
RE: AD replication over WAN

From: Jim Harrison (SPG) <jmharr(at)microsoft.com>
Date: Sun Jan 12 2003 - 21:43:05 EST


Given that the replication path (port/protocol) is well-defined and generally understood, it also makes sense that they could provide a "door" to your AD controllers for those who wish to do you harm for no apparent reason.

With that in mind, it seems clear to me that a site-to-site VPN is not only preferable, it's mandatory.  

Jim Harrison <mailto:jmharr@microsoft.com>
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA)

From: Valentine M. Smith [mailto:vmsmith@grokking.org]
Sent: Thu 1/9/2003 06:21
To: focus-ms@securityfocus.com
Subject: AD replication over WAN

Hi,

I'm looking for some feedback from the community regarding the transfer of AD traffic over a public WAN.

The basic plan is this:

Single Win 2000 domain spread over two sites in different cities. Each site has a perimeter NAT device and obscures its internal subnets with IP addresses provided by a single ISP. No internetwork VPN planned. DNS is AD-integrated at both sites. Both DCs are patched to SP3.

The MS documentation I've consulted indicates that AD replication, and by extension, DNS zone information that is AD-integrated is automatically encrypted.

My question: if the data is already encrypted and is passing only across a single ISP's network, should one be bothering with a router-router VPN tunnel for this traffic? IOW, would setting up such a tunnel for this data be redundant/unnecessary or am I missing something important here? Would anyone care to comment on the relative safety of AD encryption out-of-the-box?


Thanks in advance for any feedback,

VS

Received on Mon Jan 13 10:13:24 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT

