He says he wants :-

"people can use resources in both domains" 

So if you lock down RPC, won't you need to lock down RPC on all servers? I guess 
it depends on the resources. 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: 24 April 2006 21:25
To: [email protected]
Subject: Re: [ActiveDir] ACtive directory Trusts and firewall configuration

Jan,

Just to add to what's been said......

1. Your success and mileage may vary according to the type of firewall you're 
using (e.g. FW1/PIX/ISA2004 - easy-ish, ISA2K - forget it).
2. Constraining RPC (by limiting communicating ports above 1024) should be 
considered an absolute must ... this'll need a registry change on every DC.
3. You'll need to allow all 8 Domain A DCs to communicate through the firewall 
to Domain B (and obviously vice versa), as each'll need to set up a secure 
channel to the target domain.
4. If applying ACLs between domains (say on file and print servers), bear in 
mind that the FAPs will also require visibility to the target domain through 
the firewall, i.e. rules for them as well.
5. Are you planning on using MIIS/IIFP to GAL Sync between the 2 domains?

Regards,
Mylo
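As an added worked example (not code from this thread or from any of the posters), here is what items 2 and 3 above look like as an actual change: the two Active Directory RPC listeners are pinned to fixed ports on every DC so the firewall no longer needs the whole above-1024 range, and the rule list that has to exist in both directions between all eight Domain A DCs and the single Domain B DC is generated from the DC lists. The registry values are the ones Microsoft documents in KB 224196; the DC names, the two port numbers chosen, and the use of WinRM to reach each DC are assumptions made for the example.

```powershell
# Added example, not from the thread. Pins the two AD RPC listeners on each DC
# to fixed ports (item 2) and lists the firewall flows required in both
# directions between every Domain A DC and the Domain B DC (item 3).
# Constructed/assumed values: DC names, the chosen port numbers, WinRM access.

$DomainA_DCs  = 1..8 | ForEach-Object { "dca{0:D2}" -f $_ }   # dca01..dca08 (constructed)
$DomainB_DCs  = @('dcb01')                                     # constructed
$NtdsPort     = 49152   # assumed: fixed port for AD replication RPC
$NetlogonPort = 49153   # assumed: fixed port for Netlogon RPC

function Set-DcRpcPorts {
    # Registry values from Microsoft KB 224196 ("Restricting Active Directory
    # RPC traffic to a specific port"). A reboot of the DC is needed afterwards.
    param([string[]]$DomainController, [int]$NtdsPort, [int]$NetlogonPort)
    Invoke-Command -ComputerName $DomainController -ArgumentList $NtdsPort, $NetlogonPort -ScriptBlock {
        param($ntds, $netlogon)
        $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $nlKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Set-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -Value $ntds     -Type DWord
        Set-ItemProperty -Path $nlKey   -Name 'DCTcpipPort' -Value $netlogon -Type DWord
        # Read the values back so the change is verified, not assumed
        [pscustomobject]@{
            DC           = $env:COMPUTERNAME
            NtdsPort     = (Get-ItemProperty -Path $ntdsKey).'TCP/IP Port'
            NetlogonPort = (Get-ItemProperty -Path $nlKey).DCTcpipPort
        }
    }
}

function Get-TrustFirewallRules {
    # One row per source DC, destination DC and port. With the RPC listeners
    # pinned, TCP 135 plus the two pinned ports replace the whole >1024 range.
    param([string[]]$SourceDCs, [string[]]$DestDCs, [int]$NtdsPort, [int]$NetlogonPort,
          [switch]$DownLevelTrust)
    $ports = @(
        @{ Proto = 'TCP'; Port = 135;           Use = 'RPC endpoint mapper' }
        @{ Proto = 'TCP'; Port = $NtdsPort;     Use = 'AD replication RPC (pinned)' }
        @{ Proto = 'TCP'; Port = $NetlogonPort; Use = 'Netlogon RPC (pinned)' }
        @{ Proto = 'TCP'; Port = 53;   Use = 'DNS' }
        @{ Proto = 'UDP'; Port = 53;   Use = 'DNS' }
        @{ Proto = 'TCP'; Port = 88;   Use = 'Kerberos' }
        @{ Proto = 'UDP'; Port = 88;   Use = 'Kerberos' }
        @{ Proto = 'TCP'; Port = 389;  Use = 'LDAP' }
        @{ Proto = 'UDP'; Port = 389;  Use = 'LDAP ping' }
        @{ Proto = 'TCP'; Port = 636;  Use = 'LDAP over SSL' }
        @{ Proto = 'TCP'; Port = 3268; Use = 'Global catalog' }
        @{ Proto = 'TCP'; Port = 445;  Use = 'SMB (secure channel setup)' }
        @{ Proto = 'TCP'; Port = 464;  Use = 'Kerberos password change' }
        @{ Proto = 'UDP'; Port = 464;  Use = 'Kerberos password change' }
    )
    if ($DownLevelTrust) {
        # NT4-style (NTLM) trusts also talk NetBIOS to the PDC emulator
        $ports += @{ Proto = 'UDP'; Port = 137; Use = 'NetBIOS name service' }
        $ports += @{ Proto = 'UDP'; Port = 138; Use = 'NetBIOS datagram' }
        $ports += @{ Proto = 'TCP'; Port = 139; Use = 'NetBIOS session' }
    }
    foreach ($src in $SourceDCs) {
        foreach ($dst in $DestDCs) {
            foreach ($p in $ports) {
                [pscustomobject]@{ Source = $src; Destination = $dst
                                   Protocol = $p.Proto; Port = $p.Port; Use = $p.Use }
            }
        }
    }
}

# Usage: pin the ports on every DC in both domains, then build the rule list
# in both directions (A -> B and B -> A) and print it for the firewall change.
Set-DcRpcPorts -DomainController ($DomainA_DCs + $DomainB_DCs) -NtdsPort $NtdsPort -NetlogonPort $NetlogonPort
$rules = @(Get-TrustFirewallRules $DomainA_DCs $DomainB_DCs $NtdsPort $NetlogonPort) +
         @(Get-TrustFirewallRules $DomainB_DCs $DomainA_DCs $NtdsPort $NetlogonPort)
$rules | Format-Table -AutoSize
```

Two things worth noting when adapting this. The rule rows make the answer to "all DCs or a specific DC" visible: every Domain A DC appears as a source and as a destination, because each one sets up its own secure channel to the trusted domain. The pinned port numbers are a choice, not a requirement; pick values that no other service on the DC already uses, and expect the change to take effect only after each DC is restarted. Pass `-DownLevelTrust` only for an NT4-style trust, which is the case Dave Wade describes below where the traffic lands on the PDC emulator.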


Dave Wade wrote:

>  1) I think firewall config is beyond the scope of this group. However 
> my thoughts are that
>             a) if you trust the other party enough to trust their domains, then
>             b) you should trust their firewall enough to keep nasties out from their side, so
>             c) the firewall should allow all ports from the VPN.
> << However your level of paranoia may be higher or lower than mine is
> today >>
>  
>  2) If I remember properly, down-level (non-Kerberos) trusts go to the 
> PDC emulator. At least we tend to lose ours when the PDC emulator 
> goes sick...
>  
> ----------------------------------------------------------------------
> --
> *From:* [EMAIL PROTECTED] on behalf of 
> [EMAIL PROTECTED]
> *Sent:* Mon 2006-04-24 12:28
> *To:* [email protected]
> *Subject:* [ActiveDir] ACtive directory Trusts and firewall 
> configuration
>
> Dear list!
>  
> I'm in need of setting up a trust between two existing Active 
> Directory domains and I have a few questions regarding this. The goal 
> is that people can log on from either domain with their user 
> credentials and that people can use resources in both domains; we also 
> need the Exchange address books in both domains to replicate to each 
> other, but that's maybe a different list.
> Domain A has 8 domain controllers, where the operations master roles 
> are spread across different servers; domain B has only 1 domain controller.
>  
> We have configured a VPN between the networks so the communication is 
> up and running.
>  
> My questions are:
> What ports do I need to open in the firewall to achieve this?
> And do I have to open the trust from domain B to all of my DCs in domain 
> A, or is it enough to open towards any DC or a specific DC? (Which 
> server roles does it need?)
>  
> Many thanks in advance.
>  
>
> Med vennlig hilsen / Best regards
>  
> *Jan Wilhelmsen*
> IT-Technician
>  
> *Bilia Personbil as*
> Økernveien 115
> 0510, Oslo
> Norway
> Tel:  +47 22882546
> Mob:+47 95928392
> Fax: +47 22970387
> Mail: [EMAIL PROTECTED]
> MSN: [EMAIL PROTECTED]
> Gmail: [EMAIL PROTECTED]

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
