Re: DNS/Active directory




It is not a smart idea to have Active Directory in the DMZ at all (if it needs
to talk to a DC in the LAN).

Personally I would consider putting Terminal Services in the LAN as a member of
the domain and then opening the ports from the Internet to the LAN to allow users
to access TS. In this case you could consider using two-factor authentication for
logging on to TS (e.g. smart cards)...

--
Mike
Microsoft MVP - Windows Security

"tshad" <tfs@xxxxxxxxxxxxxx> wrote in message
news:uioGOvl7FHA.1032@xxxxxxxxxxxxxxxxxxxxxxx
>
> "tshad" <tfs@xxxxxxxxxxxxxx> wrote in message
> news:OHoSnCE7FHA.3752@xxxxxxxxxxxxxxxxxxxxxxx
>>
>> "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
>> news:uHbGFB86FHA.3172@xxxxxxxxxxxxxxxxxxxxxxx
>> > Hi,
>> >
>> > A server that is a member of a domain will need quite a few ports opened to
>> > talk to a domain controller on the other side of the firewall.
>> >
>> > Here is a short list of the protocols used...
>> >
>> > RPC endpoint mapper 135/tcp, 135/udp
>> > Network basic input/output system (NetBIOS) name service 137/tcp, 137/udp
>> > NetBIOS datagram service 138/udp
>> > NetBIOS session service 139/tcp
>> > RPC dynamic assignment 1024-65535/tcp
>> > Server message block (SMB) over IP (Microsoft-DS) 445/tcp, 445/udp
>> > Lightweight Directory Access Protocol (LDAP) 389/tcp
>> > LDAP over SSL 636/tcp
>> > Global catalog LDAP 3268/tcp
>> > Global catalog LDAP over SSL 3269/tcp
>> > Kerberos 88/tcp, 88/udp
>> > Domain Name Service (DNS) 53/tcp, 53/udp
>> > Windows Internet Naming Service (WINS) resolution (if required) 1512/tcp, 1512/udp
>> > WINS replication (if required) 42/tcp, 42/udp
>> > and ICMP protocol.
>> >
>> > Service overview and network port requirements for the Windows Server system
>> > http://support.microsoft.com/default.aspx?scid=kb;en-us;832017&Product=winsvr2003
>> >
>> > Note: by placing a server that is a member of the domain in the DMZ you are
>> > not doing much for protecting your LAN where your domain controller is... If
>> > for some reason I can gain access to your server in the DMZ, I have full
>> > access to your LAN...
>> >
>> I agree.
>>
>> This is why we are trying to get around that by not making it part of the
>> domain.
>>
>> This machine is going to have Terminal Server on it running one application.
>> The only port we are going to have open is the one to SQL Server, with no SQL
>> Tools on it. And the user will only get access to the program we are
>> running with NO desktop.
>>
>> The problem we face is trying to set up groups that we can set different
>> policies on. We need one group to have NO desktop and another that will
>> have limited desktop and admin that will have full desktop. But we can't
>> find a way to do that without setting up Active Directory on the machine
>> which will need to have access to the Domain Controller.
>>
>
> I am looking at setting up Active Directory in the DMZ with just one server
> (the Terminal Server) - but I was told this was not a good idea - to have a
> TS as a DC. But that would mean getting a computer to just be a DC - which
> is a little bit of overkill, I would think.
>
> Tom
>> Thanks,
>>
>> Tom
>>
>>
>> > --
>> > Mike
>> > Microsoft MVP - Windows Security
>> >
>> > "tshad" <tscheiderich@xxxxxxxxxxxxxxx> wrote in message
>> > news:%23VM08366FHA.4012@xxxxxxxxxxxxxxxxxxxxxxx
>> > > I have a server that is in a DMZ and is not pointing at the Active
>> > > Directory.
>> > >
>> > > To access Active Directory for domain user authentication, I need to
>> > > open a port on my firewall.
>> > >
>> > > Would this be the same port as DNS (53) or does Active Directory use a
>> > > different port?
>> > >
>> > > Thanks,
>> > >
>> > > Tom
>> > >
>> >
>> >
>>
>>
>
>
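The port list Miha quotes above is the crux of the thread: a domain member in the DMZ needs far more than port 53 open to the LAN, and the RPC dynamic range alone is most of the TCP port space. The following is an added example, not code from the thread, from Microsoft, or from any of the posters. It transcribes that list into a table, audits a candidate DMZ-to-LAN firewall rule set against it (reporting which services would still be blocked), and counts how many destination ports each design actually opens, so the "DMZ member server" design can be compared with Mike's "TS in the LAN" alternative. The two rule sets at the bottom are constructed sample input, the two "if required" WINS entries and ICMP are left out, and 3389/tcp as the Terminal Services (RDP) port is my assumption; the thread does not name it.

```python
"""Audit a firewall rule set against the DC port list quoted in this thread.

Added example, not code from the thread or from Microsoft. REQUIRED is
transcribed from the list Miha posted (KB 832017), leaving out the two
"if required" WINS entries and ICMP. The rule sets further down are
constructed sample input, and 3389/tcp for Terminal Services (RDP) is
an assumption; the thread names no TS port.
"""
from typing import Dict, List, Set, Tuple

# (service, protocol, first_port, last_port) a domain member must reach on a DC.
REQUIRED: List[Tuple[str, str, int, int]] = [
    ("RPC endpoint mapper", "tcp", 135, 135),
    ("RPC endpoint mapper", "udp", 135, 135),
    ("NetBIOS name service", "tcp", 137, 137),
    ("NetBIOS name service", "udp", 137, 137),
    ("NetBIOS datagram service", "udp", 138, 138),
    ("NetBIOS session service", "tcp", 139, 139),
    ("RPC dynamic assignment", "tcp", 1024, 65535),
    ("SMB over IP (Microsoft-DS)", "tcp", 445, 445),
    ("SMB over IP (Microsoft-DS)", "udp", 445, 445),
    ("LDAP", "tcp", 389, 389),
    ("LDAP over SSL", "tcp", 636, 636),
    ("Global catalog LDAP", "tcp", 3268, 3268),
    ("Global catalog LDAP over SSL", "tcp", 3269, 3269),
    ("Kerberos", "tcp", 88, 88),
    ("Kerberos", "udp", 88, 88),
    ("DNS", "tcp", 53, 53),
    ("DNS", "udp", 53, 53),
]

# A firewall rule permitting a destination port range for one protocol.
Rule = Tuple[str, int, int]


def covered(proto: str, lo: int, hi: int, rules: List[Rule]) -> bool:
    """True if a single rule of the same protocol spans the whole range lo..hi."""
    return any(p == proto and rlo <= lo and hi <= rhi for p, rlo, rhi in rules)


def missing(rules: List[Rule]) -> List[str]:
    """Required services the rule set blocks; a member server with any of these
    unmet will fail to join the domain or to authenticate domain users."""
    return [
        f"{svc} {proto}/{lo}" + (f"-{hi}" if hi != lo else "")
        for svc, proto, lo, hi in REQUIRED
        if not covered(proto, lo, hi, rules)
    ]


def exposed_ports(rules: List[Rule]) -> Dict[str, int]:
    """Number of distinct destination ports each protocol opens: a rough
    size of the hole the rule set punches through the firewall."""
    opened: Dict[str, Set[int]] = {}
    for proto, lo, hi in rules:
        opened.setdefault(proto, set()).update(range(lo, hi + 1))
    return {proto: len(ports) for proto, ports in sorted(opened.items())}


def minimal_member_rules() -> List[Rule]:
    """Smallest DMZ-to-LAN rule set that satisfies every REQUIRED entry."""
    return [(proto, lo, hi) for _, proto, lo, hi in REQUIRED]


# Constructed: the original poster's starting point, DNS only.
DNS_ONLY: List[Rule] = [("tcp", 53, 53), ("udp", 53, 53)]

# Constructed: Mike's alternative, TS inside the LAN with only the TS port
# (assumed 3389/tcp) opened from the Internet into the LAN.
TS_IN_LAN: List[Rule] = [("tcp", 3389, 3389)]


if __name__ == "__main__":
    print("DNS only, still blocked:", missing(DNS_ONLY))
    print("DMZ member server -> LAN DC opens:", exposed_ports(minimal_member_rules()))
    print("Internet -> TS in LAN opens:", exposed_ports(TS_IN_LAN))
```

Running it shows why the thread's advice converges on "don't": satisfying the member-server list opens 64,520 TCP and 6 UDP destination ports from the DMZ host into the LAN (the 1024-65535 dynamic RPC range is almost all of it), whereas the TS-in-LAN design opens a single inbound port, which is the one place a second factor such as smart cards can then be enforced.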

