Networking Forums > Computer Networking > Windows Networking > Active Directory running between 2 zones on a Firewall?
Active Directory running between 2 zones on a Firewall?

boe (03-06-2005, 05:49 AM)
I have an Exchange 2003 server running on Win2k3 (10.10.10.10). It is in
the same directory structure as the File Server (Win2k3-192.168.1.200). I'd
like to separate the two and put them in separate zones but still have the
Active Directory Services running between them. I've found a ton of
articles but I still can't seem to get AD to run successfully between the
two zones. I could really use some serious help as I'm by no means
advanced with firewalls yet.
Todd J Heron (03-06-2005, 05:57 AM)
Well, you'll need a router to connect the subnets to begin with. A hard
router or a Windows server machine with two NICs will do. Once you get that
up and running please post back.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
Note: I do not top-post or bottom-post so that my responses are always easy
to read in this forum and the Google Archives. This posting is provided
"as is" with no warranties and confers no rights.
boe (03-06-2005, 06:30 AM)
Maybe I'm not being clear. I have a LAN zone and a DMZ on my firewall. The
Exchange 2k3 server sits in my DMZ. Wouldn't the firewall with NAT and the
right set of service policies effectively be a router? If I just use a
full-on router, it would negate the purpose of putting the Exchange server in a
separate zone.

"Todd J Heron" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Well, you'll need a router to connect the subnets to begin with. A hard
> router or a Windows server machine with two NICs will do. Once you get
> that
> up and running please post back.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT
> ----------------------------------------------------------------------------
> Note: I do not top-post or bottom-post so that my responses are always
> easy
> to read in this forum and the Google Archives. This posting is provided
> "as is" with no warranties and confers no rights.
>



 
Reply With Quote
 
Bill Grant (03-06-2005, 07:59 AM)
What do you really see as the purpose of having the Exchange server in a
different subnet separated by a firewall?

I know that a lot of people rabbit on about increased security by
putting Exchange and/or RRAS servers in a DMZ, but it doesn't make a lot of
sense with AD. If the machine in the DMZ has to access AD resources, the
link between the private LAN and the DMZ has to allow all the things that AD
needs to function! Which means you have to punch holes in the firewall between
them to get AD to work. And NAT is a no-no.

Todd J Heron (03-06-2005, 09:32 AM)
Sorry, for some reason I felt the firewall part wasn't clear in your initial
post but now I see it. Forget what I said then regarding an IP router. And
yes, a firewall/NAT device is effectively a router. Anyway, you are going
to need to open a lot of ports, so many in fact to allow AD replication that
everyone I've ever seen comment on this recommends specifically NOT to do
it. As you are essentially turning the firewall into "Swiss cheese". But
if you are determined to move forward, notwithstanding security
implications, this is how you do it.

How to Configure a Firewall for Domains and Trusts
http://support.microsoft.com/default...b;en-us;179442

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
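The KB article Todd points to is a list of ports. What follows is an added example, not code from the thread or from the article, that turns that list into a reachability check you can run from the DMZ host before and after changing the firewall policy. The port set is the well-known one for a member server talking to a domain controller (DNS, Kerberos, RPC endpoint mapper, NetBIOS, LDAP/LDAPS, SMB, Kerberos password change, Global Catalog); the DC address 192.168.1.10 and the Windows Server 2003 dynamic RPC range of 1025-5000 are assumptions, since the thread gives neither.

```python
"""Checks which of the TCP ports an Active Directory member server needs on a
domain controller are actually reachable through the firewall, and reports the
UDP ports and dynamic RPC range that a plain TCP connect() cannot verify.

Added example, not from the thread.  The DC address used in __main__ is an
assumption (the original post gives only the Exchange and file server IPs).
"""
import socket
from typing import Callable, Dict, List, Tuple

# (port, protocol, purpose): the static ports a member server / DC needs.
AD_PORTS: Tuple[Tuple[int, str, str], ...] = (
    (53,   "tcp", "DNS"),
    (53,   "udp", "DNS (SRV records used to locate DCs)"),
    (88,   "tcp", "Kerberos"),
    (88,   "udp", "Kerberos"),
    (123,  "udp", "NTP (Kerberos tolerates only a few minutes of clock skew)"),
    (135,  "tcp", "RPC endpoint mapper"),
    (137,  "udp", "NetBIOS name service"),
    (138,  "udp", "NetBIOS datagram"),
    (139,  "tcp", "NetBIOS session"),
    (389,  "tcp", "LDAP"),
    (389,  "udp", "LDAP (CLDAP DC pings)"),
    (445,  "tcp", "SMB (SYSVOL, Netlogon)"),
    (464,  "tcp", "Kerberos password change"),
    (464,  "udp", "Kerberos password change"),
    (636,  "tcp", "LDAP over SSL"),
    (3268, "tcp", "Global Catalog"),
    (3269, "tcp", "Global Catalog over SSL"),
)

# RPC-based services (replication, Netlogon, SAM) bind to ephemeral ports that
# the endpoint mapper hands out.  Assumed default for Windows Server 2003 is
# 1025-5000; allowing this whole range is what turns the policy into "Swiss
# cheese".
RPC_DYNAMIC_RANGE = (1025, 5000)

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes (the firewall allows it)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tcp_ports() -> List[int]:
    return [p for p, proto, _ in AD_PORTS if proto == "tcp"]


def udp_ports() -> List[int]:
    return sorted({p for p, proto, _ in AD_PORTS if proto == "udp"})


def audit_tcp(dc: str, probe: Probe = tcp_probe) -> Dict[int, bool]:
    """Probe every required TCP port on the DC; the probe is injectable so the
    logic can be exercised without a network."""
    return {port: probe(dc, port) for port in tcp_ports()}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    return sorted(port for port, reachable in results.items() if not reachable)


def report(dc: str, results: Dict[int, bool]) -> str:
    purpose = {(p, proto): why for p, proto, why in AD_PORTS}
    lines = [f"AD port audit against {dc}"]
    for port in sorted(results):
        state = "open" if results[port] else "BLOCKED"
        lines.append(f"  tcp/{port:<5} {state:8} {purpose[(port, 'tcp')]}")
    lines.append("  udp ports to open (not probed): "
                 + ", ".join(str(p) for p in udp_ports()))
    lo, hi = RPC_DYNAMIC_RANGE
    lines.append(f"  dynamic RPC tcp/{lo}-{hi} (not probed): pin it to a fixed "
                 "port on the DC, or the rule set has to allow the whole range")
    return "\n".join(lines)


if __name__ == "__main__":
    DC = "192.168.1.10"   # assumed DC address; replace with your own
    res = audit_tcp(DC)
    print(report(DC, res))
    print("blocked:", blocked_ports(res))
```

Run it from the Exchange host. The UDP ports and the dynamic RPC range are reported rather than probed because a TCP connect cannot test them, and the dynamic range is the part that makes the rule set so wide; setting the NTDS "TCP/IP Port" registry value on the DC pins replication to one port so the firewall rule can be that narrow. The probe says nothing about NAT: whether the firewall rewrites the DMZ address is a separate check.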
boe (03-06-2005, 12:57 PM)
Thanks - hopefully 2000 and 2003 use the same ports.
Todd J Heron (03-06-2005, 04:15 PM)
They do. Although I haven't seen that article (which has a section each for
NT and 2000) updated in a while. Maybe someone from MS looking in here can
make a comment/request for update. Anyone can actually make a request for
update, but it has more weight coming from an MS engineer.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
Todd J Heron (03-07-2005, 02:54 AM)
See what Bill Grant said as well regarding NAT. Your NAT device
functioning as a router between the local LAN and the DMZ will make it
(nearly) impossible to pass Kerberos and RPC traffic. I haven't tested this; I
heard it can't be done without special measures. And one of them cannot
pass through NAT at all. I'll research that and get back to you.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
boe (03-07-2005, 12:55 PM)
Thanks everyone - this article -
http://support.microsoft.com/default...b;en-us;179442

was the key. I have the firewall in place and so far no issues.
Bill Grant (03-07-2005, 11:55 PM)
That sounds fine. My only comment is this. If you have allowed all of
those ports, what exactly is the point of having the firewall at all? Once
you have allowed file sharing, RPC, LDAP and Kerberos, what traffic is it
going to block?
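Bill's question is the right test to apply to any rule set: once AD is allowed, which flows does the firewall still deny? The following is an added example, not from the thread, that models the two ways of writing the rules as a first-match policy with default deny and runs a handful of constructed flows through both. 10.10.10.10 (Exchange) and 192.168.1.200 (file server) are the poster's addresses; the DC at 192.168.1.10 and a second DMZ host at 10.10.10.20 are assumed, as is the exact TCP port set.

```python
"""First-match zone policy evaluator: contrasts opening the AD ports zone-wide
(DMZ -> LAN) with scoping them to the one Exchange host and the one DC it must
reach.  Added example, not from the thread.  The DC (192.168.1.10) and the
second DMZ host (10.10.10.20) are assumed addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

# Static TCP ports a member server needs on a DC (assumed, well-known set).
AD_TCP: FrozenSet[int] = frozenset({53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269})


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    ports: FrozenSet[int]  # TCP destination ports; empty set means any port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (not self.ports or port in self.ports))


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; an unmatched flow is dropped (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


EXCHANGE = "10.10.10.10"     # from the original post (DMZ)
FILESERVER = "192.168.1.200"  # from the original post (LAN)
DC = "192.168.1.10"           # assumed
OTHER_DMZ = "10.10.10.20"     # assumed: any other host that lands in the DMZ

# The "Swiss cheese" version: every DMZ host may reach every LAN host on AD ports.
ZONE_WIDE: List[Rule] = [Rule("allow", "10.10.10.0/24", "192.168.1.0/24", AD_TCP)]

# Same ports, but only between the two hosts that actually need them.
HOST_SCOPED: List[Rule] = [Rule("allow", f"{EXCHANGE}/32", f"{DC}/32", AD_TCP)]

# Constructed flows a reviewer would push through the policy: (src, dst, port, what).
SAMPLE_FLOWS: List[Tuple[str, str, int, str]] = [
    (EXCHANGE, DC, 389, "Exchange -> DC LDAP: required"),
    (EXCHANGE, DC, 88, "Exchange -> DC Kerberos: required"),
    (EXCHANGE, FILESERVER, 445, "Exchange -> file server SMB: not required"),
    (OTHER_DMZ, DC, 445, "other DMZ host -> DC SMB: lateral movement"),
    (EXCHANGE, DC, 3389, "Exchange -> DC RDP: never"),
]


def compare(flows=SAMPLE_FLOWS) -> List[Tuple[str, str, str]]:
    """[(description, zone_wide_verdict, host_scoped_verdict), ...]."""
    return [(desc, evaluate(ZONE_WIDE, s, d, p), evaluate(HOST_SCOPED, s, d, p))
            for s, d, p, desc in flows]


def denied(rules: List[Rule], flows=SAMPLE_FLOWS) -> List[str]:
    """Descriptions of the sample flows this rule set still blocks."""
    return [desc for s, d, p, desc in flows if evaluate(rules, s, d, p) == "deny"]


if __name__ == "__main__":
    for desc, wide, scoped in compare():
        print(f"{desc:45} zone-wide={wide:5} host-scoped={scoped}")
    print("zone-wide still denies:", denied(ZONE_WIDE))
    print("host-scoped still denies:", denied(HOST_SCOPED))
```

The zone-wide rule only blocks the RDP flow; the host-scoped rule also denies the Exchange host reaching the file server and any other DMZ host reaching the DC, which is the traffic a compromised DMZ box would generate. That is the answer to "what is it going to block": the firewall earns its keep only when the AD holes are scoped to specific host pairs rather than to the whole zone.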