Well, you would have to maintain and manage ADLDS outwith your normal domain, but that's not much of an issue when you consider the advantage of not having a DC in your DMZ.
    Thursday, September 03, 2009 7:47 AM
  • Hi,

    To use FAS, we only need one Windows Server 2008 writable DC in the same domain. An RODC only replicates domain updates from a writable domain controller running Windows Server 2008.

    Based on my understanding, using SharePoint with AD LDS could be much more complicated than placing an RODC in the DMZ network. To use AD LDS as a user authentication store for SharePoint, the following blog could be helpful:

    SharePoint 2007 and ADAM
    http://blogs.msdn.com/scaravajal/archive/2007/10/23/sharepoint-2007-and-adam.aspx

    Thanks.

    Joson Zhou
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, September 03, 2009 10:11 AM
  • Joson,
    I've read the articles in the link you posted. Those articles are about Windows 2003 ADAM. You're right, it's much more complicated than placing an RODC in the DMZ. WSSv3, SharePoint PeoplePicker and especially the AD provider for ADAM. See "Caveat Of Using ADAM" in the following link: http://www.sharepointsecurity.com/sharepoint/sharepoint-security/the-active-directory-membership-provider-and-sharepoint/

    But I went searching for articles about ADLDS, and found this http://www.gk.id.au/2009/05/ad-lds-sharepoint-and-forms-based.html and http://leedale.wordpress.com/2008/09/11/moss-2007-forms-based-authentication-using-ad-lds-and-windows-server-2008/
    Configuring LDS is almost the same as ADAM, but it seems that the SharePoint part is much easier to set up. Still not as easy as setting up an RODC.
    I must say, from what I've read so far, I can see some benefits in using LDS. No DC or AD DS in the DMZ, no AD upgrade needed (adprep), a little bit more secure than RODC, I think. Only downside so far is the setup.

    Don't get me wrong Joson, RODC is still an option. FAS and credential caching (PRP) do provide security. The coming days I will test ADLDS. I've only read about it, and maybe during my test I will stumble upon things that make it not worth installing LDS.
    I have a 5 day SharePoint course that started today, but I will post my findings as soon as I've done some tests.

    Thanks guys, for giving me more work, :-) but making it more interesting, and to quench one's thirst for knowledge. (Did I spell/say that correctly??) hhmmm...
    Thanx

    Thursday, September 03, 2009 2:01 PM
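The two RODC controls the thread leans on, the Filtered Attribute Set (FAS) and credential caching governed by the Password Replication Policy (PRP), can be audited from the internal domain before and after the DMZ RODC goes live. The PowerShell below is an added example, not code from the thread or from Microsoft's documentation; it assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT) and a hypothetical RODC named DMZ-RODC01.

```powershell
# Added example: audit what a DMZ RODC can expose (FAS membership and PRP caching).
# Assumptions: ActiveDirectory module is available; DMZ-RODC01 is a hypothetical RODC name.
Import-Module ActiveDirectory

$rodc = 'DMZ-RODC01'   # hypothetical RODC hostname (assumption)

# 1. Which schema attributes are in the RODC FAS?
#    FAS membership is searchFlags bit 0x200 (512); 0x80 (128) marks an attribute confidential.
#    OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$fas = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=512)' `
    -Properties lDAPDisplayName, searchFlags
foreach ($attr in $fas) {
    # An attribute kept off the RODC should also be confidential on writable DCs,
    # otherwise any authenticated user can still read it from the internal network.
    if (($attr.searchFlags -band 0x80) -eq 0) {
        Write-Warning "$($attr.lDAPDisplayName) is in the FAS but not marked confidential (0x80)"
    }
}
$fas | Select-Object lDAPDisplayName, searchFlags | Format-Table -AutoSize

# 2. Which principals is this RODC allowed to cache secrets for (Allowed RODC PRP)?
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 3. Whose secrets have actually been revealed to (cached on) this RODC?
#    Any privileged account listed here is at risk if the DMZ host is compromised.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass | Format-Table -AutoSize

# 4. Flag Domain Admins members among the revealed accounts; the Denied RODC PRP
#    normally blocks them, so any hit indicates a PRP misconfiguration.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
foreach ($acct in $revealed) {
    if ($admins -contains $acct.SamAccountName) {
        Write-Warning "Privileged account $($acct.SamAccountName) has credentials cached on $rodc"
    }
}
```

Run it as a domain administrator from a management host on the internal network, not from the RODC itself, since the RODC holds only the read-only replica.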
  • Hi,

    Here is more information about the AD LDS. Hope it is helpful for your work:

    Active Directory Lightweight Directory Services
    http://technet.microsoft.com/en-us/library/cc731868(WS.10).aspx

    If you need assistance on SharePoint, you can also post to the SharePoint forum:

    http://social.technet.microsoft.com/Forums/en-US/category/sharepoint

    Have a nice day.

    Joson Zhou
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, September 04, 2009 6:09 AM
  • Hi, I have the same problem and I would like to know if you solved yours?

    Best regards,
    Thursday, September 24, 2009 9:03 AM