Computer account updates with RODC in DMZ

DataCenterNorc
on
Medium Priority
1,022 Views
Last Modified: 2012-05-11
I've read up on putting a RODC in the DMZ, and have seen some conflicting information.  The primary reason I want to put one in the DMZ is to reduce the risk associated with poking holes in the firewall, or have a regular DC in the DMZ.  However, will other servers in the DMZ be able to keep their computer accounts up to date with just the RODC in the DMZ?  What issues might I have by having the only DC in the DMZ be a RODC?

Adam BrownSenior Systems Admin
CERTIFIED EXPERT
Top Expert 2010

Commented:
RODC still needs to replicate with the rest of the network, so you will still need to open ports for communication with the Domain in the internal firewall. The only major advantages you gain with an RODC are that it makes it so someone can't change data on your AD if it is taken over and you can pick and choose which data gets replicated to it. You can overcome the issue of opening ports a little bit by utilizing IPSec as outlined in Tasmant's links, but this just lowers the attack surface rather than fully securing things.

In general, I recommend that if the servers in a DMZ do not absolutely require AD integration with the internal network, it's better to have them in a Workgroup or on their own domain. It's important to realize that any holes in the internal firewall of a DMZ network decrease the security standing of the internal network significantly. There are better security designs than the outdated DMZ approach that can be designed with modern technology.

Author

Commented:
We have servers and apps that require being able to authenticate from AD, so having a DC in the DMZ, or accessible from the DMZ is a requirement.  My question, which I'm not sure has been directly answered, is regarding computer account updates.
Adam BrownSenior Systems Admin
CERTIFIED EXPERT
Top Expert 2010

Commented:
Account information gets replicated to RODC just like DCs, so yes, the computer account updates would happen normally as long as the appropriate replication connectivity exists between the RODC and a Windows 2008 DC.
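As an added example, not from the thread or from any of its posters, the following PowerShell audit checks what the previous reply relies on: which RODCs exist, which principals each RODC's Password Replication Policy allows or denies, and whether the DMZ servers' computer accounts have actually had their secrets cached on the RODC. The DMZ OU distinguished name is an assumed placeholder; it needs the RSAT ActiveDirectory module (Server 2008 R2 or later).

```powershell
# Added example (not from the thread): audit each RODC's Password Replication
# Policy (PRP) against the computer accounts of the servers in the DMZ.
# Assumption: the DMZ servers' computer objects live in the OU below (placeholder).
Import-Module ActiveDirectory

$DmzOu = 'OU=DMZ Servers,DC=example,DC=com'   # assumed placeholder, adjust to your forest

# Computer accounts of the DMZ servers, keyed by distinguished name
$DmzComputers = Get-ADComputer -SearchBase $DmzOu -Filter *
$DmzDns = $DmzComputers | ForEach-Object { $_.DistinguishedName }

# Every read-only domain controller in the domain
$Rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
if (-not $Rodcs) { Write-Warning 'No RODC found in this domain.'; return }

foreach ($Rodc in $Rodcs) {
    Write-Host "=== RODC: $($Rodc.HostName) (site $($Rodc.Site)) ==="

    # Principals whose secrets this RODC may cache, and those it must never cache.
    # Entries are usually groups, so a computer can be allowed via membership
    # without appearing here by name.
    $Allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $Denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
    Write-Host "Allowed list: $($Allowed.Name -join ', ')"
    Write-Host "Denied list : $($Denied.Name -join ', ')"

    # A DMZ computer listed directly in the Denied list can never be cached.
    $DeniedDns = $Denied | ForEach-Object { $_.DistinguishedName }
    foreach ($c in $DmzComputers) {
        if ($DeniedDns -contains $c.DistinguishedName) {
            Write-Warning "$($c.Name) is explicitly denied on $($Rodc.HostName)"
        }
    }

    # Accounts whose secrets are really stored on this RODC right now.
    # A DMZ server missing here still authenticates, but only while the RODC
    # can reach a writable DC to forward the request.
    $Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    $RevealedDns = $Revealed | ForEach-Object { $_.DistinguishedName }
    $Cached    = $DmzDns | Where-Object { $RevealedDns -contains $_ }
    $NotCached = $DmzDns | Where-Object { $RevealedDns -notcontains $_ }
    Write-Host "DMZ computers cached on this RODC    : $($Cached.Count)"
    Write-Host "DMZ computers NOT cached on this RODC: $($NotCached.Count)"
    $NotCached | ForEach-Object { Write-Host "  not cached: $_" }
}
```

Computers reported as not cached can be added to the RODC's allowed list with Add-ADDomainControllerPasswordReplicationPolicy (-AllowedList) once you have decided their secrets should live in the DMZ.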

Author

Commented:
acbrown2010, I'm not sure I was clear.

The environment I want to move towards is one with regular Windows 2003/2008 servers in the DMZ, and the only DC in the DMZ being a RODC.  So if the RODC is the only DC in the DMZ, how are computer account updates for servers in the DMZ handled?
Senior Systems Admin
CERTIFIED EXPERT
Top Expert 2010
Commented:

Author

Commented:
It seems that would defeat the purpose of having the RODC if I still have to poke holes in the firewall. I have seen articles that refer to the RODC basically proxying those changes, and others that refer to disabling the changing of computer account passwords. Anyone else have any insight on how this is supposed to work?
Adam BrownSenior Systems Admin
CERTIFIED EXPERT
Top Expert 2010
Commented:
CERTIFIED EXPERT
Author of the Year 2010
Top Expert 2010

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.