
RE: AD replication over WAN

From: Pidgorny, Slav <slav.pidgorny(at)anz.com>
Date: Tue Jan 21 2003 - 23:45:43 EST


Yes, SMTP is interdomain only.

According to my tests, the minimal set of protocols required for intradomain replication (DC to DC) is LDAP (389/UDP, 389/TCP), RPC for netlogon and ESE replication (135/TCP plus one assigned port for the RPC endpoint), and CIFS for policy/FRS replication (445/TCP). Please correct me if I'm wrong, but all the protocols here use authentication.

Some configuration of servers is required: in particular, all DCs have to be DNS servers (with AD-integrated zones) to avoid the need for DNS query traffic. All DCs are KDCs, so Kerberos is not necessary (I wonder why MS puts it as required everywhere: a domain controller can issue a Kerberos ticket for itself!). LDAP to the Global Catalog is easy to avoid too. You can avoid NTP in the domain hierarchy, but I prefer to enable it across the firewall and take advantage of autoconfiguration for time sync.

I find implementing the raw protocols as above in a multi-DMZ scenario more convenient than using IPsec tunnelling. With the number of DCs increasing, management of IPsec policies becomes increasingly complex, yet firewall rule management is pretty much no different. However, if the infrastructure is exposed to the Internet, VPN is the way, as previously said.

Regards

Slav Pidgorny, SCSA :)
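The port list in the post above lends itself to a concrete firewall policy. The following is an added example, not code from the thread or from any of its authors: it expands the minimal DC-to-DC set (LDAP 389/TCP and 389/UDP, RPC endpoint mapper 135/TCP plus one fixed RPC port for NTDS replication, CIFS 445/TCP, and optionally NTP 123/UDP) into per-pair rules for a Linux iptables firewall sitting between sites, and audits an existing allow-list against that minimal set so that avoidable services such as Kerberos, DNS and Global Catalog LDAP show up as "extra". The DC addresses, the iptables chain, and the fixed RPC port value 50000 are assumptions; the post only says "one assigned port for the RPC endpoint".

```python
"""Minimal firewall policy for intradomain AD replication (added example)."""
from dataclasses import dataclass
from itertools import permutations

# Assumed value. The post says only "one assigned port for the RPC endpoint";
# on each DC the port is pinned with the Microsoft-documented registry value
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters  "TCP/IP Port" (DWORD).
# The number itself is the administrator's choice.
NTDS_RPC_PORT = 50000

# Services the post describes as avoidable once every DC is an AD-integrated
# DNS server and a KDC. Used only to give the audit a readable label.
AVOIDABLE_LABELS = {
    ("tcp", 53): "DNS (avoidable: all DCs run AD-integrated DNS)",
    ("udp", 53): "DNS (avoidable: all DCs run AD-integrated DNS)",
    ("tcp", 88): "Kerberos (avoidable: each DC is its own KDC)",
    ("udp", 88): "Kerberos (avoidable: each DC is its own KDC)",
    ("tcp", 3268): "LDAP to Global Catalog (avoidable per the post)",
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    dport: int
    comment: str


def required_services(ntds_rpc_port=NTDS_RPC_PORT, with_ntp=True):
    """(proto, port, description) tuples the post lists as required."""
    services = [
        ("tcp", 389, "LDAP"),
        ("udp", 389, "LDAP (UDP, DC locator pings)"),
        ("tcp", 135, "RPC endpoint mapper"),
        ("tcp", ntds_rpc_port, "NTDS replication RPC (fixed port)"),
        ("tcp", 445, "CIFS for policy/FRS replication"),
    ]
    if with_ntp:
        services.append(("udp", 123, "NTP time sync across the firewall"))
    return services


def build_rules(dcs, ntds_rpc_port=NTDS_RPC_PORT, with_ntp=True):
    """One rule per ordered DC pair per service: replication is pulled by
    each side, so both directions must be allowed to initiate."""
    return [
        Rule(src, dst, proto, port, desc)
        for src, dst in permutations(dcs, 2)
        for proto, port, desc in required_services(ntds_rpc_port, with_ntp)
    ]


def to_iptables(rules, chain="FORWARD"):
    """Render rules as iptables commands; return traffic is expected to be
    covered by an ESTABLISHED,RELATED rule elsewhere in the chain."""
    return [
        f"iptables -A {chain} -s {r.src} -d {r.dst} -p {r.proto} "
        f"--dport {r.dport} -m conntrack --ctstate NEW -j ACCEPT  # {r.comment}"
        for r in rules
    ]


def audit_policy(allowed, dcs, ntds_rpc_port=NTDS_RPC_PORT, with_ntp=True):
    """Compare an existing allow-list of (src, dst, proto, dport) tuples with
    the minimal set. Returns (missing, extra): required entries the policy
    lacks, and DC-to-DC entries the minimal set does not need."""
    required = {(r.src, r.dst, r.proto, r.dport)
                for r in build_rules(dcs, ntds_rpc_port, with_ntp)}
    allowed = set(allowed)
    dcset = set(dcs)
    missing = sorted(required - allowed)
    extra = sorted(a for a in allowed - required
                   if a[0] in dcset and a[1] in dcset)
    return missing, extra


def describe_extra(entry):
    """Human-readable label for an 'extra' audit entry."""
    src, dst, proto, port = entry
    label = AVOIDABLE_LABELS.get((proto, port), "not in the minimal set")
    return f"{src} -> {dst} {proto}/{port}: {label}"


if __name__ == "__main__":
    # Constructed sample: two DCs in two DMZs (addresses are assumptions).
    dcs = ["10.1.0.10", "10.2.0.10"]
    for line in to_iptables(build_rules(dcs)):
        print(line)
```

Running the script prints twelve ACCEPT lines (two ordered pairs, six services). Feeding `audit_policy` the tuples from an existing ruleset turns the post's advice into a repeatable check: anything listed under `extra` is a DC-to-DC hole the replication design does not require, and `missing` is what will break replication after the tightening.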

-----Original Message-----
From: Kim, Anthony [mailto:anthony.kim@vwcredit.com]
Sent: Tuesday, 14 January 2003 5:59 AM
To: 'Deus, Attonbitus'; Jim Harrison (SPG); Valentine M. Smith; focus-ms@securityfocus.com
Subject: RE: AD replication over WAN

Interesting discussion.


Reminded me of this helpful little thing: http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

Also, is it still the case that replication via SMTP transport can only be used for INTER-domain replication and not for INTRA-domain replication?

-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
Sent: Monday, January 13, 2003 10:03 AM
To: Jim Harrison (SPG); Valentine M. Smith; focus-ms@securityfocus.com
Subject: RE: AD replication over WAN

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 06:43 PM 1/12/2003, Jim Harrison (SPG) wrote:
>Given that the replication path (port/protocol) is well-defined and

Agreed - IP- or RPC-based replication should be via a VPN tunnel. You could, however, use SMTP as a replication transport, in which case certificates would be required and all replication information would be encrypted without the need to open up the DCs directly.

AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1


iQA/AwUBPiLjI4hsmyD15h5gEQIN1ACfQT+uu96rwT1a0l8BDoK8zynfYKAAnisP
f5Biz71mZTOYD3UEOtlu30FQ
=CkdT
-----END PGP SIGNATURE-----



DISCLAIMER:
The information transmitted may contain confidential material and is intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination or other use of or taking of any action by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient, please delete the information from your system and contact the sender.
Received on Thu Jan 23 12:00:27 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT

