RODC in DMZ - replication

Question

  • Hello, I'm hoping someone can help with my questions. I've read so many articles, TechNet etc. but can't seem to get a definitive answer. Maybe I'm asking myself the wrong questions, but here goes!

    We have a 2003 domain with a 2008 R2 DC amongst some 2003 ones. In the DMZ I want to put an RODC, with cached credentials of all users (to allow an external application to run and users to use their AD credentials).

    My questions, though, are around replication between the 2008 RODC and the 2008 RWDC in the LAN. The rules in our org are that there cannot be any DMZ-instigated traffic into the corporate LAN.

    What I've read so far is about unidirectional/internal replication etc, but it always seems to come back to the RODC pulling replication from the RWDC. Is this correct? What makes the initial communication?

    In the ideal situation I need an RODC configured that gets 'pushed' changes from the RWDC at regular intervals. Is this possible, and if so, how do I configure it? If the RWDC instigates the replication, then any further communication will be allowed through our firewall.

    The guys who look after the firewall won't open the ports (even if I set the RPC to specific ports) between the DMZ and the network. Even with it being read-only, if it was compromised there is still a way into our network.

    Apologies for the long post, wanted to make sure I got everything in! Cheers.

    Wednesday, May 4, 2011 2:20 PM

All replies

  • What I've read so far is about unidirectional/internal replication etc, but it always seems to come back to the RODC pulling replication from the RWDC. Is this correct? What makes the initial communication?

    Changes are replicated from a RWDC to an RODC. An RODC replicates nothing to a RWDC, as it is a read-only DC.

    In the ideal situation I need an RODC configured that gets 'pushed' changes from the RWDC at regular intervals. Is this possible, and if so, how do I configure it? if the RWDC instigates the replication, then any further communication will be allowed through our firewall.

    You can put your RODC in a new AD site and assign the subnet it uses to that site. Once done, you can configure the AD replication intervals between RWDC and RODC.

    For needed ports for replication: http://technet.microsoft.com/en-us/library/bb727063.aspx

    These ports should be opened. If you don't open them, RWDC will not replicate to RODC.

    Wednesday, May 4, 2011 2:32 PM
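The site/subnet/interval setup described in the answer above, plus a check of which side initiates replication, as an added example that is not code from the thread. It assumes the ActiveDirectory module from Windows Server 2012 or later RSAT (the replication cmdlets are not in the 2008 R2 module) and uses constructed names: site "DMZ", subnet 192.0.2.0/24, site link "LAN-DMZ", hub site "Default-First-Site-Name", RODC "DMZ-RODC01".

```powershell
# Added example (not from the thread). Assumed/constructed values below;
# requires the Windows Server 2012+ ActiveDirectory module, run from the LAN.
Import-Module ActiveDirectory

$dmzSite  = 'DMZ'                       # constructed site name
$dmzNet   = '192.0.2.0/24'              # constructed DMZ subnet
$linkName = 'LAN-DMZ'                   # constructed site link name
$hubSite  = 'Default-First-Site-Name'   # assumed existing LAN site
$rodc     = 'DMZ-RODC01'                # constructed RODC hostname

# 1. Site and subnet so the RODC (and DMZ members) locate it rather than a LAN DC.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$dmzSite'")) {
    New-ADReplicationSite -Name $dmzSite
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$dmzNet'")) {
    New-ADReplicationSubnet -Name $dmzNet -Site $dmzSite
}

# 2. Site link with a 15-minute interval over IP. The interval only controls WHEN
#    the RODC pulls; it does not turn replication into an RWDC-initiated push.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hubSite, $dmzSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
} else {
    Set-ADReplicationSiteLink -Identity $linkName -ReplicationFrequencyInMinutes 15
}

# 3. Direction check. Connection objects are owned by the DESTINATION DC, so the
#    RODC has inbound connections from the RWDC while no DC has one from the RODC:
#    the RODC opens the RPC session to the RWDC (DMZ -> LAN), never the reverse.
$all = Get-ADReplicationConnection -Filter *
"Inbound to $rodc (RODC pulls from these):"
$all | Where-Object { $_.ReplicateToDirectoryServer -like "*$rodc*" } |
    Select-Object Name, ReplicateFromDirectoryServer
"Connections sourced from $rodc (expected: none):"
$all | Where-Object { $_.ReplicateFromDirectoryServer -like "*$rodc*" } |
    Select-Object Name, ReplicateToDirectoryServer

# 4. Inbound partners and last result as recorded on the RODC itself.
Get-ADReplicationPartnerMetadata -Target $rodc -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

Step 3 is the answer to the "who connects first" question: the RODC's own connection objects are the only ones involving it, so the firewall has to permit DMZ-to-LAN sessions on the replication ports for replication to happen at all.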
  • Thanks for the quick response.

    When you say "Changes are replicated from a RWDC to a RODC" - how is this process started? Does the RODC connect first and attempt to pull the changes, or does the RWDC start the process?

    I've got the ports needed already, as I asked the firewall team to set them up, which is when they raised the questions I've asked. The ports aren't the issue; it's the direction in which replication is instigated, and I can't seem to find a definitive answer.

    Wednesday, May 4, 2011 2:43 PM
  • If you are concerned about limiting number of ports opened on your firewalls, use IPSec by following http://technet.microsoft.com/en-us/library/dd728035(WS.10).aspx#prepare_firewall_rules_RODC_writeable_dc_communication

    Otherwise, your configuration would need to include all ports listed in http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx - note this includes required communication ports in BOTH directions...

    hth
    Marcin

    Wednesday, May 4, 2011 5:25 PM
  • Personally, after reading the articles below, I would not recommend using an RODC in a perimeter network; if you still wish to, then review the articles below and plan carefully.

    http://technet.microsoft.com/it-it/library/cc725669(WS.10).aspx

    Authentication fails when an external client tries to log on to a Windows Server 2008 server by using a read-only domain controller in a perimeter network

    http://support.microsoft.com/kb/977510

    http://blogs.technet.com/b/instan/archive/2009/03/24/troubleshooting-rodc-s-troubleshooting-rodc-location-in-the-dmz.aspx

    Here’s a good article on planning RODCs in the Perimeter Network. Click the links to additional documents that discuss RODC.

    http://technet.microsoft.com/en-us/library/dd728034(WS.10).aspx

    Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients and for Windows Vista

    http://support.microsoft.com/kb/944043

    How to join perimeter machines to the domain via a RODC (patch may fix this), how to promote the RODC on the intranet first, create perimeter site and how to configure firewall:

    http://technet.microsoft.com/en-us/library/dd728035(WS.10).aspx

    Regards

    Awinish Vishwakarma | MY Blog

    Thursday, May 5, 2011 2:48 AM