Re: Core servers
- From: "Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Thu, 8 Jun 2006 14:01:51 +0200
I would add block RPC on port 135
why?
Any reference you are aware of I would be pleased to research
????
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
"peterc" <peterc@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:42A6C6E8-BB50-4BDC-9937-DC113598C145@xxxxxxxxxxxxxxxx
Ok! I get what you are suggesting, I would add block RPC on port 135. The question I am asking is WHY?
This is not my design (I have migrated and upgraded other companies) I am being presented with a design that is isolating these DCs as a matter of good practice, but I can find no references to this methodology.
Any reference you are aware of I would be pleased to research.
Peter
"Jorge de Almeida Pinto [MVP]" wrote:
the only way to do that is to place those servers in a site linked with one or more subnet(s) and will only be used in a last resort...
another way to prevent authentication is to tweak the priority and the weight of the SRV RRs of the DC with the FSMO roles or to only make it register certain SRV RRs
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
"peterc" <peterc@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:311D4CC2-4D91-4D73-AD86-7A156E8FE6F1@xxxxxxxxxxxxxxxx
I am involved with an AD migration. The new domain structure is an empty root, two DCs different sites, no user accounts. One child domain crossing multiple sites. The designer has specified that the two domain controllers holding the PDC, INF and RID roles for the child domain be isolated from user logons by placing in different subnet, authentication for user accounts to be carried out by other DCs on the site.
Given that authentication is carried out to a local domain controller as configured in Sites and Services, a local subnet will not isolate the two DCs holding these FSMO roles from being used to authenticate accounts, separate subnet or not. The term core servers is being used to describe these DCs and they are described as needing protection from user logons. Personally I have never heard of this configuration before. I cannot find any reference to this methodology. Can anyone shed any light on it?
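
The SRV priority and weight tweak mentioned in the thread can be checked against the RFC 2782 selection rules; the sketch below is an added example, not code from any poster, and it models only the generic RFC 2782 ordering, not Windows site-aware DC location. The host names, the record values and the helper names `order_targets` and `first_choice_counts` are constructed for illustration.

```python
import random
from collections import Counter

# Constructed sample SRV set (priority, weight, target); host names are hypothetical.
SRV_RECORDS = [
    (0, 100, "dc-logon1.child.example.com"),
    (0, 100, "dc-logon2.child.example.com"),
    (0, 0, "dc-rid.child.example.com"),     # FSMO holder, weight lowered to 0
    (10, 100, "dc-pdc.child.example.com"),  # FSMO holder, priority value raised
]

def order_targets(records, rng):
    """Order targets the way an RFC 2782 client tries them."""
    ordered = []
    for prio in sorted({p for p, _, _ in records}):  # lowest priority value first
        # Within one priority, zero-weight records go to the front of the list.
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            pick = rng.randint(0, sum(w for _, w, _ in group))
            running = 0
            for i, (_, weight, target) in enumerate(group):
                running += weight
                if running >= pick:  # first record whose running sum reaches pick
                    ordered.append(target)
                    del group[i]
                    break
    return ordered

def first_choice_counts(records, trials=10000, seed=1, down=()):
    """Count which reachable target a client contacts first over many lookups."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        reachable = [t for t in order_targets(records, rng) if t not in down]
        counts[reachable[0]] += 1
    return counts

if __name__ == "__main__":
    print("all DCs up:     ", dict(first_choice_counts(SRV_RECORDS)))
    logon = ("dc-logon1.child.example.com", "dc-logon2.child.example.com")
    print("logon DCs down: ", dict(first_choice_counts(SRV_RECORDS, down=logon)))
```

Priority and weight only reorder the candidate list: both FSMO holders stay in it and are contacted as soon as the preferred DCs are unreachable, so this steers logon traffic rather than isolating those servers.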