RODC in DMZ

  • Question

  • I'm new to AD and I am currently in the middle of a Novell eDirectory to AD migration.  All my Windows Servers are 2008 R2 and therefore my Domain is also at the 2008 R2 level.  It appears that we are going to need an RODC in our DMZ.  The reason I believe we need this is because there are several servers that are being built that will need to live in our DMZ zone and have access to AD credentials.  In addition, these servers need to be able to join the domain from the DMZ Zone (unless it's ok to join the domain in the private LAN and then move the server to the DMZ) and communicate to the Domain in order to authenticate users and provide application access based on AD group memberships.  We will also have SharePoint in our DMZ.

    I've been reading several articles and it seems that there are many schools of thought on this subject.  This is a good one I came across-->> http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/27ecce5d-3b0b-48c3-a7e4-c852c7d03c50.  I can either use LDAP lookups from the DMZ to our Private LAN, which requires I open up ports in the firewall for LDAP traffic into our private LAN, or I can set up an RODC in the DMZ connected to the private LAN via IPSec and have Domain traffic communicate via the IPSec tunnel.  I think I read that I can also create a new Forest in the DMZ and create a Domain trust from the New DMZ Forest to my private Production Domain, again over IPSec.  So many options, but I'm not sure which is best for our needs.

    In respect to security, I like the IPSec options.  Also, I like the RODC via IPSec option because it's still only 1 Forest (less administration overhead).  My questions are:

    1. Is using LDAP from the DMZ to our private network by opening ports in our firewall from 1 RODC IP address in the DMZ to 1 RWDC IP address in the Private LAN enough to provide secure communication?  If so and we choose this option, I'm guessing I can join a server to the Domain on the Private network, then move it to the DMZ and open ports through the firewall to allow for Domain communication back to the private LAN?  Doesn't seem very secure, but would like to hear another opinion.  Is this what they call ADLDS/ADAM?

    2. As I said before, I just need to be able to join servers to the domain from the DMZ and utilize the private AD Domain for authentication and application access.  To support these functions, should I use an RODC that communicates to the private AD Domain via an IPSec tunnel or create a new Forest in the DMZ and create a domain trust over an IPSec tunnel?

    3. I'm thinking the RODC in the DMZ should also be the Core version of Server 2008 R2, correct?

    I have an idea that the RODC is the way to go, but would like to hear other opinions.

    Friday, August 19, 2011 4:13 PM
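The first question above is really about a firewall rule set: one DMZ address talking to one writable DC on the AD ports. The replies recommend allowing more than one RWDC for redundancy, and the only way to know the rules actually match the design is to test them from the DMZ side. The following PowerShell is an added example written for this thread, not code from any of the posters or from Microsoft. The RWDC host names and the port list are assumptions (the list is the usual set a member or RODC needs on a writable DC; trim it to what your design allows). It uses System.Net.Sockets so it runs on Windows Server 2008 R2's PowerShell 2.0, and it only tests TCP: the UDP ports (53, 88, 123, 389) and the RPC dynamic range (TCP 49152-65535 by default on 2008 R2) have to be verified against the firewall configuration itself.

```powershell
# Added example (not from the thread): check that a DMZ host can reach the AD
# ports on MORE THAN ONE writable DC, which is the redundancy point in the replies.
# Host names and the port list are assumptions; TCP only (see lead-in).

$RwdcList = @('rwdc01.corp.example', 'rwdc02.corp.example')   # assumed names

# Well-known TCP ports a domain member or RODC needs on a writable DC
$AdTcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / Netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall DROP shows up as a timeout, a REJECT as an exception
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-AdDcReachability {
    param([string[]]$DomainControllers, [hashtable]$Ports)
    $results = foreach ($dc in $DomainControllers) {
        foreach ($port in ($Ports.Keys | Sort-Object)) {
            New-Object PSObject -Property @{
                DomainController = $dc
                Port             = $port
                Service          = $Ports[$port]
                Reachable        = (Test-TcpPort -ComputerName $dc -Port $port)
            }
        }
    }
    # A DC only counts as usable when every listed port is open to it
    $usable = @($DomainControllers | Where-Object {
        $dc = $_
        @($results | Where-Object { $_.DomainController -eq $dc -and -not $_.Reachable }).Count -eq 0
    })
    New-Object PSObject -Property @{
        Results   = $results
        UsableDcs = $usable
        Redundant = ($usable.Count -ge 2)   # two fully reachable RWDCs, not one
    }
}

# Usage (from the DMZ host or the RODC itself)
$check = Test-AdDcReachability -DomainControllers $RwdcList -Ports $AdTcpPorts
$check.Results | Format-Table DomainController, Port, Service, Reachable -AutoSize
if (-not $check.Redundant) {
    Write-Warning ("Only {0} writable DC(s) fully reachable; a single RWDC rule set is a single point of failure." -f $check.UsableDcs.Count)
}
```

Run it once from the DMZ before the servers go live and again after every firewall change; a DC that is reachable on LDAP but not on Kerberos or SMB will pass a quick ldp.exe test and still break logons and Group Policy.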

Answers

  • My suggestion would be that dedicated forests for the DMZ would be a viable option considering the number of applications you have in the DMZ. RODC doesn't go well with all applications & one I know of is Exchange Server; no version of Exchange supports RODC & there can be others too. If you plan to keep an RODC in the DMZ, since the RODC depends heavily on the RWDC to update its database, you need to plan accordingly. Also, if you plan to keep RODCs in various sites, additional replication traffic could be a point too, as the RODC requires contact with the RWDC for updates & the RODC registers site-specific records only in DNS. As Marcin has pointed out with the SharePoint link, RODC doesn't go well with it & personally I'm not a big fan of RODC because of the known issues. RODC doesn't go well with DFSR too.

    Known Issues for Deploying RODCs

    http://technet.microsoft.com/en-us/library/cc725669%28WS.10%29.aspx

    http://technet.microsoft.com/en-us/library/cc754956%28WS.10%29.aspx

    Designing RODCs in the Perimeter Network

    http://technet.microsoft.com/en-us/library/dd728028%28WS.10%29.aspx

     

    Regards  


    Awinish Vishwakarma

    MVP-Directory Services

    MY BLOG:  http://awinish.wordpress.com 

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by Elytis Cheng Thursday, August 25, 2011 1:14 AM
    Saturday, August 20, 2011 5:25 AM
  • 1. You would want to allow communication to more than a single RWDC for redundancy reasons. Besides, you would probably want to open communication to other computers on your network to provide additional management features (AV/patch updates, remote administration, etc.)

    Note that some applications/features might not work in this type of setup - more at http://technet.microsoft.com/en-us/library/cc772597(WS.10).aspx

    2. If you want to join DMZ computers to the domain while restricting traffic by allowing only RODC to RWDC communication, then you will need to resort to a workaround described at http://blogs.dirteam.com/blogs/jorge/archive/2009/01/02/domain-join-through-an-rodc-instead-of-an-rwdc.aspx or offline join (http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx ) if joining Windows Server 2008 R2 computers.

    3. Using server core makes sense - as long as you don't need functionality that's not supported on it

    hth
    Marcin


    • Proposed as answer by iamrafic Friday, August 19, 2011 4:41 PM
    • Marked as answer by Elytis Cheng Thursday, August 25, 2011 1:14 AM
    Friday, August 19, 2011 4:39 PM
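Point 2 above (joining through an RODC without opening the DMZ server to a writable DC) comes down to a short procedure: provision the computer account on the LAN side, make sure the RODC is allowed to cache that machine's secret and actually has it, and only then apply the offline-join blob on the DMZ server. The following PowerShell is an added example for this thread, not Marcin's or Microsoft's code, and every name in it is an assumption: domain corp.example, writable DC RWDC01, perimeter RODC DMZ-RODC01, new server DMZWEB01, the OU, the PRP allow group (assumed to already exist), and the RODC's DMZ address 10.1.2.10. djoin.exe, repadmin and the ActiveDirectory module are the standard Windows Server 2008 R2 tools.

```powershell
# Added example (not from the thread): offline domain join of a DMZ server through an
# RODC, with the RODC Password Replication Policy set so the first logon in the DMZ
# does not need a live RWDC. All names are assumptions (see lead-in).

### Part A: run on a LAN management host with RSAT, as an account that may create
### computer objects and edit the RODC's PRP.
Import-Module ActiveDirectory

# 1. Provision the computer account against a writable DC. The blob file carries the
#    machine secret: keep it off shared storage and delete it once it has been used.
djoin.exe /provision /domain corp.example /machine DMZWEB01 `
    /machineou "OU=DMZ Servers,DC=corp,DC=example" `
    /dcname RWDC01.corp.example /savefile C:\odj\DMZWEB01.txt

# 2. Allow the RODC to cache this machine's secret. A dedicated allow group keeps the
#    PRP readable instead of listing computers one by one.
Add-ADGroupMember -Identity 'DMZ-RODC01 Allowed Accounts' -Members (Get-ADComputer DMZWEB01)
Add-ADDomainControllerPasswordReplicationPolicy -Identity DMZ-RODC01 `
    -AllowedList 'DMZ-RODC01 Allowed Accounts'

# 3. Replicate the new object to the RODC now and pre-populate its password, instead of
#    waiting for the first authentication to be chained to an RWDC across the firewall.
repadmin /replicate DMZ-RODC01 RWDC01 "DC=corp,DC=example"
repadmin /rodcpwdrepl DMZ-RODC01 RWDC01 "CN=DMZWEB01,OU=DMZ Servers,DC=corp,DC=example"

# 4. Confirm the secret really is cached on the RODC before the blob goes to the DMZ.
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity DMZ-RODC01 -RevealedAccounts |
          Where-Object { $_.SamAccountName -eq 'DMZWEB01$' }
if (-not $cached) { throw 'DMZWEB01 secret is not cached on DMZ-RODC01; do not proceed.' }

### Part B: run on DMZWEB01 (not yet joined) after copying C:\odj\DMZWEB01.txt to it
### over the administrative channel you already use for the DMZ.
# The DMZ server must resolve the domain through the RODC's DNS, not a LAN DC.
netsh interface ip set dns name="Local Area Connection" source=static addr=10.1.2.10
djoin.exe /requestODJ /loadfile C:\odj\DMZWEB01.txt /windowspath $env:SystemRoot /localos
Remove-Item C:\odj\DMZWEB01.txt
Restart-Computer
```

The check in step 4 is the part people skip: if the computer is in the allow list but its password was never replicated, the RODC forwards the first authentication to an RWDC, and with only RODC-to-RWDC rules in place that still works, but it silently proves nothing about what happens when the tunnel or the RWDC is down.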
  • Hello,

    I'm new to AD and I am currently in the middle of a Novell eDirectory to AD migration.  All my Windows Servers are 2008 R2 and therefore my Domain is also at the 2008 R2 level.  It appears that we are going to need an RODC in our DMZ.

    It is better for security reasons. I recommend filtering attributes that you don't want to be replicated to RODCs for security reasons.

    In addition, these servers need to be able to join the domain from the DMZ Zone (unless it's ok to join the domain in the private LAN and then move the server to the DMZ) and communicate to the Domain in order to authenticate users and provide application access based on AD group memberships.  We will also have SharePoint in our DMZ.

    You can let them access your LAN without adding RODCs.

    In this case, the needed ports to be opened are: http://msmvps.com/blogs/rexiology/archive/2006/04/05/89389.aspx

    If you want to add RODCs then the needed ports to be opened are: http://technet.microsoft.com/en-us/library/bb727063.aspx

    I can set up an RODC in the DMZ connected to the private LAN via IPSec and have Domain traffic communicate via the IPSec tunnel.

    For Security reasons, I recommend using IPSec tunnels if possible and making sure that the traffic is encrypted.

    I think I read that I can also create a new Forest in the DMZ and create a Domain trust from the New DMZ Forest to my private Production Domain, again over IPSec.  So many options, but I'm not sure which is best for our needs.

    Yes, this is possible. Here, if you want to proceed like that then I recommend using at least two DC / DNS / GC servers for this domain.

    1. Is using LDAP from the DMZ to our private network by opening ports in our firewall from 1 RODC IP address in the DMZ to 1 RWDC IP address in the Private LAN enough to provide secure communication?  If so and we choose this option, I'm guessing I can join a server to the Domain on the Private network, then move it to the DMZ and open ports through the firewall to allow for Domain communication back to the private LAN?  Doesn't seem very secure, but would like to hear another opinion.  Is this what they call ADLDS/ADAM?

    Allowing communication with one RWDC should be enough. I recommend allowing communication with at least two RWDCs for redundancy. For ports, check the article I provided. They should be opened in both directions.

    2. As I said before, I just need to be able to join servers to the domain from the DMZ and utilize the private AD Domain for authentication and application access.  To support these functions, should I use an RODC that communicates to the private AD Domain via an IPSec tunnel or create a new Forest in the DMZ and create a domain trust over an IPSec tunnel?

    You can use both options. You just have to choose one. For joining, make sure that your servers are pointing to the correct DNS server as primary DNS server and that the needed ports I provided are opened.

    3. I'm thinking the RODC in the DMZ should also be the Core version of Server 2008 R2, correct?

    For security reasons yes, but note that not all features are available using the Core mode.

    Not sure which option you were referring to as "the viable option"?

    1. A separate Forest in the DMZ and creating a Domain trust to the Private Domain

    2. Or the RODC in the DMZ method

    You can choose one of them. For the second option, make sure that each domain has at least two DC / DNS / GC servers.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator 

    • Marked as answer by Elytis Cheng Thursday, August 25, 2011 1:14 AM
    Friday, August 19, 2011 7:01 PM
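The advice above to filter attributes you don't want replicated to RODCs is about the RODC Filtered Attribute Set (an attribute is excluded from RODC replication when bit 0x200 is set in its schema searchFlags; bit 0x80 marks it confidential, which restricts reads but does not stop replication). The other half of what a perimeter RODC would expose is the Password Replication Policy: which accounts are allowed to have secrets cached, and which already do. The following PowerShell is an added example for this thread, not the poster's or Microsoft's code; the RODC name is an assumption and the script needs the ActiveDirectory module (RSAT on 2008 R2). It only reads; changing the FAS is a schema edit at the Schema Master and is deliberately left out.

```powershell
# Added example (not from the thread): audit what a DMZ RODC would expose if it were
# compromised. (1) Attributes in the Filtered Attribute Set vs. attributes that are
# merely confidential and therefore still replicated; (2) PRP denies and cached secrets.
# RODC name is an assumption; requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RodcFilteredAttributeReport {
    $schema = (Get-ADRootDSE).schemaNamingContext
    $attrs  = Get-ADObject -SearchBase $schema -LDAPFilter '(objectClass=attributeSchema)' `
                -Properties lDAPDisplayName, searchFlags
    foreach ($a in $attrs) {
        $flags        = [int]$a.searchFlags           # null becomes 0
        $filtered     = ($flags -band 0x200) -ne 0    # RODC Filtered Attribute Set
        $confidential = ($flags -band 0x80)  -ne 0    # confidential: read-restricted only
        if ($filtered -or $confidential) {
            New-Object PSObject -Property @{
                Attribute    = $a.lDAPDisplayName
                InFAS        = $filtered
                Confidential = $confidential
                # Confidential but not filtered: it still lands on every RODC
                ReviewNeeded = ($confidential -and -not $filtered)
            }
        }
    }
}

function Get-RodcPrpReport {
    param([string]$Rodc)
    $deniedEntries = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    # Expand one level of nesting: the default "Denied RODC Password Replication Group"
    # holds Domain Admins, Enterprise Admins, etc. as member groups.
    $effectiveDenied = @($deniedEntries | ForEach-Object { $_.Name })
    foreach ($e in $deniedEntries) {
        if ($e.ObjectClass -eq 'group') {
            $effectiveDenied += @(Get-ADGroupMember -Identity $e.DistinguishedName |
                                  ForEach-Object { $_.Name })
        }
    }
    $mustDeny = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
                'Account Operators','Server Operators','Backup Operators'
    # Accounts whose secrets are already cached on this RODC
    $cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
                ForEach-Object { $_.SamAccountName })
    # Members of the privileged groups (some groups exist only in the forest root)
    $privileged = @($mustDeny |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
        ForEach-Object { $_.SamAccountName } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        RODC             = $Rodc
        Allowed          = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
                             ForEach-Object { $_.Name })
        MissingDenies    = @($mustDeny | Where-Object { $effectiveDenied -notcontains $_ })
        CachedAccounts   = $cached
        CachedPrivileged = @($cached | Where-Object { $privileged -contains $_ })
    }
}

# Usage
Get-RodcFilteredAttributeReport | Where-Object { $_.ReviewNeeded } |
    Format-Table Attribute, InFAS, Confidential -AutoSize
Get-RodcPrpReport -Rodc 'DMZ-RODC01' | Format-List
```

Two things to look at in the output: anything under CachedPrivileged means an admin has logged on through the perimeter RODC and its secret now lives in the DMZ, and a non-empty MissingDenies means the PRP has drifted from the defaults; both are worth a scheduled re-check rather than a one-off.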

All replies

  • Good information.  What are your feelings about having a separate Forest in the DMZ and creating a Domain trust to the Private Domain -VS- the RODC in the DMZ method?
    Friday, August 19, 2011 5:35 PM
  • This is a viable option - giving you higher degree of isolation and ability to join computers to the domain without resorting to offline join. It's not clear though based on the info you provided what level of cross-forest interaction you would need - so this might be a factor to consider...

    hth
    Marcin

    Friday, August 19, 2011 6:03 PM
  • Not sure which option you were referring to as "the viable option"?

    1. A separate Forest in the DMZ and creating a Domain trust to the Private Domain

    2. Or the RODC in the DMZ method

    For more information on what cross-forest interaction we would need, read this:

    The reason I believe we need this is because there are several servers that are being built that will need to live in our DMZ zone and have access to AD credentials.  In addition, these servers need to be able to join the domain from the DMZ Zone (unless its ok to join the domain in the private LAN and then move the server to the DMZ) and communicate to the Domain in order to authenticate users and provide application access based on AD group memberships.  We will also have sharepoint in our DMZ.

    If that isn't what you're looking for, then I'm not sure what you're referring to when you say "It's not clear though based on the info you provided what level of cross-forest interaction you would need".

    Friday, August 19, 2011 6:28 PM
  • I meant that both of these are viable options - but purely from AD perspective.

    You can perform domain join in both cases, although this will be easier with a separate DMZ forest in place (considerably easier with Windows Server 2008 R2, if your intention is to prevent servers in DMZ communicating with RWDCs).

    Access to apps would depend primarily on their ability to properly handle interaction with RODC (refer to the link I provided earlier - http://technet.microsoft.com/en-us/library/cc772597(WS.10).aspx ). Unfortunately, as far as I understand, SharePoint does not perform well in this scenario ( http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/34d1c961-9e79-4818-a56a-208c1bdf6bda/  - although you might want to check directly on the SharePoint forum) - which suggests that the DMZ-based forest might be a better way to go...

    hth
    Marcin

     

    Friday, August 19, 2011 6:40 PM
  • Thank you all for the information.  I agree that the RODC and additional Forest in the DMZ are both viable options and probably provide more functionality than the LDAP method.  I just have to choose the best fit given the requirements of my environment and utilize as many security features/best practices as necessary to mitigate risk.

    Wednesday, August 24, 2011 8:22 PM