Replicate AD through a DMZ. what ports to open?

Dave Harry
      06-01-2004, 03:52 AM
Can anyone tell me what holes I need to open in my firewall DMZ to allow a
server to be added as a Member Server?
TIA

--
Dave Harry


Roland Hall
      06-01-2004, 03:51 PM
"Dave Harry" wrote in message news:%23$(E-Mail Removed)...
: Can anyone tell me what holes I need to open in my firewall DMZ to allow a
: server to be added as a Member Server?
: TIA

Dave...

Before you decide to open up holes to your internal network from the
perimeter, it might be worthwhile to read through this chapter...
http://www.oreilly.com/catalog/secur...h01.html#33965

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/service...p?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default...b;EN-US;308201
FAQ W2K/2K3 DNS:
http://support.microsoft.com/default...b;EN-US;291382

Phillip Windell
      06-01-2004, 04:06 PM
Pretty much everything the hackers want you to open and pretty much
everything you're never supposed to open. It'd be about the equivalent of
eliminating your firewall and letting your network sit "bare" out on the
Internet. The whole point of the firewall is to prevent what you're asking to
do.

The closest to a "safe way" would be to establish a VPN between the machine
in the DMZ and your Internal System. Then do this "membership" through the
VPN. However if they get into the Member Server then they can just follow
the link in through the VPN from there and you are back in the same mess.
Using an account for the VPN with no privilege or rights other than to
establish a "dial-up" can help some, but you are still at risk, particularly
if the Member server is "logged in" at the console giving them opportunities
with the "Currently logged on user". I don't believe there is any real
"safe" way to do this.

I've done this with one Server once using VPN, but I never made it a member
of the Domain. It is used so we can FTP to the box without the FTP sending
the username/password in clear-text over a publicly exposed link.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Jetro
      06-02-2004, 12:33 AM
If an Active Directory domain structure is absolutely required in your
environment, Microsoft does have a white paper available that discusses the
network and host configuration steps required in order for AD to function
properly. You can find the paper at
http://www.microsoft.com/windows2000...y/adsegment.asp.
This paper discusses which ports are required to be open between the DMZ
hosts and the domain controller, suggestions for IPSec configuration, and
Registry edits to further limit the number of TCP ports needed for
authentication and replication.
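The registry edits Jetro mentions pin the DC's replication (NTDS) and Netlogon RPC endpoints to fixed ports so the firewall does not have to expose the whole dynamic RPC range. The following read-only audit is an added example, not code from the thread or from the Microsoft paper; it assumes a current Windows Server domain controller, uses Microsoft's documented `TCP/IP Port` and `DCTcpipPort` registry values, and derives the inbound TCP port set a DMZ-to-DC rule would then need.

```powershell
# Added example (not from the thread): report whether this DC has pinned its
# NTDS replication and Netlogon RPC endpoints to static ports, and list the
# inbound TCP ports a DMZ member server then needs to reach the DC.
# Run on the DC itself; it only reads the registry and changes nothing.

function Get-AdDmzPortRequirements {
    [CmdletBinding()]
    param()

    $ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    # Both values are REG_DWORD. When a value is absent the service takes an
    # ephemeral port from the dynamic RPC range, so the firewall would have
    # to open that whole range (49152-65535 on Windows Server 2008 and later).
    $ntdsPort = (Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' `
                    -ErrorAction SilentlyContinue).'TCP/IP Port'
    $nlPort   = (Get-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort' `
                    -ErrorAction SilentlyContinue).DCTcpipPort

    # Well-known fixed TCP ports a member server needs to reach its DC:
    # DNS (53), Kerberos (88), RPC endpoint mapper (135), LDAP (389),
    # SMB (445), Kerberos password change (464), global catalog (3268).
    $fixedPorts = 53, 88, 135, 389, 445, 464, 3268

    $rpcPorts = @()
    if ($ntdsPort) { $rpcPorts += [int]$ntdsPort }
    if ($nlPort)   { $rpcPorts += [int]$nlPort }

    # If either endpoint is still dynamic, the rule cannot be narrowed to a
    # fixed list; the entire ephemeral range would have to be opened.
    $needsDynamicRange = (-not $ntdsPort) -or (-not $nlPort)

    $ntdsReport = if ($ntdsPort) { [int]$ntdsPort } else { 'dynamic' }
    $nlReport   = if ($nlPort)   { [int]$nlPort }   else { 'dynamic' }

    [pscustomobject]@{
        NtdsReplicationPort  = $ntdsReport
        NetlogonPort         = $nlReport
        RequiresDynamicRange = $needsDynamicRange
        InboundTcpToDC       = ($fixedPorts + $rpcPorts) | Sort-Object -Unique
    }
}

# A DC reporting RequiresDynamicRange = True is the case the thread warns
# about: the only way to make membership work is to open the whole range.
Get-AdDmzPortRequirements | Format-List
```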

Phillip Windell
      06-02-2004, 08:27 PM
Good link. I'll have to hang onto that one. Although I don't like the idea of
doing this with AD, the question does come up from time to time.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Jetro
      06-02-2004, 09:36 PM
Neither do I. DMZ is DMZ and must be it.