RE: [ActiveDir] Isolating a DC
Agree, isolating by site is often confused with requiring a separate subnet and thus extra effort on the networking infrastructure. That's actually not the case. You can create your AD site and just assign it a 32-bit masked IP address as the subnet; if the other sites are properly configured, this will ensure that no client will try to leverage the DC in this special site. Realize that a separate site doesn't take care of the generic DC lookups performed by clients (e.g. when they join the domain or when all DCs in their site fail); however, adjusting the priorities in DNS and configuring the DNS mnemonics appropriately for the DC in the special site will also take care of this extra challenge (should be described in the Exchange Server Site doc for which Brian previously provided the link).

/Guido

> From: Matt Hargraves
> Sent: Wednesday, September 13, 2006 8:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Isolating a DC
>
> Yeah, I didn't mean to sound so negative; it just seems like isolating by site (which is a logical, not physical, barrier) is a more holistic solution which provides the isolation required, while allowing the DCs to continue to potentially (in an emergency situation) perform the duties of user authentication without having to change anything. The IPSec solution just seems like serious overkill that's unnecessary.
>
>> On 9/13/06, Akomolafe, Deji wrote:
>> I thought his original request was to make sure that no other client talks to the isolated server except those permitted.
>>
>>> On Wed 9/13/2006 7:26 AM, Matt Hargraves wrote:
>>> [...]
RE: [ActiveDir] Isolating a DC
Thanks to all for the responses. This (isolating via IPSec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a "keep it simple" perspective. Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the IPSec-isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-----Original Message-----
From: James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:
> I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935
> Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft's site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.

I think what you're referring to is the excellent "Server and Domain Isolation using IPSec" content, at:
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech Windows Users Group:
http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also "Using IPSec to Lock Down a Server" from TechNet:
http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.

--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
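Bryan's two questions (what ports are required, and whether denied clients will see delays) are the practical core of the IPSec approach James's links describe. The following PowerShell is an added example, not code from the thread or from the linked TechNet documents: it builds the same host-based allow list on the isolated DC with Windows Firewall with Advanced Security (the NetSecurity module, Windows Server 2012 and later), standing in for the Windows 2000/2003 IPSec policy filters the thread is about. The addresses, the peer-DC and application lists, and the rule group name are placeholders; the port list is the standard set a domain controller needs from replication partners and from LDAP/Kerberos consumers.

```powershell
# Added example; not from the thread or the linked TechNet documents. Builds the
# inbound allow list on the isolated DC itself with Windows Firewall with
# Advanced Security (NetSecurity module, Windows Server 2012+), in place of the
# Windows 2000/2003 IPSec policy filters the thread discusses. Run as a local
# Administrator on the DC. All addresses and names below are placeholders.
$PeerDcs   = @('192.0.2.10', '192.0.2.11', '192.0.2.12', '192.0.2.13')  # the other DCs
$AppHosts  = @('192.0.2.80')                                            # provisioning system
$AdminHost = @('192.0.2.200')                                           # management workstation
$Group     = 'DC Isolation'

# What a DC must accept from replication partners and from the applications that
# are allowed to bind to it: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB,
# kpasswd, LDAPS, GC LDAP/LDAPS, plus the RPC dynamic range used by DRS
# replication and Netlogon (49152-65535 on Server 2008+; 1025-5000 on 2003).
$DcTcp = @('53', '88', '135', '389', '445', '464', '636', '3268', '3269', '49152-65535')
$DcUdp = @('53', '88', '123', '389', '464')

# Idempotent: drop any earlier rules in our group before recreating them.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$Sources = @(
    @{ Name = 'peer DCs';       Addr = $PeerDcs  },
    @{ Name = 'permitted apps'; Addr = $AppHosts }
)
foreach ($Src in $Sources) {
    New-NetFirewallRule -Group $Group -DisplayName "DC ports from $($Src.Name) (TCP)" `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $DcTcp -RemoteAddress $Src.Addr | Out-Null
    New-NetFirewallRule -Group $Group -DisplayName "DC ports from $($Src.Name) (UDP)" `
        -Direction Inbound -Action Allow -Protocol UDP -LocalPort $DcUdp -RemoteAddress $Src.Addr | Out-Null
}
New-NetFirewallRule -Group $Group -DisplayName 'Management from admin host (RDP, WinRM)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('3389', '5985', '5986') `
    -RemoteAddress $AdminHost | Out-Null

# Default-deny inbound on every profile, then disable (not delete, so this is
# reversible) the built-in rules that would otherwise admit the same ports from
# any address. Everything not matched by the rules above is now dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -DefaultOutboundAction Allow
$BuiltInGroups = @(
    'Active Directory Domain Services', 'DNS Service', 'Kerberos Key Distribution Center',
    'File and Printer Sharing', 'Remote Desktop', 'Windows Remote Management'
)
foreach ($G in $BuiltInGroups) {
    Get-NetFirewallRule -DisplayGroup $G -Direction Inbound -ErrorAction SilentlyContinue | Disable-NetFirewallRule
}

# Confirm the result: only our group should remain enabled for inbound traffic.
Get-NetFirewallRule -Direction Inbound -Enabled True | Select-Object DisplayName, Group
```

Two things to check after applying it. From a peer DC, `repadmin /showrepl` against the isolated DC must still succeed; from a workstation that is not in the list, `Test-NetConnection <dc> -Port 389` should time out rather than be refused, because the firewall drops silently. That silent drop is also the answer to Bryan's delay question: the DC locator's LDAP ping over UDP 389 gets no reply, so a client that happens to pick this DC from the generic SRV records waits for the ping timeout before trying the next one. A host filter on its own therefore produces exactly the delays he is worried about; it needs to be paired with keeping the DC out of (or last in) the generic DNS records, which is what the site-based answers in this thread are about.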
Re: [ActiveDir] Isolating a DC
Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment.

BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites; only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also.

Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting an IP filter on these boxes.

If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which, since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than "OMG, a (gasp) *user* authenticated against my application DC".

> On 9/13/06, Lucas, Bryan wrote:
> Thanks to all for the responses. This (isolating via IPSec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a "keep it simple" perspective. Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the IPSec-isolated DC?
> [...]
Re: [ActiveDir] Isolating a DC
Yeah, I didn't mean to sound so negative; it just seems like isolating by site (which is a logical, not physical, barrier) is a more holistic solution which provides the isolation required, while allowing the DCs to continue to potentially (in an emergency situation) perform the duties of user authentication without having to change anything. The IPSec solution just seems like serious overkill that's unnecessary.

> On 9/13/06, Akomolafe, Deji wrote:
> I thought his original request was to make sure that no other client talks to the isolated server except those permitted.
>
> Sincerely,
> Deji Akomolafe
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
>
>> From: Matt Hargraves
>> Sent: Wed 9/13/2006 7:26 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] Isolating a DC
>>
>> Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients.
>> [...]
RE: [ActiveDir] Isolating a DC
I should probably expand on my reasoning. We have 5 DCs now, with 2 of them in a separate physical location (same campus), so we do have plenty of redundancy and performance.

My issue is I have an account provisioning system that synchronizes various directories, including AD. It generates a *ton* of entries in the Security Log. I also have some other apps/appliances that generate some logs as well. Our policy is to collect and archive all DC security logs. If I just don't collect the logs from that DC but I don't isolate it, then I can potentially miss legitimate security logs.

I worry that if I isolate it with IPSEC, what tells Exchange "don't ever try that DC again"? Seems like it would introduce delay while the application/user workstation learns that DC is unavailable.

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University

> From: Matt Hargraves
> Sent: Wednesday, September 13, 2006 9:26 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Isolating a DC
>
> Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients.
> [...]
RE: [ActiveDir] Isolating a DC
> I worry that if I isolate it with IPSEC, what tells Exchange "don't ever try that DC again"?

You should read http://support.microsoft.com/kb/250570/ then.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
"Do you now realize that Today is the Tomorrow you were worried about Yesterday?" -anon

> From: Lucas, Bryan
> Sent: Wed 9/13/2006 12:31 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Isolating a DC
>
> I should probably expand on my reasoning. We have 5 DCs now, with 2 of them in a separate physical location (same campus), so we do have plenty of redundancy and performance.
> [...]
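Deji's pointer to KB 250570 answers Bryan's question about how Exchange picks its domain controllers (the DSAccess component in the Exchange 2000/2003 of the thread's era). In Exchange 2007 and later the equivalent component, ADAccess, can be told explicitly which DCs never to use, which removes the guesswork about whether Exchange will stumble into a filtered DC. The following Exchange Management Shell snippet is an added example, not code from the thread or from the KB article; the Exchange server and DC names are placeholders, and it assumes Exchange 2007 or later with the organization-management rights needed to run Set-ExchangeServer.

```powershell
# Added example; not from the thread or from KB 250570. Exchange 2007+ exposes
# its DC-selection component (ADAccess, successor to the DSAccess covered by the
# KB) through the Exchange Management Shell. Server and DC names are placeholders.
$ExchangeServers = @('EX01', 'EX02')
$IsolatedDc      = 'corp-dc05.contoso.com'

foreach ($Srv in $ExchangeServers) {
    # StaticExcludedDomainControllers replaces the whole list, so merge the
    # isolated DC into whatever is already excluded instead of overwriting it.
    $Existing = @((Get-ExchangeServer -Identity $Srv).StaticExcludedDomainControllers |
                  ForEach-Object { "$_" })
    $NewList  = @($Existing + $IsolatedDc | Sort-Object -Unique)

    # ADAccess on this server will now never select the isolated DC as a domain
    # controller, global catalog or configuration DC, whatever DNS or the site
    # topology would otherwise offer it.
    Set-ExchangeServer -Identity $Srv -StaticExcludedDomainControllers $NewList

    # -Status fills the Current* properties from live topology discovery. If the
    # isolated DC is still listed, discovery has not re-run since the change.
    $Status = Get-ExchangeServer -Identity $Srv -Status
    $InUse  = @($Status.CurrentDomainControllers) + @($Status.CurrentGlobalCatalogs) +
              @($Status.CurrentConfigDomainController) | ForEach-Object { "$_" }

    if ($InUse -contains $IsolatedDc) {
        Write-Warning "$Srv is still using $IsolatedDc; exclusion takes effect at the next topology discovery"
    } else {
        Write-Output "$Srv excludes $IsolatedDc; DCs/GCs in use: $($InUse -join ', ')"
    }
}
```

The Current* values only change when ADAccess next runs topology discovery, or immediately if the Microsoft Exchange Active Directory Topology service (MSExchangeADTopology) is restarted in a maintenance window, which also restarts the Exchange services that depend on it. The exclusion is per Exchange server, so it has to be applied to every server in the organization, and it covers Exchange only; other applications that use the DC locator still need the DNS-side changes discussed elsewhere in this thread.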
[ActiveDir] Isolating a DC
I'd like to isolate a DC from regular user authentication. I only want certain applications/processes using it. Obviously it will need to replicate with the other DCs. I don't have an interface on the firewall to use, so I would probably have to do something software-based on the DC itself. Any recommendations on what to read, how to isolate it and what ports are required?

Bryan Lucas
Server Administrator
Texas Christian University
Re: [ActiveDir] Isolating a DC
Your best bet is to place it in a separate site within AD Sites and Services, I believe. This is the method that MS recommends for segregating DCs that are used for Exchange servers.

> On 9/12/06, Lucas, Bryan wrote:
> I'd like to isolate a DC from regular user authentication. I only want certain applications/processes using it. Obviously it will need to replicate with the other DCs. I don't have an interface on the firewall to use, so I would probably have to do something software-based on the DC itself. Any recommendations on what to read, how to isolate it and what ports are required?
> [...]
RE: [ActiveDir] Isolating a DC
I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935

Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft's site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
"Do you now realize that Today is the Tomorrow you were worried about Yesterday?" -anon

> From: Lucas, Bryan
> Sent: Tue 9/12/2006 9:18 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Isolating a DC
>
> I'd like to isolate a DC from regular user authentication. I only want certain applications/processes using it.
> [...]
RE: [ActiveDir] Isolating a DC
Utilize a separate site for the server and don't assign client subnets to that site. If it's the same physical location as other DCs, consider utilizing site link change notifications so that it replicates more quickly than the standard site link interval.

Kurt Falde

> From: Lucas, Bryan
> Sent: Tuesday, September 12, 2006 12:18 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Isolating a DC
>
> I'd like to isolate a DC from regular user authentication. I only want certain applications/processes using it.
> [...]
RE: [ActiveDir] Isolating a DC
Assuming that you don't want users hitting the DC for performance reasons, then take a look at the attached doc. It says it's for Exchange, but can be used for any application. This doesn't block traffic, but makes the configured DCs the least preferable/discoverable by clients.

Microsoft IT Showcase: Creating an Active Directory Site for Exchange Server
http://www.microsoft.com/downloads/details.aspx?FamilyID=6b263452-7a61-4253-9c9e-b337cb80d460&DisplayLang=en

> From: Kurt Falde
> Sent: Tuesday, September 12, 2006 10:36 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Isolating a DC
>
> Utilize a separate site for the server and don't assign client subnets to that site. If it's the same physical location as other DCs, consider utilizing site link change notifications so that it replicates more quickly than the standard site link interval.
> [...]
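Kurt's post, Guido's post at the top of the thread and the Microsoft IT Showcase document linked above all describe one procedure: give the DC its own site with no client subnets (Guido's 32-bit-mask subnet covering only the DC), keep replication fast with change notification on the site link, and then tune the DC's generic (non-site-specific) DNS records so that site-less lookups do not hand it to clients either. The following PowerShell carries the whole procedure through as an added example; it is not code from the thread or from the Microsoft document. It assumes Windows Server 2012 or later with the ActiveDirectory RSAT module (which did not exist in 2006), PowerShell remoting to the DC, Domain Admin rights, and placeholder names and addresses (CORP-DC05, 192.0.2.50, contoso.com, the site and link names). The registry values it sets (LdapSrvPriority, LdapSrvWeight, DnsAvoidRegisterRecords) are the documented Netlogon settings behind the "DNS mnemonics" Guido refers to.

```powershell
# Added example; not code from the thread or from the Microsoft document above.
# Assumes Windows Server 2012+ with the ActiveDirectory RSAT module, PowerShell
# remoting to the DC, Domain Admin rights. All names and addresses are placeholders.
Import-Module ActiveDirectory

$Domain   = 'contoso.com'
$DcName   = 'CORP-DC05'                 # the DC being reserved for applications
$DcIp     = '192.0.2.50'                # its address; the /32 covers this host only
$IsoSite  = 'AppOnly-Site'
$HubSite  = 'Default-First-Site-Name'   # the site the rest of the campus uses
$LinkName = "$HubSite-$IsoSite"

# 1. A site whose only subnet is the DC's own address (Guido's point). No client
#    subnet maps here, so site-aware lookups never return this DC to a client.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$IsoSite'")) {
    New-ADReplicationSite -Name $IsoSite
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$DcIp/32'")) {
    New-ADReplicationSubnet -Name "$DcIp/32" -Site $IsoSite
}

# 2. Site link to the hub. Bit 0x1 (USE_NOTIFY) of the siteLink 'options'
#    attribute turns on change notification (Kurt's point), so replication is
#    not held to the 15-minute schedule minimum despite the separate site.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName -SitesIncluded $HubSite, $IsoSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15
}
Set-ADReplicationSiteLink -Identity $LinkName -Replace @{ options = 1 }

# 3. Move the DC's server object into the new site.
Move-ADDirectoryServer -Identity $DcName -Site $IsoSite

# 4. Generic records such as _ldap._tcp.dc._msdcs.<domain> would still list this
#    DC. Make it least preferred (high priority value, weight 1) and stop it
#    registering the generic record set at all. The strings are the Netlogon
#    mnemonics for those records; the site-specific records stay registered.
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Avoid  = @('LdapIpAddress', 'Ldap', 'Gc', 'GcIpAddress', 'Kdc', 'Dc', 'DcByGuid',
            'Rfc1510Kdc', 'Rfc1510Kpwd', 'Rfc1510UdpKdc', 'Rfc1510UdpKpwd', 'GenericGc')

Invoke-Command -ComputerName $DcName -ArgumentList $Params, $Avoid -ScriptBlock {
    param($Key, $Mnemonics)
    Set-ItemProperty -Path $Key -Name LdapSrvPriority         -Type DWord       -Value 200
    Set-ItemProperty -Path $Key -Name LdapSrvWeight           -Type DWord       -Value 1
    Set-ItemProperty -Path $Key -Name DnsAvoidRegisterRecords -Type MultiString -Value $Mnemonics
    # Stopping Netlogon deregisters the records it owns; on start it registers
    # only those not listed in DnsAvoidRegisterRecords.
    Restart-Service Netlogon
}

# 5. Verify from any domain member: the generic SRV set should no longer name the
#    DC, and the locator should never pick it for the hub site.
$Generic = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" |
           Where-Object { $_.NameTarget -like "$DcName.*" }
if ($Generic) {
    Write-Warning "Generic SRV record still present: $($Generic.NameTarget) priority $($Generic.Priority)"
}
nltest /dsgetdc:$Domain /site:$HubSite /force
```

Two caveats a practitioner would want. First, once the DC is absent from the generic records, nothing finds it through the locator, so the applications that are supposed to use it (Bryan's provisioning system) must be pointed at it by host name rather than by domain name. Second, step 4 trades away the fallback Matt argues for: when clients' own site DCs are all down and they fall back to the generic lookup, this DC is no longer on the list. Setting only LdapSrvPriority and LdapSrvWeight, and leaving DnsAvoidRegisterRecords unset, keeps it registered as a last resort while still making it the least preferred choice.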