Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Firewall configuration for Domain controller communication?

Posted on 2011-02-14
3
656 Views
Last Modified: 2012-05-11
I've created a box to serve as my production domain controller at my data centre. The primary DCs sit at the office.

There is a VPN between the two locations and they sit on different subnets.

What modifications do I need to make to my new box's config to let it see the primary DC, and what firewall ports need opening to support full AD replication?
0
Comment
Question by:Borgs8472
3 Comments
 
LVL 6

Expert Comment

by:Ryan Smith
ID: 34890364
If you have a vpn setup between the two sites it's safe to open all ports on the vpn policy.  You should probably use vpn encryption though.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 34891184

You have a number of options available to you:
Open all ports across the VPN link as previously suggested.
A quick and dirty fix, but also an insecure one. You should definitely use a high encryption connection between the two offices otherwise all your AD traffic is passing over the Internet in plain text, which is not secure. This also means that your data center servers could fairly easily be attacked on any weak / unpatched port, because all ports are allowed through the firewall.
Configure the server to use set RPC ports for Active Directory communications and then restrict the firewall to only allow the necessary ports.
Much more secure, a much smaller attack surface and you have complete control over what traffic passes between the two sites. It takes some additional time to plan, configure and document your AD setup using this method, but this is a more secure configuration and the one I prefer.

A document available at Microsoft explains in a lot more detail all the ports you need to open for the latter option and the registry changes required to fix the RPC ports at a particular value.
See http://technet.microsoft.com/en-us/library/bb727063.aspx for details.

Don't forget to set up Active Directory Sites and Services for the data center to ensure your DC situated there isn't contacted when the DCs at your main site are available.

-Matt
0
 
LVL 4

Author Closing Comment

by:Borgs8472
ID: 34937106
<3
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question