Stuart Coney
Hello all,
I have been searching (and searching) the Microsoft site for information on
"Securing Communication Between Domain Members and their Domain
Controllers".
Overview
=======
We are looking at a migration from an NT4 domain plus a large number of DMZ
(perimeter in MS speak) located stand-alone servers. The idea is to
integrate them into a single secure Active Directory domain.
The DCs for the domain will be located in a secured network separate from
both the DMZ and internal network environments, and access will be controlled
through firewalls. As all servers in the domain are located at one location,
all DCs will be located in the secure network; therefore all DC replication
will occur in the secure network.
The forest containing this domain will be separate from the corporate
forest.
The problem
=========
We want to secure communication between the member servers in the DMZ and
the DCs. My original thought of IPsec has been ruled out due to specific
information on the MS site: "Using IPSec to help secure traffic between
domain members (either clients or servers) and their domain controllers is
not recommended"... due to increased latency in authentication, increased DC
load, the complexity of IPsec management, etc.
My next thought was whether we could use LDAP SSL and configure the DCs and
member servers to communicate this way. Looking through the MS tech support
site, I have found several documents relating to configuring LDAP SSL between DCs
for replication, but none for general secure connections between member
servers and DCs.
====
Can anybody advise for the above scenario the best practice for securing
communication between the member servers and domain controllers?
Much appreciated,
Stu