Adding extended perimeter network to existing domain
I had this question after viewing Advice on fixing AD replication.
So after everyone helped me resolve my replication tweak, I would appreciate some advice on my next task- creating a RODC on an extended perimeter network.
I need to create a new RODC on a new subnet that will be part of our existing domain. It will be a new "DMZ" site in ADSS. It will be located in the same colocation facility as my "VPN" site. My plan is to create a site link b/t the "DMZ" and "VPN" sites so the RODC only communicates with the local writable DC in the subnet closest to it.
I'm reading through all the TechNet guides now on all the various tasks to do (firewall rules, password policies, filtered attribute set).
I've created a server-core install of W2K12.
If anyone has any advice on their favorite doc that walks me through the details for this scenario, that would be greatly appreciated. TechNet is lacking on the details sometimes
So after everyone helped me resolve my replication tweak, I would appreciate some advice on my next task- creating a RODC on an extended perimeter network.
I need to create a new RODC on a new subnet that will be part of our existing domain. It will be a new "DMZ" site in ADSS. It will be located in the same colocation facility as my "VPN" site. My plan is to create a site link b/t the "DMZ" and "VPN" sites so the RODC only communicates with the local writable DC in the subnet closest to it.
I'm reading through all the TechNet guides now on all the various tasks to do (firewall rules, password policies, filtered attribute set).
I've created a server-core install of W2K12.
If anyone has any advice on their favorite doc that walks me through the details for this scenario, that would be greatly appreciated. TechNet is lacking on the details sometimes
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
OK, these 2 documents would be your friends for couple of days ;)
First one is about good practices to deploy RODC in DMZ
https://technet.microsoft.
the second one is about securing replication between RODC from DMZ to your network by limiting dynamic ports range
https://blogs.technet.micr
You should avoid situation which allows to have all dynamic ports opened in perimeter network, for security reasons.
and of course also very important topic, setting up Site for RODC, defining Subnet(s) and connecting it to other Site(s). Please also take a look at this article explaining the topic about Sites, Subnets and Site links at https://technet.microsoft.
If you would have more questions, do not hesitate to ask.
Regards,
Krzysztof
First one is about good practices to deploy RODC in DMZ
https://technet.microsoft.
the second one is about securing replication between RODC from DMZ to your network by limiting dynamic ports range
https://blogs.technet.micr
You should avoid situation which allows to have all dynamic ports opened in perimeter network, for security reasons.
and of course also very important topic, setting up Site for RODC, defining Subnet(s) and connecting it to other Site(s). Please also take a look at this article explaining the topic about Sites, Subnets and Site links at https://technet.microsoft.
If you would have more questions, do not hesitate to ask.
Regards,
Krzysztof
So you were right. You have to take your time reading through these. I'm only through the first "design" doc now.
I have a bit of a chicken and egg situation. Our domain and forest functional levels are still at 2003 b/t we needed to hold on to a W2K3 DC for an old Exchange 2003 instance. That restriction is no longer in place. Should I replace that W2K3 DC first before adding the RODC, and up the domain and forest functional levels to 2008?
Our other DC's are 2008 already. The RODC will not rely on the W2K3 DC, but on one, and only one, of the W2K8 DC's. I already have this particular writable DC in its own site, so I can setup the proper site link with just the one DC and the RODC.
I also have questions about DNS, but will withhold my questions to a single file formation.
Thanks!
I have a bit of a chicken and egg situation. Our domain and forest functional levels are still at 2003 b/t we needed to hold on to a W2K3 DC for an old Exchange 2003 instance. That restriction is no longer in place. Should I replace that W2K3 DC first before adding the RODC, and up the domain and forest functional levels to 2008?
Our other DC's are 2008 already. The RODC will not rely on the W2K3 DC, but on one, and only one, of the W2K8 DC's. I already have this particular writable DC in its own site, so I can setup the proper site link with just the one DC and the RODC.
I also have questions about DNS, but will withhold my questions to a single file formation.
Thanks!
Premium Content
You need an Expert Office subscription to comment.Start Free Trial