active directory over firewalls

allenj · Sep 27, 2006

I have an environment where I need to have DC's in seperate "burbs"
segmented off from the rest of the network by firewalls. We are
investigating using IPSec to make DC to DC communication operate. I
have read several posts and articles on this, but cannot determine
whether I need to build IPSec between 2 DC's (one in burb and one in
production) or whether I need to build IPSec between ALL DC's??? It
appears in testing that it must be all DC's, or we start getting 1864
errors in event logs of DC's and when researching by doing DCDiags, I
see that I am getting REPLICATION RECEIVED LATENCY WARNINGS related to
the DC's in the "burb" which do not have connectivity built in via
IPSec.

any help would be appreciated

thanks

Jorge de Almeida Pinto [MVP - DS] · Sep 27, 2006

have you seen:
http://www.microsoft.com/technet/pr.../activedirectory/deploy/confeat/adrepfir.mspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

chriss3 [MVP] · Sep 27, 2006

Hello,
Here is a few good articles as well to start with, Hope it helps.
Active Directory in Networks Segmented by Firewalls:
http://www.microsoft.com/downloads/...46-43f0-4caf-9767-a9166368434e&DisplayLang=en

Restricting Active Directory Replication Traffic to a Specific Port:
http://support.microsoft.com/default.aspx?scid=kb;en-us;224196

How to Configure a Global Catalog Server to Use a Specific Port When
Servicing MAPI Clients:
http://support.microsoft.com/default.aspx?scid=kb;en-us;298369

How to Restrict FRS Replication Traffic to a Specific Static Port:
http://support.microsoft.com/default.aspx?scid=kb;en-us;319553

How to Configure a Firewall for Domains and Trusts:
http://support.microsoft.com/defaul...port/kb/articles/q179/4/42.asp&NoWebContent=1

Paul Bergson · Sep 28, 2006

If I'm not mistaken, if you require your dc's to perform IPSec and you
aren't multi-homed ALL (Clients too) communications will need to be IPSec.
Multi-homed is not recommended for DC's.

--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

Active directory TCP UDP ports	2	Jun 7, 2007
Securing Communication Between Domain Members and their Domain Controllers	1	May 26, 2004
Replication Problems	8	Feb 9, 2005
Active Directory movements	2	Oct 4, 2004
NTDS Replication error	3	Dec 1, 2003
Active Directory Replication Monitor can't open domaincontroller	7	May 16, 2007
Site link bridges always needed?	2	Oct 10, 2007
Active Directory Replication	1	Apr 6, 2004

active directory over firewalls

allenj

Jorge de Almeida Pinto [MVP - DS]

chriss3 [MVP]

Paul Bergson

Ask a Question

Similar Threads