Re: How To Force LDAP Queries Through One Domain?
Well, Todd, do you want to show us the Microsoft Best Practices document
that says you should put a domain controller out on the Internet with no
firewall in front of it? I guess that document doesn't exist either
because some things are just common sense.

In any case, my focus wasn't on whether a firewall was necessary, but more
on what kind of access a member server in a foreign domain must have to a
domain controller in a trusted domain, when some entity from the trusted
domain needs to be referenced in an ACL, or for user authentication during
login. I'm just trying to define the behavior.

There is at least one Microsoft Knowledge Base article that details what
ports to open between a client and a domain:

http://support.microsoft.com/default.aspx?scid=kb;en-us;179442

And this Knowledge Base article details how to configure RPC for this case:

http://support.microsoft.com/kb/154596/

And this White Paper discusses "best practices" for domains behind
firewalls:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en

Other white papers on the topic of isolating domain controllers behind
firewalls:

http://www.microsoft.com/downloads/details.aspx?familyid=9A3E2B2B-695D-4FF9-BCB1-5F2F3001845E&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=156C73A1-F9C2-41C7-B5C1-A509FB255447&displaylang=en

And finally there is a Microsoft document on planning Federated Forests with
Windows 2003 that documents behavior between two forests in a trust, and all
of the images in this document clearly show firewalls between the forests.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/fedffin2.mspx#EHAA

--
Will

"Todd J Heron" <todd_heron(delete)@hotmail.com> wrote in message
news:OYGTuo#AGHA.312@xxxxxxxxxxxxxxxxxxxxxxx
> I think what you want is unsupported. You don't see suggestions to setup
> firewalls between domains in any of the MS Best Practices documents.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
>
> "Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message...
> > When you login to a domain on a computer that is a member server in the
> > domain, and then create an ACL against a file that refers to entities in
> > other domains in the same forest, it appears that the LDAP query is placed
> > directly to the domain controllers for each domain you reference in the
> > ACL.
> > I can see this in the firewall log pretty clearly (there is a firewall
> > between the clients and the domain controllers). Is there any way to
> > configure a client or its member domain's DC so that the LDAP queries for
> > entities in other domains go through the member server's domain as a proxy
> > for the other domains? I want to avoid the direct contact between the
> > computer that is a member server of a domain and the DCs of any other
> > domain.
> >
> > Would this behavior be any different if the domains were in different
> > forests with a trust between them? In the case of a trust, where a user on
> > a member server logged into its domain creates an ACL on a file that
> > references a trusted domain, will the LDAP queries go directly to the
> > trusted domain's DC? Is there any way to stop that behavior?
> >
> > --
> > Will
> >
> >
>
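Will's original question rests on an observation from the firewall log: the member server opens LDAP connections straight to the domain controllers of every domain referenced in an ACL. The script below is an added example, not code from anyone in this thread, that automates that observation over a handful of constructed log lines. It assumes a simple key=value log format, hypothetical DC and member-server addresses with a constructed address-to-domain mapping, and the well-known LDAP and Global Catalog ports (389, 636, 3268, 3269), none of which appear in the thread itself. It reports every LDAP/GC connection from a member server to a DC outside the server's own domain, allowed or denied, so the cross-domain paths a firewall policy has to account for can be listed before rules are tightened.

```python
import re
from collections import defaultdict

# Well-known LDAP and Global Catalog ports (general knowledge; not listed in the thread).
LDAP_PORTS = {389: "ldap", 636: "ldaps", 3268: "gc", 3269: "gc-ssl"}

# Hypothetical domain controller addresses and the domain each one serves (constructed).
DC_DOMAINS = {
    "10.1.0.10": "corp.example",
    "10.2.0.10": "eng.corp.example",
    "10.3.0.10": "partner.example",
}

# Hypothetical member servers and the domain each is joined to (constructed).
MEMBER_DOMAINS = {
    "10.1.5.20": "corp.example",
    "10.1.5.21": "corp.example",
}

# Constructed firewall log lines in a simple key=value style; not any vendor's real format.
SAMPLE_LOG = """\
2005-11-03T09:12:01 action=ALLOW proto=TCP src=10.1.5.20 dst=10.1.0.10 dport=389
2005-11-03T09:12:02 action=ALLOW proto=TCP src=10.1.5.20 dst=10.2.0.10 dport=389
2005-11-03T09:12:02 action=ALLOW proto=TCP src=10.1.5.20 dst=10.3.0.10 dport=3268
2005-11-03T09:12:03 action=DENY proto=TCP src=10.1.5.20 dst=10.3.0.10 dport=636
2005-11-03T09:12:04 action=ALLOW proto=TCP src=10.1.5.20 dst=10.1.0.10 dport=445
2005-11-03T09:12:05 action=ALLOW proto=UDP src=10.1.5.21 dst=10.1.0.10 dport=53
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one key=value log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def cross_domain_ldap(log_text, dc_domains, member_domains):
    """Return {(src, dst_domain): [(dport, action), ...]} for LDAP/GC connections
    from a member server to a DC in a domain other than the server's own.
    Same-domain LDAP, non-LDAP ports, unknown hosts and unparseable lines are dropped."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in LDAP_PORTS:
            continue
        src_domain = member_domains.get(rec["src"])
        dst_domain = dc_domains.get(rec["dst"])
        if src_domain is None or dst_domain is None or src_domain == dst_domain:
            continue
        hits[(rec["src"], dst_domain)].add((rec["dport"], rec["action"]))
    return {key: sorted(ports) for key, ports in hits.items()}


def report(log_text, dc_domains, member_domains):
    """Render the cross-domain findings as one line per (member server, foreign domain)."""
    lines = []
    for (src, dom), ports in sorted(cross_domain_ldap(log_text, dc_domains, member_domains).items()):
        detail = ", ".join(f"{LDAP_PORTS[p]}/{p} {act}" for p, act in ports)
        lines.append(f"{src} -> {dom}: {detail}")
    return lines


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, DC_DOMAINS, MEMBER_DOMAINS):
        print(row)
```

Two of the sample lines are same-domain LDAP or non-LDAP traffic and are intentionally left out of the report; the remaining hits show the member server reaching DCs in two foreign domains, one of them already blocked on LDAPS, which is exactly the direct contact the original post wanted to avoid or at least account for in the firewall rule set.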