Also note that with the Windows Server 2008 AD infrastructure, there are going to be some features that might more closely address what you are looking in a branch office environment.
With the advent of officially supported, native, read-only domain controllers, depending on your user volume in those remote offices, you now have a capability where you can use low cost site to site VPN links over standard internet or WAN connections to allow users to login and update AD stored data entries while still maintaining your primary credential cache close to the segment of your user base. The primary item of interest here is potentially lower administration overhead and an element of risk mitigation inherent in your infrastructure architecture by limiting the threat to your potentially more "exposed" branch office servers. James Eaton-Lee has provided you the principal resources here that really govern how to work with AD in a segmented infrastructure, use those and at 2008 RTM you may want to examine your environment to see if there are risk factors that you might be able to re-assess at that time with updated windows products. Wayne S. Anderson http://www.linkedin.com/in/wayneanderson -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James (njan) Eaton-Lee Sent: Tuesday, July 24, 2007 1:31 PM To: 'Focus-MS' Subject: Re: win2k3 active directory - firewall ports dubaisans dubai wrote: > i want to put win2k3 active directory server behind the corporate > firewall. we are using windows xp clients and also group policy See the following for information on AD in segmented networks, and what the firewall implications are for Login, Authentication, Fileshare, Replication traffic, etc: http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf- 9767-a9166368434e&DisplayLang=en This is well worth reading from start to finish and as well as simple port listings, it provides substantial guidance on segregating AD in various ways and how you should & shouldn't go about doing it, with discussion of IPSec. > what ports need to be allowed on firewall ? is there any fine tuning > that can be done on AD to make it more firewall friendly? Yes. See the following: http://support.microsoft.com/kb/224196 > i have some DC is remote locations . what ports need to be allowed between DCs? In order to allow replication to happen over a firewall, see the following: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/ac tivedirectory/deploy/confeat/adrepfir.mspx See also the "Active Directory in Networks Segmented by Firewalls" guide both for this and for more information on IPSec. It is not to be recommended, however, to do this over the internet. You almost certainly want to consider IPSec and/or a site-to-site VPN or private circuit. Hope that helps, - James. -- James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org "All at sea again / And now my hurricanes Have brought down this ocean rain / To bathe me again" https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3 --
