Re: AD requirements for DMZ?




Make sure all the dc's can communicate with one another. My guess is there is a firewall between them and that will break communications. I will further guess you have separate dmz's and you have placed a dc in each dmz.

I would suggest you define exactly what your topology looks like and post your ipconfig /all for the dc's in question. Also define exactly what you are trying to do. By standards it is a bad idea to have dc's in a dmz even if they are only used for external access. Consider creating a 2008 AD and firewall off the RWDC and provide the RODC's themselves unfettered access to the RWDC.

I have an article on firewall ports that need to be opened for firewalled off dc's.
http://www.pbbergs.com/windows/articles.htm
Select Firewall Ports Needed for Replication

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


"CM" <CM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:E22FF76C-D595-4AB8-A902-0725A3C4FD24@xxxxxxxxxxxxxxxx
Hi,

I searched some topics, but couldn't find related answers.. so..

In our internal lab environment, we have 3 servers setup as Windows NLB.
There is a need for a group of external users to be authenticated to the NLB
cluster. Therefore, we decided to use AD to help on the issue (instead of
creating all users on all 3 servers)
We have set up a new AD and created a new domain such as "dname.local". We
then added the other two servers to the domain to act as DCs. Everything
seems to work just fine in our lab environment. So, these 3 servers are
working as NLB and AD has its own domain and users. Those users are only
required on that AD - not to be confused with any internal users from other domains.

However, when we tried the same procedures to set up the AD in the DMZ
environment, the first server seems to be created okay through dcpromo and
created a new domain called "dnamedmz.local". When we tried to add the
second server to be the additional DC in the existing domain, it failed with
the error "The RPC server is unavailable".

Please advise - what are the requirements for those 3 DMZ servers to work as
a group to use/run the same AD in DMZ environment? Such as the
communications/ports required for them to work together in DMZ environment?

Note: All OS - 2003 Windows Server.

Thanks in advance,
Frank
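Paul's first point above (every dc must be able to reach every other dc through whatever firewall sits between the DMZ segments) can be checked from the server being promoted before running dcpromo again. The script below is an added example written for this thread, not code from Paul's article or from either poster; the partner name `dc1.dnamedmz.local` is a placeholder taken from Frank's domain name, and the cmdlets it uses (`Test-NetConnection`, `Get-NetTCPConnection`) exist on Windows 8 / Server 2012 and later, not on the Server 2003 boxes in the original question. The static port list is the well-known set AD replication and authentication rely on; Paul's linked article is the authoritative list.

```powershell
# Added example, not from the original thread.
# Run on the server you are trying to promote; $PartnerDc is a placeholder.
$PartnerDc = 'dc1.dnamedmz.local'

# Static ports a domain controller needs to reach on a partner DC.
$StaticPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL, netlogon)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 3268; Service = 'Global catalog' },
    @{ Port = 3269; Service = 'Global catalog over SSL' }
)

function Test-DcStaticPorts {
    param([string]$ComputerName, [array]$Ports)
    foreach ($p in $Ports) {
        # -InformationLevel Quiet returns $true/$false instead of a full object
        $ok = Test-NetConnection -ComputerName $ComputerName -Port $p.Port `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p.Port; Service = $p.Service; Reachable = $ok }
    }
}

$results = Test-DcStaticPorts -ComputerName $PartnerDc -Ports $StaticPorts
$results | Format-Table -AutoSize

# "The RPC server is unavailable" usually means the dynamic RPC range is
# blocked: port 135 answers, then hands out a high port the firewall drops.
# Assumption: partner DC is Server 2008 or later, where that range is
# 49152-65535 by default; Server 2003 used 1025-5000.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning ("Blocked static ports: " + ($blocked.Port -join ', '))
} elseif ($results.Count -eq $StaticPorts.Count) {
    Write-Host "All static ports open; next confirm the dynamic RPC range."
}

# Run this part ON THE PARTNER DC to list the high ports its LSASS/NTDS
# service is actually listening on, then test those from the other side.
function Get-DcDynamicListeners {
    param([int]$RangeStart = 49152)
    $lsass = (Get-Process -Name lsass).Id
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.OwningProcess -eq $lsass -and $_.LocalPort -ge $RangeStart } |
        Select-Object LocalAddress, LocalPort
}
```

If the static ports all pass but promotion still fails with the RPC error, run `Get-DcDynamicListeners` on the partner and feed the ports it reports to `Test-NetConnection` from the new server; a firewall that allows 135 but not the range behind it reproduces exactly the symptom Frank describes. Whether to open that range or, as Paul suggests, keep the writable DC out of the DMZ entirely and place read-only DCs there with a single policed path back to it, is the design decision the rest of his reply is about.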




