I just recently worked with a vendor to upgrade a Windows NT domain
into a Windows 2003 Active Directory Domain. I currently have a empty
root for security purposes and a child domain with all of our
resources. A contractor will be arriving to move Active Directory into
the DMZ. I would like to get a head start on the AD move prior to his
arrival. I have very little experience with firewalls, so i'm at a
disadvantage. What all is needed to make this happen?
Any suggestions and or direction will be greatly appreciated.

Michael

Hi,

http://www.interhack.net/pubs/fwfaq/

You should hire an other contractor if you are not sure what you are doing
with a firewall. It is not difficult setting it up, if you would like full
advantages you should consider an expert.

Greetings,


<m-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I just recently worked with a vendor to upgrade a Windows NT domain
> into a Windows 2003 Active Directory Domain. I currently have a empty
> root for security purposes and a child domain with all of our
> resources. A contractor will be arriving to move Active Directory into
> the DMZ. I would like to get a head start on the AD move prior to his
> arrival. I have very little experience with firewalls, so i'm at a
> disadvantage. What all is needed to make this happen?
> Any suggestions and or direction will be greatly appreciated.
>
> Michael
>

In news:(E-Mail Removed),
m-(E-Mail Removed) <m-(E-Mail Removed)> stated, which I commented on
below:
> I just recently worked with a vendor to upgrade a Windows NT domain
> into a Windows 2003 Active Directory Domain. I currently have a empty
> root for security purposes and a child domain with all of our
> resources. A contractor will be arriving to move Active Directory into
> the DMZ. I would like to get a head start on the AD move prior to his
> arrival. I have very little experience with firewalls, so i'm at a
> disadvantage. What all is needed to make this happen?
> Any suggestions and or direction will be greatly appreciated.
>
> Michael

May I ask exactly why would you want to put a DC that is part of your
private internal protected network and domain and then expose it to the
Internet (firewall or not)?

There are about 29 ports, not to mention the dynamic emperical response
ports UDP 1024 and above, that AD requires for DC to DC communications, and
about 15, including those UDP ports, for client to DC communication. Do you
want to open them up? That would expose too much.

If you are trying to allow access from remote users, consider a 3rd party
VPN solution, such as a Cisco PIX (which I like, but of course I assume the
firewall you are installing has that feature) to create tunnels for your
users to access internal resources, rather than putting a DC outside.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]