Domain replication with firewall

[Yannick Robert]

Hi,

I have tried to replicate same domain between 2 DC with SMTP replication,
but it was impossible. My problem is to replicate without any use of the
netbios & ldap ports.

there is a reason : i have a DC in the intranet, and another one in the DMZ.
Between them there is a firewall, and, of course, the netbios & ldap ports
are prohibited.

Is somebody know a solution to have the same accounts in the 2 DC.

Thanks in advance

Y.R.

 

[Simon Geary]

Rather than opening up the many required ports in your Firewall you may want
to consider creating a VPN tunnel between the two sides. This will simplify
the configuration and is more secure.

Have a read of this for another option.
http://support.microsoft.com/?id=224196

 

[Yannick Robert]

Thanks, it's a very good documentation about the different configurations
with a firewall

 

[Ace Fekay [MVP]]

In

Hi,

I have tried to replicate same domain between 2 DC with SMTP
replication, but it was impossible. My problem is to replicate
without any use of the netbios & ldap ports.

there is a reason : i have a DC in the intranet, and another one in
the DMZ. Between them there is a firewall, and, of course, the
netbios & ldap ports are prohibited.

Is somebody know a solution to have the same accounts in the 2 DC.

Thanks in advance

Y.R.

Sounds like a VPN between the two may be your better bet or a VPN to the
firewall allowing inside access. This way you only open the VPN ports.

NetBIOS ports wouldn't make a difference, but there are about 30 ports
needed for domain communication.

Active Directory Replication over Firewalls - Microsoft Service Providers:
http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp

179442 - How to Configure a Firewall for Domains and Trusts:
http://support.microsoft.com/?id=179442

Q289241 - A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q289241&

Restricting Active Directory Replication Traffic to a Specific Port
(Q224196):
http://support.microsoft.com/?id=224196
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory