RE: AD replication over WAN

From: Kim, Anthony (anthony.kim@vwcredit.com)
Date: 01/13/03

  • Next message: Scott: "RE: Bypass Traverse Checking?"
    From: "Kim, Anthony" <anthony.kim@vwcredit.com>
    To: "'Deus, Attonbitus'" <Thor@HammerofGod.com>, "Jim Harrison (SPG)" <jmharr@microsoft.com>, "Valentine M. Smith" <vmsmith@grokking.org>, focus-ms@securityfocus.com
    Date: Mon, 13 Jan 2003 12:58:34 -0600
    
    

    Interesting discussion.

    Reminded me of this helpful little thing:
    http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

    Also, is it still the case that replication via SMTP transport
    can only be used for INTER-domain replication and not for
    INTRA-domain replication?

    -----Original Message-----
    From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
    Sent: Monday, January 13, 2003 10:03 AM
    To: Jim Harrison (SPG); Valentine M. Smith; focus-ms@securityfocus.com
    Subject: RE: AD replication over WAN

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    At 06:43 PM 1/12/2003, Jim Harrison (SPG) wrote:
    >Given that the replication path (port/protocol) is well-defined and
    >generally understood, it also makes sense that they could also provide a
    >"door" to your AD controllers for those who wish to do you harm for no
    >apparent reason.
    >
    >With that in mind, it seems clear to me that a site-to-site VPN is not
    >only preferable, it's mandatory.
    >

    Agreed- IP or RPC based replication should be via a VPN tunnel. You
    could, however, use SMTP as a replication transport, in which case
    certificates would be required and all replication information would be
    encrypted without the need to open up the DC's directly.

    AD

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    iQA/AwUBPiLjI4hsmyD15h5gEQIN1ACfQT+uu96rwT1a0l8BDoK8zynfYKAAnisP
    f5Biz71mZTOYD3UEOtlu30FQ
    =CkdT
    -----END PGP SIGNATURE-----

    ***********************************************************************
    DISCLAIMER:
    The information transmitted may contain confidential material and is
    intended only for the person or entity to which it is addressed. Any
    review, retransmission, dissemination or other use of or taking of any
    action by persons or entities other than the intended recipient is
    prohibited. If you are not the intended recipient, please delete the
    information from your system and contact the sender.
     ***********************************************************************



    Relevant Pages

    • RE: AD replication over WAN
      ... is it still the case that replication via SMTP transport ... it seems clear to me that a site-to-site VPN is not ... If you are not the intended recipient, ...
      (Focus-Microsoft)
    • RE: AD replication over WAN
      ... This is because the File Replication Service requires a synchronous ... transport mechanism for its replication. ... you cannot replicate a domain partition via SMTP. ... If you are not the intended recipient, ...
      (Focus-Microsoft)
    • RE: AD replication over WAN
      ... >Given that the replication path (port/protocol) is well-defined and ... >"door" to your AD controllers for those who wish to do you harm for no ... it seems clear to me that a site-to-site VPN is not ... Agreed- IP or RPC based replication should be via a VPN tunnel. ...
      (Focus-Microsoft)