[Samba] RODC in DMZ
Ilias Chasapakis forumZFD
chasapakis at forumZFD.de
Fri Dec 13 12:26:56 UTC 2024
Dear Rowland,
We share those concerns actually and of course if there is a way to avoid
it, it is always better. Another fellow suggested an LDAP proxy to us
instead (personally I have never set one up). What we actually need in our
scenario is only that service and not the rest of the bells and
whistles of an RODC.
I was just wondering if someone had experience with what happens if one
does actually close some of these ports which in the end are unused (of
course join and replication should also be able to go on). The
implications of opening anything on a DMZ to an internal network are for
sure not nice (even with very restricted access) unless compromises
are needed for practical reasons.
Thanks for sharing your thoughts on this.
Best
Ilias
On 13.12.24 at 11:53, Rowland Penny via samba wrote:
> Well, personally, I wouldn't put anything to do with AD into a DMZ, but
> that is probably just me. Any AD client in a DMZ (and that includes an
> RODC) must 'talk' to an internal DC.
>
> If you must do this, Microsoft has documentation here:
>
> https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd728034(v=ws.10)?redirectedfrom=MSDN
>
> Rowland
>
--
forumZFD
Entschieden für Frieden | Committed to Peace
Ilias Chasapakis
Referent IT | IT Referent
Forum Ziviler Friedensdienst e.V. | Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany
Tel 0221 91273243 | Fax 0221 91273299 |http://www.forumZFD.de
Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
Alexander Mauz, Sonja Wiekenberg-Mlalandle
VR 17651 Amtsgericht Köln
Spenden|Donations: IBAN DE90 4306 0967 4103 7264 00 BIC GENODEM1GLS