[Samba] RODC in DMZ

Ilias Chasapakis forumZFD chasapakis at forumZFD.de
Fri Dec 13 12:26:56 UTC 2024


Dear Rowland,

We share those concerns actually, and of course if there is a way to
avoid it, it is always better. Another fellow suggested an LDAP proxy to
us instead (personally I have never set one up). What we actually need
in our scenario is only that service and not the rest of the bells and
whistles of an RODC.

I was just wondering if someone had experience with what happens if one
does actually close some of these ports which in the end are unused (of
course join and replication should also be able to go on). The
implications of opening anything on a DMZ to an internal network are for
sure not nice (even with very restricted access) unless compromises
are needed for practical reasons.

Thanks for sharing your thoughts on this.

Best
Ilias

On 13.12.24 at 11:53, Rowland Penny via samba wrote:
> Well, personally, I wouldn't put anything to do with AD into a DMZ, but
> that is probably just me. Any AD client in a DMZ (and that includes an
> RODC) must 'talk' to an internal DC.
>
> If you must do this, Microsoft has documentation here:
>
> https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd728034(v=ws.10)?redirectedfrom=MSDN
>
> Rowland
>
-- 
forumZFD
Entschieden für Frieden | Committed to Peace

Ilias Chasapakis
Referent IT | IT Referent

Forum Ziviler Friedensdienst e.V. | Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany

Tel 0221 91273243 | Fax 0221 91273299 | http://www.forumZFD.de

Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
Alexander Mauz, Sonja Wiekenberg-Mlalandle
VR 17651 Amtsgericht Köln

Spenden|Donations: IBAN DE90 4306 0967 4103 7264 00   BIC GENODEM1GLS
