RE: AD replication over WAN

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 01/24/03

    From: "Laura A. Robinson" <larobins@bellatlantic.net>
    To: "'Kim, Anthony'" <anthony.kim@vwcredit.com>, "'Deus, Attonbitus'" <Thor@HammerofGod.com>, "'Jim Harrison (SPG)'" <jmharr@microsoft.com>, "'Valentine M. Smith'" <vmsmith@grokking.org>, <focus-ms@securityfocus.com>
    Date: Fri, 24 Jan 2003 12:56:21 -0500
    
    

    Yes. This is because the File Replication Service requires a synchronous
    transport mechanism for its replication. Since FRS is responsible for
    replication of group policies and scripts (not to mention DFS, but that's
    another discussion), and since those are domain-specific in terms of their
    storage, you cannot replicate a domain partition via SMTP.

    With that said, in all of the AD implementations I've seen or worked on, I
    know of only one that used SMTP replication, and it was for a highly
    specialized and unique purpose. Generally speaking, if an environment is
    such that SMTP replication would be necessary, then it is probably also an
    environment that would better lend itself to placing the remote site in its
    own forest altogether.

    Laura

    > -----Original Message-----
    > From: Kim, Anthony [mailto:anthony.kim@vwcredit.com]
    > Sent: Monday, January 13, 2003 1:59 PM
    > To: 'Deus, Attonbitus'; Jim Harrison (SPG); Valentine M.
    > Smith; focus-ms@securityfocus.com
    > Subject: RE: AD replication over WAN
    >
    >
    > Interesting discussion.
    >
    > Reminded me of this helpful little thing:
    > http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
    >
    > Also, is it still the case that replication via SMTP
    > transport can only be used for INTER-domain replication and
    > not for INTRA-domain replication?
    >
    >
    > -----Original Message-----
    > From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
    > Sent: Monday, January 13, 2003 10:03 AM
    > To: Jim Harrison (SPG); Valentine M. Smith; focus-ms@securityfocus.com
    > Subject: RE: AD replication over WAN
    >
    >
    >
    > At 06:43 PM 1/12/2003, Jim Harrison (SPG) wrote:
    > >Given that the replication path (port/protocol) is well-defined and
    > >generally understood, it also makes sense that they could also provide a
    > >"door" to your AD controllers for those who wish to do you harm for no
    > >apparent reason.
    > >
    > >With that in mind, it seems clear to me that a site-to-site VPN is not
    > >only preferable, it's mandatory.
    > >
    >
    > Agreed- IP or RPC based replication should be via a VPN tunnel. You
    > could, however, use SMTP as a replication transport, in which case
    > certificates would be required and all replication information would be
    > encrypted without the need to open up the DC's directly.
    >
    > AD
    >
    >
    >
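As an added illustration (not part of the thread), assuming a constructed site topology and DC inventory: a check that finds domains whose DCs are connected only through SMTP site links, which, as explained above, cannot carry the domain partition because the synchronous RPC-over-IP path is missing.

```python
from collections import defaultdict

# Constructed site links: (transport, sites joined). SMTP links are
# asynchronous and can only carry schema/configuration/GC replication.
SITE_LINKS = [
    ("IP", {"HQ", "Branch1"}),
    ("IP", {"HQ", "Branch2"}),
    ("SMTP", {"HQ", "Remote"}),
]

# Constructed DC inventory: site -> domains that have a DC in that site.
DCS_PER_SITE = {
    "HQ": {"corp.example", "child.corp.example"},
    "Branch1": {"corp.example"},
    "Branch2": {"child.corp.example"},
    "Remote": {"corp.example"},  # reachable from HQ only over SMTP
}

def ip_components(site_links):
    """Connected components of the site graph using IP (RPC) links only."""
    parent = {}

    def find(s):
        parent.setdefault(s, s)
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s

    for transport, sites in site_links:
        if transport != "IP":
            continue  # SMTP links do not count as a synchronous path
        root = find(next(iter(sites)))
        for s in sites:
            parent[find(s)] = root
    comps = defaultdict(set)
    for s in parent:
        comps[find(s)].add(s)
    return list(comps.values())

def domains_needing_smtp(site_links, dcs_per_site):
    """Domains whose DCs are split across sites with no IP-only path between them."""
    comp_of = {s: i for i, c in enumerate(ip_components(site_links)) for s in c}
    sites_of = defaultdict(set)
    for site, domains in dcs_per_site.items():
        for d in domains:
            sites_of[d].add(site)
    # A site that is on no IP link at all is its own component.
    return {d: sorted(sites) for d, sites in sites_of.items()
            if len({comp_of.get(s, s) for s in sites}) > 1}
```

Any domain reported here either needs an IP site link (over the VPN the thread recommends) to the isolated site, or that site should hold no DC for the domain.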