one-way replication of AD


Dragan Terzic

How to set up replication of Active Directory between two
domain controllers so that one is the master and the other is
the slave?
The slave should not allow any modifications, and only accept
updates from the master.
The slave will be on the Internet, and therefore should not
accept any modifications to Active Directory, even if
somebody guesses the Administrator password.
 
Not going to happen. I worked through scenarios before trying to work this out and it resulted in failure every time.
 
Yes, but this is a hole in the security system. If anyone
with the administrator's password (and there is always the
possibility that someone guesses or finds the password) can
modify LDAP data in the DMZ, and (what is even worse) that
modification is automatically propagated to other domain
controllers, this whole system is totally unsecured.
I need the LDAP (389) port open for public access for reading
certain information.
Is there any way to make AD read-only for anyone
(including Administrator) on one domain controller? (I need a
read-only copy of AD that is regularly updated from the other
domain controller.)
BR
-----Original Message-----
Not going to happen. I worked through scenarios before
trying to work this out and it resulted in failure every
time.
 