In a word, yuk.

But, I think it's fixable. If I'm reading it correctly, all your sites share
one site connector - that's going to be the biggest issue you have. In
effect, that says that any site can replicate with any other site. You'll
want to make discrete site connectors between the hub and each spoke site.
Then, by designating bridgeheads, you can open one set of rules per
connection.

Roger
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA
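The hub-and-spoke layout Roger describes (one site link per spoke, a preferred bridgehead per site, then one firewall rule set per connection), as an added example using the ActiveDirectory PowerShell module; this is not code from either poster, and the site names, DC names, cost and interval are placeholders.

```powershell
# Added example: discrete hub<->spoke site links plus preferred bridgeheads.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and
# placeholder site/DC names; replace them with your own.
Import-Module ActiveDirectory

$hub    = 'HUB'
$spokes = @('Spoke01', 'Spoke02', 'Spoke03')
# One DC per site that should be the only host inter-site replication uses,
# and therefore the only host the firewall has to permit.
$bridgeheads = @{
    'HUB'     = 'HUBDC01'
    'Spoke01' = 'SP01DC01'
    'Spoke02' = 'SP02DC01'
    'Spoke03' = 'SP03DC01'
}

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$defaultLink = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Properties SitesIncluded

foreach ($spoke in $spokes) {
    $linkName = "$hub-$spoke"
    # A dedicated link containing only hub and spoke: replication for this
    # spoke can flow to the hub and nowhere else.
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hub, $spoke `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
    # Pull the spoke out of the catch-all default link so the KCC can no
    # longer build spoke-to-spoke connections through it.
    if ($defaultLink.SitesIncluded -like "CN=$spoke,*") {
        Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Remove = $spoke}
    }
}

foreach ($site in $bridgeheads.Keys) {
    $serverDN = "CN=$($bridgeheads[$site]),CN=Servers,CN=$site,CN=Sites,$configNC"
    # Listing the IP transport in bridgeheadTransportList makes this server
    # the preferred bridgehead for its site; the ISTG will only pick it.
    Set-ADObject -Identity $serverDN -Add @{ bridgeheadTransportList = $ipTransport }
}

# After the KCC/ISTG rerun (or 'repadmin /kcc'), list the inter-site connection
# objects: each source/destination pair is exactly one firewall rule to open.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    Format-Table -AutoSize
```

The final listing is the artefact to hand to the firewall team: with a single bridgehead per site, the hub bridgehead and each spoke bridgehead are the only host pairs that need RPC and the related AD ports between them.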


> -----Original Message-----
> From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, December 03, 2002 4:53 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] AD Site design with Firewalls and other 
> goodies...
> 
> 
> We are starting to have issues with some domains that are joining our AD
> that have tight firewall policies and are not easily convinced to trust the
> rest of the organization. I once again would like to solicit expert
> opinions from this group in an effort to determine the best way to address
> the issues that we are facing when it comes to directory replication.
> 
> Specifically, we have a large site that is the default site everyone who
> joins the AD connects to. We have about 10 other remote sites we move. All
> sites are connected via the default site connector.
> 
> What is happening is we are getting AD domains joining and they are slipping
> in firewalls after the fact. This is causing domain controllers' KCCs to
> set up connection agreements and then not be able to replicate into the
> firewalled subnet. The firewall admins are resistant to opening the
> firewall to all the organization's networks. They prefer to know which host
> and the exact port ranges. Barring the suggestions outlined in the MS white
> paper about AD and firewalls (use static RPC replication, IPSEC), is there
> a way to use sites and site links and preferred bridgehead servers to
> separate out those DCs who only want to speak to a small finite number of
> DCs in a hub and spoke replication topology? I am not opposed to turning
> off remote DC KCCs but fear this wouldn't help those DCs located in the hub
> site.
> 
> What I want to avoid as much as possible is IPSEC policies, Swiss cheese
> firewalls, and other crazy configurations if possible.
> 
> Thanks for any assistance you all can offer.
> 
> Todd Myrick 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
