RODC replication in DMZ

  • Question

  • Greetings from a 'newbie',

    I am involved in network security and am concerned about the number of ports (and destinations) that need to be opened up to allow AD integration from a server in the DMZ to our internal network.

    As background we are running a 2008 AD, and the RODC is a 2012 server.

    Firstly, I'm not a fan of placing Windows servers in the DMZ; however, we have a business requirement to do so. The logical assumption then was to use a RODC in the DMZ so multiple DMZ servers could use this as the authentication server and thus reduce the size of incoming f/w ports.

    We have done that, however we seem unable to restrict the RODC to just using a small number of DCs located in our Data Centre.  When we force replication from a DC I see a significant number of requests being 'sprayed' from the RODC to any DC within the organisation (typically RPC requests using 135/tcp).

    Q:  Is there a way to limit the number of servers involved in replication to a RODC?  I understand there are a number of ports involved, and they are bi-directional, but if I could restrict the source/destination to 2 nodes (as opposed to 10.0.0.0/8) that would help my security posture greatly.

    We have tried several suggestions through various articles but can't seem to get it to work.

    Assistance is appreciated.

    Reece...

    Wednesday, November 11, 2015 7:24 AM

Answers

  • Q:  Is there a way to limit the number of servers involved in replication to a RODC?  I understand there are a number of ports involved, and they are bi-directional, but if I could restrict the source/destination to 2 nodes (as opposed to 10.0.0.0/8) that would help my security posture greatly.

    Hi Reece,

    A Domain Controller would only replicate with its own replication partners (Connection Objects), which are generated by the KCC automatically.

    Please open AD Sites and Services on a writable DC, then check for connection objects under the NTDS Settings of the RODC.

    If multiple connection objects for RODC exist, delete some of them based on your need.

    More information for you:

    Active Directory Replication Concepts
    https://technet.microsoft.com/en-us/library/cc756899(v=ws.10).aspx

    Best Regards,
    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Amy Wang_ Monday, November 30, 2015 2:24 PM
    • Marked as answer by Amy Wang_ Tuesday, December 8, 2015 1:10 PM
    Sunday, November 15, 2015 3:58 PM
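As an added example that is not part of the thread, the check the answer describes (inspect the RODC's connection objects on a writable DC, then remove the unwanted ones) done from PowerShell with the ActiveDirectory module; the RODC, DC and allow-list names are placeholders.

```powershell
# Added example, not from the original thread. Lists the inbound replication
# connection objects of an RODC (the objects under its NTDS Settings that the
# answer says to inspect) and flags any source DC outside an allow-list.
# Placeholders: $Rodc, $AllowedSources and $WritableDc are assumed names.
Import-Module ActiveDirectory

$Rodc           = 'DMZ-RODC01'            # placeholder: the RODC in the DMZ
$AllowedSources = @('DC01', 'DC02')       # placeholder: the only DCs it should pull from
$WritableDc     = 'DC01'                  # placeholder: query a writable DC, as the answer advises

# Helper: "CN=NTDS Settings,CN=<server>,CN=Servers,..." -> "<server>"
function Get-ServerNameFromNtdsDn {
    param([string]$Dn)
    return (($Dn -split ',')[1] -replace '^CN=', '')
}

# An RODC only has inbound connections, so every connection object whose
# ReplicateToDirectoryServer is the RODC is one of its replication partners.
$conns = Get-ADReplicationConnection -Server $WritableDc -Filter * |
    Where-Object { (Get-ServerNameFromNtdsDn $_.ReplicateToDirectoryServer) -eq $Rodc }

$report = foreach ($c in $conns) {
    $src = Get-ServerNameFromNtdsDn $c.ReplicateFromDirectoryServer
    [pscustomobject]@{
        Connection    = $c.Name
        SourceDC      = $src
        AutoGenerated = $c.AutoGenerated
        Allowed       = ($AllowedSources -contains $src)
        DN            = $c.DistinguishedName
    }
}

$report | Format-Table Connection, SourceDC, AutoGenerated, Allowed -AutoSize

# Connections from an unexpected source are the removal candidates. -WhatIf
# only previews; drop it once the list has been reviewed. The KCC recreates
# auto-generated connections it still considers necessary, so a deletion only
# sticks when the remaining (manual) connections already cover what it wants.
$report | Where-Object { -not $_.Allowed } | ForEach-Object {
    Remove-ADObject -Identity $_.DN -Server $WritableDc -Confirm:$false -WhatIf
}

# Cross-check from the RODC's own view of its inbound partners afterwards:
# repadmin /showrepl $Rodc
```

Note that connection objects govern replication only; an RODC still contacts writable DCs for other reasons (for example forwarding authentication for accounts not covered by its password replication policy), so the firewall rule set cannot be reduced to the replication partners alone.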