
Security doubt when replicating Active Directory over a firewall

Last Modified: 2010-04-11

I have an Exchange Server placed in my DMZ that is also a DC for my domain. Demoting it to a member server is not supported by Microsoft (http://support.microsoft.com/kb/822179), so I have to deal with AD replication through my FW.

I have followed this Microsoft document:
which, although written for Windows 2000, is valid for Windows 2003.

I have followed the (theoretically) most secure approach of encapsulating traffic between DMZ and Internal DCs through IPSec.

My question is this:

What is the difference between doing this, the most secure solution, and just fully opening traffic between the DMZ DC and the internal DCs (the first option in the document)?

I realize that, obviously, there are far fewer ports that I have to open in my firewall between the servers (just IP 50, 51 and UDP 500), but anyway what I am doing is encapsulating ALL traffic between the DMZ DC and the rest of the internal DCs, so if someone hacks my Exchange Server, he/she will anyhow have open access to my internal DCs through the IPSec channel (with the other option he/she will just have direct access through the "hole" in my FW).

I think I am missing something here ...




Top Expert 2007

The difference is important when you have more than one server in your DMZ.
If you have a web server in there and it gets hacked, it would not be possible to eavesdrop on all your important AD communication when using IPSEC.
Although I'm wondering why you have a DC in your DMZ. In general that's not a good idea. An Exchange in the DMZ should only be a front-end server without any domain info on it.



Hi J, thanks,

I can see the point in there. But this means that if the Exchange server gets hacked then I have a serious problem anyway.

And the Exchange Server is a DC because I "inherited" it like this. As I said, I thought about demoting it (because I have 2 DCs in my internal network), but then I found that this was not possible/advisable.

And I think that it is better to have an Exchange Server (even if it is a DC) in the DMZ (protecting AD traffic) than to place it in my internal network and DNAT SMTP internet connections to the Exchange Server in my internal network. Isn't it?
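The trade-off the question and the expert's answer describe, as an added illustration that is not part of the thread: a small Python model of the two firewall designs (the addresses and the subset of AD ports are constructed assumptions) showing what a compromised DMZ web server and a compromised DMZ DC each get under the "open ports" design versus the IPsec design.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (assumptions, not from the thread): the DMZ Exchange/DC,
# a second DMZ host like the web server the expert mentions, and the internal DC subnet.
DMZ_DC, DMZ_WEB, INTERNAL_DCS = "192.0.2.10", "192.0.2.20", "10.0.0.0/24"
# The only flows the IPsec design lets through the firewall: IKE, ESP (IP 50), AH (IP 51).
IPSEC_ONLY = {("udp", 500), ("esp", None), ("ah", None)}

@dataclass(frozen=True)
class Rule:
    src: str             # source network (CIDR)
    dst: str             # destination network (CIDR)
    proto: str           # "tcp", "udp", "esp" or "ah"
    port: Optional[int]  # None for protocols without ports

def dc_rule(proto, port=None):
    return Rule(DMZ_DC + "/32", INTERNAL_DCS, proto, port)

# Design 1 (the document's first option): AD ports opened in the clear, source-scoped
# to the DMZ DC. Representative subset only: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB.
DESIGN_OPEN = [dc_rule("tcp", p) for p in (53, 88, 135, 389, 445)] + \
              [dc_rule("udp", p) for p in (53, 88, 389)]
# Design 2 (what the asker built): the same AD traffic, but encapsulated in IPsec.
DESIGN_IPSEC = [dc_rule(proto, port) for proto, port in IPSEC_ONLY]

def allowed(rules, src, dst, proto, port=None):
    """A packet passes if any rule covers its source, destination, protocol and port."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(r.src) and d in ip_network(r.dst)
               and r.proto == proto and r.port == port for r in rules)

def reachable_from(rules, src, dst="10.0.0.1"):
    """(proto, port) pairs a DMZ host can open directly against an internal DC."""
    return {(r.proto, r.port) for r in rules if allowed(rules, src, dst, r.proto, r.port)}

def ad_traffic_in_clear(rules):
    """True if permitted DMZ->internal flows carry AD protocols outside ESP/AH, so a
    host that can see the DMZ wire (the expert's hacked web server) can read them."""
    return any((r.proto, r.port) not in IPSEC_ONLY for r in rules)

def exposure(rules, compromised):
    """What an attacker holding `compromised` gets under a given firewall design."""
    direct = reachable_from(rules, compromised)
    # The IPsec endpoint itself is not restricted by the tunnel: everything the DMZ DC
    # may send inside ESP reaches the internal DCs, which is the asker's observation.
    tunnel_endpoint = compromised == DMZ_DC and bool(direct & IPSEC_ONLY)
    return {"direct": direct,
            "full_ad_reach": tunnel_endpoint or bool(direct - IPSEC_ONLY),
            "sniffable": ad_traffic_in_clear(rules)}
```

Both designs give a compromised DMZ DC full reach into the internal DCs; the IPsec design only changes what a second compromised DMZ host can do and whether the replication traffic is readable on the DMZ segment.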




Thanks a lot J, very useful thoughts.
