dubaisans dubai wrote:
i want to put win2k3 active directory server behind the corporate firewall. we are using windows xp clients and also group policy
See the following for information on AD in segmented networks, and what the firewall implications are for Login, Authentication, Fileshare, Replication traffic, etc:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=enThis is well worth reading from start to finish and as well as simple port listings, it provides substantial guidance on segregating AD in various ways and how you should & shouldn't go about doing it, with discussion of IPSec.
> what ports need to be allowed on firewall ? is there any fine tuning > that can be done on AD to make it more firewall friendly? Yes. See the following: http://support.microsoft.com/kb/224196> i have some DC is remote locations . what ports need to be allowed between DCs?
In order to allow replication to happen over a firewall, see the following: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspxSee also the "Active Directory in Networks Segmented by Firewalls" guide both for this and for more information on IPSec.
It is not to be recommended, however, to do this over the internet. You almost certainly want to consider IPSec and/or a site-to-site VPN or private circuit.
Hope that helps, - James. -- James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org "All at sea again / And now my hurricanes Have brought down this ocean rain / To bathe me again" https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3 --
smime.p7s
Description: S/MIME Cryptographic Signature
