Solved

Computer account updates with RODC in DMZ

Posted on 2011-04-19
Last Modified: 2012-05-11
I've read up on putting a RODC in the DMZ, and have seen some conflicting information. The primary reason I want to put one in the DMZ is to reduce the risk associated with poking holes in the firewall or having a regular DC in the DMZ. However, will other servers in the DMZ be able to keep their computer accounts up to date with just the RODC in the DMZ? What issues might I have by having the only DC in the DMZ be a RODC?
0
Question by:DataCenterNorc
9 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35425677
0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 35425830
RODC still needs to replicate with the rest of the network, so you will still need to open ports for communication with the Domain in the internal firewall. The only major advantages you gain with an RODC are that it makes it so someone can't change data on your AD if it is taken over and you can pick and choose which data gets replicated to it. You can overcome the issue of opening ports a little bit by utilizing IPSec as outlined in Tasmant's links, but this just lowers the attack surface rather than fully securing things.

In general, I recommend that if the servers in a DMZ do not absolutely require AD integration with the internal network, it's better to have them in a Workgroup or on their own domain. It's important to realize that any holes in the internal firewall of a DMZ network decrease the security standing of the internal network significantly. There are better security designs than the outdated DMZ approach that can be designed with modern technology.
0
 

Author Comment

by:DataCenterNorc
ID: 35427114
We have servers and apps that require being able to authenticate from AD, so having a DC in the DMZ, or accessible from the DMZ, is a requirement. My question, which I'm not sure has been directly answered, is regarding computer account updates.
0

 
LVL 43

Expert Comment

by:Adam Brown
ID: 35427145
Account information gets replicated to RODC just like DCs, so yes, the computer account updates would happen normally as long as the appropriate replication connectivity exists between the RODC and a Windows 2008 DC.
0
 

Author Comment

by:DataCenterNorc
ID: 35427570
acbrown2010, I'm not sure I was clear.

The environment I want to move towards is one with regular Windows 2003/2008 servers in the DMZ, and the only DC in the DMZ being a RODC.  So if the RODC is the only DC in the DMZ, how are computer account updates for servers in the DMZ handled?
0
 
LVL 43

Accepted Solution

by:Adam Brown
Adam Brown earned 2000 total points
ID: 35427608
They have to be replicated from a Domain Controller outside of the DMZ. This is done through normal AD replication traffic, so you still have to have holes open in the firewall for replication. If there is no replication traffic passed to the RODC from the rest of the domain, the RODC will never have the computer account information updated.
0
 

Author Comment

by:DataCenterNorc
ID: 35427793
It seems that would defeat the purpose of having the RODC if I still have to poke holes in the firewall. I have seen articles that refer to the RODC basically proxying those changes, and others that refer to disabling the changing of computer account passwords. Anyone else have any insight on how this is supposed to work?
0
 
LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 2000 total points
ID: 35427858
Essentially, the RODC pulls data from your Active Directory Domain, but does not send any data back. When the Domain resets a Computer Account's password (or other updates), the change is replicated to the RODC through normal channels, and the computer is given the new information from there. The trick here is that you can allow replication traffic coming *from* your private network, but you don't have to have open ports going in the other direction. So it's more secure in that you can block all traffic going from the DMZ to the Domain, but traffic from the Domain to the DMZ is still allowed.
0
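As an added example (not part of this thread or any of the posters' code), a PowerShell check for the setup the accepted and assisted solutions describe: it reads the RODC's Password Replication Policy and its list of cached secrets, then reports each DMZ member server's computer-account password age as the RODC itself sees it, so you can confirm that rotated computer account passwords really reach the RODC over the one-way replication link. The RODC name and DMZ OU are placeholders, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not from the thread). Audits which DMZ computer accounts an RODC
# is allowed to cache, which it has actually cached, and how old each DMZ server's
# computer-account password is on the RODC's copy of the directory.
# Placeholders: replace $Rodc and $DmzOU with your own values.
Import-Module ActiveDirectory

$Rodc  = 'DMZ-RODC01'                        # placeholder RODC hostname
$DmzOU = 'OU=DMZ Servers,DC=example,DC=com'  # placeholder OU holding DMZ members
$MaxAgeDays = 30                             # default machine password rotation interval

# Password Replication Policy: who the RODC may (and may never) cache secrets for
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
Write-Host "Allowed to cache: $($allowed.Name -join ', ')"
Write-Host "Denied from cache: $($denied.Name -join ', ')"

# Secrets the RODC is actually holding right now
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$cachedDns = @($cached | ForEach-Object { $_.DistinguishedName })

# Query the RODC directly (-Server) so PasswordLastSet reflects ITS replica,
# not the writable DC's; a stale value here means the update never replicated.
$dmzComputers = Get-ADComputer -Server $Rodc -SearchBase $DmzOU -Filter * `
                               -Properties PasswordLastSet

foreach ($c in $dmzComputers) {
    $ageDays = if ($c.PasswordLastSet) {
        [int]((Get-Date) - $c.PasswordLastSet).TotalDays
    } else { $null }

    [pscustomobject]@{
        Computer          = $c.Name
        PasswordLastSet   = $c.PasswordLastSet
        PasswordAgeDays   = $ageDays
        CachedOnRODC      = $cachedDns -contains $c.DistinguishedName
        # Older than the rotation interval on the RODC's replica: the computer
        # account update is not reaching this RODC (or the machine is not rotating).
        StaleOnRODC       = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
    }
}
```

A server that shows CachedOnRODC = False will still authenticate through the RODC while the link to a writable DC is up, but the RODC cannot serve it on its own if that link is lost; add the DMZ computer accounts to the RODC's allowed list if you want them cached.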
 
LVL 74

Expert Comment

by:Glen Knight
ID: 37485298
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
