Yep. The times I have fielded questions for this functionality both in the
public space and in private consulting were all for people who wanted to pump
AD Info to some remote site or DMZ and did not want the possibility of
someone at the site or in the DMZ to compromise the machine and pump the
changes back into the main AD.  

Until we have the RO-DCs this isn't feasible; even then, I wouldn't
recommend putting an RO-DC in the DMZ. Configuration changes of your main AD
are only one issue with putting internal DCs in the DMZ. You also have
information disclosure issues as well as DOS issues.

   joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, June 10, 2005 11:10 AM
To: '[email protected]'
Subject: RE: [ActiveDir] Sites to restrict traffic,

OK, that makes sense, although as you say, this is still not possible.

We don't (yet) have read-only DCs so this is just a non-starter :)

I'd still like to hear the justification / explanation for such a behaviour.



neil


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 June 2005 15:32
To: [email protected]
Subject: RE: [ActiveDir] Sites to restrict traffic,


I read that differently than you did, Neil.

I read it as how do I allow replication to go in one direction... Into a
site but not from the site back say like in a weird DMZ type configuration
or something.

If that is what the question is. The answer is you don't... Successfully.
You may get it working but it will break when the DC can't update its own
info in the rest of the environment.


  joe


 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, June 10, 2005 5:44 AM
To: '[email protected]'
Subject: RE: [ActiveDir] Sites to restrict traffic,

If you have your site links and costs set up correctly to reflect your
underlying network topology and infra, then this should not be a concern,
since you have already informed AD where and how it should replicate data.

If 2 sites are replicating and you do not want them to, then either remove
the link, or increase the cost, but naturally, you need to ensure that an
alternative path exists between these 2 sites.

I'm intrigued to know why you think you need to enforce these restrictions.
If your underlying network allows data to flow from A to B then why not
allow AD to use that underlying transport system?

neil


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: 10 June 2005 09:59
To: [email protected]
Subject: [ActiveDir] Sites to restrict traffic,


Hello,

How can I use sites to prevent traffic from flowing from one site to
another? I have a domain controller for each site, and I want to stop
traffic flowing in a certain direction (kind of like the trust relationships
in Windows NT).

thanks
r.c.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

============================================================================
==
Please access the attached hyperlink for an important electronic
communications disclaimer: 

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

============================================================================
==
