Hi Andy,

Check out the following:
* Active Directory in Networks Segmented by Firewalls - http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
* Restricting Active Directory Replication Traffic to a Specific Port (MS-KBQ224196) - http://support.microsoft.com/default.aspx?scid=kb;en-us;224196
* How to Restrict FRS Replication Traffic to a Specific Static Port (MS-KBQ319553) - http://support.microsoft.com/default.aspx?scid=kb;en-us;319553
* Port Requirements for the Microsoft Windows Server System (MS-KBQ832017) - http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

The only experience I have with AD and firewalls is that a firewall is a real
pain when performing AD Forest Disaster Recovery procedures (I have been
setting up these procedures with a colleague for one of our customers and
that was presented recently at the DEC). With AD I sometimes think that a
firewall in time turns into Swiss cheese.

You can also use an IP site link and restrict directory replication to a
specific port in the firewall as mentioned in the articles above. According
to your description below that division does not trust you guys. If they
don't trust you, it would be better if you use a separate forest because a
forest in AD is the ultimate security boundary. Within one forest each
domain admin must trust each other! If not... -> separate forests!
If each domain has its own service admins to administer the DCs in the
particular domain then those service admins have the possibility to control
each domain in the forest. That's why each admin MUST trust each other in
one forest. Check the security requirements of that division (and yours of
course) to see if a separate forest is needed for service and/or data
isolation.

Regards,
Jorge
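
An added example (not from the thread or from Microsoft) of how a practitioner could verify the setup Jorge points to: it reads the static RPC port values documented in KB224196 (NTDS) and KB319553 (NTFRS) from a domain controller and tests whether those ports, plus the fixed AD ports, are reachable from the far side of the firewall. The DC name, the fixed-port list, and administrative/remote-registry access to the DC are assumptions.

```powershell
# Added example: audit whether a DC pins AD and FRS replication RPC traffic to
# static ports and whether the firewall actually passes them.
# Assumes: run as an administrator with remote-registry access to the DC;
# $DcName and the fixed-port list are placeholders/assumptions.

function Get-ReplicationPortConfig {
    param([Parameter(Mandatory)][string]$DcName)

    # Registry locations documented in KB224196 (NTDS) and KB319553 (NTFRS)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $DcName)
    try {
        $ntds = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        $frs  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\NtFrs\Parameters')
        [pscustomobject]@{
            DC          = $DcName
            NtdsRpcPort = if ($ntds) { $ntds.GetValue('TCP/IP Port') } else { $null }
            FrsRpcPort  = if ($frs)  { $frs.GetValue('RPC TCP/IP Port Assignment') } else { $null }
        }
    } finally { $base.Close() }
}

function Test-ReplicationPath {
    param(
        [Parameter(Mandatory)][string]$DcName,
        # Assumed minimum fixed ports: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB
        [int[]]$FixedPorts = @(53, 88, 135, 389, 445)
    )
    $cfg = Get-ReplicationPortConfig -DcName $DcName
    if (-not $cfg.NtdsRpcPort) {
        Write-Warning "$DcName has no static NTDS RPC port set; replication will pick a dynamic port and the firewall rule cannot be pinned to one port."
    }
    # Combine fixed ports with whatever static ports are configured (drop nulls)
    $ports = $FixedPorts + @($cfg.NtdsRpcPort, $cfg.FrsRpcPort) | Where-Object { $_ }
    foreach ($p in $ports) {
        $ok = (Test-NetConnection -ComputerName $DcName -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ DC = $DcName; Port = $p; Reachable = $ok }
    }
}

# Usage (placeholder DC name):
# Test-ReplicationPath -DcName 'dc01.secure-division.example' | Format-Table
```

Run it from a host on the less-trusted side of the firewall; any port reported as not reachable is one the firewall rule still blocks.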

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, March 31, 2004 20:36
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domains Separated by Firewall

Hi:

We are doing an AD/E2K3 migration, and we have a scenario that I haven't
found covered in the archives:

Our AD forest presently consists of an empty forest root, with a single
child domain. We have a division, however, with significantly higher
security requirements than the rest of the organization. Presently, they are
running Exchange 55 as a site within our organization but with a separate NT
domain with NO trust between our domains. They are separated from us by a
firewall, with the only connectivity between us being port 102 (x400), and
all communication must be initiated from their side. No resource sharing
other than email is required, and no cross-domain authentication is needed.

I'm looking at setting them up as a separate domain in our forest, with an
SMTP site link for directory replication. We will be kicking the tires in
the lab, but does anyone have any real-life experiences (traumas, acquired
phobias, etc.) with similar scenarios?

Thanks,

Andy Schan

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended recipient(s) 
only. It may contain proprietary material, confidential information and/or be subject 
to legal privilege. It should not be copied, disclosed to, retained or used by, any 
other party. If you are not an intended recipient then please promptly delete this 
e-mail and any attachment and all copies and inform the sender. Thank you.