Discussion:
AD replication over WAN
Valentine M. Smith
2003-01-09 14:21:15 UTC
Hi,

I'm looking for some feedback from the community regarding the transfer of AD
traffic over a public WAN.

The basic plan is this:

Single Win 2000 domain spread over two sites in different cities. Each site
has a perimeter NAT device and is obscuring internal subnets with IP addresses
provided by a single ISP. No internetwork VPN planned. DNS is AD-integrated
at both sites. Both DCs are patched to SP3.

The MS documentation I've consulted indicates that AD replication, and by
extension, DNS zone information that is AD-integrated is automatically
encrypted.

My question: if the data is already encrypted and is passing only across a
single ISP's network, should one be bothering with a router-router VPN tunnel
for this traffic? IOW, would setting up such a tunnel for this data be
redundant/unnecessary or am I missing something important here? Would anyone
care to comment on the relative safety of AD encryption out-of-the-box?

Thanks in advance for any feedback,

VS
Brian W. Spolarich
2003-01-11 22:09:52 UTC
Valerie, I have a very similar configuration: three sites, PAT/NAT at the perimeter, and AD controllers at each site.

I was not comfortable having my AD controllers communicate over the public Internet untunneled/unencrypted because of the heavy use of RPC by some parts of the AD protocol suite. I would strongly recommend considering establishing a meshed VPN topology if possible w/ your router hardware. It was relatively straightforward to set this up with the Cisco 1700-series routers I use at my network edges, and Cisco has since improved the detail of their example configs on their web site.

I would be happy to help w/ the Cisco configs if that's the flavor of routing hardware you're using.

-bws

Jim Harrison (SPG)
2003-01-13 02:43:05 UTC
Given that the replication path (port/protocol) is well-defined and generally understood, it also makes sense that they could also provide a "door" to your AD controllers for those who wish to do you harm for no apparent reason.

With that in mind, it seems clear to me that a site-to-site VPN is not only preferable, it's mandatory.

* Jim Harrison <mailto:***@microsoft.com>
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA)

Keith Smith
2003-01-13 15:53:02 UTC
I have a similar question, though in application to Outlook 2002 clients
accessing an exchange server across the Internet. Microsoft claims that with
OL2002, clients don't need to employ a VPN across the internet, as the RPC
is all encrypted.

Would a VPN also be recommended in this instance given the observations
below?

Thanks
Keith

Deus, Attonbitus
2003-01-13 16:02:43 UTC
At 06:43 PM 1/12/2003, Jim Harrison (SPG) wrote:
>Given that the replication path (port/protocol) is well-defined and
>generally understood, it also makes sense that they could also provide a
>"door" to your AD controllers for those who wish to do you harm for no
>apparent reason.
>
>With that in mind, it seems clear to me that a site-to-site VPN is not
>only preferable, it's mandatory.
>

Agreed - IP- or RPC-based replication should be via a VPN tunnel. You
could, however, use SMTP as a replication transport, in which case
certificates would be required and all replication information would be
encrypted without the need to open up the DCs directly.

AD
Jim Harrison (SPG)
2003-01-13 21:41:15 UTC
That's a very similar scenario, IMHO.
The point they're trying to make is that if data protection is your
biggest concern, then RPC encryption offers the same protection level as
a VPN tunnel.
My earlier point was, RPC uses known interfaces (multiple), which are
popular targets. Encrypting the data prevents some forms of snooping,
but it doesn't protect the machine interfaces that provide this
communication.
If you block access to them (via tunneling, for instance) and
RPC-encrypt them, you've just increased your jerk-resistance that much
more.
Of course, there may be times when you have to choose one over the
other.
In that case, I'd choose VPN.

* Jim Harrison
MCP(NT4/2K), A+, Network+
Security Business Unit (ISAQFE)

The burden of proof is not satisfied by a lack of evidence to the
contrary.

Keith Smith
2003-01-13 17:07:16 UTC
All:

I apologize for not being more specific... I was referring to using OL2002
in MAPI mode. As I understand it, ISA server has publishing rules to make
the firewall config easy. In addition, I also read that MAPI uses
encryption of the RPC. Is anyone familiar with this?

The primary docs I was referring to are:

From Microsoft Exchange 2000 Server Hosting Series
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange2000/plan/exchterm.asp?frame=true

Chapter 3 (Planning) discusses clients.

Thanks
Keith

Chris Weiscopf
2003-01-13 17:05:53 UTC
At the very least you can deploy a site to site VPN using Windows 2000
Routing and Remote Access Service. Open your LAN routers to pass the VPN
traffic, set up the site-to-site VPN in RRAS and set a static route in your
router pointing back to the server to reach the remote network. VPN
benefits with no additional hardware costs.


Chris Weiscopf
MCSE 2000, CCNA, Network+, A+
Uni-Point, LLC

Tom Sutherland
2003-01-16 15:55:29 UTC
Or you can wait till Windows Server 2003, which purportedly can create VPNs
using IPSEC/L2TP that can traverse NAT. Or did I not read the MS sales
literature closely enough?

Tom Sutherland
silver-lake resources

Jim Harrison (ISA)
2003-01-17 16:06:55 UTC
Check out ISA FP1; it includes a new RPC filter that makes encrypted RPC
for Exchange a brain-dead operation, and also adds an OWA wizard to make
web-publishing OWA another brain-dead operation.
http://microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en
(watch out for the wrap beast).

* Jim Harrison
MCP(NT4/2K), A+, Network+
Security Business Unit (ISAQFE)

Kim, Anthony
2003-01-13 18:58:34 UTC
Interesting discussion.

Reminded me of this helpful little thing:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

Also, is it still the case that replication via SMTP transport
can only be used for INTER-domain replication and not for
INTRA-domain replication?

Laura A. Robinson
2003-01-24 17:56:21 UTC
Yes. This is because the File Replication Service requires a synchronous
transport mechanism for its replication. Since FRS is responsible for
replication of group policies and scripts (not to mention DFS, but that's
another discussion), and since those are domain-specific in terms of their
storage, you cannot replicate a domain partition via SMTP.

With that said, in all of the AD implementations I've seen or worked on, I
know of only one that used SMTP replication, and it was for a highly
specialized and unique purpose. Generally speaking, if an environment is
such that SMTP replication would be necessary, then it is probably also an
environment that would better lend itself to placing the remote site in its
own forest altogether.

Laura

Pidgorny, Slav
2003-01-22 04:45:43 UTC
Yes, SMTP is interdomain only.

According to my tests, the minimal set of protocols required for intradomain
replication (DC to DC) is LDAP (389/UDP, 389/TCP), RPC for netlogon and ESE
replication (135/TCP plus one assigned port for the RPC endpoint), and CIFS for
policy/FRS replication (445/TCP). Please correct me if I'm wrong, but all the
protocols here are using authentication.

Some configuration of servers is required: particularly, all DCs have to be
DNS servers (with AD-integrated zones) to avoid the need for DNS query
traffic. All DCs are KDCs - Kerberos is not necessary (I wonder why MS puts it
as required everywhere: a domain controller can issue a Kerberos ticket for
itself!). LDAP to the Global Catalog is easy to avoid too. You can avoid NTP in
the domain hierarchy, but I prefer to enable it across the firewall and take
advantage of autoconfiguration for time sync.

I find implementing raw protocols as above in a multi-DMZ scenario more
convenient than using IPsec tunnelling. With the number of DCs increasing,
management of IPsec policies becomes increasingly complex - yet firewall
rule management is pretty much no different. However, if the infrastructure is
exposed to the Internet, VPN is the way, as previously said.

Regards

Slav Pidgorny, SCSA :)

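One way to turn the minimal DC-to-DC protocol set from the post above into a check a defender can run over a firewall rule list. This is an added example written for this page, not code from the thread; the "allow proto port[-port]" line format, the RPC endpoint pinned to port 50000 and the two sample rule sets are constructed assumptions, and Kerberos and NTP are treated as optional exactly as the post says.

```python
"""Audit a DC-to-DC firewall rule set against the minimal intra-domain
replication protocol set described in the thread (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp" or "udp"
    lo: int     # first port of the allowed range
    hi: int     # last port of the allowed range (inclusive)


# Assumption: the "one assigned port for the RPC endpoint" has been pinned to 50000.
RPC_ENDPOINT_PORT = 50000

# Minimal set from the post: LDAP 389/udp+tcp, RPC endpoint mapper 135/tcp,
# the pinned NTDS RPC endpoint, CIFS 445/tcp for FRS / group policy.
REQUIRED = {
    ("udp", 389): "LDAP",
    ("tcp", 389): "LDAP",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", RPC_ENDPOINT_PORT): "RPC endpoint (NTDS replication, pinned)",
    ("tcp", 445): "CIFS (FRS / group policy)",
}
# Services the post says can be avoided between DCs; allowed but not required.
OPTIONAL = {
    ("udp", 123): "NTP",
    ("udp", 88): "Kerberos",
    ("tcp", 88): "Kerberos",
}
WIDE_RANGE = 16  # a rule spanning more ports than this is flagged as too broad


def parse_rules(text):
    """Parse constructed lines such as 'allow tcp 389' or 'allow tcp 1024-65535'."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "allow":
            raise ValueError(f"unparseable rule: {line!r}")
        proto = parts[1].lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in rule: {line!r}")
        lo_s, _, hi_s = parts[2].partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in rule: {line!r}")
        rules.append(Rule(proto, lo, hi))
    return rules


def audit(rules):
    """Return (missing, extra, wide): required services no rule covers, allowed
    ports that are neither required nor optional, and rules opening a broad
    range (the 'just allow the whole dynamic RPC range' mistake)."""
    def covered(proto, port):
        return any(r.proto == proto and r.lo <= port <= r.hi for r in rules)

    missing = sorted(name for (proto, port), name in REQUIRED.items()
                     if not covered(proto, port))
    wide = [r for r in rules if r.hi - r.lo + 1 > WIDE_RANGE]
    extra = []
    for r in rules:
        if r in wide:
            continue  # reported as 'wide'; enumerating thousands of ports is pointless
        for port in range(r.lo, r.hi + 1):
            key = (r.proto, port)
            if key not in REQUIRED and key not in OPTIONAL:
                extra.append(key)
    return missing, sorted(extra), wide


# Constructed rule sets: one matching the post's minimal set (plus NTP),
# one that forgot CIFS, opened NetBIOS session, and allowed the dynamic range.
TIGHT = """
allow udp 389
allow tcp 389
allow tcp 135
allow tcp 50000
allow tcp 445
allow udp 123
"""
LOOSE = """
allow udp 389
allow tcp 389
allow tcp 135
allow tcp 1024-65535
allow tcp 139
"""

if __name__ == "__main__":
    for label, text in (("tight", TIGHT), ("loose", LOOSE)):
        missing, extra, wide = audit(parse_rules(text))
        print(label, "missing:", missing, "extra:", extra,
              "wide:", [(r.proto, r.lo, r.hi) for r in wide])
```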