From: Pidgorny, Slav (slav.pidgorny_at_anz.com)
Date: Tue Jan 21 2003 - 22:45:43 CST


    Yes, SMTP is interdomain only.

    According to my tests, the minimal set of protocols required for intradomain
    replication (DC to DC) is LDAP (389/UDP, 389/TCP), RPC for netlogon and ESE
    replication (135/TCP plus one assigned port for the RPC endpoint), CIFS for
    policy/FRS replication (445/TCP). Please correct me if I'm wrong but all the
    protocols here are using authentication.

    Some configuration of servers is required: particularly, all DCs have to be
    DNS servers (with AD-integrated zones) to avoid the need for DNS query
    traffic. All DCs are KDCs - Kerberos not necessary (I wonder why MS puts it
    as required everywhere: a domain controller can issue a Kerberos ticket for
    itself!). LDAP to Global Catalog is easy to avoid too. You can avoid NTP in
    the domain hierarchy, but I prefer to enable it across the firewall and take
    advantage of autoconfiguration for time synch.

    I find implementing raw protocols as above in a multi-DMZ scenario more
    convenient than using IPsec tunnelling. With the number of DCs increasing,
    management of IPsec policies becomes increasingly complex - yet firewall
    rule management is pretty much no different. However, if the infrastructure is
    exposed to the Internet, VPN is the way, as previously said.

    Regards

    Slav Pidgorny, SCSA :)

    -----Original Message-----
    From: Kim, Anthony [mailto:anthony.kim@vwcredit.com]
    Sent: Tuesday, 14 January 2003 5:59 AM
    To: 'Deus, Attonbitus'; Jim Harrison (SPG); Valentine M. Smith;
    focus-ms@securityfocus.com
    Subject: RE: AD replication over WAN

    Interesting discussion.

    Reminded me of this helpful little thing:
    http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

    Also, is it still the case that replication via SMTP transport
    can only be used for INTER-domain replication and not for
    INTRA-domain replication?

    -----Original Message-----
    From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
    Sent: Monday, January 13, 2003 10:03 AM
    To: Jim Harrison (SPG); Valentine M. Smith; focus-ms@securityfocus.com
    Subject: RE: AD replication over WAN

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    At 06:43 PM 1/12/2003, Jim Harrison (SPG) wrote:
    >Given that the replication path (port/protocol) is well-defined and
    >generally understood, it also makes sense that they could also provide a
    >"door" to your AD controllers for those who wish to do you harm for no
    >apparent reason.
    >
    >With that in mind, it seems clear to me that a site-to-site VPN is not
    >only preferable, it's mandatory.
    >

    Agreed - IP or RPC based replication should be via a VPN tunnel. You
    could, however, use SMTP as a replication transport, in which case
    certificates would be required and all replication information would be
    encrypted without the need to open up the DCs directly.

    AD

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    iQA/AwUBPiLjI4hsmyD15h5gEQIN1ACfQT+uu96rwT1a0l8BDoK8zynfYKAAnisP
    f5Biz71mZTOYD3UEOtlu30FQ
    =CkdT
    -----END PGP SIGNATURE-----

    ***********************************************************************
    DISCLAIMER:
    The information transmitted may contain confidential material and is
    intended only for the person or entity to which it is addressed. Any
    review, retransmission, dissemination or other use of or taking of any
    action by persons or entities other than the intended recipient is
    prohibited. If you are not the intended recipient, please delete the
    information from your system and contact the sender.
    ***********************************************************************
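The minimal DC-to-DC flow set Slav lists above (LDAP 389/TCP and 389/UDP, RPC endpoint mapper 135/TCP plus one pinned RPC port, CIFS 445/TCP, NTP optional) is easy to state and easy to get wrong in a firewall rule base, typically by leaving the whole dynamic RPC range open instead of the one assigned port. The following is an added example, not code from the original thread or from any of its authors: a small audit script that checks a constructed rule set against that minimal set and reports both required flows that are not permitted and allow rules that expose more than the replication set needs. The pinned RPC endpoint port 50000 and the rule syntax are assumptions for the example; a real deployment uses whatever port the administrator has assigned and whatever rule format the firewall exports.

```python
# Added example, not from the original post: audit a firewall rule set
# against the minimal intradomain (DC-to-DC) replication flows listed
# in the thread. Rule syntax and the pinned RPC port are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    port: int
    purpose: str


# Assumed placeholder for the one statically assigned RPC endpoint port.
ASSUMED_RPC_ENDPOINT_PORT = 50000

# Minimal DC-to-DC replication set as stated in the post.
REQUIRED_FLOWS = frozenset({
    Flow("tcp", 389, "LDAP"),
    Flow("udp", 389, "LDAP"),
    Flow("tcp", 135, "RPC endpoint mapper"),
    Flow("tcp", ASSUMED_RPC_ENDPOINT_PORT,
         "pinned RPC endpoint for netlogon / directory replication"),
    Flow("tcp", 445, "CIFS for policy (SYSVOL/FRS) replication"),
})

# Tolerated but not required per the post.
OPTIONAL_FLOWS = frozenset({Flow("udp", 123, "NTP")})

# Constructed sample rule set: '<allow|deny> <proto> <port|lo-hi|any> [# comment]'.
# It forgets CIFS and opens the whole dynamic RPC range instead of one port.
SAMPLE_RULES = """
allow tcp 389           # LDAP
allow udp 389           # LDAP
allow tcp 135           # RPC endpoint mapper
allow tcp 1024-65535    # dynamic RPC range: far broader than needed
allow udp 123           # NTP
deny  any any
"""


def parse_rules(text):
    """Parse the constructed rule format into (action, proto, lo, hi) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, ports = line.split()
        if ports == "any":
            lo, hi = 0, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        rules.append((action.lower(), proto.lower(), lo, hi))
    return rules


def _covers(rule, proto, port):
    action, rproto, lo, hi = rule
    return action == "allow" and rproto in (proto, "any") and lo <= port <= hi


def audit(text):
    """Return (missing, excess): required flows no allow rule covers, and
    allow rules that permit ports outside the required/optional set."""
    rules = parse_rules(text)
    missing = sorted(
        (f for f in REQUIRED_FLOWS
         if not any(_covers(r, f.proto, f.port) for r in rules)),
        key=lambda f: (f.proto, f.port),
    )
    permitted = {(f.proto, f.port) for f in REQUIRED_FLOWS | OPTIONAL_FLOWS}
    excess = []
    for action, proto, lo, hi in rules:
        if action != "allow":
            continue
        protos = ("tcp", "udp") if proto == "any" else (proto,)
        span = set(range(lo, hi + 1))
        for p in protos:
            needed = {port for (pp, port) in permitted if pp == p}
            if span - needed:          # rule opens something replication does not use
                excess.append((p, lo, hi))
    return missing, excess


if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES)
    for f in missing:
        print(f"MISSING  {f.proto}/{f.port}  ({f.purpose})")
    for proto, lo, hi in excess:
        print(f"EXCESS   allow {proto} {lo}-{hi} exceeds the replication set")
```

Run against the constructed sample, the script reports 445/TCP as missing and the 1024-65535/TCP rule as excess: exactly the two mistakes the post's advice (one assigned RPC port, CIFS for policy replication) is meant to prevent. Adjusting ASSUMED_RPC_ENDPOINT_PORT to the port actually pinned on the DCs makes the check match a real environment.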